M365 Copilot AI Prompt Injection Attack Patched; Salesforce Misconfigurations Risk Data Leaks; Patch Tuesday: Microsoft and Adobe

Microsoft has patched the flaw, and no user action is required to address the issue. The flaw is leveraging Microsoft Graph to answer a query which is using data from their mailbox, OneDrive, SharePoint, Office Files and MS Teams. It's the Microsoft Graph interface which allows exfiltration of the otherwise organizationally private data.

Lee Neely

These retrieval bugs are really fascinating, as any GenAI that uses any type of document ingestion or web scraping feature can be prone to having issues between what is designed to be data to be ingested versus new prompt commands. These confusion bugs are common in many traditional web bugs where the system cannot determine the difference between data and code.

Moses Frost

This is another warning that AI applications are complex, immature and, from a security perspective, present serious risks to data security requiring remediation until those 'finer levels of granularity' are routinely built in.

John Pescatore

One more instance in which features, functions, and 'early-to-market' trump secure by design. We can expect it to get worse as software becomes ever more complex.

William Hugh Murray

'Low Code' systems have been the rage for quite a bit of time, especially now with the advent of GenAI systems. These systems, however, do generate quite a bit of code, and as was disclosed in this disclosure, there was plenty of attack surface in these systems. If you're looking to use these, I suspect they have not been thoroughly audited, and you should probably give these a look.

Moses Frost

Data safety, like physical safety, requires built-in 'interlocks' to prevent users/admins from selecting unsafe combinations of settings and parameters. Essentially, a form of setting 'fuzz testing' is needed before release for apps that will handle sensitive data.

John Pescatore

With cloud-based services we're reminded that security of the configuration is paramount. It's easy to be lulled into thinking the provider handles everything; they generally don't. Make sure that you know the consequence of loss and protection requirements for the data you're processing in that environment to ensure you implement the appropriate security controls. Then, make sure that you review the baseline regularly to ensure all previous and new protections are implemented. If you're a SalesForce shop, review your field level and components' permissions, verify you're applying regular updates, and make sure you are using private, not public, caching mechanisms to protect user data.

Lee Neely

Make sure you're not forgetting to update your Adobe suite; CC users are likely being prompted, but you probably have standalone installs of reader you need to verify. Check for older Adobe products, like Reader 2020, to see if they can either be removed or upgraded to the current versions. Note that the AEM Cloud service is automatically updated; you're going to have to update your on-premises version yourself, for now. There are no reported exploits, but don't bank on that remaining unchanged.

Lee Neely

We cannot patch our way to security. Patching is not timely or efficient. We need secure development tools and procedures that result in essential quality early.

William Hugh Murray

WebDAV, a Critical SMB Vulnerability, and a Word RCE. What decade is this again?

Moses Frost

CVE-2025-5958 and CVE-2025-5959 have CVSS scores of 8.8. I'm pretty sure we all saw the latest relaunch to update Chrome, released Tuesday, but did you check Firefox? CVE-2025-49709 and CVE-2025-49710 have CVSS scores of 9.8. Good news is the Firefox update was also released June 10th, and ESR 128.11 & 115.24 are not affected.

Lee Neely

These vulnerabilities put all users and uses at risk. The use of browsers should be restricted to browsing. Prefer purpose built clients for sensitive applications.

William Hugh Murray

First, kudos to Google for investing in a bug bounty program. It's proven itself repeatedly these past few years. Second, both Google and Mozilla make it easy to update to the latest version of their browser. Just close and restart your browser. In fact, get into the habit of restarting your browser daily, it's an excellent security best practice.

Curtis Dukes

The issue was that the installer configuration could be abused by a user with system level access. This handling is fixed in the updated ScreenConnect. The code signing certificates were used by all three products, so updates are needed. If you're using the cloud versions of ConnectWise Automate or RMM, the updates will be automatically applied. The updates for the on-premises versions of ScreenConnect and Automate are available now and need to be applied to avoid user impact.

Lee Neely

I would say if ConnectWise is being proactive by rotating certificates based on a disclosure, that would be a great move. If you're a ConnectWise customer, you will probably need to update to get the new certificates.

