Friday, January 16 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 2026-01-03 10:29 to 2026-01-05 10:29 (UTC)

Snapshot Summary

Sector / Section               Headline Highlights                                                         Count
DFIR & Incident Response       Cloud sender impersonation; Critical API auth bypass                        2
Cyber Investigations           LastPass-linked wallet drains; Honeypot breach claim tested                 2
Major Cyber Incidents          Gov contractor subsidiary incident; Healthcare breach impact                2
Exploits & Threat Intelligence Discord infostealer sold via Telegram; Redirect-chain phishing tradecraft   2
Law Enforcement                “Digital arrest” mule network arrests                                       1
Policy                         AI content escalates to prosecutors; Chip deal blocked on security          2
Standards & Compliance         No additional credible updates in the last 72h                              0
Consumer App Data Leaks        No additional credible updates in the last 72h                              0

Digital Forensics & Incident Response

Phishing campaign abuses Google Cloud workflows to impersonate legitimate Google emails — [AMER] A Check Point write-up said attackers abused Google Cloud Application Integration’s “Send Email” path to deliver messages from a Google-owned sender while routing victims through trusted Google URLs and fake CAPTCHA steps (02-01-2026) [AMER]. This matters because IR teams must pivot from simple sender reputation checks to SaaS workflow telemetry, redirect-chain reconstruction, and session-token hunting to validate scope and prevent repeat credential-harvest pivots. (Source: Security Affairs, 02-01-2026).

IBM warns of critical API Connect auth bypass enabling remote access (CVE-2025-13915) — [AMER] IBM disclosed a critical API Connect authentication bypass (CVE-2025-13915, CVSS 9.8) that could enable remote access to exposed deployments if unpatched (02-01-2026) [AMER]. This matters because API gateways are high-trust chokepoints, so responders should prioritize rapid asset discovery, patch verification, and log review for anomalous admin sessions, token issuance, and unexpected portal activity suggesting pre-fix exploitation. (Source: Security Affairs, 02-01-2026).

Cyber Investigations

Ongoing cryptocurrency thefts traced to the 2022 LastPass breach, researchers say — [AMER] Reporting citing TRM Labs linked continuing wallet-drain incidents to encrypted LastPass vaults stolen in 2022, with victim losses occurring long after the original compromise and laundering activity observed across multiple exchanges (02-01-2026) [AMER]. This matters because investigators should treat historic credential-vault theft as a long-tail case type, expanding victim outreach, password-strength triage, and on-chain monitoring to identify clustered drain patterns and expedite freezing and attribution workflows. (Source: BleepingComputer, 02-01-2026).

Resecurity says ShinyHunters “breach” accessed a honeypot, not production systems — [AMER] ShinyHunters claimed it breached Resecurity, but the firm said the accessed environment was a purpose-built honeypot populated with synthetic data to observe attacker behavior and collect telemetry (04-01-2026) [AMER]. This matters because deception environments can generate evidence-grade TTPs and tooling artifacts while reducing real-data exposure, helping investigators validate exfiltration claims, refine detections, and avoid operational overreaction during extortion-driven disclosure cycles. (Source: BleepingComputer, 04-01-2026).

Major Cyber Incidents

Sedgwick confirms incident affecting government-focused subsidiary — [AMER] Claims administrator Sedgwick said it is responding to a security incident at Sedgwick Government Solutions and reported notifying law enforcement while communicating with customers and citing segmentation between environments (03-01-2026) [AMER]. This matters because segmentation assertions must be quickly validated with identity and cross-domain access scoping, and because government-adjacent vendors face heightened reporting, chain-of-custody, and evidence preservation expectations from day one. (Source: The Record, 03-01-2026).

Covenant Health says nearly 480,000 impacted by data breach — [AMER] Covenant Health disclosed a breach impacting 478,188 people, describing attacker access windows and notifying affected individuals while offering credit monitoring (02-01-2026) [AMER]. This matters because healthcare incidents require tightly controlled PHI handling, regulator-ready timelines, and coordinated patient communications, and DFIR teams must preserve forensic artifacts that align clinical disruptions, network access, and potential exfiltration indicators. (Source: The Record, 02-01-2026).

Exploits & Threat Intelligence

VVS Stealer: Python infostealer targets Discord tokens and browser data — [EMEA] Unit 42 research described “VVS Stealer,” a Telegram-sold Python infostealer that steals Discord tokens, browser credentials, screenshots and more, using obfuscation tooling and persistence mechanisms to survive reboots (05-01-2026) [EMEA]. This matters because Discord token theft enables rapid account takeover and community-targeted social engineering, so defenders should hunt for suspicious webhook exfiltration, PyInstaller/Pyarmor artifacts, and unexpected local staging of credential bundles in endpoint telemetry. (Source: Security Affairs, 05-01-2026).

Trusted-domain redirect chains highlight evolving “legitimate platform” phishing tradecraft — [AMER] Researchers said attackers chained trusted Google endpoints (including googleusercontent.com-style hosting) with validation gates to funnel users toward credential-harvest pages that mimic enterprise login flows (02-01-2026) [AMER]. This matters for threat intel because it supplies concrete URL-chain and infrastructure patterns for detection engineering, and it reinforces that defenders must correlate full redirect paths and SaaS activity rather than relying on single-URL reputation alone. (Source: Security Affairs, 02-01-2026).
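Both the cloud-workflow item above and this one end on the same recommendation: reconstruct the full redirect path and judge the chain, not a single URL's reputation. The script below is an added example written for this roundup, not code from Check Point, Google, or any vendor product. It walks a handful of constructed proxy log lines (timestamp, session id, status, requested URL, Location header or "-"), rebuilds per-session redirect chains by linking each request to the previous hop's Location header or to a same-host continuation (a CAPTCHA or "validation gate" page that then forwards the user), and flags chains that pass through trusted-platform hosts before landing on an untrusted page that looks like a credential-collection endpoint. The log format, the trusted-host allowlist, the login-path keywords and the two-signal threshold are all assumptions for illustration.

```python
"""Redirect-chain reconstruction and scoring over constructed proxy logs.

Added example for the DFM roundup; not vendor code. Log format, allowlist,
keyword lists and the flagging threshold are assumptions, not real detections.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allowlist of "trusted platform" hosts that phishing chains launder through.
TRUSTED_SUFFIXES = ("google.com", "googleapis.com", "googleusercontent.com")
# Assumed path fragments that suggest a credential-collection endpoint.
LOGIN_HINTS = ("login", "signin", "sign-in", "auth", "sso", "verify", "password")
# Assumed brand tokens that are suspicious when they appear in an untrusted host name.
BRAND_TOKENS = ("microsoft", "google", "office", "okta")

# Constructed sample log: ts session status url location-header-or-dash
SAMPLE_LOG = """\
2026-01-02T10:00:01Z s1 302 https://mail.google.com/track?u=abc https://storage.googleapis.com/bucket-x/verify.html
2026-01-02T10:00:02Z s1 200 https://storage.googleapis.com/bucket-x/verify.html -
2026-01-02T10:00:09Z s1 302 https://storage.googleapis.com/bucket-x/go?t=1 https://login-microsoft-verify.example/signin
2026-01-02T10:00:10Z s1 200 https://login-microsoft-verify.example/signin -
2026-01-02T10:05:00Z s2 302 https://docs.google.com/open?id=1 https://drive.google.com/file/d/1/view
2026-01-02T10:05:01Z s2 200 https://drive.google.com/file/d/1/view -
2026-01-02T10:07:00Z s3 302 https://www.google.com/url?q=news https://news.example/article
2026-01-02T10:07:01Z s3 200 https://news.example/article -
"""


@dataclass
class Hop:
    ts: str
    session: str
    status: int
    url: str
    location: str | None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def parse_log(text: str) -> list[Hop]:
    hops = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, status, url, location = line.split()
        hops.append(Hop(ts, session, int(status), url, None if location == "-" else location))
    return hops


def build_chains(hops: list[Hop]) -> list[list[Hop]]:
    """Group hops by session in time order and split them into redirect chains.

    A hop continues the current chain when it is the target of the previous hop's
    Location header, or when it stays on the same host (a gate page that forwards
    the user). Anything else starts a new chain."""
    by_session: dict[str, list[Hop]] = {}
    for h in sorted(hops, key=lambda h: (h.session, h.ts)):
        by_session.setdefault(h.session, []).append(h)
    chains: list[list[Hop]] = []
    for seq in by_session.values():
        current: list[Hop] = []
        prev: Hop | None = None
        for h in seq:
            linked = prev is not None and (
                (prev.location is not None and h.url == prev.location)
                or host_of(h.url) == host_of(prev.url)
            )
            if not linked and current:
                chains.append(current)
                current = []
            current.append(h)
            prev = h
        if current:
            chains.append(current)
    return chains


def assess_chain(chain: list[Hop]) -> dict:
    """Score one chain: trusted hops ending on an untrusted, login-looking page."""
    hosts = [host_of(h.url) for h in chain]
    trusted = sorted({h for h in hosts if is_trusted(h)})
    final = urlparse(chain[-1].url)
    final_host = (final.hostname or "").lower()
    final_path = final.path.lower()
    reasons = []
    if trusted and not is_trusted(final_host):
        reasons.append("trusted-platform hops end on an untrusted host")
    if not is_trusted(final_host) and any(k in final_path for k in LOGIN_HINTS):
        reasons.append("final path looks like a credential-collection endpoint")
    if not is_trusted(final_host) and any(b in final_host for b in BRAND_TOKENS):
        reasons.append("brand token in untrusted final host")
    # Two independent signals are required to flag; one (e.g. a Google redirect to a
    # news site) is normal traffic and would drown analysts in noise.
    return {"session": chain[0].session, "hosts": hosts, "trusted_hosts": trusted,
            "final_host": final_host, "reasons": reasons, "flagged": len(reasons) >= 2}


def analyze(text: str) -> list[dict]:
    """Return only the chains worth an analyst's attention."""
    return [f for f in (assess_chain(c) for c in build_chains(parse_log(text))) if f["flagged"]]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding["session"], " -> ".join(finding["hosts"]), finding["reasons"])
```

Session s1 is the only one flagged: two trusted Google hosts precede a lookalike host whose path is a sign-in page. Session s3 also goes from a Google redirector to an untrusted host, but with only that single signal it stays below the threshold, which is the point: the chain shape plus the landing page, not any one hop, is what separates abuse of a trusted platform from ordinary traffic. In a real pipeline the same linking would use the Referer header and the actual SaaS audit trail (who created the workflow or bucket) rather than the session id alone.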

Law Enforcement

India police report arrests in “digital arrest” fraud involving mule accounts and crypto conversion — [APAC] Police in India reported arrests tied to a “digital arrest” scam that coerced transfers through mule accounts and converted proceeds into crypto (including USDT), alongside device seizures and Telegram-linked facilitation details (04-01-2026) [APAC]. This matters because it shows enforcement pressure points—mule network mapping, telecom/device artifacts, and exchange coordination—that DFIR and fraud teams can accelerate with rapid preservation requests, wallet/address intelligence, and evidence packaging for cross-border referrals. (Source: India Today, 04-01-2026).

No additional credible updates in the last 72h.

Policy

France refers Grok-generated sexual content concerns to prosecutors; regulator alerted — [EMEA] Reuters reported French ministers referred allegedly illegal sexual and sexist Grok-generated content on X to prosecutors and alerted regulator Arcom, raising questions about Digital Services Act obligations and platform controls (02-01-2026) [EMEA]. This matters because AI tooling is now a compliance and incident surface, and security teams should anticipate regulator-driven evidence requests around content provenance, abuse reporting workflows, and auditability of guardrails when safety controls fail. (Source: Reuters, 02-01-2026).

Trump blocks a China-linked chip asset deal on national security grounds — [AMER] Reuters said President Donald Trump ordered divestment of a U.S. chip and wafer-fab asset acquisition after CFIUS flagged national security risk and China-related control concerns, requiring the deal to be unwound within a defined period (03-01-2026) [AMER]. This matters because hardware and fabs remain core to cyber resilience, signaling stricter supply-chain provenance scrutiny that impacts enterprise risk assessments, vendor due diligence, and incident planning around embedded dependencies. (Source: Reuters, 03-01-2026).

Standards & Compliance

No additional credible updates in the last 72h.

Consumer App Data Leaks

No additional credible updates in the last 72h.

Editorial Perspective

Attackers continue to “live off” trusted platforms, turning cloud workflows and redirect chains into high-conversion phishing paths that can outpace legacy email defenses.

At the same time, long-tail fallout from historic breaches and active deception tactics shows why investigators must blend identity, endpoint, and on-chain visibility to validate claims and attribute campaigns.

Policy signals, especially around AI content controls and supply-chain security, suggest more technical, evidence-driven scrutiny, so teams should prioritize logging maturity and regulator-ready documentation alongside rapid containment.

Tags

DFIR, phishing, cloud workflow abuse, API security, ransomware, healthcare breach, crypto theft, fraud mules, Discord infostealer, Telegram ecosystems, AI platform policy, supply-chain security
