Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Fraud is built on deception, and third-party fraud is no exception. In this type of fraud, attackers use stolen or synthetic identities to impersonate legitimate customers and gain unauthorized access to accounts, services, or funds. By exploiting the trust between businesses and their customers, fraudsters bypass traditional security measures, making third-party fraud a growing threat in an era of automated attacks and large-scale data breaches.

Let’s catch up on the more interesting vulnerability disclosures and cyber security news gathered from articles across the web this week. This is what we have been reading about on our coffee break! When a company goes under data theft is a concern, but when one has highly sensitive information…

When you type a familiar website address in your web browser, you expect to land on a particular webpage, but what if you are redirected to a fake website designed to steal your sensitive data? Cyber attackers trick your internet settings into sending you to fake websites instead of the real ones. This is called a DNS spoofing or poisoning attack which exploits vulnerabilities in the Domain Name System (DNS) to compromise the entire network.

Traditional on-premises identity management solutions are no longer adequate to support small and midsize organizations. Moreover, modern Cloud alternatives have significantly eased the complexity and inefficiencies of premises-based identity management.

INKY has published its annual report on email security, finding that phishing accounted for 30% of all reported cybercrimes last year. “Phishing threats grew in both volume and sophistication, introducing new attack vectors like QR codes, cross-site scripting, and weaponized file types (e.g., RTF and DOT),” the report says. “Cybercriminals also increasingly exploited trusted services such as DocuSign and PayPal, underscoring the urgent need for adaptive, robust security solutions.”

A KnowBe4 Threat Lab Publication Authors: By James Dyer, Threat Intelligence Lead at KnowBe4 and Lucy Gee, Cybersecurity Threat Researcher at KnowBe4 On March 3, 2025, the KnowBe4 Threat Labs team observed a massive influx of phishing attacks originating from legitimate Microsoft domains. KnowBe4 Defend detected activity starting on February 24th, with a peak on March 3rd, when 7,000 attacks from microsoft-noreply@microsoft.com were recorded within a 30-minute window.

Networking and infrastructure and operations (I&O) teams often feel that they are facing contradictory challenges. They are expected to manually maintain the complex legacy infrastructure that keeps the business running, while also finding capacity and licence to help their organizations innovate at a time of rapid technological change.

A critical improper authorization vulnerability (CVSS 9.1) in Next.js, tracked as CVE-2025-29927, was publicly disclosed on March 21, 2025. Next.js is a popular React-based web framework used for building full-stack applications. This vulnerability impacts applications that utilize middleware for authorization checks. Middleware functions used to implement access control, session validation, redirects, or security headers on incoming HTTP requests.

By James Rees, MD, Razorthorn Security.

Grep (Global Regular Expression print) command is a powerful text searching utility in Unix/Linux systems. Grep takes a pattern such as a regular expression or string and searches one or more input files for the lines that contain the expected pattern. Grep command can be significantly used for text searching and filtering, log analysis, code scanning, configuration management, data extraction etc.