Improper access control in Azure File Sync allows an authorized attacker to elevate privileges locally.

CVE-2025-29973: Microsoft Azure File Sync Elevation of Privilege Vulnerability

Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.

CVE-2025-29970: Microsoft Brokering File System Elevation of Privilege Vulnerability

A Türkiye-affiliated threat actor exploited a zero-day security flaw in an Indian enterprise communication platform called Output Messenger as part of a cyber espionage attack campaign since April 2024.
"These exploits have resulted in a collection of related user data from targets in Iraq," the Microsoft Threat Intelligence team said. "The targets of the attack are associated with the Kurdish

Türkiye Hackers Exploited Output Messenger Zero-Day to Drop Golang Backdoors on Kurdish Servers

Optimizing your online productivity is more important than ever. Whether you’re a business owner, freelancer, or simply someone…

Optimizing your online productivity is more important than ever. Whether you’re a business owner, freelancer, or simply someone looking to streamline your personal digital workflow, improving your efficiency can save you time, reduce stress, and boost performance. Here are some practical strategies to enhance your digital efficiency.

****1\. Streamline Your Digital Workspace****

A cluttered digital environment can slow you down significantly. Organize your desktop, categorize your files, and declutter unnecessary applications. Use cloud storage services like Dropbox or Google Drive to keep essential documents accessible and secure, reducing the need for excessive local storage.

Use productivity tools like Trello, Asana, or Notion to effectively manage tasks and projects. These platforms help you visualize your workload, prioritize tasks, and collaborate seamlessly with others.

****2\. Automate Repetitive Tasks****

Automation is a game-changer when it comes to digital efficiency. Identify repetitive tasks that consume your time and automate them. For instance:

*   **Email filtering and sorting**: Use rules and filters to automatically categorize incoming messages.
*   **Social media scheduling**: Use platforms like Buffer or Hootsuite to schedule posts in advance, saving you from constant manual posting.
*   **Data entry and reporting**: Utilize tools such as Zapier or Integromat to automate workflows between different apps.

Automating routine processes frees up valuable time for more strategic and creative tasks.

****3\. Optimize Your Internet and Hosting Solutions****

Slow-loading websites and unreliable hosting services can hamper your efficiency, especially if you rely on web-based applications. Upgrading to a reliable DS hosting solution can significantly boost your website’s performance, ensuring faster loading times and improved reliability. Dedicated servers offer more control, security, and better resource allocation compared to shared hosting, making them ideal for businesses or resource-intensive applications.

****4\. Use Keyboard Shortcuts and Productivity Hacks****

Mastering keyboard shortcuts can drastically decrease the time spent navigating your computer or specific applications. For example:

*   **Ctrl + C** and **Ctrl + V** for copy-paste
*   **Ctrl + Z** to undo
*   **Alt + Tab** to switch between windows quickly.

In addition, explore browser extensions like LastPass for password management or Grammarly for real-time grammar checks, making your digital activities more streamlined and error-free.

****5\. Limit Digital Distractions****

Distractions are one of the main barriers to digital efficiency. Use website blockers like Freedom or StayFocusd to limit time-wasting sites during work hours. Turn off unnecessary notifications and schedule regular tech-free breaks to improve your focus. You can also investigate app blockers for your smartphone to limit distractions more generally. 

****6\. Leverage Cloud-Based Collaboration Tools****

For teams, cloud-based collaboration tools are essential for maintaining efficiency. Platforms like Slack, Microsoft Teams, and Google Workspace allow for real-time communication, file sharing, and collaboration, decreasing the need for lengthy email threads and streamlining project management.

****Final Thoughts****

Improving your digital efficiency doesn’t require a massive overhaul, it’s about making small, intentional changes to your workflow. From investing in reliable DS hosting to automating repetitive tasks, every improvement adds up to significant time and productivity gains. Embrace these strategies and watch your digital efficiency soar.