Moses Frost

Operation Secure discovered 69 infostealer variants including Lumma, Risepro, and Meta Stealer. The identified infrastructure included 117 C2 servers spread across 89 internet service providers. The information stolen included credentials, cookies, credit card details and cryptocurrency account data. Make sure you know how to update those credentials, that you've enabled MFA where available, and that you know who (and what) has access to your online accounts, particularly financial/banking services.

Lee Neely

I think our industry downplays InfoStealers, as quite honestly these things are probably just as bad if not worse than other types of malware. With 100GB of InfoStealer logs being reported, that is a lot of data.

Moses Frost

Some eye-popping figures posted as part of Operation Secure, and it only took four months. Kudos to team Law Enforcement. That said, cyber-crime still pays handsomely, so expect the infrastructure to be rebuilt and operational soon. Until then, hopefully everyone can enjoy the slowdown in phishing, smishing, and vishing attacks delivered daily to their inbox.

Curtis Dukes

We may never get the cost of attack greater than the value of success but this is a big step in the right direction.

William Hugh Murray

The annus horribilis for Texas continues. Seems like a serious review is in order by the TX CIO and CISO on how systems are secured within the state. Sure, credentials get can be compromised. That's why we have multi-factor authentication (MFA). Another interesting tidbit is that a user (TX employee) can download all records (300K). Seems like a bit more granularity in protecting citizens data would be in order as well.

Curtis Dukes

TxDOT's notice to affected users advises them to be careful of emails, texts or calls related to past crashes, and they have established a dedicated call line for victims with questions. Not a bad time to remind users to verify contact from law enforcement as many phishing scams rely on people accepting that contact as genuine.

Lee Neely

Crash reports also contain known associates of people in the vehicle you're in.

Moses Frost

Ticketholders are being asked to present paper or emailed tickets and are being turned away if they don't have verifiable tickets. When's the last time you thought about a low-tech backup for your digital ticket? Yes24 is reporting they have regained access to their administrator account and are restoring services. When's the last time you walked through the scenario of losing access to your administrator accounts? Don't just think about OS/AD admin; consider your applications, local and hosted. Make sure those break-glass processes work.

Lee Neely

Companies find interesting and sometimes unique ways to hide the fact of a security incident. Most likely they're guided by their legal team. In this case the use of the term 'system maintenance.' Yes, they are likely performing system maintenance but is that maintenance routine or the result of a security incident? We now know it's the latter.

Curtis Dukes

M&S is closing in on full-service restoration. If you're a M&S online user, be aware of the limits in both selection and delivery for online shopping: it's clothing and footwear right now, beauty and homeware targeted next week. Even so, many items are still reporting out of stock, so be patient.

Lee Neely

By now LibreOffice is probably good enough for standard office documents. If someone in the ministry is an Excel power user, you may find LibreOffice lacking. We have seen a few governments attempt this, specifically in Germany, it's not been generally successful. To be frank it has less to do with Linux itself and more to do with the Desktop Environments provided. Another one to watch for sure.

Moses Frost

This is really about the EUÕs desire to reduce dependence on foreign technology providers, and assert greater control over its digital infrastructure, data, and technological future. While the idea of switching both the operating system and office productivity suite sounds simple, user and process impact may not be so simple. Additionally, the switch requires a change in security and support processes, skills, training, and products. The Ministry is being careful with the transition, acknowledging the transition will have impacts and may require returning to the old system to develop alternatives.

Lee Neely

Protection of a country's data (aka, digital sovereignty) is an important mandate in Europe and will continue to be. That said, there are some serious technical and fiscal challenges in getting off a private sector cloud and use of commercial IT applications. When it comes to cloud infrastructure, there arenÕt a lot of options without a lot of fiscal investment. Even open-source software comes at a cost that tends to grow over time. And what's next, the building of chip fab's and manufacturing of endpoint devices? Perhaps it's time to move away from the political soundbite and entertain other strategies to enforce the EU mandate.

Curtis Dukes