🕵️‍♂️Ethical Threat Insights: Sneaky OAuth Attacks


It's been an incredibly busy few weeks over here; I haven't had much time to get outside and touch some grass. But the weather is getting warmer and I am so ready for it! I hope you enjoy this week's email! I would love it if you would reply and tell me which parts you liked or didn't care for. It won't hurt my feelings, I promise!

🩺Threat Pulse

Malicious Adobe, DocuSign OAuth apps target Microsoft 365 accounts

  • Cybercriminals are deploying fake Microsoft OAuth applications disguised as Adobe and DocuSign apps to infiltrate Microsoft 365 accounts.
  • These apps request permissions that, if granted, allow access to users’ personal information, including names, email addresses, and profile pictures.

This is one of those social engineering techniques that can be pretty sneaky if users are not paying attention or don’t know the red flags. Definitely incorporate education and awareness for users around these attacks.

Polymorphic Extensions: The Sneaky Extension That Can Impersonate Any Browser Extension

  • Researchers have discovered malicious Chrome extensions capable of morphing into other extensions, including password managers and banking apps, to steal sensitive data.
  • You should check out Matt Johansen’s video on this. This technique is seriously sneaky.

If you’re a defender, you have got to have a strategy for browser extensions. They should be strictly controlled. Don’t allow users to install them on their own if at all possible. I’d also recommend incorporating this into security awareness programs.
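As an added example (mine, not something from this newsletter or from Matt's video): one way to put that "no self-installed extensions" rule into practice on Windows endpoints is the documented ExtensionInstallBlocklist / ExtensionInstallAllowlist enterprise policies, which both Chrome and Edge read from the registry. The extension ID below is a placeholder; everything else is the standard policy layout. In production you would push these keys through Group Policy or Intune rather than running the script by hand, but it is handy for a test box and for verifying what the policy actually looks like on disk.

```powershell
# Added example, not from the newsletter: deny-by-default browser extension policy
# on a Windows endpoint via the documented ExtensionInstallBlocklist and
# ExtensionInstallAllowlist policies (same policy names in Chrome and Edge).
# Run elevated on a test machine first. The extension ID below is a placeholder.

$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)
# Placeholder: replace with the 32-character IDs of extensions you have vetted.
$ApprovedExtensionIds = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')

function Set-ExtensionLockdown {
    param([string]$PolicyRoot, [string[]]$AllowedIds)

    $blocklist = Join-Path $PolicyRoot 'ExtensionInstallBlocklist'
    $allowlist = Join-Path $PolicyRoot 'ExtensionInstallAllowlist'
    New-Item -Path $blocklist -Force | Out-Null
    New-Item -Path $allowlist -Force | Out-Null

    # List policies are stored as string values named 1, 2, 3 ... under each key.
    # "*" blocks every extension; the allowlist punches explicit holes in it.
    New-ItemProperty -Path $blocklist -Name '1' -Value '*' -PropertyType String -Force | Out-Null
    $i = 1
    foreach ($id in $AllowedIds) {
        New-ItemProperty -Path $allowlist -Name "$i" -Value $id -PropertyType String -Force | Out-Null
        $i++
    }
}

function Test-ExtensionLockdown {
    # Returns $true only if the wildcard block entry exists under the policy root,
    # i.e. the endpoint is actually in deny-by-default mode.
    param([string]$PolicyRoot)
    $blocklist = Join-Path $PolicyRoot 'ExtensionInstallBlocklist'
    $props = Get-ItemProperty -Path $blocklist -ErrorAction SilentlyContinue
    if (-not $props) { return $false }
    return @($props.PSObject.Properties | Where-Object { $_.Value -eq '*' }).Count -gt 0
}

foreach ($root in $PolicyRoots) {
    Set-ExtensionLockdown -PolicyRoot $root -AllowedIds $ApprovedExtensionIds
    '{0}: locked down = {1}' -f $root, (Test-ExtensionLockdown -PolicyRoot $root)
}
```

The Test-ExtensionLockdown function is the piece worth keeping around: it is a cheap compliance check you can run fleet-wide to catch machines where the policy never landed, which is the usual way "we block extensions" quietly stops being true.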

Red Report 2025: Unmasking a 3X Spike in Credential Theft and Debunking the AI Hype

  • Picus Labs’ Red Report 2025 reveals a threefold increase in malware targeting credential stores, rising from 8% in 2023 to 25% in 2024.
  • Attackers are using advanced “SneakThief” infostealers that conduct multi-stage, precision attacks, often combining data theft with ransomware tactics.

Credentials have been king for a while now, and they will continue to be until the world moves away from passwords, which I don’t believe is anytime soon. Protecting credentials and the authentication process is paramount to defensive security.

Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker’s First Choice

  • Threat actors are increasingly using legitimate Remote Monitoring and Management (RMM) tools as initial payloads in email-based cyberattacks.
  • Once deployed, these RMM tools can be exploited for data collection, financial theft, lateral movement within networks, and the installation of additional malware, including ransomware.

This trend of leveraging legitimate software for malicious purposes is not new. LOLBins (living off the land binaries) have been abused by threat actors for some time now. That being said, RMM usage is going up. Take it from someone who uses this exact strategy for internal pentests. It’s incredibly effective. The best defense here is to use application control to block any and all RMM tools that are not in use in your organization.

New York sues Allstate and subsidiaries for back-to-back data breaches

  • The New York State Attorney General has filed a lawsuit against Allstate’s subsidiary, National General, for failing to report data breaches in 2020 and 2021 that exposed driver’s license numbers of nearly 200,000 individuals.
  • The company is accused of inadequate cybersecurity measures, allowing hackers to exploit vulnerabilities in their online auto insurance quoting tools.

What’s the lesson here? You’ve got to take this cybersecurity stuff seriously, especially when a security incident occurs. Yes, there are very real short-term consequences, but I dare say the long-term consequences of getting caught in this kind of situation are much worse.

🔐Securing the Stack

LAPS: The Quick Fix for a Huge Security Problem

What You Need

Microsoft Local Administrator Password Solution (LAPS) (now called Windows LAPS) is used to enforce unique, randomly generated local admin passwords on every machine. Yes, even servers.

Why You Need It

Many organizations still use the same local admin password across multiple machines. If an attacker gets that password, they can use it to move laterally across the network, escalate privileges, and deploy ransomware. LAPS fixes this by ensuring that every machine has a unique, automatically rotating password.

How to Do It

  1. Install and configure LAPS.
    • Available natively in Windows (Windows 10 and later).
    • Key Group Policy Settings
      • Enable LAPS in Computer Configuration > Administrative Templates > LAPS
      • Set “Enable Local Admin Password Management” to Enabled
      • Define password complexity and rotation frequency.
        • Use 15+ characters with complexity and rotate every 30 days
  2. Secure access to LAPS passwords.
    • LAPS self-manages and stores passwords securely in Active Directory (under the ms-MCS-AdmPwd attribute).
    • You restrict who can retrieve these passwords using Active Directory ACLs (only domain admins and helpdesk should have access).
    • Create a group called “LAPS Password Readers” to help simplify management
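Here is an added example of step 2 in PowerShell (my own illustration, not Microsoft's documentation or anything from the newsletter). It uses the Windows LAPS module that ships with supported Windows versions plus the ActiveDirectory RSAT module, assumes the schema has already been extended with Update-LapsADSchema, and assumes you run it as a domain admin. The OU distinguished name is a placeholder; the "LAPS Password Readers" group name is the one from above. The last function is the part people skip: it lists every principal that can actually read the passwords, so you can spot delegation you did not intend.

```powershell
# Added example, not from the newsletter. Requires the Windows LAPS module and the
# ActiveDirectory module (RSAT). Assumes Update-LapsADSchema has already been run
# and that this is executed as a domain admin. OU DN below is a placeholder.
Import-Module LAPS
Import-Module ActiveDirectory

$WorkstationOU   = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$ReaderGroupName = 'LAPS Password Readers'                 # group name from the newsletter
# Principals that are allowed to hold the read-password right. SYSTEM and Domain
# Admins get it by default; anything else in the report is a delegation mistake.
$ExpectedReaders = @('SYSTEM', 'Domain Admins', $ReaderGroupName)

function Initialize-LapsReaderGroup {
    # Create the delegation group once; safe to re-run.
    if (-not (Get-ADGroup -Filter "Name -eq '$ReaderGroupName'")) {
        New-ADGroup -Name $ReaderGroupName -GroupScope Global -GroupCategory Security `
            -Description 'May read LAPS-managed local admin passwords'
    }
}

function Grant-LapsPermissions {
    param([string]$OrgUnit)
    # Computers in the OU must be able to write their own password/expiry attributes.
    Set-LapsADComputerSelfPermission -Identity $OrgUnit | Out-Null
    # Only the reader group is granted read; Domain Admins already have it.
    Set-LapsADReadPasswordPermission -Identity $OrgUnit -AllowedPrincipals $ReaderGroupName | Out-Null
}

function Get-UnexpectedLapsReaders {
    param([string]$OrgUnit)
    # Find-LapsADExtendedRights returns, per OU/object, the principals holding the
    # extended right that permits reading the password attribute. Strip the
    # DOMAIN\ prefix and report anything outside the expected list.
    Find-LapsADExtendedRights -Identity $OrgUnit |
        ForEach-Object { $_.ExtendedRightHolders } |
        ForEach-Object { ($_ -split '\\')[-1] } |
        Where-Object { $ExpectedReaders -notcontains $_ } |
        Sort-Object -Unique
}

Initialize-LapsReaderGroup
Grant-LapsPermissions -OrgUnit $WorkstationOU
$extra = Get-UnexpectedLapsReaders -OrgUnit $WorkstationOU
if ($extra) { "Unexpected LAPS password readers on ${WorkstationOU}:"; $extra }
else        { "Only expected principals can read LAPS passwords under $WorkstationOU" }
```

If you are still on legacy LAPS (the ms-MCS-AdmPwd attribute mentioned above), the AdmPwd.PS module has the same three jobs under the names Set-AdmPwdComputerSelfPermission, Set-AdmPwdReadPasswordPermission and Find-AdmPwdExtendedRights. Either way, run the audit function again after any OU restructure, since inherited ACEs are where surprise readers usually come from.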

LAPS-Related Defensive Advice

  1. Disable unnecessary local admin accounts.
    • If an account isn’t needed, remove it or restrict its permissions.
    • Avoid using domain admin accounts for everyday tasks.
  2. Monitor local admin logins & changes to the local admins group
    • Set up event log monitoring for local admin authentication attempts & group changes
    • Investigate any unexpected admin logins—this could be an early sign of an attack.
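As an added example for item 2 (my own script, not from the newsletter), here is a small PowerShell check that pulls the two things that advice asks for out of the Security log: membership changes to the built-in local Administrators group (events 4732/4733, filtered on the well-known group SID S-1-5-32-544) and admin-privileged logons (event 4672). It assumes the "Audit Security Group Management" and "Audit Special Logon" subcategories are enabled on the machine, and the allowlist of accounts expected to log on as admin is a placeholder. In real life you would ship these events to your SIEM and alert there; this is the logic you would be alerting on.

```powershell
# Added example, not from the newsletter. Reads the last N hours of the Security log
# on the local (or a remote) machine and reports:
#   4732 / 4733  member added to / removed from a security-enabled local group
#   4672         special privileges assigned to a new logon (fires for admin logons)
# Assumes 'Audit Security Group Management' and 'Audit Special Logon' are enabled.
# The expected-admin list is a placeholder; S-1-5-32-544 is the well-known
# Administrators group SID.
$LocalAdminsSid      = 'S-1-5-32-544'
$ExpectedAdminLogons = @('CORP\svc-patching', 'CORP\helpdesk-admin')   # placeholder allowlist

function ConvertFrom-EventData {
    # Flattens the <EventData><Data Name=...> elements of an event into a hashtable.
    param($Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-LocalAdminGroupChanges {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4732, 4733; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d['TargetSid'] -ne $LocalAdminsSid) { return }   # only the Administrators group
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Action    = if ($_.Id -eq 4732) { 'Added' } else { 'Removed' }
                Member    = $d['MemberName']     # may be '-' for some SIDs; MemberSid is always set
                MemberSid = $d['MemberSid']
                ByUser    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            }
        }
}

function Get-UnexpectedAdminLogons {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4672; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            # SYSTEM (S-1-5-18) and computer accounts (names ending in $) also raise 4672;
            # drop those plus anything on the allowlist, and report the rest.
            if ($d['SubjectUserSid'] -eq 'S-1-5-18' -or $d['SubjectUserName'] -like '*$') { return }
            $account = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            if ($ExpectedAdminLogons -contains $account) { return }
            [pscustomobject]@{ Time = $_.TimeCreated; Account = $account; Sid = $d['SubjectUserSid'] }
        }
}

'--- Local Administrators group changes (last 24h) ---'
Get-LocalAdminGroupChanges | Format-Table -AutoSize
'--- Admin-privileged logons not on the allowlist (last 24h) ---'
Get-UnexpectedAdminLogons | Format-Table -AutoSize
```

Event 4672 is noisy on servers, so the allowlist does the heavy lifting; the group-change report, on the other hand, should be close to empty on a healthy fleet, and any 4732 to S-1-5-32-544 that was not a ticketed change is exactly the "unexpected admin" signal the advice above is talking about.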

LAPS is simple, free, and effective. If you haven’t deployed it, now’s the time.

🔐Memes & Mayhem

Compliments to @CheddarB0b42 for this one. Not the first time I have seen this, but it never stops being funny. 😂

👨‍💻Behind the Console

Working on increasing the amount of content I am putting out there. This newsletter is one of those initiatives. I’m also posting more on LinkedIn and will be reviving my LinkedIn Behind The Hack newsletter. I’d like to share more behind the scenes pentesting content there. Still aimed at helping IT/security people!

Also, I have some cool and fun content being cooked up with support from NinjaOne. Some of which will be social media posts, but what I am really excited for is the longer form YouTube style stuff and a few things I can’t talk about yet! 😊

If you made it this far, I super appreciate you. I hope the emails I send you bring you value. If you'd like to return the favor, I have a 15% off sale on my Etsy store and FREE shipping on all orders over $35!

Check out the cool shirts, hoodies and stickers here --> https://swag.ethicalthreat.com


That’s all for now. Hope you have a super awesome week!

All the best
Spencer Alessi

"Spirit of a hacker heart of a defender"