(Image by Moondance from Pixabay)

Practical Ways to Improve Your Digital Efficiency

As AI-driven fraud becomes increasingly common, more people feel the need to verify every interaction they have online.

These days, when Nicole Yelland receives a meeting request from someone she doesn’t already know, she conducts a multistep background check before deciding whether to accept. Yelland, who works in public relations for a Detroit-based nonprofit, says she’ll run the person’s information through Spokeo, a personal data aggregator that she pays a monthly subscription fee to use. If the contact claims to speak Spanish, Yelland says, she will casually test their ability to understand and translate trickier phrases. If something doesn’t quite seem right, she’ll ask the person to join a Microsoft Teams call—with their camera on.

If Yelland sounds paranoid, that’s because she is. In January, before she started her current nonprofit role, Yelland says, she got roped into an elaborate scam targeting job seekers. “Now, I do the whole verification rigamarole any time someone reaches out to me,” she tells WIRED.

Digital imposter scams aren’t new; messaging platforms, social media sites, and dating apps have long been rife with fakery. In a time when remote work and distributed teams have become commonplace, professional communications channels are no longer safe, either. The same artificial intelligence tools that tech companies promise will boost worker productivity are also making it easier for criminals and fraudsters to construct fake personas in seconds.

On LinkedIn, it can be hard to distinguish a slightly touched-up headshot of a real person from a too-polished, AI-generated facsimile. Deepfake videos are getting so good that longtime email scammers are pivoting to impersonating people on live video calls. According to the US Federal Trade Commission, reports of job and employment related scams nearly tripled from 2020 to 2024, and actual losses from those scams have increased from $90 million to $500 million.

Yelland says the scammers that approached her back in January were impersonating a real company, one with a legitimate product. The “hiring manager” she corresponded with over email also seemed legit, even sharing a slide deck outlining the responsibilities of the role they were advertising. But during the first video interview, Yelland says, the scammers refused to turn their cameras on during a Microsoft Teams meeting and made unusual requests for detailed personal information, including her driver’s license number. Realizing she’d been duped, Yelland slammed her laptop shut.

These kinds of schemes have become so widespread that AI startups have emerged promising to detect other AI-enabled deepfakes, including GetReal Labs and Reality Defender. OpenAI CEO Sam Altman also runs an identity-verification startup called Tools for Humanity, which makes eye-scanning devices that capture a person’s biometric data, create a unique identifier for their identity, and store that information on the blockchain. The whole idea behind it is proving “personhood,” or that someone is a real human. (Lots of people working on blockchain technology say that blockchain is the solution for identity verification.)

But some corporate professionals are turning instead to old-fashioned social engineering techniques to verify every fishy-seeming interaction they have. Welcome to the Age of Paranoia, when someone might ask you to send them an email while you’re mid-conversation on the phone, slide into your Instagram DMs to ensure the LinkedIn message you sent was really from you, or request you text a selfie with a time stamp, proving you are who you claim to be. Some colleagues say they even share code words with each other, so they have a way to ensure they’re not being misled if an encounter feels off.

“What’s funny is, the lo-fi approach works,” says Daniel Goldman, a blockchain software engineer and former startup founder. Goldman says he began changing his own behavior after he heard a prominent figure in the crypto world had been convincingly deepfaked on a video call. “It put the fear of god in me,” he says. Afterward, he warned his family and friends that even if they hear what they believe is his voice or see him on a video call asking for something concrete—like money or an internet password—they should hang up and email him first before doing anything.

Ken Schumacher, founder of the recruitment verification service Ropes, says he’s worked with hiring managers who ask job candidates rapid-fire questions about the city where they claim to live on their résumé, such as their favorite coffee shops and places to hang out. If the applicant is actually based in that geographic region, Schumacher says, they should be able to respond quickly with accurate details.

