GoSecure Blog
Microsoft 365 Direct Send Abuse Enables Internal Email Spoofing
Cybercriminals are exploiting a lesser-known Microsoft 365 feature called Direct Send, originally intended to support internal devices like printers, to send emails that appear to come from trusted coworkers. These spoofed emails often bypass standard security checks, making them especially dangerous.
Microsoft SharePoint Emergency RCE Patches
Microsoft has released Out of band security patches to fix two actively exploited SharePoint Remote code execution (RCE) zero-days. These zero days are CVE-2025-53770 and CVE-2025-53771 which are being called “ToolShell”. Attackers are using these vulnerabilities to gain full control of vulnerable SharePoint servers.Threat Hunt of the Month: External Remote Services Exploited for Initial Access and Persistence
In March 2025, GoSecure Threat Hunters investigated a growing threat targeting external remote services—such as VPN access points, Remote Desktop Protocol (RDP), and firewall management interfaces—frequently exposed to the public internet. Recent activity has revealed threat actors exploiting Fortinet vulnerabilities (CVE-2024-55591 and CVE-2025-24472) to gain unauthorized access and create persistent admin accounts through automation scripts. These tactics mirror methods used by ransomware groups like Play and LAPSUS$, who rely on stolen credentials and unprotected remote services to infiltrate corporate networks.
Identifying and Investigating Suspicious Outbound TLD Traffic
Cybercriminals are constantly finding new ways to bypass traditional security measures, and one of their latest tactics involves using obscure Top-Level Domains (TLDs) to facilitate malicious activities. From data exfiltration and phishing to command-and-control (C2) operations, these domains provide attackers with an easy way to evade detection.
Oracle Cloud Breach: A Strategic Response to an Identity-Layer Threat
On March 21, 2025, security researchers identified a threat actor, operating under the alias rose87168, attempting to sell over six million records allegedly exfiltrated from Oracle Cloud’s Single Sign-On (SSO) and LDAP services. This breach is suspected to stem from a vulnerability within the login infrastructure of login.(region-name).oraclecloud.com.
