Blog
What we’re seeing. What it means. What comes next.
Because understanding is the first step to staying ahead.


Detection Through Deception: Where It Fits in a Modern SOC Strategy
The visibility problem we keep running into Most SIEM deployments follow a familiar pattern: collect logs, apply rules, generate alerts. That approach works, but it starts to break down in one area we regularly see during investigations - telling the difference between legitimate activity and attacker behavior when both look the same. Attackers are no longer relying on obviously malicious tools. They use valid credentials, built-in admin utilities, and approved access paths.


Why SIEMs Need Strong Detection Engineering and How We Approach It at CyberSift
There is a recurring assumption in many environments: if the SIEM is properly configured, detection is “solved.” In reality, SIEMs don’t detect threats - they execute logic. And that logic is only as good as the assumptions behind it. What we consistently observe in real-world incidents is not a lack of SIEM coverage, but a lack of detection engineering discipline. At CyberSift, this is one of the core areas we continuously invest in: expanding, validating, and maintaining de


When the Run Dialog Becomes an Attack Vector
Recent research from Atos described a new variant of the ClickFix social engineering technique, where attackers trick users into executing malicious commands through the Windows Run dialog (Win + R). Instead of delivering traditional malware, attackers rely on user interaction with built-in Windows tools. Victims are instructed to copy and run commands that appear to resolve an issue - such as fixing a browser problem or completing a verification step. In reality, these comma


Potentially Unwanted Software on Corporate Endpoints
During a recent proactive threat hunting exercise, we identified the presence of OneLaunch on a workstation within a monitored environment. While not classified as malware, OneLaunch falls into the category of Potentially Unwanted Programs (PUPs) - software that often arrives through bundled installers and can introduce unnecessary risk into corporate environments. At first glance, these applications may appear harmless. However, they frequently modify browser settings, intro


FortiGate Edge Devices Targeted in Recent Intrusions
Recent research published by SentinelOne highlighted a series of intrusions targeting organizations through compromised FortiOS devices. Edge infrastructure has become an increasingly attractive target for attackers. Firewalls, VPN gateways, and other perimeter devices often sit directly exposed to the internet while maintaining deep visibility into internal networks. Compromise of these systems can provide attackers with a strategic foothold that extends far beyond a single


From Alerts to Hours: The Hidden Cost of Noise
Over 1 Million Alerts — What’s Behind That Number? Over the last 7 days, this environment generated 1,107,211 alerts. At first glance, that sounds like strong security coverage. But here’s the reality: More alerts don’t mean more protection — they often mean more noise. The real question is not how many alerts were generated, but: How many of these actually matter? Use Case: SMB to Public IP To understand how this pattern behaves across the environment, we zoomed into a speci


Threat actors don't need your password or MFA to compromise your users
CyberSift is observing a modern type of phishing attack on Office 365 users which deviates from the typical fake login web page we analysts are typically accustomed to seeing. The new phishing attack utilizes device registration to compromise the victim’s account, meaning that the threat actor does not need to steal your password to gain entry. But this modern phishing attack is smarter than you might think. Case Study We analyzed a phishing email which utilized a device


Deconstructing the Tor Exit Node Attack on Microsoft
Introduction As the digital backbone for millions of enterprises, Microsoft Office 365 has become the primary option for modern identity-based warfare. Today’s attackers don't just "log in"; they meticulously craft digital fingerprints to mirror legitimate employees, attempting to slip past automated defense unnoticed. This analysis explores a high-severity incident where a corporate account was compromised through a combination of network anonymization and device metadata man


How to Optimise Incident Response and Streamline SOC Operations
Security Operations Centers (SOCs) are under severe pressure to defend organisations due to evolving cyber threats. However, many SOC teams struggle with alert fatigue, slow response times, and fragmented security tools that make it challenging to manage incidents effectively. Traditional manual incident response processes are inefficient. They require analysts to examine massive amounts of security alerts, correlate data from multiple sources, and respond to threats manuall


Your Biggest Risk Isn’t Compliance. It’s Fragmentation.
In our previous article, we explored why compliance alone does not constitute a security strategy. Regulatory alignment establishes structure, but structure does not automatically translate into operational protection. The next question is where the real vulnerability lies. For many RegTech and payment institutions, it is not insufficient controls – but disconnected ones. RegTech and payment infrastructures are API-driven, cloud-dependent and transaction-intensive. They con


Compliance Is Not a Security Strategy
A Reality Check for EU RegTech & Payment Companies The European financial ecosystem - especially RegTech providers and payment institutions - lives under constant regulatory scrutiny. Between PSD2, DORA, NIS2 Directive, GDPR and PCI DSS, security is rarely ignored. Controls are mapped. Documentation is structured. Audit trails are maintained. Reports are submitted. On paper, everything looks robust. But here is the uncomfortable truth: Passing regulation does not mean you are


The Token is the Perimeter: Why OAuth is the New Frontier
The recent supply chain breach at Vercel highlights a critical blind spot: once an attacker hijacks a valid OAuth token, they don’t need to crack your password, they simply inherit your trust and walk right past your MFA. No password is needed. No MFA challenge is triggered. No anomalous login event is created while the user is accepted. Once a session token is issued, access is governed by the token alone, completely detached from the factors that created it. This is what an OAu


Data Poisoning: The Risk of Corrupted AI Training
The most significant vulnerability in the age of Artificial Intelligence isn't necessarily a flaw in the code, it’s a flaw in the information. Because AI models are built on vast amounts of data, their reliability depends entirely on the integrity of that input. This has given rise to a calculated method of attack known as data poisoning, where adversaries subtly subvert an AI’s learning process to control its outcomes. Unlike a traditional hack, data poisoning doesn't requir


What Happens If an Attacker Never Makes a Mistake?
The most dangerous attacks do not look like attacks We like to believe attacks are loud. Failed logins, SIEM alerts, and malware detections are what most analysts are trained to look for. But the most dangerous attackers generate none of that. There are no failed logins, no alerts, and no obvious anomalies. From the system’s perspective, everything is working exactly as expected. The broken assumption Most detection strategies rely on one core idea: malicious activity will lo


The Rise of Vibe Coding Risks
The Rise of Vibe Coding Risks Welcome to the latest dispatch from the front lines of Vibe Coding . If you haven't heard, "vibe coding" is the 2026 trend where we stop wrestling with boring syntax and start "vibing" apps into existence using natural language. It’s fast, it’s magical, and if you aren't careful it's a total security dumpster fire. Think of vibe coding like hiring a brilliant, caffeinated intern who works at 10,000 mph but has absolutely no concept of what a "lo


The Dark Side of Autonomy: Who is Watching Your AI Agents?
We have officially entered the era of the Agentic Workforce. Companies are no longer just using AI to write emails; they are deploying AI "agents" to actually do things: manage databases, connect to APIs, and automate entire business workflows. Agentic Workforce is a massive leap in productivity. But it’s also a massive security blind spot. The Problem: When Good AI Goes "Rogue" The very thing that makes an AI agent powerful is its agency - its ability to take a goal and


The Hidden Costs of Cyber Blind Spots
David Vassallo, CTO, CyberSift August, 2025 According to IBM’s 2024 Cost of a Data Breach Report, the average cost of a data breach reached a record US$4.88 million – up from US$4.45 million in 2023. Strikingly, around 95% of breaches stemmed from unknown or poorly managed digital assets, also known as shadow or unmanaged IT. The Missing Piece: Accurate IT Asset Inventory A modern security strategy begins with visibility. Risk.net’s analysis of the 2023 Citrix Bleed inciden


