惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cloudbric
Cloudbric
有赞技术团队
有赞技术团队
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
T
Threat Research - Cisco Blogs
L
LangChain Blog
Simon Willison's Weblog
Simon Willison's Weblog
Project Zero
Project Zero
Latest news
Latest news
S
Schneier on Security
Cisco Talos Blog
Cisco Talos Blog
MyScale Blog
MyScale Blog
C
Check Point Blog
IT之家
IT之家
P
Palo Alto Networks Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
CERT Recently Published Vulnerability Notes
Scott Helme
Scott Helme
The Hacker News
The Hacker News
C
CXSECURITY Database RSS Feed - CXSecurity.com
G
Google Developers Blog
T
Tor Project blog
T
Threatpost
D
DataBreaches.Net
博客园 - 【当耐特】
酷 壳 – CoolShell
酷 壳 – CoolShell
T
Troy Hunt's Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Vercel News
Vercel News
云风的 BLOG
云风的 BLOG
NISL@THU
NISL@THU
P
Privacy & Cybersecurity Law Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
Cisco Blogs
博客园_首页
S
Securelist
T
The Exploit Database - CXSecurity.com
Last Week in AI
Last Week in AI
量子位
U
Unit 42
Know Your Adversary
Know Your Adversary
Hugging Face - Blog
Hugging Face - Blog
S
Security Affairs
Google Online Security Blog
Google Online Security Blog
Hacker News: Ask HN
Hacker News: Ask HN
Webroot Blog
Webroot Blog
S
SegmentFault 最新的问题
Engineering at Meta
Engineering at Meta
N
News and Events Feed by Topic
P
Proofpoint News Feed
阮一峰的网络日志
阮一峰的网络日志