Another verification tactic some people use, Schumacher says, is what he calls the “phone camera trick.” If someone suspects the person they’re talking to over video chat is being deceitful, they can ask them to hold up their phone camera to show their laptop. The idea is to verify whether the individual may be running deepfake technology on their computer, obscuring their true identity or surroundings. But it’s safe to say this approach can also be off-putting: Honest job candidates may be hesitant to show off the inside of their homes or offices, or worry a hiring manager is trying to learn details about their personal lives.

“Everyone is on edge and wary of each other now,” Schumacher says.

While turning yourself into a human captcha may be a fairly effective approach to operational security, even the most paranoid admit these checks create an atmosphere of distrust before two parties have even had the chance to really connect. They can also be a huge time suck. “I feel like something’s gotta give,” Yelland says. “I’m wasting so much time at work just trying to figure out if people are real.”

Jessica Eise, an assistant professor studying climate change and social behavior at Indiana University Bloomington, says her research team has been forced to essentially become digital forensics experts due to the amount of fraudsters who respond to ads for paid virtual surveys. (Scammers aren’t as interested in the unpaid surveys, unsurprisingly.) For one of her research projects, which is federally funded, all of the online participants have to be over the age of 18 and living in the US.

“My team would check time stamps for when participants answered emails, and if the timing was suspicious, we could guess they might be in a different time zone,” Eise says. “Then we’d look for other clues we came to recognize, like certain formats of email address or incoherent demographic data.”

Eise says the amount of time her team spent screening people was “exorbitant” and that they’ve now shrunk the size of the cohort for each study and have turned to “snowball sampling,” or recruiting people they know personally to join their studies. The researchers are also handing out more physical flyers to solicit participants in person. “We care a lot about making sure that our data has integrity, that we’re studying who we say we’re trying to study,” she says. “I don’t think there’s an easy solution to this.”

Barring any widespread technical solution, a little common sense can go a long way in spotting bad actors. Yelland shared with me the slide deck that she received as part of the fake job pitch. At first glance, it seemed legit, but when she looked at it again, a few details stood out. The job promised to pay substantially more than the average salary for a similar role in her location and offered unlimited vacation time, generous paid parental leave, and fully covered health care benefits. In today’s job environment, that might have been the biggest tipoff of all that it was a scam.

_Update 5/12/2025, 6:34 PM ET: This article was updated to clarify the nature of a federally funded research project._

Deepfakes, Scams, and the Age of Paranoia

Varonis reveals attackers are using SEO poisoning to trick IT admins into downloading malware, alongside a critical root…

Varonis reveals attackers are using SEO poisoning to trick IT admins into downloading malware, alongside a critical root access vulnerability in Azure’s AZNFS-mount utility affecting HPC/AI workloads. Update Azure immediately.

Cybersecurity researchers at Varonis have issued warnings on two distinct but significant threats targeting IT administrators and cloud infrastructure. Emerging within the last two months, as noted by Varonis in a blog post published on 2 May 2025, a growing trend of attackers using SEO poisoning to trick administrators into downloading malware disguised as legitimate tools is observed.

Separately, on May 6th, the company’s Threat Labs reported a critical vulnerability in a preinstalled Azure utility that could allow unprivileged users to gain full root access to cloud systems.

The SEO poisoning campaign involves cybercriminals manipulating search engine rankings to place malicious websites at the top of results for common IT administration tools. Unsuspecting admins, believing they are downloading genuine software, instead install malware that can lead to the installation of backdoors like SMOKEDHAM, enabling persistent access for attackers.

Varonis MDR Forensics team members Tom Barnea and Simon Biggs highlighted cases where this technique led to the deployment of monitoring software like a renamed version of Kickidler (grabber.exe), allowing attackers to secretly observe infected machines and steal credentials.

Attack flow – Image credit: Varonis

This initial access often paves the way for data exfiltration, as seen in one instance where the attackers successfully transferred nearly a terabyte of data out of the network, followed by the encryption of critical systems like the customer’s ESXi devices for ransom.

