Management Consulting
Breach intelligence, attack campaigns, and threat reports targeting the Management Consulting sector.
Management Consulting Threat Reports
Salesforce Disables Klue App Integration Following OAuth Token Abuse Incident
In June 2026, Salesforce detected unauthorized access to customer data through the Klue Battlecards app integration. Threat actors exploited OAuth tokens associated with the app to gain access to sensitive information within Salesforce instances. Upon discovery, Salesforce promptly disabled the Klue app integration to prevent further data exposure and initiated a comprehensive investigation into the breach. This incident underscores the escalating threat posed by OAuth token abuse, a technique increasingly leveraged by cybercriminals to bypass traditional authentication mechanisms. Organizations must remain vigilant and implement robust security measures to safeguard against such sophisticated attacks.
6 days ago
Klue OAuth Breach 2026: A Wake-Up Call for Third-Party Integration Security
In June 2026, market intelligence platform Klue experienced a security breach where attackers, identified as the 'Icarus' group, exploited OAuth tokens to access and exfiltrate Salesforce CRM data from multiple organizations. The attackers infiltrated Klue's backend systems, deployed malicious code to harvest OAuth tokens, and utilized these tokens to query and extract sensitive data from connected Salesforce instances. This incident led to significant data theft and subsequent extortion attempts targeting the affected organizations. This breach underscores the critical vulnerabilities associated with third-party integrations and the exploitation of OAuth tokens. It highlights the necessity for organizations to implement stringent security measures, including regular audits of third-party applications, prompt revocation of compromised tokens, and continuous monitoring of API activities to detect and mitigate unauthorized access promptly.
1 week ago
UNC3753's 2026 Data Theft Campaign: A Blend of Vishing and Physical Intrusions
Between January and May 2026, the threat actor UNC3753, also known as Chatty Spider, Luna Moth, and Silent Ransom Group (SRG), targeted numerous U.S. organizations in the professional, legal, and financial sectors. Utilizing voice phishing (vishing) and social engineering tactics, they impersonated IT support to gain remote access via screen-sharing sessions and remote monitoring tools. In some cases, attackers physically infiltrated offices, posing as IT technicians to exfiltrate data using USB devices. Stolen information included proprietary legal agreements, personally identifiable information (PII), and financial records. The group rapidly demanded ransoms, threatening to publish the stolen data if payments were not made promptly. This incident underscores the evolving tactics of cybercriminals, combining traditional social engineering with physical intrusion methods. The rapid execution of these attacks, often completed within a single business day, highlights the need for organizations to enhance their security awareness training and implement robust verification processes for IT support interactions.
2 weeks ago
Silent Ransom Group Exploits Law Firms with Sophisticated Social Engineering Attacks
In early 2026, the Silent Ransom Group (SRG), also known as Luna Moth and Chatty Spider, targeted U.S. law firms and professional services organizations through sophisticated social engineering attacks. The group initiated contact via invoice-themed phishing emails, followed by phone calls impersonating corporate IT staff. They convinced employees to join remote support sessions, leading to the installation of remote monitoring tools like AnyDesk and Zoho Assist, granting attackers access to sensitive legal and financial documents. Data exfiltration was conducted using tools such as WinSCP and Rclone, with ransom demands issued within 30 minutes of the attackers' departure. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/silent-ransom-group-targets-law-firms-with-fake-it-support-calls/?utm_source=openai)) This incident underscores a concerning trend of cybercriminals employing direct social engineering tactics, including in-person impersonation, to infiltrate organizations. The rapid escalation from initial contact to data theft and extortion highlights the need for enhanced employee training and robust verification procedures to counter such evolving threats. ([techcrunch.com](https://techcrunch.com/2026/06/05/google-and-fbi-warn-of-ransomware-group-that-sends-fake-it-workers-to-hack-victims-in-person/?utm_source=openai))
2 weeks ago
CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV
In April 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-1708, a path traversal flaw in ConnectWise ScreenConnect, and CVE-2026-32202, a protection mechanism failure in Microsoft Windows Shell. CVE-2024-1708 allows remote code execution or unauthorized access to sensitive data, while CVE-2026-32202 enables network-based spoofing attacks. Both vulnerabilities have been actively exploited by threat actors, including the China-based group Storm-1175 deploying Medusa ransomware and the Russian APT28 targeting Ukraine and EU countries. Federal agencies are mandated to remediate these vulnerabilities by May 12, 2026. ([thehackernews.com](https://thehackernews.com/2026/04/cisa-adds-actively-exploited.html?utm_source=openai)) The inclusion of these vulnerabilities in the KEV catalog underscores the persistent threat posed by state-sponsored actors exploiting known flaws. Organizations must prioritize patching and enhance monitoring to mitigate risks associated with these and similar vulnerabilities.