Human Risk Management Blog

Trust, Verify, Protect: Modernizing Email Security for the Cloud Report: Social Engineering Remains a Central Part of AI-assisted Attacks ClickFix Social Engineering is Now the Leading Malware Delivery Method CyberheistNews Vol 16 #28 Your 2026 Phishing by Industry Benchmarks: The Findings on Human Risk Scammers Can Use AI Tools to Pinpoint Your Location Based on a Photo Report: Attackers Are Using AI to Automate Social Engineering Your KnowBe4 Fresh Compliance Plus Content Updates from June 2026 From Awareness to Digital Workforce Security Your KnowBe4 Fresh Content Updates from June 2026 Threat Actor Uses Phishing to Breach Orgs for Ransomware Gangs Invoice Phishing Attacks Are Abusing the Shop App Phishing Campaign Impersonates Interpol to Deliver Ransomware Prompt Injection and the Rise of Agentic Risk Hyper-Targeted Social Engineering Needs Real-Time Video Response Your Email is Protected. Is Your Teams Chat? CyberheistNews Vol 16 #27 [HOW TO] Your Cybersecurity Starts at Home on World Social Media Day 2026 Phishing by Industry Benchmarking Report: Findings on Human Risk Static DLP Is Leaving You in the Dark: Why It’s Time for Intelligent, Self-Serve Outbound DLP and Misdirected Content Analysis INC Ransomware Gang Targets the Legal Sector 5 Essential Cybersecurity Defenses for Cloud Email Security Cybercriminals Are Targeting the FIFA World Cup 2026 Why Bite-Sized Security Awareness Training Matters in an Age of TikTok and Digital Distraction Happy 3rd Birthday to Our KnowBe4 Community! Phishing Exposes Employee Data at 86% of Fortune 100 Companies Shadow AI Is Not Shadow IT With a Better Marketing Budget CyberheistNews Vol 16 #26 A New Extortion Scam Uses IT Impersonation to Breach Organizations Cybersecurity Starts At Home This World Social Media Day FTC Report: Americans Lost $3.5 Billion to Imposter Scams Last Year Report: Device Code Phishing is Surging Report: Online Shoppers Increasingly Ignore Scam Warning Signs Security Training Needs Google Maps, Not Christopher Columbus Turn Account Takeover Into Real-Time Security Coaching Extortion Gang Sends In-Person Attackers to Exfiltrate Data Attackers aren’t loyal to any collaboration channel CyberheistNews Vol 16 #25 [The AI Tell] How To Expose Machine-Written Phishing Fast Social Engineering Attacks Abuse Workplace Collaboration Tools New Extortion Brand Uses IT Impersonation to Breach Organizations APWG Report: Social Media Phishing is Surging Cybersecurity Awareness Training for AI: Key Focus Areas Americans Lost $900 Million to AI-Powered Scams Last Year What AI Can’t Hide When It Writes a Phishing Email Your AI Agents Are Eager to Please And Easy to Exploit From 1% to 26%: How AIDA Orchestration Fixes the Remedial Training Gap Best AI Agent Security Tools for SMB and Enterprise in 2026 4 Hot Summer Travel Tips To Avoid Scams The Role of Agentic AI in Phishing Security Training A Credit Score for Cyber Behavior Agentic AI Security in 2026: What to Know How to Secure AI Agents: 4 Best Practices An Overview of Email Compliance Regulations and Reporting Report: AI-Assisted Fraud is Surging Attackers Use Spoofed ChatGPT Site to Deliver Malware I Love Device-Bound Session Credentials, But They Are Still Phishable and Hackable Nearly Two-Thirds of CEOs Cite Cyberattacks as Their Top Concern A Look at Spam vs. Phishing: 4 Key Differences KnowBe4 Wins Multiple 2026 TrustRadius Top Rated Awards Cyber Insurance for Mid‑Market Organizations in Southeast Asia KnowBe4 Earns Multiple 2026 Buyer's Choice Awards from TrustRadius The New Frontier: Securing Japan’s Hybrid Digital Workforce (2026 & Beyond) CyberheistNews Vol 16 #23 Now Phishing Attacks Use Real Hotel Reservations to Target Travelers Report: AI-Enabled Social Engineering Attacks Are on the Rise Your KnowBe4 Fresh Compliance Plus Content Updates from May 2026 FBI: Kali365 Phishing Kit is Targeting Microsoft 365 Accounts KB4-CON - AI Is Everything How to Secure AI Adoption In Your Organization Your KnowBe4 Fresh Content Updates from May 2026 The Silent Invitation: A Deep Dive into Calendar Invite Phishing Cyber Insurance for Mid‑Market Organizations in Southeast Asia Chinese-Language Phishing Kits Are Growing More Advanced Phishing Attacks Are Using Real Hotel Reservation Info to Target Travelers Warning: Scammers are Exploiting Geopolitical Unrest Athletes Are Increasingly Targeted by Social Engineering Attacks AI Agent Governance Part 3 - Runtime Governance: The Hidden Performance Cost of Agentic AI AI Agent Governance Part 2 - What Good Looks Like: Governing AI Agents in Practice 8 Ways to Reduce False Positives in Email Security Ransomware Attacks Drive a Surge in Cyber Insurance Claims My Favorite 5 KnowBe4 Agents Perry Carpenter KB4-CON 2026 Q&A: Deepfakes & Deception Free Gift Fallacy: How Attackers Harvest Credit Cards via Fake Surveys When Global Conflict Becomes a Cyber Weapon: How Iran Tensions and Other Stressful Events Fuel Social Engineering Attacks CyberheistNews Vol 16 #21 [Heads Up] GitHub Breach Shows Developer Tools Are Social Engineering Targets Alert: Extortion Groups Are Using Phishing Kits to Automate Their Attacks Beyond the Chatbot: Why Your AI Agents are Your Newest (and Most Vulnerable) Colleagues Report: Adversarial Use of AI is Evolving
CyberheistNews Vol 16 #24 [FBI Alert] Lock Down Your Microsoft 365 Device Code Flows Now
KnowBe4 Team · 2026-06-16 · via Human Risk Management Blog

Cyberheist News


CyberheistNews Vol 16 #24  |   June 16th, 2026


[FBI Alert] Lock Down Your Microsoft 365 Device Code Flows Now

The U.S. Federal Bureau of Investigation (FBI) has warned that a new phishing-as-a-service (PhaaS) platform called "Kali365" is targeting OAuth tokens to gain direct access to users' Microsoft 365 accounts without stealing credentials or multifactor authentication codes.

"Through the Kali365 platform subscription, cyber threat actors can capture 'OAuth' tokens and gain persistent access to targeted individuals or entities' Microsoft 365 environments," the Bureau says. "Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities."

According to the FBI, the attack proceeds as follows:

  • Lure: An attacker sends a phishing email impersonating trusted cloud productivity and document-sharing services. This phishing email contains a device code with instructions to visit a legitimate Microsoft verification page and enter the code.
  • Authorization: The targeted individuals/entities navigate to the real Microsoft page and pastes in the device code, unknowingly authorizing the attacker's device to access their account.
  • Token Theft: The attacker captures OAuth access and refresh tokens, granting them access to the targeted individuals/entities' Microsoft 365 account.
  • Persistence: The attacker can now access Microsoft 365 services such as Outlook, Teams and OneDrive without needing a password or completing any additional MFA challenges.

