Major Incidents or Breaches

  • Jaguar Land Rover has reportedly experienced a cyber incident resulting in significant financial impact, noted as setting an expensive new record. Details on the specific nature of the breach or attack are not provided.

Newly Discovered Vulnerabilities

  • Researchers have identified a vulnerability in OpenAI’s Atlas browser omnibox, where prompts can be disguised as URLs and are accepted as valid input. This allows for prompt injection/jailbreaks, potentially enabling malicious actors to bypass intended security controls.
  • Two low-impact vulnerabilities were disclosed to Meta in WhatsApp following a failed $1M exploit attempt at Pwn2Own. According to Meta, these vulnerabilities cannot be exploited for arbitrary code execution.

Notable Threat Actor Activity

  • A new phishing technique, ‘CoPhish’, leverages Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests. Attackers use legitimate Microsoft domains to increase the credibility of the phishing attempt and steal OAuth tokens, enabling potential account compromise.

Trends, Tools, or Tactics of Interest

  • The CoPhish attack demonstrates an emerging trend of abusing AI-powered platforms and trusted cloud infrastructure (i.e., Microsoft Copilot Studio) to facilitate phishing and credential theft via OAuth token harvesting.
  • The OpenAI Atlas vulnerability highlights ongoing concerns around prompt injection and the need for robust input validation in generative AI interfaces.

Regulatory or Policy Developments Affecting the Security Industry

  • No significant regulatory or policy developments reported in the reviewed headlines.