FIDO Downgrade Attack Demonstrated in Microsoft Entra ID

Threat actors are exploiting HTTP client tools like Axios and Microsoft's Direct Send feature to create highly efficient phishing campaigns targeting Microsoft 365 environments. These attacks, which began in July 2025, initially targeted executives and managers in finance, healthcare, and manufacturing sectors, but have since expanded to all users. The campaigns use compensation-themed lures to trick recipients into revealing credentials and bypassing multi-factor authentication (MFA). The abuse of Axios has surged, accounting for 24.44% of all flagged user agent activity from June to August 2025. The attacks leverage Axios to intercept, modify, and replay HTTP requests, capturing session tokens or MFA codes in real-time. This method allows attackers to bypass traditional security defenses and conduct phishing operations at an unprecedented scale. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA has been discovered, which steals Microsoft login credentials and sidesteps MFA by simulating various authentication methods. Salty 2FA uses advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its phishing campaigns. It also abuses legitimate platforms to stage initial attacks and uses Cloudflare Turnstile for secure CAPTCHA replacement. Salty2FA campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. The campaigns target industries including finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting.

A new malware campaign using MostereRAT, a banking malware-turned-RAT, targets Japanese Windows users. The malware employs sophisticated evasion techniques, including the use of an obscure programming language and disabling of security tools, to maintain long-term access and control over compromised systems. The campaign begins with phishing emails that lure victims into downloading a malicious Word document. Once installed, MostereRAT deploys multiple modules to achieve persistence, privilege escalation, and remote access. The malware is designed to evade detection and disable various antivirus and endpoint detection and response (EDR) products, making it difficult for defenders to detect and mitigate the threat. The primary goal of MostereRAT is to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data. The malware uses mutual TLS (mTLS) to secure command-and-control (C2) communications and can monitor foreground window activity associated with Qianniu - Alibaba's Seller Tool. It can also perform Early Bird Injection to inject an EXE into svchost.exe.

The threat actor, tracked as UNC6395 by Google and GRUB1 by Cloudflare, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and steal data from Salesforce customer instances. The campaign, active from August 8 to at least August 18, 2025, targeted over 700 organizations, including Workiva and Stellantis, and impacted all integrations connected to the Drift platform, not just Salesforce. The attackers exported large volumes of data, including credentials for AWS, passwords, and Snowflake access tokens. Zscaler, Palo Alto Networks, Cloudflare, and Workiva reported data breaches after threat actors accessed their Salesforce instances via compromised Salesloft Drift credentials, exposing customer information. The breach began with the compromise of Salesloft's GitHub account, accessed by UNC6395 from March to June 2025. The threat actor accessed multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred in the Salesloft and Drift application environments between March and June 2025. The attackers accessed Drift's AWS environment and obtained OAuth tokens for Drift customers' technology integrations. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened it with improved segmentation controls. Salesloft recommends that all third-party applications integrated with Drift via API key revoke the existing key. Salesforce restored the integration with the Salesloft platform on September 7, 2025, except for the Drift app, which remains disabled. Salesloft and Salesforce have taken steps to mitigate the breach, including revoking tokens and removing the Drift application from AppExchange. The breach highlights the risks associated with third-party integrations and the potential for supply chain attacks. UNC6395 demonstrated operational discipline, querying and exporting data methodically, and attempting to cover their tracks by deleting query jobs. The targeted organizations included security and technology companies, suggesting a broader strategy to infiltrate vendors and service providers. The campaign is limited to Salesloft customers who integrate their own solutions with the Salesforce service. There is no evidence that the breaches directly impacted Google Cloud customers, though any of them that use Salesloft Drift should review their Salesforce objects for any Google Cloud Platform service account keys. The threat group ShinyHunters and Scattered Spider claimed responsibility for many of those attacks, and vishing attacks have been cited as the means of compromise. Google disclosed that UNC6040 breached one of its Salesforce instances using these tactics. The UNC6395 Salesloft Drift activity is separate from the vishing attacks attributed to UNC6040. Okta successfully defended against a potential breach by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric. Palo Alto Networks' Unit 42 advised organizations to conduct immediate log reviews for signs of compromise and rotate exposed credentials. Okta suggests reducing the blast radius of a single entity breach by constraining token use by IP and client and ensuring granular permissions for M2M integrations. The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations' Salesforce environments to steal data and extort victims. UNC6040 is a threat actor that specializes in voice phishing or vishing and recently was observed using social engineering to pose as IT support staff to get into Salesforce environments. UNC6395 is best known for using stolen OAuth tokens from Salesloft's Drift application, which has a Salesforce integration, to steal sensitive data from hundreds of Salesforce environments earlier this year. The FBI's latest advisory provides additional context into the technical aspects of the threat campaigns, particularly UNC6040's activity, which began last fall. The advisory also includes indicators of compromise, including IP addresses and URLs associated with the two campaigns.

Six major password managers are vulnerable to clickjacking attacks that can leak account credentials, 2FA codes, and credit card details. The flaws were presented at DEF CON 33 and verified by Socket. Attackers exploit these vulnerabilities by overlaying invisible HTML elements over the password manager interface, tricking users into leaking sensitive information. The affected password managers include 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce. The vulnerabilities can be exploited when users visit malicious pages or websites vulnerable to XSS or cache poisoning. Some vendors have acknowledged the issues and are working on fixes, while others have downplayed the severity or not responded. Bitwarden has released a patch, and users are advised to disable the autofill function and use copy/paste until fixes are available.