The Bureau recommends that organizations lock down their device code flows to limit or block device authentication codes unless absolutely necessary. Employee awareness training also helps users recognize phishing attempts so they can thwart these attacks from the start.

Blog post with links:
https://blog.knowbe4.com/fbi-kali365-phishing-kit-targeting-microsoft-365

Why Your DLP Is Failing and What to Do About It

Insider-related incidents now cost organizations $19.5 million annually.

That figure is up 20% in two years—and legacy DLP isn't closing the gap. From accidental mis-deliveries and malicious theft to employees pasting sensitive data into unauthorized Shadow AI tools, a single breach can cause catastrophic damage.

With misdirected emails and unvetted AI usage driving modern security incidents, it's time for intelligent, context-aware data security.

Join Erich Kron, KnowBe4 CISO Advisor, as he deconstructs the hidden risks inside your email environment and shows you a fundamentally different approach to data protection — one built around user intent and behavioral context, not rigid rules and reactive blocks.

You'll learn how to:

  • Use behavioral AI to identify risky behaviors and stop mistakes or malicious actions in real time.
  • Protect your proprietary and sensitive data from exposure to unapproved Shadow AI tools without disrupting productivity.
  • Eliminate mis-delivery errors and safeguard sensitive data automatically.
  • Explore tools to assess your users' risk levels and gain full audit visibility for compliance.
  • Use contextual nudges to create teachable moments that improve security awareness across your workforce.

Join us and find out how you can proactively prevent data loss while building a more security-conscious culture in your organization and earn CPE credits for attending!

Date/Time: TOMORROW, Wednesday, June 17, @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/why-your-dlp-is-failing?partnerref=CHN2

Visa: "Now AI-Enabled Social Engineering Attacks Are the No. 1 Fraud Category"

Threat actors are increasingly using AI-enabled social engineering to get around technical security measures, according to a new report from Visa.

Social engineering attacks were behind the largest number of losses in the second half of 2025. "From July to December 2025, Visa identified nearly $1 billion in scam-related activity, making scams the single largest category of consumer payment fraud," Visa says.

"Unlike traditional fraud, these attacks typically do not require breaching technology. Instead, scammers impersonate trusted brands and institutions, manufacture urgency and deceive victims into completing legitimate-looking transactions."

The report also found that ransomware attacks rose by 26% in the second half of 2025, though the number of victims who paid the ransom fell to the lowest on record. Visa believes this reflects "improving resilience and recovery capabilities, as well as a reluctance to pay when data could still be leaked, regardless of payment."

Michael Jabbara, SVP, Payment Ecosystem Risk and Control at Visa, stated, "The rapid adoption of AI has fundamentally lowered the barrier to entry for fraud. What once required deep technical skill can now be executed with a prompt.

"That reality makes intelligence-driven defenses and coordinated action across the ecosystem more critical than ever."

Paul Fabara, Visa's Chief Risk and Client Services Officer, added, "Payments at a network level continue to get safer, but threats are evolving faster than ever. Criminals are increasingly targeting people rather than technology, using deception, urgency and AI-enabled tools to exploit trust.

"Addressing this shift requires continuous innovation at the network level and close collaboration across banks, merchants, policymakers and the broader payments ecosystem."

Blog post with links:
https://blog.knowbe4.com/report-ai-enabled-social-engineering-attacks-are-on-the-rise

Email and Messaging Security That Understands You

Email is your riskiest channel for attacks and data loss. Nearly 58,000 threats slip past traditional defenses every day. They're not occasional. They're persistent, high-volume and growing more sophisticated with AI.

See how you can stop up to 97% more attacks and uncover 10 times more potential data breaches before they happen.

Join this live demo of KnowBe4’s Cloud Email Security to see how you can detect the full spectrum of inbound threats and outbound data loss, and coach your workforce in real time against every threat.

We will showcase:

  • Self-Serve DLP Rule Builder: Easily build and manage custom rules to stop outbound data leaks.
  • Misdirected Content Analysis: Smarter AI that understands context to catch errors before sensitive data goes to the wrong recipient.
  • NEW! Microsoft Teams Messaging Security: Extending defense beyond the inbox to monitor external chats, block threats and harden collaboration settings.
  • Teachable Security Moments: Real-time coaching that fixes risky user behavior in the moment.

Your defenses are only as strong as your weakest entry point. Don't let email be it.

