Auth0 announces advancements to its Embedded Login offering, enabling developers to integrate authentication flows directly within native, web, and agentic applications. Key additions include Generally Available Passkey APIs for in-app passwordless authentication, a new My Account API for self-service management of MFA, passkeys, and passwords, DPoP token binding support, configurable Level of Assurance policies, Application Access Permissions, expanded MFA grant support, and Multi-Resource Refresh Token (MRRT) support. These features aim to reduce custom identity code, lower security implementation overhead, and improve user conversion by eliminating redirect-based authentication friction at critical moments like checkout or AI agent interactions.
Source: https://auth0.com/blog/embedded-login-advancements. 8sync News only summarizes and links; content copyright belongs to the author and the original source.
Vercel Flags now authenticate automatically through short-lived OIDC tokens, with no SDK Keys or FLAGS environment variables needed for deployments on Vercel. `vercel link` and `vercel env pull` are all that local development requires, while older projects keep the SDK Keys requirement for special cases.
Developers should read this article to understand how to streamline feature flag management in the latest Vercel projects, reduce the security risk of handling SDK Keys, and explore the automated approach to development and deployment.
LastPass confirmed that customer data in its Salesforce environment was accessed following the supply chain attack against Klue on June 12. The Icarus extortion group broke into Klue's infrastructure using an old credential and stole the OAuth tokens connecting Klue to customers' Salesforce instances. The exposed data includes names, phone numbers, email addresses, physical addresses, support information and CRM data. LastPass said its core products, services and customer data vaults were not affected.
Developers should read this article to understand how a supply chain attack works, so they can strengthen the security of their own applications and systems, especially when relying on cloud services such as Salesforce.
Modern phishing attacks have evolved far beyond misspelled domains and fake login pages. Attackers now use ClickFix (tricking users into running malicious terminal commands via fake CAPTCHAs), Browser-in-the-Browser (BitB) attacks that render convincing fake browser windows inside real pages, OAuth consent phishing (ConsentFix) that steals authorization codes without ever asking for a password, device code phishing that abuses legitimate OAuth flows to authorize attacker devices, and fake video conference overlays that prompt malware downloads under the guise of driver updates. Each technique systematically eliminates traditional red flags, weaponizing users' own habits and trusted infrastructure against them. Huntress SAT offers simulated scenarios replicating these exact tactics to build behavioral muscle memory before users encounter the real thing.
A deep technical investigation into ldapnomnom, a tool that claims to generate no Windows audit logs while brute-forcing Active Directory usernames via LDAP Ping (cLDAP). Source code analysis reveals the tool actually uses TCP (not UDP), making it detectable via Event 5156 from the Windows Filtering Platform. The post explains why Event 1644 structurally cannot log LDAP Ping traffic (it bypasses the LDAP engine entirely, routing to netlogon.dll instead), while netlogon.log with debug logging captures every queried username. A key defender advantage: netlogon.log distinguishes disabled accounts from nonexistent ones, while attackers see identical responses for both. True UDP cLDAP (demonstrated with a custom cldap_ping.py) does evade Event 5156 but still appears in netlogon.log without source IP attribution. Microsoft Defender for Identity (MDI external ID 2437) can detect both TCP and UDP variants via packet capture but is threshold-based and bypassable with throttling. The recommended detection approach correlates netlogon.log usernames with Event 5156 source IPs using a 5-second timestamp window.
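The correlation the post recommends, as an added example that is not part of the original post or the ldapnomnom project: usernames from constructed netlogon.log-style lines are matched to Event 5156 source IPs within a 5-second window, and an entry with no match is what a UDP cLDAP ping leaves behind. The line layout, field names and sample values are assumptions, so LINE_RE must be adapted to the real log format.

```python
"""Correlate netlogon.log LDAP-ping usernames with Event 5156 source IPs.
Constructed sample data; the line layout is an assumed simplification."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (netlogon.log carries no year; supplied at parse time).
NETLOGON_LINES = [
    "06/12 10:00:01 [LDAP-PING] user=alice.w",
    "06/12 10:00:02 [LDAP-PING] user=bob.k",
    "06/12 10:00:40 [LDAP-PING] user=svc-backup",
    "06/12 10:05:00 [LDAP-PING] user=carol.m",
]
# Constructed Event 5156 records, reduced to the three fields the check needs.
EVENT_5156 = [
    {"time": "2026-06-12 10:00:00", "src_ip": "10.20.30.40", "dst_port": 389},
    {"time": "2026-06-12 10:00:03", "src_ip": "10.20.30.40", "dst_port": 389},
    {"time": "2026-06-12 10:00:41", "src_ip": "10.9.9.9", "dst_port": 389},
]
LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[LDAP-PING\] user=(\S+)")

def parse_netlogon(lines, year):
    """Return (timestamp, username) pairs for LDAP-ping lines; skip the rest."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d %H:%M:%S")
            out.append((ts, m.group(2)))
    return out

def correlate(lines, events, year, window_s=5, ldap_port=389):
    """Map each queried username to Event 5156 source IPs seen within window_s.
    An empty list means no TCP connection near the query: the UDP cLDAP case."""
    window = timedelta(seconds=window_s)
    evts = [(datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S"), e["src_ip"])
            for e in events if e["dst_port"] == ldap_port]
    result = {}
    for ts, user in parse_netlogon(lines, year):
        hits = {ip for ets, ip in evts if abs(ets - ts) <= window}
        result.setdefault(user, set()).update(hits)
    return {user: sorted(ips) for user, ips in result.items()}

def flag_enumerators(correlated, min_users=2):
    """Return source IPs tied to at least min_users distinct queried usernames."""
    per_ip = defaultdict(set)
    for user, ips in correlated.items():
        for ip in ips:
            per_ip[ip].add(user)
    return sorted(ip for ip, users in per_ip.items() if len(users) >= min_users)
```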
Huntress discloses it was among multiple victims of a supply chain attack targeting Klue, a market intelligence platform. The threat actor, dubbed Icarus, compromised Klue's backend systems on June 11, 2026, injecting code to steal OAuth tokens used by Klue's customers to connect their CRM tools. This allowed the attacker to directly query and exfiltrate Salesforce data from Huntress and other companies including Recorded Future, Tanium, and Jamf. The stolen Huntress data includes business contact info, pricing, subscription details, and sales communications — no product telemetry, passwords, or payment data was affected. Huntress shares IOCs (IP addresses, User-Agent strings), threat actor attribution details linking to the Icarus extortion group, and five recommended investigation steps for other potentially impacted organizations. The post is being updated in real time as the situation evolves, with a secondary unauthorized party also claiming access to breach data as of June 24.
Device code phishing abuses Microsoft's OAuth 2.0 device authorization grant flow, allowing attackers to generate device codes and trick users into authorizing them on legitimate Microsoft login pages. This bypasses MFA by stealing valid OAuth tokens directly. The attack has surged recently, with campaigns like Storm-2372 targeting governments and NGOs, and phishing-as-a-service platforms like EvilTokens and Kali365 now offering it as a commodity service. Key mitigations include enabling Microsoft Entra Conditional Access policies to block device code flow, monitoring new device registrations in Entra, watching for suspicious token exchanges in logs, and disabling device code flow where operationally feasible. Notably, around 25% of organizations that have paid for Conditional Access have not yet configured it, leaving a significant gap.
Market research company Klue, breached on June 12, is communicating with the hacking group Icarus and believes they are deleting stolen customer data. However, a second unnamed hacker group has emerged, claiming to have obtained Klue's customer data from Icarus and threatening to leak it unless a ransom is paid. The second group alleges 195 affected Klue customers and claims Klue paid Icarus. Klue advises customers contacted by this second group to demand a data sample as proof before taking any action. The original breach involved a 2022 third-party credential that was never revoked, which attackers used to steal OAuth tokens and access customer clouds and databases. Affected companies include Gong, Jamf, HackerOne, Huntress, LastPass, Snyk, and others.

Identity Security Posture Management (ISPM) continuously assesses and hardens Microsoft 365 identity environments by evaluating configurations, permissions, and policies against a security baseline. Unlike one-time audits or visibility-only tools, ISPM addresses 'drift' — the gradual degradation of security posture as users, roles, and Microsoft defaults change over time. Huntress data shows over 60% of evaluated tenants were missing more than half of recommended controls, and 55% allowed standard users to perform admin-level functions. Key risks include weak MFA, overprivileged accounts, and stale permissions that enable account takeover and BEC attacks. Microsoft data shows attackers can move laterally within 48 minutes of initial intrusion, making daily scan cycles insufficient. Huntress Managed ISPM addresses this by deploying and enforcing controls continuously, detecting drift within minutes of a change, and offering a Learning Mode to preview user impact before policy rollout.