1 month ago
VENOM Phishing Campaign: A Wake-Up Call for Executive Security
Between November 2025 and March 2026, a sophisticated phishing campaign utilizing the previously undocumented VENOM phishing-as-a-service (PhaaS) platform targeted C-suite executives across over 20 industries. Attackers impersonated Microsoft SharePoint notifications, embedding QR codes to lure victims into credential theft schemes. The campaign employed advanced evasion techniques, including adversary-in-the-middle (AiTM) attacks and device code abuse, effectively bypassing multi-factor authentication (MFA) and establishing persistent access to compromised accounts. ([abnormal.ai](https://abnormal.ai/resources/venom-phaas-c-suite-microsoft-credential-theft-report?utm_source=openai)) This incident underscores a growing trend of highly targeted phishing attacks against high-level executives, highlighting the need for organizations to reassess their security postures. The emergence of sophisticated PhaaS platforms like VENOM indicates an evolution in cybercriminal tactics, emphasizing the urgency for enhanced defenses against such advanced threats. ([abnormal.ai](https://abnormal.ai/resources/venom-phaas-c-suite-microsoft-credential-theft-report?utm_source=openai))
2 months ago
Critical Zero-Click RCE Vulnerability in FreeScout: Immediate Action Required
In March 2026, a critical zero-click remote code execution (RCE) vulnerability, identified as CVE-2026-28289, was discovered in FreeScout, an open-source help desk platform. This flaw allows unauthenticated attackers to execute arbitrary code on servers by sending a specially crafted email to a FreeScout-configured mailbox. The vulnerability arises from a Time-of-Check to Time-of-Use (TOCTOU) flaw in the filename sanitization function, enabling the upload of malicious .htaccess files with zero-width space characters to bypass security checks. Exploitation can lead to full server compromise, data breaches, and potential lateral movement within networks. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/mail2shell-zero-click-attack-lets-hackers-hijack-freescout-mail-servers/?utm_source=openai)) The emergence of CVE-2026-28289 underscores the evolving sophistication of cyber threats, particularly those requiring no user interaction. Organizations utilizing FreeScout are urged to update to version 1.8.207 immediately to mitigate this risk. This incident highlights the critical need for continuous monitoring and prompt patch management to defend against rapidly developing vulnerabilities.
3 months ago
LinkedIn Phishing Campaign Delivers RAT via DLL Sideloading—2026 Incident Analysis
In January 2026, security researchers identified a sophisticated phishing campaign exploiting LinkedIn direct messages to deliver weaponized WinRAR self-extracting archives targeting high-value individuals. Attackers used social engineering to establish trust, convincing victims to download an archive containing a legitimate open-source PDF reader, a malicious DLL, the Python interpreter, and a decoy file. Upon execution, the PDF reader sideloaded the malicious DLL, which deployed the Python interpreter, created persistence via a Registry Run key, and executed Base64-encoded shellcode in memory. This led to covert remote access, data exfiltration, and enabled attackers to move laterally across networks. The incident underscores a broader trend of attackers abusing social media platforms for initial access, bypassing traditional email-centric defenses, and leveraging open-source tools with advanced evasion techniques like DLL sideloading. As social engineering campaigns diversify across communication channels, all business sectors face amplified risks of stealthy malware delivery and long-term compromise.