Ransom note – Image credit: Varonis

In a separate but equally concerning discovery, Varonis Threat Labs, led by researcher Tal Peleg, identified a critical flaw in the AZNFS-mount utility, a tool preinstalled on Azure High-Performance Computing (HPC) and Artificial Intelligence (AI) images. This vulnerability, affecting all versions up to 2.0.10, could allow an ordinary user to escalate their privileges to root on a Linux machine.

As per Veronis’ research, shared with Hackread.com, the flaw exists in the “mount.aznfs” binary, which, due to incorrect permissions, could be exploited to execute arbitrary commands with the highest system privileges. By manipulating a specific environment variable, attackers could effectively take complete control of the affected Azure systems.

Varonis Threat Labs responsibly disclosed this vulnerability to Microsoft Azure, which classified it as low severity. However, the potential impact of gaining root access to cloud infrastructure is significant, as it may allow attackers to mount additional storage, install malware, and move laterally within cloud environments. Microsoft has since released a fix in version 2.0.11 of the AZNFS-mount utility.

Still, these findings show cybercriminals are constantly improving their tactics for targeting critical IT infrastructure more effectively. The SEO poisoning campaign highlights the need for better awareness among IT professionals when downloading tools from online searches, even those appearing highly ranked. The Azure utility vulnerability emphasizes the importance of timely patching and careful configuration of cloud resources.

Varonis advises organizations to implement a “Defense in Depth” strategy, including employee training, endpoint security, network segmentation, and strict access controls, to mitigate these growing threats. Azure customers utilizing HPC images or NFS for Azure Storage are advised to update their AZNFS-mount utility immediately.

New SEO Poisoning Campaign Targeting IT Admins With Malware

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824) vulnerability. The vulnerability from the April Microsoft Patch Tuesday allows an attacker operating under a regular user account to escalate their privileges to SYSTEM level.🔻 According to Microsoft, the vulnerability was exploited in attacks against organizations in the U.S., Venezuela, Spain, and Saudi […]

**About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824) vulnerability.** The vulnerability from the April Microsoft Patch Tuesday allows an attacker operating under a regular user account to escalate their privileges to SYSTEM level.  
  
🔻 According to Microsoft, the vulnerability was exploited in attacks against organizations in the U.S., Venezuela, Spain, and Saudi Arabia. The exploit was embedded in the PipeMagic malware used by the Storm-2460 group to deploy ransomware.

🔻 On May 7, Symantec reported technical details about another exploit for the vulnerability, used by Balloonfly group (associated with the Play ransomware) in an attack on a U.S. organization prior to April 8.

👾 Are there public exploits? According to BDU FSTEC — yes. NVD also lists “exploit links”, but they point to detection and mitigation scripts. 🤷‍♂️ No mentions yet in exploit packs or on GitHub.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824) vulnerability

Cofense Intelligence reveals a novel phishing technique using blob URIs to create local fake login pages, bypassing email…

Cofense Intelligence reveals a novel phishing technique using blob URIs to create local fake login pages, bypassing email security and stealing credentials.

Cybersecurity researchers at Cofense Intelligence have reported a new and increasingly effective method cybercriminals are using to deliver credential phishing pages directly to users’ email inboxes. This technique, which emerged in mid-2022, leverages “blob URIs” (binary large objects- Uniform Resource Identifiers).

For your information, Blob URIs are addresses that point to temporary data saved by your internet browser on your own computer. These have legitimate applications on the internet, such as how YouTube temporarily stores video data within a user’s browser for playback.

A key characteristic of blob URIs is their localized nature; that is, a blob URI created by one browser cannot be accessed by any other, even on the same device. This inherent privacy feature although beneficial for legitimate web functions, has been weaponized by threat actors for malicious purposes.

According to Cofense Intelligence’s analysis, shared with Hackread.com, since Blob URI data isn’t on the regular internet, security systems that check emails cannot easily see the harmful fake login pages.

