[SIGNALS WEEKLY] Identity-First Intrusions and AI-Driven Attack Surface Shifts
The login was real. The control plane did the rest. Storm-2949 is the ugly part: one Entra ID identity can turn into SaaS theft and Azure abuse. Nobody owns this until incident day.
TL;DR
- [Cloud / Identity] Recent operations (e.g., Storm-2949, UNC6671/BlackFile) show single-identity compromise reliably scaling to tenant-wide cloud/SaaS breaches via SSPR/AiTM, control-plane abuse, and automation-like data access that blends with normal admin activity.
- [Vulnerabilities / Infrastructure] Newly KEV-listed flaws in Microsoft Exchange and Cisco Catalyst SD-WAN, plus malware-signing-as-a-service (Fox Tempest), highlight that edge, control-plane, and trust infrastructure (code-signing) are high-value, actively exploited footholds that require patch + compromise validation, not patch-only.
- [AI / Misconfiguration] Frontier AI increases attacker throughput in vuln discovery, while misconfigured AI/agentic apps (often on Kubernetes) are emerging as a dominant, practical initial-access vector: configuration errors, weak auth, and exposed endpoints become exploitable “non-CVE” vulnerabilities at cloud scale.
Current Stories
TL;DR
- [Cloud Identity / Intrusion] Storm-2949: compromised identity → cloud-wide breach (Azure + M365)
  - What happened: Microsoft detailed Storm-2949 using targeted social engineering consistent with SSPR abuse to take over Entra ID identities, then expanding into Microsoft 365 and Azure (Key Vault, Storage, SQL, App Service, VMs), including ScreenConnect for endpoint reach.
  - Why it matters: This is “control-plane compromise as lateral movement”: attackers can blend into legitimate admin activity with fewer malware signals, which stresses identity + cloud audit correlation.
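The “identity + cloud audit correlation” point above is easier to see in working detection logic. The following is an added example written for this digest, not Microsoft’s tooling or anything from the Storm-2949 report: it joins a constructed, simplified stream of Entra ID-style identity events (an SSPR password reset followed by a sign-in) with a constructed stream of Azure Activity Log-style control-plane operations, and flags any identity whose fresh password reset is followed within a short window by access to sensitive resource providers (Key Vault, Storage). Field names, timestamps, users and IPs are all assumptions constructed for the example; the operation strings are illustrative of the resource-provider prefixes a detection would key on, not a vetted allowlist.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified records in the spirit of Entra ID audit/sign-in logs.
# Field names are an assumption for this example, not the real schema.
IDENTITY_EVENTS = [
    {"ts": "2024-05-01T09:02:00Z", "user": "alice@example.com", "event": "SSPR_PasswordReset", "ip": "203.0.113.10"},
    {"ts": "2024-05-01T09:05:00Z", "user": "alice@example.com", "event": "SignIn", "ip": "203.0.113.10"},
    {"ts": "2024-05-01T10:00:00Z", "user": "bob@example.com", "event": "SignIn", "ip": "198.51.100.5"},
]

# Constructed records in the spirit of Azure Activity Log entries (caller + operation).
CONTROL_PLANE_EVENTS = [
    {"ts": "2024-05-01T09:20:00Z", "user": "alice@example.com", "op": "Microsoft.KeyVault/vaults/secrets/getSecret/action", "ip": "203.0.113.10"},
    {"ts": "2024-05-01T09:25:00Z", "user": "alice@example.com", "op": "Microsoft.Storage/storageAccounts/listKeys/action", "ip": "203.0.113.10"},
    {"ts": "2024-05-01T10:30:00Z", "user": "bob@example.com", "op": "Microsoft.Compute/virtualMachines/read", "ip": "198.51.100.5"},
]

# Resource-provider prefixes treated as sensitive for this example (illustrative, not exhaustive).
SENSITIVE_PREFIXES = ("Microsoft.KeyVault/", "Microsoft.Storage/", "Microsoft.Sql/")


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(identity_events, control_plane_events, window_minutes: int = 60):
    """Return one finding per identity that performed a sensitive control-plane
    operation within `window_minutes` after an SSPR password reset.

    The reset alone is benign; the sensitive access alone is benign; the
    sequence is what the identity-first intrusion pattern looks like.
    """
    window = timedelta(minutes=window_minutes)

    # Index reset times per identity so each control-plane event is a cheap lookup.
    resets = defaultdict(list)
    for ev in identity_events:
        if ev["event"] == "SSPR_PasswordReset":
            resets[ev["user"]].append(parse_ts(ev["ts"]))

    hits = defaultdict(list)
    for ev in control_plane_events:
        if not ev["op"].startswith(SENSITIVE_PREFIXES):
            continue
        op_time = parse_ts(ev["ts"])
        for reset_time in resets.get(ev["user"], []):
            if reset_time <= op_time <= reset_time + window:
                hits[ev["user"]].append({"ts": ev["ts"], "op": ev["op"], "ip": ev["ip"]})
                break  # one matching reset is enough to attribute this operation

    findings = []
    for user, ops in hits.items():
        findings.append({
            "user": user,
            "reason": f"sensitive control-plane access within {window_minutes}m of SSPR reset",
            "operations": ops,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(IDENTITY_EVENTS, CONTROL_PLANE_EVENTS):
        print(finding["user"], "->", finding["reason"])
        for op in finding["operations"]:
            print("   ", op["ts"], op["op"], "from", op["ip"])
```

In a real pipeline the two streams arrive in different workspaces with different caller fields (UPN versus object ID versus service principal), so the join key and the normalization of it are where most of the engineering effort goes; the window and prefix list are tuning knobs, but the value comes from having both sources queryable together before incident day rather than after.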