Date/Time: Wednesday, June 24, @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/ces-demo-3?partnerref=HS

A Look at Spam vs. Phishing: 4 Key Differences

Great inspiration for creating user-facing security awareness content!

Spam and phishing are often used interchangeably in email security, but they serve distinct purposes and carry varying levels of risk. Understanding the difference between spam vs. phishing helps organizations better recognize threats and respond appropriately.

This guide breaks down how spam and phishing differ, how to identify each and what steps organizations can take to reduce risk.

Key Takeaways:

  • Spam emails are unsolicited and typically promotional, while phishing emails are designed to deceive users into taking risky actions.
  • The key difference between the two is intent: spam promotes, phishing manipulates.
  • Phishing poses a higher risk because it can lead to credential theft, financial loss and broader system exposure.
  • Spam is usually generic and low-pressure, while phishing messages often create urgency and mimic trusted sources.
  • Effective defense requires both technical controls and user training to improve how threats are recognized and handled.

[CONTINUED] Blog post with links:
https://blog.knowbe4.com/a-look-at-spam-vs.-phishing-4-key-differences

[Virtual Summit] Secure Every Human & AI Agent

You're invited! Join us for the Workforce Security Summit on July 8 to see what securing both your humans and AI agents looks like in practice.

The workforce has changed, your security strategy needs to catch up. AI agents are proliferating across your organization. Attackers are weaponizing deepfakes and AI-powered social engineering against your people. The old playbook wasn't built for a workforce that is no longer purely human.

Here's what you'll walk away with:

  • Look to the future of AI-native security: Join CEO Bryan Palma for a look at the future of digital workforce security and the innovation shaping what comes next
  • Know your threat. Own your defense. Walk away confident you have the knowledge and tools to defend against the threats targeting your people and agents — deepfakes, AI-powered phishing, voice cloning and more
  • See what’s coming on the KnowBe4 Platform roadmap and get an exclusive inside look at what’s next

Date/Time: Wednesday, July 8 @ 1:00 - 3:00 PM ET

Save My Spot:
https://www.knowbe4.com/workforce-summit-na?partnerref=CHN

Let's stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: KnowBe4 Wins Multiple 2026 TrustRadius Top Rated Awards:
https://blog.knowbe4.com/knowbe4-wins-multiple-2026-trustradius-top-rated-awards

PPS: [For your CMO] Yours Truly in Forbes "Five Patterns Leading To An Impending Revenue Miss":
https://www.forbes.com/councils/forbestechcouncil/2026/06/09/five-patterns-leading-to-an-impending-revenue-miss/

Quotes of the Week  

"There is nothing impossible to him who will try."
- Alexander the Great (356 - 323 BC)


"It is hard to fail, but it is worse never to have tried to succeed. In this life we get nothing save by effort."
- Theodore Roosevelt - 26th U.S. President (1858 - 1919)


Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-24-fbi-alert-lock-down-your-microsoft-365-device-code-flows-now

Security News

APWG Report: Social Media Phishing Is Surging

Phishing scams surged across social media platforms during the first quarter of 2026, according to a new report from the Anti-Phishing Working Group (APWG).

"Threat volume increased in Q1 2026 on every social media platform, predominantly in two formats: Scams (27.1 percent of all threats) and Impersonation (43.8 percent of all threats)," the report says.

The APWG adds, "Impersonation became more prevalent than in the previous quarter. Impersonation is frequently the opening move in a scam campaign, with threat actors establishing a fake identity before advancing to financial fraud. Seen through that lens, the two categories remain deeply intertwined, and their combined 70.9 percent share still represents the core of the threat landscape."

Attackers are also using more advanced evasion techniques to hide their websites from security scanners, giving their schemes a longer lifespan.

"Fraudsters appear to be using more intricate and elaborate methods to hide their scam and phishing sites," the APWG says. "Phishers are still employing well-known techniques such as geo/IP blocking and user-agent blocking. But an increasing number of sites only show fraudulent content when the referrer is a certain site or kind of site.

"For example, the fraud site is only displayed if the user came from the Bing search engine and had searched for "[bank name] bank login", or visited from a certain social media site (i.e. a user clicked on a comment in a TikTok video).

"Otherwise, the visitors will see innocuous-looking content, or may be redirected to another site."

KnowBe4 empowers your workforce to make smarter security decisions every day.

