
Systematic exploitation of low-severity alert gaps uncovered across 25M enterprise security alerts

1 unique source, 1 article

Summary


Analysis of 25 million security alerts from 10 million endpoints reveals threat actors systematically exploiting overlooked low-severity and informational alerts to achieve persistent access. Nearly 1% of confirmed incidents originated from these deprioritized alerts, equating to approximately one missed breach per week in typical enterprise environments. Forensic endpoint investigations of 82,000 alerts found 2,600 active infections, with 51% previously marked as "mitigated" by EDR solutions, indicating false confidence in automated remediation. Phishing campaigns increasingly bypass email gateways by leveraging trusted cloud platforms (Vercel, CodePen, OneDrive, PayPal) and novel obfuscation techniques, while cloud telemetry highlights long-term persistence tactics and AWS misconfigurations as primary vectors.

Timeline

  1. 08.05.2026 13:30 · 1 article

    Enterprise security analysis reveals persistent access via low-severity alert exploitation and EDR blind spots

    A dataset of 25M security alerts from live enterprise environments shows threat actors systematically exploiting gaps in low-severity alert triage, resulting in one missed breach per week on average. Forensic analysis of 82,000 endpoints found 2,600 active infections, with 51% previously marked "mitigated" by EDR tools. Phishing campaigns now abuse trusted cloud platforms (e.g., PayPal, OneDrive) and employ advanced obfuscation, while cloud telemetry highlights long-term persistence and AWS misconfiguration as dominant risks.


Information Snippets

  • Nearly 1% of confirmed incidents in 25M alerts originated from low-severity or informational alerts, climbing to nearly 2% on endpoints, equating to ~54 real threats annually per enterprise.

    First reported: 08.05.2026 13:30
    1 source, 1 article
  • Of 82,000 alerts subjected to live forensic memory scans, 2,600 had active infections; 51% of these were previously marked as "mitigated" by EDR solutions.

  • Identified malware families in memory included Mimikatz, Cobalt Strike, Meterpreter, and StrelaStealer, indicating active criminal and nation-state operations.

  • Less than 6% of confirmed malicious phishing emails contained attachments; most relied on links and language to evade detection.

  • Attackers increasingly abuse trusted platforms (Vercel, CodePen, OneDrive, PayPal) for phishing, including a documented campaign using PayPal’s legitimate payment infrastructure with embedded callback numbers and Unicode homoglyphs.

  • Four new email gateway bypass techniques were identified: Base64 payloads in SVG files, links embedded in PDF annotation metadata, dynamically loaded phishing pages via OneDrive shares, and DOCX files concealing archived HTML with QR codes.

  • Cloud telemetry revealed concentrated defense evasion and persistence tactics, with AWS misconfigurations (notably S3 access management and logging issues) accounting for 70% of cloud control violations.
