
The newest wave of cyberattacks isn’t loud. It’s quiet, routine-looking, and designed to blend into the same login screens, encrypted messages, and IT tools employees use every day.
Security teams are tracking a clear shift: phishing is getting harder to spot early because it increasingly rides on trusted infrastructure, real authentication flows, encrypted traffic, and permissions that look normal on paper. At the same time, actively exploited vulnerabilities, like a newly flagged Cisco flaw in its Catalyst SD-WAN Manager, are shrinking the window between “patch available” and “you’ve been hit.”
The result is a dangerous illusion. An organization can be fully “up to date” in audits and still get blindsided by attacks that don’t trip the usual alarms.
OAuth Trap turns “clean” single sign-on into a session theft machine
OAuth Trap works because it exploits muscle memory: click, approve, move on. Instead of sending a sketchy attachment, attackers push targets into an authentication flow that looks exactly like what they see at work: an SSO login, an authorization pop-up, a consent screen asking to “allow access.”
When the process feels legitimate, people lower their guard. And that’s the point. The attacker isn’t always stealing a password; they’re grabbing an OAuth token or locking in delegated access that can persist even after a password change.
This is why security teams are increasingly focused on tightening consent policies and monitoring third-party app authorizations. The problem isn’t just “users clicking.” OAuth is designed to make approving access fast, and attackers are abusing that design.
There’s no single magic fix. Companies are combining regular reviews of authorized apps, alerts for unusual consent events, and conditional access policies. The practical sweet spot: limit what users can approve on their own, route sensitive permissions through an approval process, and log OAuth/token/SSO activity with enough detail to spot abuse.
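The monitoring the paragraph above describes, worked as an added example that is not part of the original article: two checks run over constructed consent-audit records. The first flags users who approved high-risk scopes for an unvetted app on their own; the second flags an app that collected consents from several distinct users within minutes, which is the footprint of a consent-phishing campaign rather than normal adoption. The JSON field names, scope strings, app identifiers and thresholds are assumptions, modelled loosely on what cloud identity providers emit; map them to your tenant's audit schema.

```python
"""Detect risky OAuth consent activity from constructed audit-log records.

Added example (not from the article). The JSON field names, the scope
strings and the app identifiers are assumptions modelled loosely on the
consent events cloud identity providers emit; map them to your own tenant's
audit schema before use.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Scopes that grant broad or persistent access (lower-cased for comparison).
# A user approving these on their own is the kind of consent that should go
# through an approval process instead.
HIGH_RISK_SCOPES = {
    "offline_access", "mail.read", "mail.send",
    "files.readwrite.all", "directory.read.all",
}

# Apps already vetted by the organisation (assumption: kept in a registry).
APPROVED_APP_IDS = {"app-hr-portal", "app-expense-tool"}

# Constructed sample records (JSON lines), not real tenant data.
SAMPLE_LOG = """\
{"ts": "2026-03-02T09:01:10Z", "user": "alice@example.test", "app_id": "app-hr-portal", "app_name": "HR Portal", "scopes": ["openid", "profile"], "admin_consent": false}
{"ts": "2026-03-02T09:03:42Z", "user": "bob@example.test", "app_id": "app-7f3a", "app_name": "Mail Sync Helper", "scopes": ["openid", "offline_access", "Mail.Read"], "admin_consent": false}
{"ts": "2026-03-02T09:04:05Z", "user": "carol@example.test", "app_id": "app-7f3a", "app_name": "Mail Sync Helper", "scopes": ["openid", "offline_access", "Mail.Read"], "admin_consent": false}
{"ts": "2026-03-02T09:05:30Z", "user": "dave@example.test", "app_id": "app-7f3a", "app_name": "Mail Sync Helper", "scopes": ["openid", "offline_access", "Mail.Read"], "admin_consent": false}
{"ts": "2026-03-02T11:20:00Z", "user": "erin@example.test", "app_id": "app-expense-tool", "app_name": "Expense Tool", "scopes": ["openid", "Files.ReadWrite.All"], "admin_consent": true}
"""


def parse_events(text):
    """Parse JSON-lines consent records and return them sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["scopes"] = {s.lower() for s in rec["scopes"]}
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def risky_self_consents(events):
    """Users who granted high-risk scopes to an unvetted app on their own.

    Admin-approved consents and vetted apps are excluded: those went through
    the approval path rather than a single click by the end user.
    """
    findings = []
    for rec in events:
        risky = rec["scopes"] & HIGH_RISK_SCOPES
        if risky and not rec["admin_consent"] and rec["app_id"] not in APPROVED_APP_IDS:
            findings.append({
                "user": rec["user"],
                "app_id": rec["app_id"],
                "app_name": rec["app_name"],
                "scopes": sorted(risky),
            })
    return findings


def consent_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Apps that several distinct users consented to inside one time window.

    Returns {app_id: peak_distinct_users} for apps at or above the threshold.
    """
    by_app = defaultdict(list)
    for rec in events:
        by_app[rec["app_id"]].append((rec["ts"], rec["user"]))
    bursts = {}
    for app_id, grants in by_app.items():
        grants.sort()
        peak = 0
        for i, (start, _) in enumerate(grants):
            # grants is time-sorted, so every entry from i onward is at or after `start`
            users = {user for ts, user in grants[i:] if ts - start <= window}
            peak = max(peak, len(users))
        if peak >= threshold:
            bursts[app_id] = peak
    return bursts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for f in risky_self_consents(evts):
        print(f"REVIEW  {f['user']} granted {f['scopes']} to {f['app_name']} ({f['app_id']})")
    for app_id, n in consent_bursts(evts).items():
        print(f"BURST   {n} users consented to {app_id} within 10 minutes")
```

On the sample data the first check reports bob, carol and dave, and the burst check reports app-7f3a with three users in a ten-minute window; erin's grant is not reported because the app is vetted and the consent was admin-approved. Scope names are compared case-insensitively because providers are not consistent about casing in audit output.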
“EDR killer” tactics aim to blind security tools before ransomware hits
Another trend showing up in recent threat reporting: attackers increasingly try to disable endpoint detection and response (EDR) tools before they deploy ransomware. One common method is BYOVD (“Bring Your Own Vulnerable Driver”), where criminals use a flawed, but often signed, driver to gain powerful system access and sabotage defenses.
What makes this especially nasty is how normal it can look. Installing drivers, running privileged commands, and changing system components can all happen during legitimate IT work. Done carefully, the activity can pass for routine administration, right up until the security tooling goes dark.
As one security leader put it bluntly: companies spend heavily on detection, but not enough on preventing attackers from turning detection off. Defensive steps include blocking unapproved drivers, using attack surface reduction rules, and watching closely for signs of tampering.
The organizations that fare best assume EDR will fail at some point. They add layers: centralized logging that doesn’t live on the endpoint, integrity checks, network segmentation, and tabletop exercises that explicitly test “EDR down” scenarios.
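Two of the layers just described, driver allowlisting and logging that does not live on the endpoint, worked as an added example that is not from the article or any EDR vendor. It evaluates constructed driver-load events against an approved-driver allowlist and a vulnerable-driver blocklist, then looks for endpoints whose heartbeat to a central log store has stopped; a host that shows both signals is the "EDR down" case the paragraph says to plan for. The hash values are labelled placeholders, the event fields and the 15-minute heartbeat gap are assumptions.

```python
"""Flag signs of EDR tampering from constructed endpoint telemetry.

Added example (not from the article or any EDR vendor). Assumptions: each
driver-load record carries the driver's SHA-256 and signer; the allowlist
and blocklist hashes below are made-up placeholders, not real driver hashes;
and every endpoint sends a periodic heartbeat to a central log store that
does not live on the endpoint, so an agent that has been killed shows up as
silence rather than as an alert the attacker could suppress.
"""
from datetime import datetime, timedelta

# Placeholder hashes, constructed for this example.
APPROVED_DRIVER_HASHES = {
    "sha256:PLACEHOLDER-APPROVED-0001": "storage vendor driver (IT-approved)",
}
KNOWN_VULNERABLE_DRIVER_HASHES = {
    "sha256:PLACEHOLDER-VULNERABLE-0001": "legacy utility driver on the vulnerable-driver blocklist",
}

BASE = datetime(2026, 3, 2, 9, 0)
NOW = datetime(2026, 3, 2, 10, 30)

# Constructed driver-load events.
SAMPLE_DRIVER_LOADS = [
    {"ts": BASE + timedelta(minutes=12), "host": "ws-017", "driver": "vendstor.sys",
     "signer": "Storage Vendor Inc", "sha256": "sha256:PLACEHOLDER-APPROVED-0001"},
    {"ts": BASE + timedelta(minutes=48), "host": "ws-042", "driver": "oldtool.sys",
     "signer": "Legacy Tools Ltd", "sha256": "sha256:PLACEHOLDER-VULNERABLE-0001"},
    {"ts": BASE + timedelta(minutes=49), "host": "ws-042", "driver": "helper.sys",
     "signer": None, "sha256": "sha256:PLACEHOLDER-UNKNOWN-0001"},
]

# Constructed heartbeats: ws-017 reports every 5 minutes up to NOW;
# ws-042 stops reporting one minute after the suspicious driver loads.
SAMPLE_HEARTBEATS = {
    "ws-017": [BASE + timedelta(minutes=5 * i) for i in range(19)],   # 09:00 .. 10:30
    "ws-042": [BASE + timedelta(minutes=5 * i) for i in range(11)],   # 09:00 .. 09:50
}


def classify_driver(rec):
    """Return 'approved', 'known_vulnerable' or 'unapproved' for one driver load."""
    if rec["sha256"] in KNOWN_VULNERABLE_DRIVER_HASHES:
        return "known_vulnerable"
    if rec["sha256"] in APPROVED_DRIVER_HASHES:
        return "approved"
    return "unapproved"


def driver_alerts(records):
    """Driver loads that were not on the allowlist, in time order."""
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        verdict = classify_driver(rec)
        if verdict != "approved":
            alerts.append({"host": rec["host"], "driver": rec["driver"],
                           "signer": rec["signer"], "verdict": verdict, "ts": rec["ts"]})
    return alerts


def silent_endpoints(heartbeats, now, max_gap=timedelta(minutes=15)):
    """Hosts whose last heartbeat is older than max_gap: {host: minutes_silent}."""
    silent = {}
    for host, beats in heartbeats.items():
        gap = now - max(beats)
        if gap >= max_gap:
            silent[host] = int(gap.total_seconds() // 60)
    return silent


def edr_killer_candidates(alerts, silent):
    """Hosts that loaded an unapproved driver and are now silent.

    Either signal alone has benign explanations (a new vendor driver, a
    laptop closed for the night); the combination is what merits a look.
    """
    hits = []
    for host in sorted(silent):
        if any(a["host"] == host for a in alerts):
            hits.append(host)
    return hits


if __name__ == "__main__":
    alerts = driver_alerts(SAMPLE_DRIVER_LOADS)
    silent = silent_endpoints(SAMPLE_HEARTBEATS, NOW)
    for a in alerts:
        print(f"DRIVER  {a['host']} loaded {a['driver']} ({a['verdict']}, signer={a['signer']})")
    for host, minutes in silent.items():
        print(f"SILENT  {host} has not reported for {minutes} min")
    print("EDR-killer pattern on:", edr_killer_candidates(alerts, silent))
```

On the sample data ws-042 loads a blocklisted driver and an unsigned, unknown one, then drops off the heartbeat feed; ws-017 loads only an approved driver and keeps reporting. The point of keeping the heartbeat check off the endpoint is that it keeps working when the agent itself has been disabled.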
Signal phishing shows encrypted messaging doesn’t stop social engineering
Phishing isn’t staying in email. Attackers are moving into the channels where teams communicate fastest: encrypted messaging apps like Signal, where people react quickly and question less.
Encryption protects messages in transit. It doesn’t protect the person reading them. A typical play: a fake “internal” contact sends an urgent request, a link to a login page, or a supposed IT verification step. In a busy workplace, it works because everyone has gotten real messages from support staff, managers, or vendors.
This shift also breaks traditional defenses. Email filters, sandboxing, and DMARC don’t see what happens inside chat apps. So the response has to include simple rules employees can follow: don’t send authentication links over chat, don’t request or share one-time codes in messages, and require a second verification step for sensitive actions.
Overly strict bans can backfire: people just move to other apps. The more durable approach is to create verified official channels, set identity-check procedures, and train employees using realistic, recent examples that match what attackers are doing now.
“Zombie ZIP” booby-trapped archives are back, because they look harmless
Zombie ZIP is a reminder that old-school tricks still work when they’re packaged well. Attackers are using compressed archives to hide malicious files in plain sight: buried in folder trees, disguised with misleading names, or structured to slip past basic checks.
In corporate life, ZIP files are everywhere: shared documents, exports, attachments, internal repositories. That normalcy is the advantage. And when the final payload is fetched later over encrypted connections, defenders lose even more early warning signals.
This puts pressure on endpoint policy. If employees can run anything from their Downloads folder, it’s a coin flip. Companies reducing risk are tightening application controls, restricting scripts and macros, and monitoring what happens after a file is opened: new processes, outbound connections, persistence attempts.
The challenge is avoiding a productivity meltdown for teams that legitimately handle archives all day. Many companies are moving toward controlled exceptions, scanned drop zones, and server-side unpacking instead of letting every workstation extract and execute locally.
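What a scanned drop zone with server-side unpacking can check before releasing anything, as an added example that is not from the article: the inspector below walks an archive's entries without extracting them and flags the tricks the section names, deep folder trees, misleading names and executable payloads, plus two related ones, entry names that try to escape the extraction directory and extreme compression ratios. It goes slightly beyond the text in that way. The archive is constructed in memory; the depth and ratio thresholds and the extension lists are assumptions to tune per environment.

```python
"""Inspect a ZIP archive server-side before anyone extracts it.

Added example (not from the article). It flags deep folder trees,
misleading names and executable payloads, plus path-traversal entry names
and extreme compression ratios. The archive below is constructed in memory;
thresholds and extension lists are assumptions to tune per environment.
"""
import io
import posixpath
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1",
                   ".js", ".vbs", ".hta", ".lnk", ".msi", ".dll"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
MAX_DEPTH = 4          # folders deeper than this are flagged
MAX_RATIO = 100        # uncompressed/compressed ratio above this is flagged


def build_sample_archive():
    """Construct a test archive containing one clean file and four decoys."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Q1 report/summary.txt", "quarterly numbers\n")
        # executable buried five folders deep and named like a PDF
        zf.writestr("Q1 report/archive/old/backup/misc/invoice.pdf.exe", b"MZ" + b"\x00" * 64)
        # entry name that tries to escape the extraction directory
        zf.writestr("../../startup/run.bat", "@echo off\r\n")
        # spaces pushing the real extension out of the visible part of the name
        zf.writestr("Q1 report/notes" + " " * 40 + ".scr", b"MZ" + b"\x00" * 16)
        # highly compressible blob (decompression-bomb pattern)
        zf.writestr("bloat.bin", b"\x00" * 2_000_000)
    return buf.getvalue()


def inspect_archive(data):
    """Return a list of (entry_name, finding) pairs; empty means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            if posixpath.isabs(name) or norm == ".." or norm.startswith("../"):
                findings.append((name, "path_traversal"))
            parts = [p for p in name.split("/") if p and p != "."]
            if len(parts) - 1 > MAX_DEPTH:
                findings.append((name, "deep_nesting"))
            if not parts or info.is_dir():
                continue
            stem, ext = posixpath.splitext(parts[-1])
            if ext.lower() in EXECUTABLE_EXTS:
                findings.append((name, "executable"))
                # a document extension immediately before the executable one
                if posixpath.splitext(stem.rstrip())[1].lower() in DOCUMENT_EXTS:
                    findings.append((name, "double_extension"))
            if stem != stem.rstrip():
                findings.append((name, "padded_name"))
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append((name, "compression_ratio"))
    return findings


def safe_members(data):
    """Entries with no findings: the only ones a scanned drop zone should release."""
    flagged = {name for name, _ in inspect_archive(data)}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist()
                if i.filename not in flagged and not i.is_dir()]


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, finding in inspect_archive(sample):
        print(f"{finding:18} {name!r}")
    print("releasable:", safe_members(sample))
```

On the sample archive only summary.txt comes out clean. Python's own ZipFile.extract strips leading "../" components, so the traversal check matters mostly for other unpackers that may not; the ratio check is done from the central directory's size fields, so it costs nothing and runs before any decompression.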
Cisco warns of active exploitation targeting Catalyst SD-WAN Manager
Beyond phishing and stealth tactics, patching remains a race, especially when vendors confirm real-world exploitation. Cisco says two vulnerabilities affecting Catalyst SD-WAN Manager (formerly called vManage) are being exploited “in the wild.” One of them, CVE-2026-20122, carries a CVSS severity score of 7.1 and is described as an arbitrary file overwrite flaw that could let an authenticated remote attacker overwrite files on the local system.
That word, “authenticated”, often gets misunderstood as “less urgent.” In practice, credentials get stolen, reused, guessed, or obtained after an initial compromise. And an SD-WAN management platform is a high-value target: it can touch network connectivity, policy controls, and sometimes sensitive access secrets.
The broader pattern is familiar: the gap between disclosure and exploitation keeps shrinking. IT teams, stretched thin, can’t patch everything instantly, and when maintenance windows and testing lag, attackers don’t wait.
The realistic playbook is prioritization with discipline: maintain a precise asset inventory, understand real exposure, segment critical systems, monitor for exploitation signals, and have an update plan that doesn’t start only after an emergency. When exploitation is confirmed, the worst time to discover who owns a system, or where it even is, is after attackers are already inside.
Key Takeaways
- Modern phishing mimics legitimate user journeys, especially through OAuth and encrypted flows.
- EDR killer and BYOVD techniques aim to disable defenses before the main attack.
- Messaging apps like Signal are becoming a full-fledged social engineering channel.
- Booby-trapped archives like Zombie ZIP remain effective because these formats seem so ordinary.
- Actively exploited vulnerabilities, like Cisco's CVE-2026-20122, leave less time to respond.
Frequently Asked Questions
Why is OAuth Trap harder to detect than classic phishing?
Because the attack relies on authentication flows that look like normal sign-ins, with believable pages and sometimes legitimate infrastructure. The weak signal is in the consent granted and how tokens are used, not in an obvious malicious file.
What is a BYOVD attack against an EDR?
BYOVD stands for “Bring Your Own Vulnerable Driver.” The attacker brings or exploits a vulnerable driver to gain high privileges on the machine, then tries to disable or bypass the EDR. The goal is to reduce visibility and prevent automated response.
Does Signal encryption protect against phishing?
Encryption protects message transport, not the user’s decision. If a message pushes you to click a link or approve an action, the risk remains. Defense relies on usage rules, identity verification, and internal procedures.
Why can a ZIP archive be dangerous in a company environment?
Because it can hide deceptive files, folder structures that bury the dangerous item, or trigger an execution chain after it’s opened. Controls should include scanning, restricting execution from high-risk folders, and behavioral monitoring.
Is an “authenticated attacker” vulnerability less urgent to fix?
Not necessarily. Credentials can be stolen, reused, or obtained after an initial compromise. On critical components like an SD-WAN manager, authenticated exploitation can have major impact. Priority depends on exposure, access controls, and signs of active exploitation.