
Cyber Security Monitor: December 2025

Stay one step ahead of cyber criminals with our regular news and tips

2025 was the year when cyber security really hit the national conversation. From headline-grabbing attacks on retail and car giants M&S, Co-op and Jaguar Land Rover, to incursions into children’s nurseries and European airports, it seemed that every month there was a new frontier being breached.

The seriousness of the impact on the British economy was clear when the government had to step in to underwrite a £1.5 billion loan guarantee for JLR and its vast network of suppliers.

And it appears that there is a steep increase in the severity of cyber attacks on UK soil. According to the National Cyber Security Centre, “Highly significant” cyber attacks (with the potential to have a serious impact on essential services) increased by 50% in the past year.

Our mission in the face of this challenging environment continues to be to educate, inform and support British organisations in their cyber security journey.

In the final edition of this year’s newsletter, we look at sophisticated new phishing strategies, reveal the £1m+ penalty on a password manager that spectacularly failed at its job, caution about the dangers of using AI agents without appropriate safeguards and examine the latest sanctions on Russian hackers by Western allies.

How AiTM phishing scams are beating MFA

This alert comes from our cyber security analyst Aaron Davey, who warns about the continuing popularity of adversary-in-the-middle (AiTM) phishing scams that can bypass multi-factor authentication (MFA).

A typical AiTM attack lures its victims with a phishing email or message that contains a link to a fake login page. This page is a perfect replica of a legitimate site (for example, SSO, webmail or banking portals). The hacker then acts as an intermediary between the user and a real site, harvesting the victim’s log-in information along the way.

The entire attack is easily carried out by even non-technical criminals using sophisticated phishing kits freely available on phishing-as-a-service (PhaaS) platforms. Aaron has seen recent research on a new wave of advanced phishing kits in the wild (BlackForce, GhostFrame, InboxPrime AI and Spiderman).

These kits are built to bypass traditional MFA and minimise detection, increasing the chances of a successful account takeover even when MFA is enabled. Hackers are also increasingly delivering the links via HTML attachments, QR codes embedded in PDFs or malicious SVG files, so that they slip past email filters. The phishing emails themselves look particularly convincing, as many are now written with some form of AI.

Threat actors are increasingly exploiting weak links in the supply chain, using a compromised supplier's already-reputable marketing platform to distribute emails carrying adversary-in-the-middle (AiTM) payloads to that supplier's business contacts.

A recent trend involves customised URLs that pre-populate the victim’s Microsoft 365 username, enhancing the credibility of the phishing page. In addition, attackers are incorporating authentic company branding into these emails.

Our security team investigated one case where 30 users received unique messages with varied subject lines, ranging from contract reviews to holiday schedules, designed to maximise the chance of timely relevance. It’s a numbers game where one well-timed email, such as during a new hire’s onboarding, can significantly increase the likelihood of compromise.

How to protect against MFA interception:

  • Use advanced authentication methods. While MFA is still a major line of defence, it’s important to acknowledge it’s not bulletproof. Our experts advise using additional authentication methods, such as hardware tokens like FIDO2 or biometric data.
  • Train your staff. Ensure that all employees are trained to recognise phishing emails. This includes basic checks, such as inspecting the URL in an email message or knowing how to verify the authenticity of a login page.
  • Choose multilayered email security. Advanced filtering tools go beyond basic spam filtering and use AI, sandboxing and real-time URL analysis to detect sophisticated threats.
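As an added example (not from the newsletter or its authors), this simplified Python model of a FIDO2/WebAuthn login shows why the first tip works: the browser writes the page's origin into the client data that the authenticator signs, so an assertion produced on a proxy's lookalike domain fails the genuine site's check even though the user completed the prompt. The origins, the challenge handling and the HMAC standing in for the authenticator's private-key signature are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed values: the genuine site, an AiTM proxy domain, and an HMAC key
# standing in for the security key's private key (assumption; real
# authenticators use asymmetric keys, but the origin binding is the same).
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example-sso.net"
AUTHENTICATOR_KEY = secrets.token_bytes(32)


def rp_id_hash(origin: str) -> bytes:
    # RP ID is the host part of the origin; WebAuthn hashes it into authenticatorData.
    return hashlib.sha256(origin.split("://", 1)[1].encode()).digest()


def authenticator_sign(origin: str, challenge: str) -> dict:
    """Browser fills clientDataJSON (the user cannot alter the origin);
    authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    authenticator_data = rp_id_hash(origin) + b"\x01"  # flags: user present
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": authenticator_data, "signature": sig}


def relying_party_verify(assertion: dict, expected_challenge: str) -> bool:
    """Checks the genuine site performs. Origin and challenge come from the
    signed clientDataJSON, so a proxy cannot rewrite them after the fact."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != expected_challenge:
        return False  # stale or replayed assertion
    if client_data.get("origin") != RP_ORIGIN:
        return False  # signed on another site, e.g. an AiTM proxy
    if assertion["authenticatorData"][:32] != rp_id_hash(RP_ORIGIN):
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def login_attempt(origin_seen_by_browser: str) -> bool:
    """One login: the genuine site issues a challenge (a proxy relays it
    unchanged), the victim's browser signs it with whatever origin it is on."""
    challenge = secrets.token_urlsafe(32)
    return relying_party_verify(authenticator_sign(origin_seen_by_browser, challenge), challenge)
```

Contrast this with a one-time code, which carries no origin and so verifies just as well when relayed through the proxy.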

For more details on adversary-in-the-middle (AiTM), also known as man-in-the-middle (MitM) attacks, read our blog.

Cyber Security Irony Award 2025? Password company using poor passwords fined £1.2m by ICO

Password manager provider LastPass UK Ltd has been hit with a £1.2m fine by the UK Information Commissioner’s Office. The penalty is for a 2022 data breach which exposed the credentials of up to 1.6 million UK customers. We had a detailed analysis of the fallout from that incident on our blog.

The ICO stated, “We found that LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database.”

Personal information that was stolen includes names, emails, phone numbers and stored website addresses.

Significantly, LastPass’ use of a ‘zero-knowledge’ encryption system meant that the hackers may not have been able to decrypt customer passwords. However, as Intersys’ MD Matthew Geyman noted soon after the incident, the hack would still leave LastPass customers open to risk of future attacks, including targeted phishing campaigns due to the stolen data.

The ICO shared details of how a hacker gained access to the laptops of two employees, added malware and captured an employee’s master password in separate incidents. The hacker was thus able to breach LastPass’ backup database and steal customer information. In a shocking find, the ICO revealed that the hacker was able to access the employee’s personal and business LastPass vaults, both of which used the same master password (an elementary security fail for an employee of a password manager provider).

Password manager hygiene tips from Jake Ives, Head of Security

  • Your password vault is only as secure as your master password, so ensure that the latter is strong, unique, and not reused anywhere else.
  • Always use your password manager to generate passwords for every account you create. Each site should have a unique, random password, regardless of its complexity or whether you think you can remember it, because the password manager is designed to handle that for you.
  • Be mindful of how you use the password manager. While it is safe to populate the username and password fields, the notes section may not always offer the same level of protection, so avoid storing highly sensitive information there.
  • Choose a provider that provides auditing capabilities, including tracking changes to the vault and logging account access events, to maintain visibility and security.
  • Finally, take the time to review the options available to you carefully. Avoid choosing the cheapest solution or an obscure provider, as this can result in a product that appears secure but lacks the necessary protections. Consider reputable solutions such as Keeper (our preferred partner), 1Password, and Dashlane, and for more technically inclined users who want to self-host their instance or tinker with more advanced options, Bitwarden is a good option too.

Is your AI agent a security threat?

With 75% of knowledge workers using AI in the workplace, the technology promises to transform business efficiency and productivity. It also has the potential to create huge cyber security risks.

Microsoft Copilot Studio is a prime example of no-code AI technology, which is freely available to even non-technical users. Employees can build powerful AI agents to help streamline business workflows, chat with customers and integrate with other business processes. But, if used without the proper guardrails, these AI agents can expose sensitive corporate data at a scale previously unheard of.

Security researchers at Tenable recently experimented with Copilot Studio and were able to use prompt injection to bypass security controls and trick the AI agents into sharing credit card information and even booking a free holiday.

The researchers revealed the level of deep access an AI agent can have within an organisation. They also emphasised the importance of securing Copilot Studio with the following tips:

  • Comprehensively record all AI agent-enabled tools to know which database or systems the agent can interact with.
  • Assess the sensitivity of data in the database and limit unnecessary exposure to AI agents. Roll out permissions based on the objective of the agent.
  • Restrict ‘write and update’ functions to only what is necessary for core use cases and minimise access to particular fields or values.
  • Regularly examine user prompts and requests which trigger agent actions, particularly ones that dynamically alter the agent’s behaviour or access to data.
  • Scrutinise agent actions for any signs of data leakage or departure from its original intended functionality.

Our recent blog describes how a managed intelligence provider can help set up the right governance and security guardrails for safely deploying AI within your organisation. This video by Jake highlights some risks of ChatGPT’s new Atlas Browser.

UK sanctions put Russian hosting services out in the cold

The UK government, along with its US and Australian counterparts, has slapped coordinated sanctions on the Russian cyber crime group Media Land. The group is accused of enabling cyber attacks on Western businesses, including UK-based companies.

Media Land operates a so-called ‘bulletproof’ hosting service which supplies the online infrastructure that allows cyber criminals to carry out a range of attacks using malware, phishing and ransomware.

The sanctions are also aimed at Media Land’s linchpin Alexander Volosovik, AKA Yalishanda, a notorious cyber criminal who has worked closely with other Russian cyber crime syndicates such as the un-ironically named Evil Corp, LockBit and Black Basta.

The same sanctions also targeted another Russian business Aeza Group LLC, which is believed to have supported the work of the Social Design Agency – a Russian disinformation organisation. The latter was sanctioned by the UK in 2024 for trying to destabilise Ukraine and undermine global democracies.

Russia has emerged as one of the world’s most prolific cyber actors targeting critical infrastructure, public services and private organisations with impunity. Last year, the UK and its allies uncovered evidence of Russian military units carrying out cyber attacks for the first time. The NCSC has highlighted Russia as one of several hostile nation-state actors targeting the UK.

British businesses are estimated to have lost £14.7bn to cyber attacks in 2024.

Other vulnerabilities

  • Apple Multiple Products Use-After-Free WebKit Vulnerability
  • Google Chromium Out of Bounds Memory Access Vulnerability
  • Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability
  • Microsoft Windows Use After Free Vulnerability