Therefore, when you get a phishing email, the link doesn’t go straight to a fake website. Instead, it often sends you to a real website that the security programs trust, like Microsoft’s OneDrive. From there, you get sent to a hidden webpage controlled by the attacker.

This hidden page then uses a blob URI to create the fake login page right in your browser. Even though this page is only saved on your computer, it can still steal your username and password and send it to the hackers.

This presents a challenge for automated security systems, particularly Secure Email Gateways (SEGs), which analyze website content to identify phishing attempts, researchers noted. The novelty of phishing attacks using blob URIs means AI-powered security models may not yet be adequately trained to distinguish between legitimate and malicious uses.

This lack of pattern recognition, combined with the common attacker tactic of using multiple redirects, complicates automated detection and increases the likelihood of phishing emails bypassing security.

Cofense Intelligence has observed multiple phishing campaigns employing this blob URI technique, with lures designed to trick users into logging in to fake versions of familiar services like OneDrive. These lures include notifications of encrypted messages, prompts to access Intuit tax accounts, and alerts from financial institutions. Despite the varied initial pretexts, the general attack flow remains consistent.

Researchers warn that this type of phishing might become more common because it’s good at getting past security. So, it’s important to be careful about links in emails, even if they look like they go to real websites, and to always double-check before you type in your login information. Seeing “blob:http://” or “blob:https://” in the website address can be a sign of this new trick.

Phishing Attack Uses Blob URIs to Show Fake Login Pages in Your Browser

A flaw in Microsoft Entra ID’s legacy login allowed attackers to bypass MFA, targeting admin accounts across finance,…

A flaw in Microsoft Entra ID’s legacy login allowed attackers to bypass MFA, targeting admin accounts across finance, healthcare, and tech sectors.

Cybersecurity firm Guardz has discovered a targeted campaign exploiting a weakness in Microsoft Entra ID’s legacy authentication protocols, allowing attackers to bypass modern security measures like Multi-Factor Authentication (MFA).

The attacks, which occurred between March 18 and April 7, 2025, utilized Basic Authentication Version 2 – Resource Owner Password Credential (BAV2ROPC), a legacy login method, to gain unauthorized access, highlighting the dangers of outdated authentication in cloud environments.

This campaign, according to Guardz’s report, shared with Hackread.com, targeted various sectors including financial services, healthcare, manufacturing, and technology services.

This incident follows the widespread Microsoft Entra ID account lockouts reported by Hackread.com in April 2025, caused by an internal Microsoft error with refresh tokens and the MACE Credential Revocation app. While Hackread’s report detailed unintentional lockouts due to an internal issue, the Guardz discovery highlights a deliberate exploitation of Entra ID vulnerabilities by malicious actors.

****Campaign Analysis****

Guardz Research Unit (GRU) discovered that threat actors were actively exploiting BAV2ROPC – a compatibility feature within Entra ID that allows older applications to authenticate using simple usernames and passwords.

Unlike contemporary interactive login processes that mandate MFA and other security checks, BAV2ROPC operates non-interactively. This critical difference allows attackers to completely circumvent MFA, Conditional Access Policies, and even login alerts and user presence verification, effectively rendering these modern protections useless.

****Attack Timeline****

The attack occured in two distinct phases starting with an “Initialization” phase between March 18th and 20th, characterized by a lower intensity of probing, averaging around 2,709 suspicious login attempts daily.

This was followed by a “Sustained Attack” phase, from March 21st to April 3rd, which featured a dramatic surge in activity, spiking to over 6,444 attempts per day (a whopping 138% increase). This escalation indicated a clear shift towards aggressive exploitation of the identified vulnerabilities.

Guardz Research tracked over 9,000 suspicious Exchange login attempts, primarily from Eastern Europe and the Asia-Pacific region. The campaign involved automated credential spraying and brute-force tactics, focusing on exposed legacy endpoints.

