YouTube warns of AI-generated video of its CEO used in phishing attacks - Related to video, used, microsoft, apps, risk

Microsoft 365 apps will prompt users to back up files in OneDrive

Starting mid-March 2025, Microsoft will start prompting customers of its Microsoft 365 apps for Windows to back up their files to OneDrive.

These prompts will be displayed in Word, Excel, and PowerPoint, encouraging clients to enroll in OneDrive Known Folder Move (KFM).

As the enterprise explains in a new Microsoft 365 Message Center entry, they'll first roll out in public preview until early April 2025 and will be made generally available worldwide by early May 2025.

"If your organization still has customers who are not enrolled in KFM, the message ("BACK UP THIS DOCUMENT: Share and work with others in this and other files using OneDrive") will encourage them to do it while using familiar desktop apps," Microsoft revealed.

"After customers select the Open OneDrive button, they can select the folders they want to back up in OneDrive."

OneDrive backup prompts in Microsoft 365 (Microsoft).

​Microsoft says these OneDrive backup prompts will not be displayed for customers whose organizations have blocked OneDrive KFM.

The organization added that the rollout will start automatically and advises admins to notify people of this change. Those who don't want their people to see these alerts can block KFM to ensure the rollout doesn't reach their endpoints.

This is part of a broader effort to increase the number of Microsoft clients using the business's OneDrive personal cloud storage service.

For instance, last week, Microsoft also started testing ad-supported versions of its Office desktop apps that allow Windows customers to create and edit documents.

However, these ad-supported Word, Excel, and PowerPoint apps also have limited functions, including only allowing customers to save their documents to OneDrive.

When asked to provide more details, a Microsoft spokesperson told BleepingComputer that the firm "has been conducting some limited testing," and, currently, has no plans to launch an ad-supported version of Microsoft Office.

Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud serv......

Google has introduced the rollout of artificial intelligence (AI)-powered scam detection functions to secure Android device people and their personal inf......

Der IT-Security-Fachmann Tim Philipp Schäfers hat beim Bundesamt für Migration und Flüchtlinge (BAMF) eine schwerwiegende Sicherheitslücke entdeckt, d......

YouTube warns of AI-generated video of its CEO used in phishing attacks

YouTube warns that scammers are using an AI-generated video featuring the enterprise's CEO in phishing attacks to steal creators' credentials.

The attackers are sharing it as a private video with targeted consumers via emails claiming YouTube is changing its monetization policy.

"We're aware that phishers have been sharing private videos to send false videos, including an AI generated video of YouTube’s CEO Neal Mohan announcing changes in monetization," the online video sharing platform warned in a pinned post on its official community website.

"YouTube and its employees will never attempt to contact you or share information through a private video. If a video is shared privately with you claiming to be from YouTube, the video is a phishing scam."

Ironically, the phishing emails also warn that YouTube will never share information or contact customers via private videos, prompting the recipients to findings the channel sending the emails if they look suspicious.

Phishing landing page (BleepingComputer).

The scammers also create a sense of urgency by threatening that their accounts will be restricted for seven days if they fail to confirm compliance with the new rules (these restrictions would allegedly include uploading new videos, editing old videos, receiving monetization, and receiving earned monetization funds).

After entering their credentials, creators are told their "channel is now pending" and to "open the document in the video description for all the necessary information" (even when entering a random email and password).

YouTube consumers have been receiving such emails since late January while the YouTube team says it began investigating this campaign in mid-February.

"Many phishers actively target Creators by trying to find ways to impersonate YouTube by exploiting in-platform attributes to link to malicious content," the firm added. "Please always be aware and make sure not to open untrusted links or files!"

However, many creators have already fallen victim to these attacks, reporting that the scammers hijacked their channels and used them to broadcast live cryptocurrency scam streams.

YouTube provides tips on avoiding and reporting phishing emails in its help center and more details on similar phishing campaigns.

Since August 2024, YouTube has also provided a new support assistant to help people recover and secure hacked YouTube accounts after getting hacked.

A cross-site scripting (XSS) vulnerability in a virtual tour framework has been weaponized by malicious actors to inject malicious scripts across hund......

The [website] Department of Justice (DoJ) has revealed charges against 12 Chinese nationals for their alleged participation in a wide-ranging scheme desig......

Der IT-Security-Fachmann Tim Philipp Schäfers hat beim Bundesamt für Migration und Flüchtlinge (BAMF) eine schwerwiegende Sicherheitslücke entdeckt, d......