The APWG has the story:
https://www.accessnewswire.com/newsroom/en/computers-technology-and-internet/apwg-q1-2026-report-phishing-and-scams-rising-on-all-social-media-1170893

Americans Lost $900 Million to AI-Powered Scams Last Year

The U.S. Federal Bureau of Investigation (FBI) warns that Americans lost just under $900 million to AI-powered scams in 2025, Malwarebytes reports. Total reported losses to scams last year reached nearly $21 billion, a 26% increase from 2024.

The researchers note that the true losses are likely much higher, since many attacks go unreported. "The main drivers behind the rise in AI-powered scams are voice cloning, deepfake images and videos and AI‑generated scripts," Malwarebytes says. "These tools have supercharged classic fraud schemes such as romance scams, kidnapping and extortion calls, fake influencers and government impersonation."

The FBI notes that AI tools have drastically lowered the bar for attackers to craft highly realistic fraudulent content. "AI technology enables the creation of convincing synthetic content, such as social media profiles and personalized conversations, often in mass quantities," the Bureau says.

"People have manipulated video and audio similarly for decades, but the widespread availability of this developing technology makes it possible to create high-quality content. AI-enabled synthetic content is becoming increasingly difficult to detect and easier to make, which allows criminal actors to potentially conduct successful fraud schemes against individuals, businesses and financial institutions."

Malwarebytes concludes that these attacks will increase as AI tools improve and become more accessible. "The FBI and financial institutions recommend verifying identities via official contact channels," Malwarebytes says.

"One of their biggest concerns is government impersonation scams, which have evolved from crude IRS gift‑card phone calls into sophisticated, multi‑channel operations that combine spoofed caller ID, stolen agency logos and AI-generated audio and video of public officials.

"This report, and others like it, shows how AI is being weaponized to automate research on victims, generate convincing scripts and create highly believable deepfake personas at scale. AI is also increasingly used in business email compromise (BEC), romance scams and impersonation fraud.

"In BEC cases involving AI, losses have already reached tens of millions of dollars for businesses alone."

Over 70,000 organizations worldwide trust the KnowBe4 Platform to strengthen their security culture and reduce risk.

Malwarebytes has the story:
https://www.malwarebytes.com/blog/scams/2026/06/americans-lost-nearly-900-million-to-ai-powered-scams-fbi-says

What KnowBe4 Customers Say

"Thank you so much for the fantastic call today. You answered many questions that I had that I hadn't even verbalized on the call. It has been a good experience working with KnowBe4 for about nine years now and you two have continued that great working relationship. I greatly appreciate you!"

- T.M., Executive Director - Information Technology Services

The 10 Interesting News Items This Week

  1. OpenClaw AI agent found falling for phishing attacks, spills user data:
    https://www.bleepingcomputer.com/news/security/openclaw-ai-agent-found-falling-for-phishing-attacks-spills-user-data/
  2. Attackers continue to exploit World Cup hype:
    https://cyble.com/blog/fifa-world-cup-2026-scams/
  3. AI brands as bait: How threat actors are using the AI hype in social engineering:
    https://www.microsoft.com/en-us/security/blog/2026/06/08/ai-brands-as-bait-how-threat-actors-are-using-the-ai-hype-in-social-engineering/
  4. WhatsApp says it disrupted new NSO spyware phishing attacks:
    https://www.bleepingcomputer.com/news/security/whatsapp-says-it-disrupted-new-nso-spyware-phishing-attacks/
  5. When “Hi, This Is IT” Comes Through Microsoft Teams:
    https://unit42.paloaltonetworks.com/microsoft-teams-phishing/
  6. North Koreans behind nearly half of U.S. tech industry hacks, says CrowdStrike:
    https://techcrunch.com/2026/06/10/north-koreans-behind-nearly-half-of-us-tech-industry-hacks-says-crowdstrike/
  7. Social media overtakes email as the primary vector for scams:
    https://www.bitdefender.com/en-us/blog/hotforsecurity/global-scam-report-2026
  8. Authorities dismantle 'AudiA6' ransomware crypto-laundering service:
    https://www.bleepingcomputer.com/news/legal/authorities-dismantle-audia6-ransomware-crypto-laundering-service/
  9. Google sues China-based cybercrime network over AI phishing tools:
    https://www.helpnetsecurity.com/2026/06/12/google-china-based-cybercrime-network-lawsuit/
  10. Cybersecurity software misses one in five phishing links:
    https://www.infosecurity-magazine.com/news/cybersecurity-fails-to-detect/

Cyberheist 'Fave' Links

This Week's Links We Like, Tips, Hints and Fun Stuff