The attacks targeted various legacy authentication vectors, with over 90% aimed at Exchange Online and the Microsoft Authentication Library, including a significant focus on administrator accounts.

“Admin accounts were a specific focus. One subset received nearly 10,000 attempts from 432 IPs within 8 hours,_“_ wrote Guardz’s Elli Shlomo in their blog post.

While the campaign has subsided, Guardz warns that the vulnerability persists in many organizations still relying on protocols like BAV2ROPC, SMTP AUTH, POP3, and IMAP4 for compatibility. These methods bypass MFA, ignore Conditional Access, and enable silent, non-interactive logins, thus, creating a “hidden backdoor,” researchers noted.

Dor Eisner, CEO and Co-Founder of Guardz emphasized the critical nature of this issue, stating, “This campaign is a wake-up call, not just about one vulnerability, but about the broader need to retire outdated technologies that no longer serve today’s threat landscape.”

To mitigate the risks, Guardz urges organizations to immediately audit and disable legacy authentication, enforce modern authentication with MFA, implement conditional access policies to block unsupported flows, and closely monitor for unusual login activity.

Legacy Login in Microsoft Entra ID Exploited to Breach Cloud Accounts

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.
The top three researchers of the 2025 Q1 Security Researcher Leaderboard are 0x140ce, VictorV, Vaisha Bernard of Eye Security!
Check out the full list of researchers recognized this quarter here.

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.

The top three researchers of the 2025 Q1 Security Researcher Leaderboard are **0x140ce, VictorV, Vaisha Bernard of Eye Security!**

Check out the full list of researchers recognized this quarter here.  

Congratulations to the top Azure researchers this quarter: **Anonymous, Sandro Poppi, and Vaisha Bernard of Eye Security!**

Congratulations to the top Office researchers this quarter: **0x140ce, Li Shuang and willJ, and f4!**

Congratulations to the top Windows researchers this quarter: **VictorV, wkai, Zhiniang Peng with HUST & R4nger with CyberKunLun!**

Congratulations to the top Dynamics researchers this quarter: **Brad Schlintz, Dhiral Patel (@dhiralpatel94), and Artem Shymshyrian (Xtytia0922)!**

This 2025 Q1 leaderboard reflects point values for cases that are:

*   Submitted and assessed by the MSRC team between January 1, 2025, and March 31, 2025
    
*   Submitted to the MSRC team between October 1, 2024, and December 31, 2024 (last program period), but assessed after January 1, 2025
    

While Researcher Recognition points have been part of MSRC’s reward program for many years, this year marks the first time they are visible in the researcher portal. This added transparency allows you to track your standing more easily throughout the year. If assessment criteria are updated, your points may be adjusted accordingly, which could affect your quarterly score. However, please note that Quarterly and Annual leaderboard rankings are based on the point value at the time you receive the “You’ve Made Leaderboard” notification email. These rankings remain fixed, even if your point total changes afterward.

Past quarterly and annual leaderboard announcements:  

*   MSRC 2024 Q4 Security Researcher Leaderboard
    
*   MSRC 2024 Q3 Security Researcher Leaderboard
    
*   MSRC 2024 Most Valuable Security Researcher Leaderboard
    
*   MSRC 2024 Q2 Security Researcher Leaderboard
    
*   MSRC 2024 Q1 Security Researcher Leaderboard
    
*   MSRC 2023 Q4 Security Researcher Leaderboard
    
*   MSRC 2023 Q3 Security Researcher Leaderboard
    
*   MSRC 2023 Q2 Security Researcher Leaderboard  
    
*   MSRC 2023 Q1 Security Researcher Leaderboard  
    
*   MSRC 2023 Most Valuable Security Researcher Leaderboard
    

Keep up the awesome work and we look forward to seeing you next quarter!

Madeline Eckert, MSRC

Tag

#microsoft