When you shouldn’t patch: Managing your risk factors

So imagine my surprise when attending Qualys QSC24 in San Diego to hear a number of conference speakers say that patching shouldn’t be an automatic reaction. In fact, they say, there are times when it is enhanced not to patch at all.

No, you don’t need to fix everything, says Dilip Bachwani, Chief Technology Officer with Qualys.

“It’s not practical,” Bachwani adds. “Even if there is a vulnerability, it may not apply in your environment.” It could be an application that isn’t an internet-facing asset or something secured through other controls.

The knee-jerk reaction when a new patch is released is to get it installed as quickly as possible to prevent a vulnerability from turning into a cyber incident. However, Bachwani and his Qualys colleagues stress that security teams need to take a step back and evaluate their organization’s risk threshold.

What that evaluation will first discover is a lot of vulnerabilities across their infrastructure. A study by Coalition expects the total number of common vulnerabilities and exposures (CVEs) to increase by 25% in 2024 to 34,888 vulnerabilities, or nearly 3,000 per month.

“New vulnerabilities are ,” Tiago Henriques, Coalition’s Head of Research, says. “Most organizations are experiencing alert fatigue and confusion about what to patch first to limit their overall exposure and risk.”.

With the steady increase in the number of CVEs, it is easy to think that every vulnerability is critical — and if every vulnerability is given an equal risk value, patching becomes overwhelming. The researchers at Qualys recommend prioritizing the risk involved with each vulnerability so that you can determine what should be patched first and what might not need to be patched at all.

How to prioritize your organization’s vulnerabilities.

To prioritize vulnerabilities, it requires knowing all of your assets across the organization and identifying and monitoring the attack surface. However, Qualys research found that only 9% of companies are actively monitoring 100% of their attack surface. Shadow IT, third-party vendors and risks, a digital transformation made too quickly and without an assessment of technologies and assets added and not recognizing emerging threat vectors are just some of the reasons why organizations are unable to properly monitor their attack surface.

Deploying an attack surface management program will identify what technologies are attached to your network and where and what assets need protection. The critical requirements of an attack surface management program are:

Dynamic cybersecurity needs with rapid identification.

Unauthorized software tracking in real-time.

The more familiar you become with the systems accessing your network, the easier it will be to know your corporate assets and prioritize their importance. When levels of risk tolerance are assigned to these assets, it will then be easier to prioritize critical and non-critical vulnerabilities to be patched or, in some cases, not patched.

Patching protocols should be unique to your organization, based on your internal measures of mission-critical and risk tolerance. Whereas one organization may decide that the most critical vulnerabilities must be patched immediately, another may find that seven days is the ultimate time frame to reduce risk for the most critical assets. Patch management programs will tier their assets, beginning with the most critical and can’t afford downtime if something goes wrong and down through secondary tiers with longer wait times.

But there are times when it is smart to slow down or even eliminate the patching process. They include:

An crucial and time-sensitive project is in progress and requires uninterrupted computer time.

Reports of bugs in the patch or it creates compatibility problems with the application in a testing sample.

The vulnerable software is limited in scope within the organization and can be isolated.

Other mitigating controls can be put in place.

The application never uses the functions with the known vulnerability.

The costs of patching outweigh the benefits. If the code is outdated and needs to be rewritten, for example, then it doesn’t make sense to take the time and expense to apply the patch.

With the increase of CVEs and the always looming threat of a cyber incident, many organizations are looking at how to maximize their cybersecurity insurance. With the strict rules and audits in place to be eligible for cybersecurity insurance, is taking an approach to only patch when it is truly necessary going to downgrade your organization with insurance companies?

Bachwani says no. “I actually think a solution like this will enable cyber insurers to be more effective.”.

The way the insurance marketplace works today is that it is less focused on the business’s internal data and more on the organization’s overall cybersecurity posture.

“If I’m able to clearly demonstrate that we internally have really good hygiene, my insurance should be lower,” says Bachwani.

In the end, the decision on whether or not to patch will come down to one singular issue: What is the value to the business by patching or not patching? And that is determined by the organization’s risk tolerance. Recognizing the consequences of downtime or a cyber incident will help prioritize critical vulnerabilities that require time and resources to patch. But also being willing to accept that you can’t patch everything will give your team the space to focus on bigger risk threats.

Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero......

The US Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that h......

Cybersecurity researchers have discovered an updated version of an Android malware called TgToxic (aka ToxicPanda), indicating that the threat actors ......