Blog, Press, Updates and More.


From Alerts to Hours: The Hidden Cost of Noise
Over 1 Million Alerts — What’s Behind That Number? Over the last 7 days, this environment generated 1,107,211 alerts. At first glance, that sounds like strong security coverage. But here’s the reality: More alerts don’t mean more protection — they often mean more noise. The real question is not how many alerts were generated, but: How many of these actually matter? Use Case: SMB to Public IP To understand how this pattern behaves across the environment, we zoomed into a speci
Andy Urlep
Apr 29, 3 min read


The Token is the Perimeter: Why OAuth is the New Frontier
The recent supply chain breach at Vercel highlights a critical blind spot: once an attacker hijacks a valid OAuth token, they don’t need to crack your password; they simply inherit your trust and walk right past your MFA. No password is needed, no MFA challenge is triggered, and no anomalous login event is created while the user is accepted. Once a session token is issued, access is governed by the token alone, completely detached from the factors that created it. This is what an OAu
Pranav Kalidas
Apr 28, 2 min read


Threat actors don't need your password or MFA to compromise your users
Cybersift is observing a modern type of phishing attack on Office 365 users which deviates from the typical fake login web page that we analysts are accustomed to seeing. The new phishing attack utilizes device registration to compromise the victim’s account, meaning that the threat actor does not need to steal your password to gain entry. But this modern phishing attack is smarter than you might think. Case Study We analyzed a phishing email which utilized a device
Emanuel Falzon
Apr 28, 3 min read


Deconstructing the Tor Exit Node Attack on Microsoft
Introduction As the digital backbone for millions of enterprises, Microsoft Office 365 has become the primary option for modern identity-based warfare. Today’s attackers don't just "log in"; they meticulously craft digital fingerprints to mirror legitimate employees, attempting to slip past automated defenses unnoticed. This analysis explores a high-severity incident where a corporate account was compromised through a combination of network anonymization and device metadata man
Nootan Ranga Nayak
Apr 28, 2 min read


Detection Through Deception: Where It Fits in a Modern SOC Strategy
The visibility problem we keep running into Most SIEM deployments follow a familiar pattern: collect logs, apply rules, generate alerts. That approach works, but it starts to break down in one area we regularly see during investigations - telling the difference between legitimate activity and attacker behavior when both look the same. Attackers are no longer relying on obviously malicious tools. They use valid credentials, built-in admin utilities, and approved access paths.
Stanislav Stoychev
Apr 28, 3 min read


Why SIEMs Need Strong Detection Engineering and How We Approach It at CyberSift
There is a recurring assumption in many environments: if the SIEM is properly configured, detection is “solved.” In reality, SIEMs don’t detect threats - they execute logic. And that logic is only as good as the assumptions behind it. What we consistently observe in real-world incidents is not a lack of SIEM coverage, but a lack of detection engineering discipline. At CyberSift, this is one of the core areas we continuously invest in: expanding, validating, and maintaining de
Stanislav Stoychev
Apr 28, 2 min read


Data Poisoning: The Risk of Corrupted AI Training
The most significant vulnerability in the age of Artificial Intelligence isn't necessarily a flaw in the code; it’s a flaw in the information. Because AI models are built on vast amounts of data, their reliability depends entirely on the integrity of that input. This has given rise to a calculated method of attack known as data poisoning, where adversaries subtly subvert an AI’s learning process to control its outcomes. Unlike a traditional hack, data poisoning doesn't requir
Timothe Toulain
Apr 28, 3 min read


What Happens If an Attacker Never Makes a Mistake?
The most dangerous attacks do not look like attacks We like to believe attacks are loud. Failed logins, SIEM alerts, and malware detections are what most analysts are trained to look for. But the most dangerous attackers generate none of that. There are no failed logins, no alerts, and no obvious anomalies. From the system’s perspective, everything is working exactly as expected. The broken assumption Most detection strategies rely on one core idea: malicious activity will lo
Andy Urlep
Mar 27, 3 min read


When the Run Dialog Becomes an Attack Vector
Recent research from Atos described a new variant of the ClickFix social engineering technique, where attackers trick users into executing malicious commands through the Windows Run dialog (Win + R). Instead of delivering traditional malware, attackers rely on user interaction with built-in Windows tools. Victims are instructed to copy and run commands that appear to resolve an issue - such as fixing a browser problem or completing a verification step. In reality, these comma
Stanislav Stoychev
Mar 27, 2 min read


Potentially Unwanted Software on Corporate Endpoints
During a recent proactive threat hunting exercise, we identified the presence of OneLaunch on a workstation within a monitored environment. While not classified as malware, OneLaunch falls into the category of Potentially Unwanted Programs (PUPs) - software that often arrives through bundled installers and can introduce unnecessary risk into corporate environments. At first glance, these applications may appear harmless. However, they frequently modify browser settings, intro
Stanislav Stoychev
Mar 27, 2 min read