5 months ago
Pax8’s 2026 MSP Partner Data Exposure: Lessons from a Cloud Email Mishap
In January 2026, cloud marketplace giant Pax8 disclosed that it inadvertently exposed sensitive business information related to approximately 1,800 managed service provider (MSP) partners. The incident occurred when a Pax8 EMEA account manager mistakenly emailed a spreadsheet—intended for internal use—to under 40 UK-based partners. The file contained details such as partner and customer organization IDs, Microsoft product SKUs, license counts, renewal dates, booking data, and internal pricing. While the leaked data reportedly did not include personally identifiable information, it revealed confidential customer portfolios and licensing metrics, with over 56,000 entries potentially providing valuable intelligence to competitors or cybercriminals. Pax8 moved quickly to recall the emails, directly requested deletion, and launched an internal review to address the flaw. This breach highlights the persistent risks linked to accidental data disclosures, especially within cloud ecosystems and partner networks. Data leaks through misdirected emails are increasingly exploited by threat actors for social engineering, competitive maneuvering, and phased cyberattacks, driving renewed urgency for zero trust controls and robust data-handling processes.
5 months ago
DarkSpectre Espionage Wave: 8.8 Million Impacted by Malicious Browser Extensions
Between 2018 and 2025, a sophisticated Chinese threat actor known as DarkSpectre orchestrated a series of malicious browser extension campaigns that compromised over 8.8 million users globally across Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera. The group leveraged deceptive add-ons disguised as productivity, conferencing, and media tools to harvest sensitive data, hijack web sessions, and facilitate massive corporate espionage. Through delayed activation tactics and compromised legitimate extensions, attackers exfiltrated confidential meeting details, user credentials, and organizational intelligence in real time. Much of the operation leveraged trusted marketplaces, building user bases over years before weaponizing extensions via silent code updates. The scale, persistence, and supply-chain focus of this campaign highlight a shift toward data-centric, espionage-motivated browser attacks. As hybrid work and cloud platforms proliferate, organizations face heightened supply chain and insider risk pressure—and regulators increasingly expect stringent controls on extension governance and data privacy.
5 months ago
BRG Ransomware Breach: How a 2025 Attack Unveiled Legal Sector’s Vendor Risk
In March 2025, Berkeley Research Group (BRG), a prominent consulting and legal advisory firm, suffered a devastating ransomware attack attributed to the RansomHub cybercriminal group. Attackers leveraged persistent dwell time to infiltrate BRG’s network, exfiltrated sensitive data including M&A intelligence and confidential client materials, and encrypted key systems. The breach occurred during BRG's $700 million buyout by TowerBrook Capital Partners, amplifying the incident’s impact and resulting in exposure of information related to hundreds of active deals and thousands of individuals. The attackers’ extortion included threats of blackmail and public data leaks, leveraging their knowledge of both firm structure and sensitive client engagements. This attack spotlights a surge in professional services sector targeting—especially legal and advisory firms—by highly organized ransomware groups in 2024–2025. Threat actors like RansomHub have adopted prolonged infiltration tactics, optimized affiliate compensation, and leveraged industrialized extortion, mirroring broader ransomware trends and underscoring urgent vendor risk management needs.
5 months ago
Dentsu Subsidiary Employee Data Stolen in 2024 Breach: What Enterprises Must Know
In June 2024, a subsidiary of global marketing and PR giant Dentsu experienced a significant data breach in which unidentified threat actors accessed and stole sensitive employee information. The breach reportedly targeted internal personnel data, potentially exposing names, contact information, and other personally identifiable details, though Dentsu has not publicly shared whether client data was affected. The precise entry vector has not been disclosed, but the attack highlights vulnerabilities in east-west traffic inspection and data-in-transit encryption within subsidiary environments. Dentsu's management responded by initiating a comprehensive forensic investigation and notifying affected employees while enhancing internal security protocols. This breach accentuates the growing targeting of large holding companies and their subsidiaries, as attackers increasingly seek weak links in global enterprise ecosystems. With regulatory pressure mounting and privacy violations facing stiffer penalties worldwide, all large organizations must urgently reassess how they secure internal traffic and control access across decentralised operational units.
5 months ago