Transcript
A (0:00)
From the CISO Series, it's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Friday, January 23, 2026. I'm Steve Prentice.

Multi-stage adversary-in-the-middle phishing and business email compromise campaign abusing SharePoint. Researchers at Microsoft Defender have uncovered this multi-stage campaign targeting multiple organizations in the energy sector, resulting in the compromise of various user accounts. This campaign targets SharePoint file sharing services and delivers phishing payloads, relying on inbox rule creation to maintain persistence and evade user awareness. The researchers state that password resets alone are insufficient to mitigate this issue. Impacted organizations in the energy sector must additionally revoke active session cookies and remove attacker-created inbox rules used to evade detection.

SmarterMail auth bypass flaw now exploited despite patch. Following up on a story we covered on December 31, threat actors are now exploiting an authentication bypass vulnerability in SmarterTools' SmarterMail email server and collaboration tool that allows resetting admin passwords. Specifically, the issue, quote, "resides in the Force Reset Password API endpoint, which is intentionally exposed without authentication." The issue was reported by watchTowr on January 8, and SmarterMail released a fix on January 15. The watchTowr researchers found evidence of exploitation just two days later. This suggests, they say, that hackers reverse engineered the patch and found a way to leverage the flaw.

Spanish judge closes NSO Group spyware probe. The reason for the closure of a probe into the use of Pegasus spyware to snoop on top government officials has been reported as a lack of cooperation from Israel. The probe started in 2022, when the court looked into the alleged spying on devices belonging to Spain's prime minister and defense minister, allegedly using zero-click spyware known as Pegasus, manufactured by Israel's NSO Group.
Israel has not responded to five cooperation requests, the judge said, breaking the balance inherent in international cooperation and violating the principle of good faith that should govern relations between states.

Fake cell tower scam uncovered in Greece. Back in September, we reported on scammers who use mobile cell towers packed into cars to blast phishing messages to phone users in a selected city. Police in Athens have now taken down such an operation after stopping a car at a checkpoint east of the city. The mobile computing system was hidden in the car's trunk. The device forced nearby mobile phones to connect to the suspect's system and downgraded them from 4G to the less secure 2G network, exploiting long-known vulnerabilities. This allowed the thieves to harvest identifying data such as phone numbers and then send scam text messages posing as banks or courier companies. Three fraud cases have now been uncovered in Greece, but authorities said the full scope of the operation remains unclear.

Huge thanks to our sponsor, Dropzone AI. All week we've talked about alert fatigue, MTTR and the math that's breaking your SOC. Here's the proof. Dropzone AI is trusted by over 300 global enterprises and MSSPs, named a Gartner Cool Vendor, recognized in the Fortune Cyber 60 and backed by $37 million in Series B funding. But they're not stopping at a single agent. They're building toward fully agentic SOC teams where human engineers are augmented with specialized AI agents for threat hunting, detection engineering and forensics. Your team deserves a backup that never sleeps. Book a demo at Dropzone AI. That is D-R-O-P-Z-O-N-E AI.

NIST officials describe impact of staff cuts. At a meeting on Wednesday of the Information Security and Privacy Advisory Board, NIST officials described how they are dealing with current mandates on AI, cybersecurity and post-quantum encryption.
The director of the Information Technology Laboratory at NIST, Kevin Stine, said the agency has lost more than 700 people in the last year through personnel initiatives like resignations and voluntary deferments. The agency is facing further constraints, including a Congress-led cut of $13 million from NIST's labs program. Such constraints, he said, are forcing "a very focused discussion on prioritization of our activities."

An alternative to CVE appears. The Global CVE Allocation System, or GCVE, will be maintained by the Computer Incident Response Center Luxembourg as an alternative to the traditional Common Vulnerabilities and Exposures program, which narrowly avoided shutdown last April when CISA initially failed to renew its contract with MITRE, which operates the CVE system. Although collapse was averted, it exposed the program's dependence on a single funding source. The proposed GCVE avoids reliance on a centralized system, allowing independent numbering authorities to allocate identifiers. The system will maintain backward compatibility with the existing CVE infrastructure through a technical accommodation.

Osiris ransomware emerges in vulnerable driver attack. Researchers at the Symantec and Carbon Black Threat Hunter are warning of a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November of 2025. This campaign used a malicious driver named Poortry, P-O-O-R-T-R-Y, as part of a known technique called bring your own vulnerable driver, BYOVD, to disarm security software. This is a brand new ransomware strain, not related to the one of the same name that was present around December 2016. It is thought that the actors who deployed this ransomware may have been previously associated with INC ransomware, and it is being described as an effective encryption payload that makes use of a hybrid encryption scheme and a unique encryption key for each file.
The problem of AI agents emerges at Davos. At the annual World Economic Forum meeting, better known by the Swiss resort that hosts it, the topic of AI agents and how to secure them against becoming the ultimate insider threat took center stage. The chief technology officer of the training company Pearson, Dave Treat, stated, "We have enough difficulty getting the humans trained to be effective at preventing cyber attacks. Now I've got to do it for humans and agents in combination." It seemed no one had a good response to this. Cloudflare co-founder and president Michelle Zatlin said, "With agents, you need to think about them as an extension of your team and an extension of your employee base." Hatem Dowidar, group CEO of Emirati company Etisalat, suggested more guardrails. "With human agents, many years ago we started saying all calls are recorded for quality purposes. We need to create that also for AI agents," he said. And Mastercard CEO Michael Miebach said organizations should take a page from the banking industry's security and threat intelligence practices and collect as many signals as possible from relevant data streams and other indicators to determine if activity is safe or malicious.

Do you want to keep up with all the CISO Series events that we have planned for 2026? Then subscribe to our events calendar. Just head on over to the events page at cisoseries.com and click the subscribe button. Our calendar keeps you up to date on all of our live streams like Super Cyber Friday and the Department of No, as well as in-person events that we feature across the country. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentice reporting for the CISO Series.