FortiGate Edge Devices Targeted in Recent Intrusions
Recent research published by SentinelOne highlighted a series of intrusions targeting organizations through compromised FortiOS devices. Edge infrastructure has become an increasingly attractive target for attackers. Firewalls, VPN gateways, and other perimeter devices often sit directly exposed to the internet while maintaining deep visibility into internal networks. Compromise of these systems can provide attackers with a strategic foothold that extends far beyond a single
Stanislav Stoychev
Mar 27, 2 min read


When Legitimate RMM Tools Become an Attack Vector
Remote Monitoring and Management (RMM) tools are widely used by IT teams to support remote administration and system maintenance. Tools such as AnyDesk, TeamViewer, and ScreenConnect provide powerful capabilities for managing endpoints across distributed environments. However, these same capabilities have made RMM tools increasingly attractive to attackers. In many modern intrusions, threat actors deploy legitimate remote access tools after gaining an initial foothold. Becaus
Stanislav Stoychev
Mar 27, 2 min read


The Rise of Vibe Coding Risks
Welcome to the latest dispatch from the front lines of Vibe Coding. If you haven't heard, "vibe coding" is the 2026 trend where we stop wrestling with boring syntax and start "vibing" apps into existence using natural language. It’s fast, it’s magical, and if you aren't careful, it's a total security dumpster fire. Think of vibe coding like hiring a brilliant, caffeinated intern who works at 10,000 mph but has absolutely no concept of what a "lo
Joseph Ghaziri
Mar 27, 2 min read


The Dark Side of Autonomy: Who is Watching Your AI Agents?
We have officially entered the era of the Agentic Workforce. Companies are no longer just using AI to write emails; they are deploying AI "agents" to actually do things: manage databases, connect to APIs, and automate entire business workflows. The Agentic Workforce is a massive leap in productivity. But it’s also a massive security blind spot. The Problem: When Good AI Goes "Rogue" The very thing that makes an AI agent powerful is its agency - its ability to take a goal and
Timothe Toulain
Mar 27, 3 min read


How the Iran Conflict Reached Malta's Cyber Perimeter
As military campaigns and geopolitical tensions involving Iran escalate in early 2026, the conflict has rapidly expanded beyond physical battlefields into cyberspace. State-sponsored espionage, disruptive cyber operations, and hacktivist proxy attacks have surged, blurring the lines between national security and private-sector IT infrastructure. How does this affect Maltese companies and their cyber‑risk posture? We extracted some statistics across some of our clients r
SOC Analyst
Mar 17, 5 min read


The Threat Hunt Framework: Inside the CyberSift Architecture
Beyond the "Red Alert": How We Hunt Threats at CyberSift If you wait for a security alarm to go off, you’re already playing catch-up. In the world of cybersecurity, the most dangerous threats are the ones that don't make a sound. That’s why at CyberSift, we don't just "monitor" your systems. We hunt. What do we mean by "Threat Hunting"? Most security setups are like a burglar alarm: they only ring if someone breaks a window. Threat hunting is more like having a security team
Timothe Toulain
Mar 12, 2 min read


Your Biggest Risk Isn’t Compliance. It’s Fragmentation.
In our previous article, we explored why compliance alone does not constitute a security strategy. Regulatory alignment establishes structure, but structure does not automatically translate into operational protection. The next question is where the real vulnerability lies. For many RegTech and payment institutions, it is not insufficient controls – but disconnected ones. RegTech and payment infrastructures are API-driven, cloud-dependent and transaction-intensive. They con
CyberSift
Feb 18, 3 min read


Compliance Is Not a Security Strategy
A Reality Check for EU RegTech & Payment Companies The European financial ecosystem - especially RegTech providers and payment institutions - lives under constant regulatory scrutiny. Between PSD2, DORA, NIS2 Directive, GDPR and PCI DSS, security is rarely ignored. Controls are mapped. Documentation is structured. Audit trails are maintained. Reports are submitted. On paper, everything looks robust. But here is the uncomfortable truth: Passing regulation does not mean you are
CyberSift
Feb 17, 2 min read


The Hidden Costs of Cyber Blind Spots
David Vassallo, CTO, CyberSift. August 2025. According to IBM’s 2024 Cost of a Data Breach Report, the average cost of a data breach reached a record US$4.88 million – up from US$4.45 million in 2023. Strikingly, around 95% of breaches stemmed from unknown or poorly managed digital assets, also known as shadow or unmanaged IT. The Missing Piece: Accurate IT Asset Inventory A modern security strategy begins with visibility. Risk.net’s analysis of the 2023 Citrix Bleed inciden
CyberSift
Sep 18, 2025, 5 min read


How to Optimise Incident Response and Streamline SOC Operations
Security Operations Centers (SOCs) are under severe pressure to defend organisations against evolving cyber threats. However, many SOC teams struggle with alert fatigue, slow response times, and fragmented security tools that make it challenging to manage incidents effectively. Traditional manual incident response processes are inefficient. They require analysts to examine massive amounts of security alerts, correlate data from multiple sources, and respond to threats manuall
CyberSift
Feb 28, 2025, 4 min read