Huntress

Computer and Network Security

Columbia, Maryland · 140,911 followers

Managed #cybersecurity without the complexity. EDR, ITDR, SIEM & SAT crafted for under-resourced IT and Security teams.

About us

Protect Your Endpoints, Identities, Logs, and Employees. The fully managed security platform that combines endpoint detection and response, Microsoft 365 identity protection, a predictably affordable SIEM and science-based security awareness training. Powered by custom-built enterprise technology for mid-market enterprises, small businesses, and the MSPs that support them, and delivered by unrivaled industry analysts in our 24/7 Security Operations Center. By delivering a suite of purpose-built solutions that meet budget, security, and peace-of-mind requirements, Huntress is how the globe’s most under-resourced businesses defend against today’s cyberthreats. As long as hackers keep hacking, we keep hunting.

Industry
Computer and Network Security
Company size
501-1,000 employees
Headquarters
Columbia, Maryland
Type
Privately Held
Founded
2015
Specialties
Cyber Breach Detection, Incident Response, Endpoint Protection, Malware Analysis, and Managed Services


Updates

  • One of our EMEA cybersecurity advisors, Muhammad Yahya P., got a vishing call yesterday. He gave them a fake name and let it roll. The scammer claimed to be from HMRC (the UK tax office). Said someone was using Mo's National Insurance number in Birmingham...an urgency play and identity threat lure. Mo gave the name "Guatemala Patel" and started asking questions. The scammer hung up. This call wasn't sophisticated. There was no deepfake voice or spoofed email. Just someone trying to get you to panic and react. Scammers know that identity is a high-value target and they're counting on you not knowing what to do when someone official-sounding calls. If you get a call like this, slow down and ask questions. If anything feels off, tell them you'll call back on the number listed on their official website.

  • Your kid's online activity is someone's attack plan. Here's what parents can actually do about it: Their games, apps, and social feeds are all fodder for attackers. They collect it, connect the dots, and use that info against you. Their class. Their teacher. Their grade. All details that make for a convincing phishing email. Of course you'd click. But here's what you can do:

    - Talk to your kids about what's out there. An open conversation goes a long way.
    - Turn off DMs on their gaming accounts. Roblox lets you do it in settings.
    - Freeze their credit. Hackers can use a kid's identity for years and most families don't find out until they turn 18.

    Catch the full episode where Caitlin Sarian details how this works in practice and what else you can do to make your family a harder target. Watch here: https://okt.to/FL8uKE

  • There's a phishing campaign making the rounds right now. Here's what makes it different: The emails aren't coming from sketchy domains. They're coming from real companies whose SendGrid accounts were already compromised. Borrowed sender reputation. Legit infrastructure. Lands right in your inbox. The emails vary, but the lure is simple: log in to SendGrid to "fix an issue." This isn't spray-and-pray. Victims tend to be employees who actually use SendGrid at work. The goal? Compromise more SendGrid accounts. Some of the links redirect to dns-settingsendgrid[.]com and sendgrid-export[.]com, both of which were hosted on Cloudflare but are currently down. This campaign started roughly a week ago and appears much broader than a similar wave four months back. Keep your eyes peeled for emails that pretend to be from SendGrid. Here are a few examples of what they look like.

  • Detection isn't enough anymore. Your EDR fired but the attacker already moved. Here's what that looks like in practice: An infostealer runs on one of your endpoints and now your credentials are gone. Your team scrambles to figure out which accounts were logged in and which identities are at risk. Meanwhile, the attacker is already using what they took. That lag between compromise and response is where the damage happens. Huntress EDR and ITDR close that gap automatically. The moment EDR detects an attack, it correlates the compromised machine to the M365 identities active on it. Sessions are revoked and accounts are disabled. When it comes to business email compromise and account takeover, seconds matter. Get the full breakdown: https://okt.to/6EZiHe

  • During Early Access, we ran ISPM across hundreds of Microsoft 365 environments. What we found wasn't surprising...but it was bad. 66% of orgs didn't have recommended MFA configurations. 59% were missing key restrictions on admin accounts. 55% had standard users who could perform admin functions. 25% were missing basic password management policies. When identity posture is this weak, threat actors don't need a sophisticated attack. They just jiggle handles until they find an open door. On June 16, we're walking through what Early Access taught us, which misconfigurations matter most, and how lean teams can close identity gaps before attackers find them. Save your spot: https://lnkd.in/gPnhZShD

  • One Instagram post with a flight ticket stub is all it took to hack Australia's Prime Minister. Alex Hope wasn't a professional hacker. He saw a baggage receipt in a photo on Tony Abbott's Instagram that had a booking reference number. Qantas only needs a booking reference and a last name to log in. So he did. Not much to see at first besides some frequent flyer mile numbers. But then, he right-clicked the page and opened the source code... Passport details. Phone numbers. Staff comments. All sitting in the HTML of a major airline's website. Alex spent the next six months figuring out how to report it without getting arrested. If a zero-day isn't needed to pull this off, think about what your team is posting publicly.

  • An NTLM leak in the Windows Snipping Tool got some attention in April with a patch for CVE-2026-33829. Then a technically similar one showed up in another URI handler with no CVE and no fix. A single link click using the Windows search: URI handler can leak a victim’s Net-NTLMv2 hash to an attacker-controlled server before the error is thrown. The clearest defensive move here? Block outbound SMB on hosts that don’t need it. If your patching strategy depends on CVEs as the signal, this kind of gap can turn into an unwanted interruption fast. Principal Detection Engineer Andrew Schwartz breaks it down: https://okt.to/gDtmqT
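    A defender's version of the "block outbound SMB" advice in the post above, added here as an example; it is not code from the Huntress post or from the linked write-up. It assumes a Windows host with the built-in NetSecurity module (Windows 8 / Server 2012 or later) and an elevated PowerShell session; the rule name and the `$ScopeToInternetOnly` switch are choices made for this example. It first lists the outbound SMB connections the host currently holds and flags any that leave private address space, so you can judge whether the host actually needs SMB beyond the LAN, then adds the block rule and verifies its port filter.

```powershell
# Added example (not from the Huntress post): audit, then block, outbound SMB (TCP 445)
# on a host that should not be speaking SMB to the internet. Run from an elevated session.
# $RuleName and $ScopeToInternetOnly are assumptions chosen for this example.

$RuleName            = 'Block outbound SMB (TCP 445)'
$ScopeToInternetOnly = $false   # $true keeps SMB to internal file servers working

# RFC 1918, loopback and link-local ranges; an established SMB session to anything
# else is exactly the kind of connection a coerced UNC path would produce.
$PrivateRanges = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|169\.254\.)'

# 1. Audit: which processes hold outbound SMB connections right now, and to where?
$smb = Get-NetTCPConnection -RemotePort 445 -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            RemoteAddress = $_.RemoteAddress
            External      = ($_.RemoteAddress -notmatch $PrivateRanges)
            Process       = $proc.ProcessName
            PID           = $_.OwningProcess
        }
    }
$smb | Format-Table -AutoSize
if ($smb | Where-Object External) {
    Write-Warning 'Outbound SMB to non-private addresses is active on this host.'
}

# 2. Block: outbound TCP 445 on every firewall profile. With $ScopeToInternetOnly the
#    rule uses the firewall's built-in "Internet" address keyword, so LAN shares still work.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    $params = @{
        DisplayName = $RuleName
        Direction   = 'Outbound'
        Protocol    = 'TCP'
        RemotePort  = 445
        Action      = 'Block'
        Profile     = 'Any'
        Enabled     = 'True'
    }
    if ($ScopeToInternetOnly) { $params['RemoteAddress'] = 'Internet' }
    New-NetFirewallRule @params | Out-Null
}

# 3. Verify: the rule exists, is enabled, and carries the expected port filter.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$port = $rule | Get-NetFirewallPortFilter
'{0}: Enabled={1} Action={2} Protocol={3} RemotePort={4}' -f $rule.DisplayName, $rule.Enabled, $rule.Action, $port.Protocol, $port.RemotePort
```

    Two caveats for anyone applying this: a host-based rule only protects hosts that receive it, so push it by GPO or your RMM rather than by hand, and blocking port 445 stops NTLM coercion over SMB but not over HTTP/WebDAV, which needs its own controls (WebClient service, proxy policy).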

  • On Valentine's Day 2025, Storm-2372 used device code phishing to hijack Microsoft Entra device registration, steal Primary Refresh Tokens, and get persistence through Windows Hello for Business. In March 2026, the EvilTokens campaign automated the same attack at scale using Railway. No fake login page, no malicious link, just a legit OAuth flow doing exactly what it was designed to do. On June 9, Huntress researchers Jenko Hwong and Dave Kleinatland are breaking down the tradecraft: PRT hijacking, Windows Hello for Business persistence, QR code lures, smishing, BITM/MITM bypasses, and how attackers get around the 15-minute expiration window. Save your spot: https://okt.to/mgGPuM

