#ZeroTrust

Korora Solutions (kororasolutions)
2026-02-25

NetBird 0.66.0 released with new feature: netbird expose

We’re excited to introduce netbird expose — a simple and secure way to expose your local services through the NetBird reverse proxy.

forum.netbird.io/t/netbird-v0-

2026-02-24

MFA Service Degradation at Microsoft — 504 Gateway Timeout Errors
Incident MO1237461 impacting U.S. tenants across Microsoft 365.

Symptoms:
Intermittent or failed MFA challenges returning 504 errors, suggesting upstream authentication gateway or load balancing issues within Microsoft Entra ID.

Risk considerations:
• Conditional Access enforcement failures
• VPN and device login disruptions
• Federated SaaS access denial
• Identity-based perimeter breakdown

Operational challenge:
Relax MFA → Increased identity risk
Maintain MFA → Productivity halt

Are you monitoring Entra telemetry and authentication gateway latency metrics during this window?

Source: cybersecuritynews.com/microsof

Engage below.
Follow @technadu for actionable identity threat coverage.

#Infosec #MFA #EntraID #IAM #ZeroTrust #CloudSecurity #Microsoft365 #IdentityOps #SOC #CyberResilience

Microsoft MFA Down – 504 Gateway Timeout Errors Disrupting MFA Access for U.S. Users
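Added example, not code from the post, its source or Microsoft: a small Python pass over Entra-style sign-in records that answers the post's question about watching telemetry during a degradation. It buckets MFA-required sign-ins into 5-minute windows, computes the share that failed at the MFA step, and flags windows where the rate jumps against the preceding baseline and is spread across many distinct users (the outage signature, as opposed to one user being hammered by MFA-fatigue prompts). The field names mirror a few SigninLogs columns; the records and the set of result codes counted as "MFA failed" are constructed assumptions.

```python
"""Windowed MFA-failure-rate check over Entra-style sign-in records.

Added example, not from the post and not Microsoft code. Record fields mirror
a few SigninLogs columns (createdDateTime, userPrincipalName,
authenticationRequirement, resultType); the records and the result codes
treated as "MFA failed" are constructed assumptions for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: result codes a SOC would tune for "the MFA step itself failed".
# 500121 is Entra's "Authentication failed during strong authentication request".
MFA_FAILURE_CODES = {500121}
WINDOW_MINUTES = 5


def _window_start(ts_iso: str) -> datetime:
    ts = datetime.fromisoformat(ts_iso.replace("Z", "+00:00"))
    return ts.replace(second=0, microsecond=0, minute=ts.minute - ts.minute % WINDOW_MINUTES)


def mfa_failure_rates(records):
    """Bucket MFA-required sign-ins into 5-minute windows.

    Returns {window_start: {"attempts", "failures", "rate", "affected_users"}}
    ordered by time. affected_users counts distinct UPNs that failed: an
    outage hits many users at once, an MFA-fatigue attack hits one or two.
    """
    buckets = defaultdict(lambda: {"attempts": 0, "failures": 0, "failed_users": set()})
    for r in records:
        if r.get("authenticationRequirement") != "multiFactorAuthentication":
            continue
        b = buckets[_window_start(r["createdDateTime"])]
        b["attempts"] += 1
        if int(r["resultType"]) in MFA_FAILURE_CODES:
            b["failures"] += 1
            b["failed_users"].add(r["userPrincipalName"])
    out = {}
    for start in sorted(buckets):
        b = buckets[start]
        out[start] = {
            "attempts": b["attempts"],
            "failures": b["failures"],
            "rate": b["failures"] / b["attempts"],
            "affected_users": len(b["failed_users"]),
        }
    return out


def degraded_windows(rates, min_attempts=20, abs_rate=0.25,
                     baseline_multiplier=3.0, min_affected_users=10):
    """Flag windows whose failure rate is above an absolute floor AND well above
    the median of the preceding windows AND spread across many users."""
    flagged, history = [], []
    for start, w in rates.items():
        baseline = statistics.median(history) if history else 0.0
        if (w["attempts"] >= min_attempts
                and w["rate"] >= abs_rate
                and w["rate"] >= baseline * baseline_multiplier
                and w["affected_users"] >= min_affected_users):
            flagged.append((start, w))
        history.append(w["rate"])
    return flagged


def sample_records():
    """Constructed sign-ins: two healthy windows, then one where MFA fails for
    a large share of distinct users (the provider-outage signature)."""
    recs = []
    base = datetime(2026, 2, 24, 14, 0, tzinfo=timezone.utc)
    plan = [(0, 30, 1), (5, 30, 2), (10, 40, 18)]  # (minute offset, attempts, failures)
    for offset, attempts, failures in plan:
        for i in range(attempts):
            recs.append({
                "createdDateTime": (base + timedelta(minutes=offset, seconds=7 * i)).isoformat(),
                "userPrincipalName": f"user{i % 25}@corp.example",
                "authenticationRequirement": "multiFactorAuthentication",
                "resultType": "500121" if i < failures else "0",
            })
    return recs


if __name__ == "__main__":
    for start, w in degraded_windows(mfa_failure_rates(sample_records())):
        print(f"{start:%H:%M} MFA failure rate {w['rate']:.0%} "
              f"({w['failures']}/{w['attempts']}, {w['affected_users']} users)")
```

The distinct-user count is the part worth keeping when porting this to a real query: a provider-side 504 shows up as many users failing in the same minute, which is also the window in which a Conditional Access "relax MFA" change is most tempting and most dangerous, so the same signal should drive the decision to fail closed rather than open.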
2026-02-24

Vishing-Based Compromise at Optimizely Highlights Identity Risk

Attackers gained access via voice phishing, targeting SSO-linked systems and CRM records.

No confirmed privilege escalation, but exposure of business contact data reinforces how social engineering bypasses perimeter defenses.

Activity patterns resemble ShinyHunters campaigns abusing MFA prompts and OAuth 2.0 device authorization flows.

Common post-access targets include Salesforce, Microsoft 365, Google Workspace, Slack, SAP, Atlassian - wherever SSO tokens provide lateral access.

Identity is the control plane. Once tokens are compromised, downstream exposure scales quickly.

Is your organization monitoring abnormal device code authentication and token issuance events?

Source: bleepingcomputer.com/news/secu

Engage below.
Follow @technadu for actionable threat intelligence.

#Infosec #Vishing #OAuth #IAM #SSO #ZeroTrust #ThreatHunting #SOC #IdentitySecurity #CyberRisk

Ad tech firm Optimizely confirms data breach after vishing attack
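Added example, not code from the post, BleepingComputer or Microsoft: a Python detector for the device-code abuse the post asks about. It builds a per-user baseline from older sign-ins, then flags successful device-code sign-ins that are new for the user (first use of the flow, or a source IP the user has never appeared from) and, separately, one IP completing device-code sign-ins for several different users inside a short window, which is what an operator redeeming codes as victims approve them looks like. Field names follow Entra's SigninLogs (authenticationProtocol is "deviceCode" for the OAuth 2.0 device authorization grant); the baseline and recent records are constructed.

```python
"""Device-code-flow sign-in triage over Entra-style sign-in records.

Added example, not from the post and not Microsoft code. Field names follow
Entra's SigninLogs (authenticationProtocol == "deviceCode" marks the OAuth
2.0 device authorization grant); the baseline and recent records are
constructed, and ipAddress is treated simply as "the source IP in the log".
"""
from collections import defaultdict
from datetime import datetime, timedelta

DEVICE_CODE = "deviceCode"


def _ts(r):
    return datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))


def baseline_profile(history):
    """Per-user baseline: protocols and source IPs seen in older, trusted sign-ins."""
    prof = defaultdict(lambda: {"protocols": set(), "ips": set()})
    for r in history:
        p = prof[r["userPrincipalName"]]
        p["protocols"].add(r["authenticationProtocol"])
        p["ips"].add(r["ipAddress"])
    return prof


def detect_device_code_abuse(history, recent, cluster_window=timedelta(minutes=30), cluster_min=3):
    """Two checks on successful device-code sign-ins in `recent`:
    1. novelty: the user never used device code before, or the IP is new for them;
    2. clustering: one IP completes device-code sign-ins for several distinct
       users inside a short window, the shape of a phishing operator redeeming
       codes as victims approve them.
    """
    prof = baseline_profile(history)
    dc = [r for r in recent
          if r["authenticationProtocol"] == DEVICE_CODE and r["resultType"] == "0"]
    findings = []
    for r in dc:
        p = prof.get(r["userPrincipalName"])
        reasons = []
        if p is None or DEVICE_CODE not in p["protocols"]:
            reasons.append("first device-code sign-in for this user")
        if p is None or r["ipAddress"] not in p["ips"]:
            reasons.append("source IP not in user's baseline")
        if reasons:
            findings.append({"type": "novelty", "user": r["userPrincipalName"],
                             "ip": r["ipAddress"], "app": r["appDisplayName"],
                             "reasons": reasons})
    by_ip = defaultdict(list)
    for r in dc:
        by_ip[r["ipAddress"]].append(r)
    for ip, rs in by_ip.items():
        rs.sort(key=_ts)
        users = sorted({r["userPrincipalName"] for r in rs})
        if len(users) >= cluster_min and _ts(rs[-1]) - _ts(rs[0]) <= cluster_window:
            findings.append({"type": "cluster", "ip": ip, "users": users,
                             "span_minutes": (_ts(rs[-1]) - _ts(rs[0])).seconds // 60})
    return findings


def _rec(ts, user, proto, ip, app="Microsoft Office", result="0"):
    # Constructed record in the shape of a SigninLogs row.
    return {"createdDateTime": ts, "userPrincipalName": user, "authenticationProtocol": proto,
            "ipAddress": ip, "appDisplayName": app, "resultType": result}


# Constructed baseline: everyone signs in via the browser from the office egress;
# one engineer legitimately uses Azure CLI's device-code flow from home.
HISTORY = [
    _rec("2026-02-10T09:00:00Z", "alice@corp.example", "oAuth2", "198.51.100.10"),
    _rec("2026-02-10T09:05:00Z", "bob@corp.example", "oAuth2", "198.51.100.10"),
    _rec("2026-02-10T09:07:00Z", "carol@corp.example", "oAuth2", "198.51.100.10"),
    _rec("2026-02-11T20:00:00Z", "dev@corp.example", DEVICE_CODE, "192.0.2.44", app="Microsoft Azure CLI"),
]

# Constructed recent window: the engineer again, then three users whose device
# codes are redeemed from one unfamiliar IP within twenty minutes.
RECENT = [
    _rec("2026-02-24T08:00:00Z", "dev@corp.example", DEVICE_CODE, "192.0.2.44", app="Microsoft Azure CLI"),
    _rec("2026-02-24T10:02:00Z", "alice@corp.example", DEVICE_CODE, "203.0.113.7"),
    _rec("2026-02-24T10:11:00Z", "bob@corp.example", DEVICE_CODE, "203.0.113.7"),
    _rec("2026-02-24T10:20:00Z", "carol@corp.example", DEVICE_CODE, "203.0.113.7"),
]

if __name__ == "__main__":
    for f in detect_device_code_abuse(HISTORY, RECENT):
        print(f)
```

The engineer's Azure CLI sign-in produces no finding because both the protocol and the IP are in that user's baseline; the point of the baseline is to let legitimate device-code users (CLI tools, headless boxes) keep working while the same flow from a new place, for a user who has never needed it, gets escalated. A Conditional Access policy that blocks the device-code grant outright for everyone except a named group removes most of the question.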
2026-02-24

Don’t skip JIT access. Just-In-Time VM access reduces attack surface by closing RDP/SSH ports until needed. aka.ms/JITAccess #ZeroTrust #MicrosoftSecurity

NERDS.xyz – Real Tech News for Real Nerds (nerds.xyz@web.brid.gy)
2026-02-23

Cloudflare becomes first SASE platform with post quantum encryption across entire stack

fed.brid.gy/r/https://nerds.xy

Boost your skills with today’s cybersecurity playlist: exploits, defenses, and real-world lessons. 🔒 youtube.com/playlist?list=PLXq

#CyberAwareness #NetworkSecurity #ZeroTrust #ThreatIntelligence #Malware


2026-02-22

Proton vs. Infinito.Nexus

Security, scalability and digital sovereignty compared. Digital sovereignty today means more than encrypted e-mail or a secure VPN. It is about control, adaptability, scalability, and a security architecture that grows with your own requirements. 🔐 Two different approaches stand side by side here: Proton as a specialised privacy service, and Infinito.Nexus as an open, modular platform for digital infrastructure. […]

blog.infinito.nexus/blog/2026/

Friendly, futuristic illustration with two mascots in front of a glowing digital globe: on the left a smiling badger-like mascot in a violet-blue colour scheme with floating app icons and a laptop, on the right the Infinito.Nexus bear logo in blue and white with server racks, cloud and open-source symbols; the two sides are connected by a network of light lines, symbolising two different digital ecosystems.
2026-02-21

“Starkiller” phishing service proxies real login pages and relays MFA in real time.
Targets include brands like Microsoft and Google.

Result:
Passwords captured.
MFA intercepted.
Session cookies stolen.
Reported by Abnormal AI.

Phishing is evolving into enterprise-grade tooling.

Source: krebsonsecurity.com/2026/02/st

Are passkeys the only sustainable defense?
Follow @technadu for independent cybersecurity reporting.

Join the discussion below.

#CyberSecurity #Phishing #MFA #AccountTakeover #ZeroTrust #Infosec #DigitalIdentity #ThreatIntel

‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA
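Added example, not code from Krebs' reporting, Abnormal AI, or the Starkiller kit: a stdlib-only Python simulation of why a relaying proxy defeats an OTP but not a passkey. TOTP (RFC 6238) produces a number that carries no notion of where it was typed, so the proxy just forwards it. A WebAuthn assertion is signed over authenticatorData plus the hash of clientDataJSON, and the browser, not the page, writes the page's real origin into clientDataJSON; a victim on the lookalike origin therefore produces an assertion the relying party rejects, and a proxy that edits the origin afterwards breaks the signature. The origins, secrets and credential key are constructed, and an HMAC keyed with a per-credential key stands in for the authenticator's public-key signature.

```python
"""Why a relaying proxy defeats OTP-style MFA but not an origin-bound assertion.

Added example, not from Krebs' reporting, Abnormal AI, or the Starkiller kit.
The origins, secrets and credential key are constructed. TOTP follows RFC 6238
(SHA-1, 30 s step, 6 digits). The WebAuthn part is a simplification: an HMAC
keyed with a per-credential key stands in for the authenticator's public-key
signature, because what matters here is what gets signed, not the algorithm.
"""
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://login.example.com"      # constructed: the real identity provider
PHISH_ORIGIN = "https://login-example.com"   # constructed: the AiTM proxy's lookalike


# --- TOTP: the code is just a number, it carries no notion of where it was typed ---
def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def aitm_relay_totp(secret: bytes, unix_time: int) -> bool:
    """Victim types the code into the proxied page; the proxy forwards it to the
    real IdP, which accepts it: nothing ties the code to the page it was typed on."""
    code_typed_by_victim = totp(secret, unix_time)
    relayed_by_proxy = code_typed_by_victim
    return hmac.compare_digest(totp(secret, unix_time), relayed_by_proxy)


# --- WebAuthn-style assertion: the browser puts the real page origin into clientDataJSON ---
def browser_make_assertion(cred_key: bytes, challenge: str, page_origin: str):
    """The browser, not the page's JavaScript, builds clientDataJSON and fills
    `origin` with the origin it is actually showing the user."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    # authenticatorData: rpIdHash || flags (UP set) || signCount
    auth_data = hashlib.sha256(b"login.example.com").digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()  # stand-in for the public-key signature
    return client_data, auth_data, sig


def rp_verify_assertion(cred_key: bytes, expected_challenge: str, client_data: bytes,
                        auth_data: bytes, sig: bytes):
    """Relying-party checks in the order the WebAuthn spec lists them:
    type, challenge, origin, then the signature over authData || hash(clientData)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "bad type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def legit_webauthn(cred_key: bytes, challenge: str):
    cd, ad, sig = browser_make_assertion(cred_key, challenge, RP_ORIGIN)
    return rp_verify_assertion(cred_key, challenge, cd, ad, sig)


def aitm_relay_webauthn(cred_key: bytes, challenge: str):
    """Proxy forwards the RP's challenge unchanged; the victim's browser is on the
    phishing origin, so that origin is what gets signed, and the RP rejects it."""
    cd, ad, sig = browser_make_assertion(cred_key, challenge, PHISH_ORIGIN)
    return rp_verify_assertion(cred_key, challenge, cd, ad, sig)


def aitm_rewrite_origin(cred_key: bytes, challenge: str):
    """Proxy that edits clientDataJSON to claim the real origin after the fact:
    the hash of clientDataJSON is inside the signed data, so the signature fails."""
    cd, ad, sig = browser_make_assertion(cred_key, challenge, PHISH_ORIGIN)
    forged = cd.replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    return rp_verify_assertion(cred_key, challenge, forged, ad, sig)


if __name__ == "__main__":
    print("TOTP relayed through proxy accepted:", aitm_relay_totp(b"12345678901234567890", 59))
    print("WebAuthn from real origin:", legit_webauthn(b"cred-key", "n0nce"))
    print("WebAuthn relayed through proxy:", aitm_relay_webauthn(b"cred-key", "n0nce"))
    print("WebAuthn with origin rewritten by proxy:", aitm_rewrite_origin(b"cred-key", "n0nce"))
```

In a real browser the proxy never even gets this far: the credential is scoped to the relying party ID, and a page on login-example.com cannot ask for a credential registered to login.example.com. The origin check shown here is the second, relying-party-side line of defence, and it is what makes the session cookie theft the post describes impossible to bootstrap from a relayed login.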
AllAboutSecurity (allaboutsecurity)
2026-02-21

Oracle extends OCI network security: Zero Trust Packet Routing now with cross-VCN support

The new capability aims to make the growing complexity of distributed cloud architectures more manageable.

all-about-security.de/oracle-e

2026-02-21

The sentencing of Oleksandr Didenko highlights the operational mechanics of North Korea’s IT worker revenue scheme.

TTPs included:
• Identity theft & resale infrastructure
• U.S.-based laptop farms
• Remote access tooling
• Money transmitter accounts
• Tax filings under stolen identities
The Federal Bureau of Investigation linked the activity to broader nation-state revenue generation.
The United Nations estimates up to $600M annually generated via embedded IT workers.
Technical mitigation questions:
- Device attestation + hardware-bound identity?
- Continuous behavioral authentication?
- Payroll anomaly detection?
- Zero-trust for remote contractors?

Drop your technical countermeasures below.

Source: therecord.media/north-korea-la

Follow Technadu for advanced cyber threat reporting.

#ThreatModeling #InsiderThreat #NorthKorea #IdentityManagement #ZeroTrust #RemoteAccessSecurity #CyberCounterintelligence #FraudDetection #Infosec #SecurityEngineering #RiskManagement #CyberIntelligence

Ukrainian national gets 5-year sentence for involvement in North Korea IT worker scheme

Your daily dose of hacking & defense. Check out today’s curated playlist for pros & learners alike. ⚡ youtube.com/playlist?list=PLXq
#Hacking #CyberDefense #ZeroTrust #CyberAwareness #Malware

2026-02-20

The Rhysida ransomware group claims it breached the Cheyenne and Arapaho Tribes, demanding 10 BTC after disrupting education and administrative systems.

Governor Reggie Wassana confirmed refusal to negotiate.

Rhysida has a history of targeting public-sector networks, including state and municipal infrastructure.

Technical considerations:
• Initial access vector? Phishing vs exposed RDP?
• Backup segmentation and immutability
• Insurance-driven IR workflows
• Data exfiltration + double extortion tactics
• Public-sector attack surface mapping
Should smaller governments move toward managed detection and response (MDR) as a baseline requirement?

Source: therecord.media/cheyenne-arapa

Share your technical insights below.

Follow @technadu for advanced ransomware intelligence.

#Ransomware #ThreatHunting #IncidentResponse #PublicSectorSecurity #CyberResilience #BlueTeam #Infosec #GovTech #DigitalForensics #CyberThreatIntel #DataProtection #SOC #ZeroTrust

Ransomware gang threatens Cheyenne and Arapaho Tribes after shutting down schools
2026-02-20

Palo Alto Networks to acquire Koi Security for $400M, targeting the emerging Agentic Endpoint attack surface.

Koi (Assaraf, Dardikman, Kruk) developed LLM-powered analysis to detect:
• Malicious extensions/plugins
• Package ecosystem abuse (NPM, Homebrew)
• AI agent exploit chaining
• Model artifact manipulation
• Credential hijacking within agent frameworks

Planned integration into Prisma AIRS™ and Cortex XDR® aims to improve AI runtime visibility and enforcement.

Question for defenders:
Are your telemetry pipelines mapping AI agent behavior - or just traditional executables?

Source: paloaltonetworks.com/company/p

Drop your technical perspective below.
Follow Technadu for advanced threat intelligence reporting.

#Infosec #ThreatModeling #AppSec #EndpointSecurity #AIsecurity #DetectionEngineering #XDR #ZeroTrust #SupplyChainSecurity #LLMsecurity #BlueTeam #RedTeam #CyberArchitecture

Palo Alto Networks Announces Intent to Acquire Koi to Secure the Agentic Endpoint
2026-02-18

AI Platform Hardening: Lockdown Mode & Risk Labeling Framework
To mitigate prompt injection–driven data exfiltration, OpenAI introduced:
• Lockdown Mode — deterministic external interaction constraints
• Cached-only browsing under restricted mode
• Tool disablement where safety guarantees aren’t provable
• Standardized “Elevated Risk” labeling across ChatGPT, Atlas, Codex

This layered approach builds upon sandboxing, monitoring, URL exfiltration controls, and enterprise-grade RBAC with audit logs.

Security significance:
Prompt injection attacks operate at the instruction layer, not the transport layer. Deterministic restriction reduces attack surface by limiting outbound interaction vectors.

Risk labeling also formalizes user awareness — similar to privileged execution prompts in operating systems.

Source: openai.com/index/introducing-l

Question for practitioners:
Should AI network access follow zero-trust principles by default?

Follow TechNadu for AI security architecture insights.

#Infosec #AISecurity #PromptInjection #ZeroTrust #AppSec #CyberDefense #RiskManagement

Introducing Lockdown Mode and Elevated Risk labels in ChatGPT
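Added example, not OpenAI's Lockdown Mode implementation and not code from the post: a Python egress gate that turns the three controls the post lists (tool disablement, cached-only browsing, URL exfiltration checks) into a deterministic allow/deny decision a tool-call layer could make before any outbound request leaves an agent. The exfiltration check looks for anything the agent has seen in its session context riding out in a URL path, query or fragment, in plain, percent-encoded or base64 form, which is the classic prompt-injection pattern of an image or link URL carrying data away. Hosts, cache entries, tool names and the secret are constructed assumptions.

```python
"""Deterministic egress gate for an agent's outbound requests.

Added example, not OpenAI's Lockdown Mode implementation and not code from
the post. Hosts, cache entries, the secret and the tool names are
constructed assumptions.
"""
import base64
from urllib.parse import parse_qsl, unquote, urlparse

# Assumption: tools whose side effects cannot be bounded are switched off in lockdown.
DISABLED_IN_LOCKDOWN = {"email_send", "shell_with_network", "http_post"}


def _decodings(value: str):
    """Plain, percent-decoded and base64-decoded views of a URL component, so a
    secret smuggled out in any of those forms still matches."""
    yield value
    yield unquote(value)
    padded = value + "=" * (-len(value) % 4)
    try:
        yield base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except ValueError:
        pass
    try:
        yield base64.urlsafe_b64decode(padded).decode("utf-8", "replace")
    except ValueError:
        pass


class EgressPolicy:
    def __init__(self, mode, allowed_hosts, cache_index, context_secrets):
        self.mode = mode                              # "standard" or "lockdown"
        self.allowed_hosts = set(allowed_hosts)
        self.cache_index = set(cache_index)           # URLs already fetched and stored
        self.context_secrets = set(context_secrets)   # values the agent has seen this session

    def _host_allowed(self, host):
        return any(host == a or host.endswith("." + a) for a in self.allowed_hosts)

    def evaluate(self, tool: str, url: str):
        """First-match-wins rules; the same input always yields the same answer."""
        if self.mode == "lockdown" and tool in DISABLED_IN_LOCKDOWN:
            return False, f"tool {tool} disabled in lockdown"
        u = urlparse(url)
        if u.scheme != "https" or not u.hostname:
            return False, "only https URLs with a host are allowed"
        if not self._host_allowed(u.hostname):
            return False, f"host {u.hostname} not on allowlist"
        if self.mode == "lockdown" and url.split("#", 1)[0] not in self.cache_index:
            return False, "lockdown: cached pages only"
        # Exfiltration check: does anything from the session context ride out in the URL?
        components = [seg for seg in u.path.split("/") if seg]
        components += [part for kv in parse_qsl(u.query, keep_blank_values=True) for part in kv]
        if u.fragment:
            components.append(u.fragment)
        for comp in components:
            for view in _decodings(comp):
                if any(secret in view for secret in self.context_secrets):
                    return False, "context secret present in request URL"
        return True, "ok"


SECRET = "sk-live-7f3a9c1e2b4d5e6f"   # constructed: a key the agent saw in a tool result


def demo():
    """Constructed scenarios; returns each verdict so the outcomes can be checked."""
    lockdown = EgressPolicy("lockdown", {"docs.example.com"},
                            {"https://docs.example.com/handbook"}, {SECRET})
    standard = EgressPolicy("standard", {"docs.example.com", "cdn.example.com"}, set(), {SECRET})
    b64 = base64.urlsafe_b64encode(SECRET.encode()).decode()
    return {
        "lockdown_cached": lockdown.evaluate("browse", "https://docs.example.com/handbook"),
        "lockdown_uncached": lockdown.evaluate("browse", "https://docs.example.com/new"),
        "lockdown_tool_off": lockdown.evaluate("email_send", "https://docs.example.com/handbook"),
        "offlist_host": standard.evaluate("browse", f"https://attacker.example/i.png?d={SECRET}"),
        "exfil_plain": standard.evaluate("browse", f"https://cdn.example.com/i.png?d={SECRET}"),
        "exfil_b64_path": standard.evaluate("browse", f"https://cdn.example.com/{b64}/i.png"),
        "clean": standard.evaluate("browse", "https://cdn.example.com/logo.png?v=3"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The ordering matters: host allowlisting and cached-only mode are cheap, deterministic and catch the bulk of injected fetches, while the context-secret check is the backstop for an allowlisted host being abused (an image on a permitted CDN with the key in its path). None of these rules inspect the model's text; they constrain what it can do, which is the "instruction layer versus transport layer" distinction the post draws.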
ZATAZ - "\o/" (zataz@mastox.eu)
2026-02-18

CISA orders the removal of end-of-life devices

--> datasecuritybreach.fr/la-cisa-

// Tight timeline: inventory, remove, then monitor continuously. Goal: cut off access to unmaintained (EoL) edge devices, which have become a highway for intrusions.

#CISA #cybersecurite #EOL #vulnerabilites #patchmanagement #zeroTrust #ITsecurity #zataz @Damien_Bancal

2026-02-17

CISA Operating Under Shutdown Constraints - Strategic Implications

Effective February 14, 2026, CISA is functioning at 38% staffing under Antideficiency Act exceptions.

Operational posture:
• KEV catalog maintained and updated for actively exploited vulns
• Emergency recall authority for national security threats
• Slower validation and vulnerability triage cycles expected
• CIRCIA rule finalization halted
• KEV enforcement activities likely suspended
Reduced analyst bandwidth directly impacts vulnerability validation, patch availability coordination, and federal liaison processes.

While KEV updates continue, compliance oversight appears weakened. That introduces potential lag between vulnerability disclosure and sector-wide remediation.

From a defensive architecture standpoint, this highlights the fragility of centralized cyber coordination under political funding constraints.
How should national-level cyber coordination be insulated from budget volatility?

Source: securityweek.com/cisa-navigate

Follow @technadu for threat intelligence and policy-level cybersecurity reporting.

#Infosec #CISA #KEV #CIRCIA #CyberDefense #ZeroTrust #CriticalInfrastructure #ThreatIntelligence #NationalSecurity

CISA Navigates DHS Shutdown With Reduced Staff

This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now

997 words, 5 minutes read time.

If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.

This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.

What this scam actually is

You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.

It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:

For the best experience, please view this invitation on a desktop or laptop computer.

If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.

And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.

Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.

Why this is an absolute nightmare for security teams

Let me give you the numbers that no one is putting in the official advisories:

  • As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
  • Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
  • This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
  • Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.

I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.

This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.

How to not get burned

I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.

For everyone

  • Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
  • Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
  • Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.

For SOC Analysts and Security Teams

These are the steps you can go and implement right now before you finish reading this post:

  1. Add an email detection rule for the exact string for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate.
  2. Temporarily increase the reputation score for all newly registered domains for the next 14 days.
  3. Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
  4. If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.

Closing Thought

The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.

If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

#attackVector #boardroomRisk #breachPrevention #CISAAlert #CISO #credentialTheft #cyberResilience #cyberattack #cybercrime #cybersecurityAwareness #defenseInDepth #desktopOnlyPhishing #detectionRule #DKIM #DMARC #emailFilterBypass #emailGateway #emailHygiene #emailSecurity #emailSecurityGateway #endpointProtection #incidentResponse #indicatorsOfCompromise #initialAccess #IoCs #lateralMovement #linkSafety #logAnalysis #maliciousLink #malware #MITREATTCK #mobileEmailRisk #phishingCampaign #phishingDetection #phishingScam #phishingSimulation #phishingStatistics #PunchbowlPhishing #ransomwarePrecursor #RemcosRAT #sandboxEvasion #securityAlert #SecurityAwarenessTraining #securityBestPractices #securityLeadership #securityMonitoring #securityOperationsCenter #securityStack #SOCAnalyst #socialEngineering #spearPhishing #SPF #suspiciousEmail #T1566001 #threatActor #threatHunting #threatIntelligence #userTraining #zeroTrust
A close-up photograph of a computer screen showing a fake Punchbowl party invitation email. The cursor hovers over a malicious link, and the suspicious "view on desktop" instruction is highlighted in red.
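Added example, not code from the post's author or from Punchbowl: a Python mail-gateway triage function that implements the post's rules over two constructed messages. It checks that the sender domain is exactly punchbowl.com, matches the post's lure string loosely enough that whitespace or punctuation changes do not evade it, treats any "open this on a desktop/laptop" instruction as its own red flag, and raises the score for links to domains registered within the last 14 days. The domain "first seen" table stands in for a WHOIS/RDAP or passive-DNS lookup, and the scoring weights are an assumption.

```python
"""Mail-gateway triage for the lure described in the post.

Added example, not code from the post's author or from Punchbowl. The two
messages are constructed; the domain "first seen" table stands in for a
WHOIS/RDAP or passive-DNS lookup and is an assumption, as is the scoring.
"""
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND_DOMAIN = "punchbowl.com"
NEW_DOMAIN_DAYS = 14
# The post's exact string, matched loosely so punctuation/whitespace changes do not evade it.
LURE_PHRASE = re.compile(
    r"for\s+the\s+best\s+experience,?\s+please\s+view\s+this\s+(?:invitation\s+)?on\s+a\s+desktop\s+or\s+laptop",
    re.I)
# The broader red flag: any instruction to open the message on a particular kind of device.
DEVICE_INSTRUCTION = re.compile(
    r"\b(?:open|view)\b[^.\n]{0,60}?\bon\s+a\s+(?:desktop|laptop|pc|computer)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+")

# Constructed stand-in for a domain-age lookup; unknown domains return None.
DOMAIN_FIRST_SEEN = {"punchbowl-invites.example": date(2026, 2, 16)}


def domain_age_days(host: str, today: date):
    seen = DOMAIN_FIRST_SEEN.get(host)
    return None if seen is None else (today - seen).days


def triage(raw_message: str, today: date) -> dict:
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    hosts = sorted({h for h in (urlparse(u).hostname for u in URL.findall(text)) if h})
    r = {
        "sender_domain": sender_domain,
        "from_brand": sender_domain == BRAND_DOMAIN,
        "mentions_brand": "punchbowl" in text.lower(),
        "lure_phrase": bool(LURE_PHRASE.search(text)),
        "device_instruction": bool(DEVICE_INSTRUCTION.search(text)),
        "young_domains": [h for h in hosts
                          if (age := domain_age_days(h, today)) is not None and age < NEW_DOMAIN_DAYS],
    }
    score = 0
    if r["lure_phrase"]:
        score += 50   # the post's "exact string" rule
    if r["device_instruction"]:
        score += 30   # the post's "told to use a specific device" rule
    if r["mentions_brand"] and not r["from_brand"]:
        score += 40   # brand impersonation: real invites only come from @punchbowl.com
    if r["young_domains"]:
        score += 30   # the post's newly-registered-domain rule
    r["score"] = score
    r["verdict"] = "block" if score >= 50 else ("review" if score else "allow")
    return r


# Constructed messages: the lure as the post describes it, and a clean invite.
PHISH_SAMPLE = (
    "From: Punchbowl Invitations <invites@punchbowl-invites.example>\n"
    "To: hr@corp.example\n"
    "Subject: You're invited: Dana's retirement party\n"
    "\n"
    "Dana has invited you to a retirement party via Punchbowl.\n"
    "View your invitation: https://punchbowl-invites.example/i/8f3a\n"
    "\n"
    "For the best experience, please view this invitation on a desktop or laptop computer.\n"
)

LEGIT_SAMPLE = (
    "From: Punchbowl <invites@punchbowl.com>\n"
    "To: hr@corp.example\n"
    "Subject: You're invited: Dana's retirement party\n"
    "\n"
    "Dana has invited you to a retirement party via Punchbowl.\n"
    "View your invitation: https://www.punchbowl.com/i/8f3a\n"
)


def demo(today=date(2026, 2, 17)):
    return triage(PHISH_SAMPLE, today), triage(LEGIT_SAMPLE, today)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two things to carry into a production rule: check the authenticated sender (the DKIM d= or SPF-validated envelope domain), not the display name, since that is what the From-header comparison above is standing in for; and keep the device-instruction pattern separate from the exact lure string, because the former survives the next rewording of the template.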
2026-02-17

We treat source code and containers as untrusted until explicitly verified.

In a Zero Trust world, confidence isn't assumed, it's proven 🛡️

Read how Chadd Owen maps the 7 Pillars of Zero Trust to actionable security: anchore.com/blog/anchore-enter

#ZeroTrust
