Simply Cyber Newsletter #185

Crush Your Week Like a Cyber Pro with Simply Cyber!

Start your work week off at full speed with expert analysis and actionable intel from top cybersecurity news stories. Share with your End Users, Peers, and Executives to support weekly security awareness with the Simply Cyber Newsletter.

FOR END USERS

ChatGPT share links abused to host fake outage pages to deliver malware. Threat actors are abusing ChatGPT’s content-sharing feature to display fake outage notices hosted on legitimate ChatGPT URLs. Victims are prompted to download a supposed desktop application that is actually malware. Researchers found similar campaigns abusing AI platform sharing features to distribute malicious software and steal credentials.

What you need to know: Educate your end users that a familiar website address is no longer enough to establish trust. In this campaign, attackers exploited trust in a real one. They used ChatGPT to generate a fake outage page in HTML, published it through a legitimate sharing link, and let the platform itself render it from an openai.com address. There was no fake website to spot. The “Download our desktop app to continue” button then sent users to openew[.]app, a separate site impersonating OpenAI’s download portal, which served the malware.

That hop is the lesson here; a legitimate service does not resolve an outage by directing users to download software from an unrelated domain. The address displaying the message was genuine, but the action it requested was not. Teach users to separate the two. Trust should be based on the task being requested, not solely on the brand or domain presenting it.

This is also not an isolated case. Researchers observed similar abuse of Anthropic’s Claude Artifacts feature, suggesting that AI sharing platforms are becoming another avenue for delivering malicious content through trusted services. Reinforce one habit above all: unexpected prompts to download, install, or run software should trigger verification before action, even when they appear on platforms employees use every day.

FOR PEERS

AI-built ransomware toolkit automates EDR evasion, AD discovery. Researchers at Sophos discovered a ransomware attack framework that uses AI tools including Cursor and Claude Opus to accelerate malware development, Active Directory discovery, and EDR evasion testing. The AI-assisted toolkit generated and refined payloads against multiple security products, significantly reducing the time required to operationalize offensive security research.

What you need to know: This story is less about autonomous AI attacks and more about how fast threat actors can now turn public research into usable offensive capability. Sophos found operators using AI agents to automate malware development, Active Directory discovery, testing, documentation, and EDR bypass research, while humans stayed in control of the workflow. The shift is speed. Work that once demanded specialized expertise and long development cycles now happens through rapid iteration across multiple agents. Worth noting: the framework sometimes overreported its own success, so a claimed bypass is not a confirmed one, but the volume of attempts is now far higher than before. The real question for your team is pace. Do current detection engineering, threat hunting, purple team, and control validation efforts assume a speed of adversary development that no longer matches reality? The challenge is shifting from whether attackers can weaponize public research to how fast they can do it.

FOR EXECUTIVES

New cyber force would cost up to $11 billion to start, commission says. A commission of policy experts and former military leaders estimates that creating a dedicated U.S. Cyber Force would cost up to $11 billion, take 12 to 18 months to establish, and require approximately 30,000 personnel. Supporters argue the move is necessary to address growing cyber threats and expand national cyber capabilities.

What you need to know: U.S. Cyber Command is not failing today. According to the federal commission behind this proposal, the problem is that it has no clear path to grow as adversaries get more capable and aggressive, and that gap, not a present-day crisis, is what supporters say justifies the investment.

The same gap is worth checking inside your own organization. A security team can look healthy on staffing numbers, performance metrics, and audit results while quietly losing ground, because hiring, retention, succession planning, and skills development have not kept pace with the threat. Technology can be bought and deployed in a quarter. Experienced people, institutional knowledge, and operational maturity take years to build and are far harder to replace once they walk out the door.

So ask your security leaders a direct question. Not whether the organization is protected today, but whether there is a realistic path to stay protected two years from now. If the honest answer depends on people you have not hired, skills you are not developing, or capabilities you keep meaning to build later, that is the gap to close while it is still a budget decision and not an incident.

Claude is not just a chatbot anymore. Is your security team ready?

Claude.ai is one thing. Agentic workflows, MCP connections, ungoverned skills taking actions across your data? That's a different conversation — and most security teams aren't equipped for it.

Harmonic Security gives your CISO the visibility and controls to say yes confidently.

JOIN US EVERY WEEKDAY DAILY CYBER THREAT BRIEF

Gerald Auger, Ph.D. livestreams the Daily Cyber Threat Brief on Simply Cyber every weekday at 8:00 AM EDT: https://cyberthreatbrief.simplycyber.io

Join the party with cybersecurity enthusiasts and professionals alike who enjoy learning about the latest in cybersecurity news and staying connected.

THIS TUESDAY: SC SKILLS STREAM WITH ALETHE DENIS

Pretexts That Hold Up Under Pressure

What happens when your pretext falls apart the moment someone challenges your story?

In this Simply Cyber Skills Stream, Alethe Denis, Senior Security Consultant II at Bishop Fox and DEF CON Black Badge-winning social engineer, shares how to build pretexts that can withstand real-world pressure during physical red team engagements.

Most social engineering discussions focus on what to say. This session focuses on how to create believable stories that hold up when faced with skeptical employees, unexpected questions, or situations that do not go according to plan.

Drawing from her experience in social engineering, physical security assessments, and offensive security operations, Alethe will discuss the mindset and preparation behind creating stronger, more resilient pretexts for real-world engagements.

This Skills Stream is designed for red teamers, social engineers, OSINT practitioners, physical security professionals, and anyone interested in the human side of offensive security.

Join us this Tuesday at 1:00 PM EDT: https://youtube.com/live/mG-jRlyiW8k 

Register to attend and get an email reminder: https://luma.com/2q0zvwc1 

SC MEDIA GROUP WEEKLY EVENTS SCHEDULE

Join us for learning and networking every day of the work week on YouTube: youtube.com/@simplycyber 

Connect with the SC Discord community: simplycyber.io/discord

SIMPLY CYBER MONTHLY EVENTS LINEUP

Want to know what’s happening at Simply Cyber at any given time?

Head over to the SC Monthly Events Calendar to register for new and upcoming events for the month - don’t forget to subscribe! lu.ma/simplycyber 

SC ACADEMY THE PLACE FOR CYBER CAREERS

At Simply Cyber Academy, we specialize in making GRC and Cybersecurity Careers a reality. Empower your career by learning real in-demand skills from cyber experts and the theory behind those skills with Simply Cyber Academy.

The popular GRC Analyst Master Class is a must for kickstarting your GRC Cybersecurity career. In addition, we have new courses covering various areas of focus in cyber available to help you advance in your career.

Check out the NEW FREE courses available in the academy!

SIMPLY CYBER ACADEMY BLOG HIGHLIGHT

Check out the highlighted blog on Simply Cyber Academy:  

LET’S CONNECT

Stay current on trending topics, tips, events and resources in cybersecurity, connect with Simply Cyber on socials for new content.

As always, please send me feedback. Which tip above is your favorite? What do you want more or less of? Other suggestions? Please let me know. Just send a DM on X with #actionableintel in the subject so I can find it.

Join us on the Daily Cyber Threat Brief happening every weekday morning at 8 AM Eastern on YouTube and LinkedIn.

Find more about what’s happening this week in the Simply Cyber community, below. Join us on the Daily Cyber Threat Brief happening every weekday morning at 8 AM Eastern on YouTube and LinkedIn.

Thank you and see you again next week, #TeamSC!

Gerry