Week in Review: Qilin adds lawyers, Iranian spearphishing campaign, Microsoft Direct Send hack

Fri Jun 27 2025

Link to This week’s Cyber Security Headlines – Week in Review is hosted by with guest , operating partner and CISO, . Check out Bil’s page, . Thanks to our show sponsor, ThreatLocker Alert fatigue, false positives, analyst burnout—you know...

Summary

Cyber Security Headlines: Week in Review Summary

Hosted by CISO Series | Episode Released: June 27, 2025

The latest episode of Cyber Security Headlines by CISO Series delves into significant cybersecurity incidents and trends from the past week. Hosted by the CISO Series team, the episode features insightful discussions with returning guest, Bill Harmer, Information Security Advisor at Craft Ventures. Below is a comprehensive summary of the key topics covered, enriched with notable quotes and timestamps for reference.

1. Qilin Ransomware Group Introduces "Call Lawyer" Feature

Overview: The episode kicks off with a discussion on the Qilin ransomware-as-a-service (RaaS) group's innovative yet concerning addition to their toolkit—a "Call Lawyer" button. According to Israeli cybersecurity firm Cyber Reason, this feature allows Qilin affiliates to involve legal counsel in their negotiations with victims, potentially increasing the pressure to secure higher ransoms.

Key Discussion:

Host: Introduces the concept of the "Call Lawyer" feature and its implications for victim negotiations.
[00:00]
Bill Harmer: Raises concerns about how threat actors obtain lawyers' contact information and the potential impact on organizations.
[03:44]
Host: Speculates on whether the involvement of lawyers is a genuine tactic or a superficial threat, expressing curiosity about the effectiveness of such a strategy.
[04:05]
Bill Harmer: Suggests that this move by Qilin is a "new form of ambulance chaser," highlighting the ethical dubiousness of the approach.
[04:43]
Host: Comments on the creativity of threat actors in finding new ways to exploit organizational pain points.
[05:06]

Notable Quote:

Bill Harmer: "Honestly, I think if it happens as a CISO, welcome it and see who shows up."
[04:05]

2. Iranian-Backed Spear Phishing Campaign Targets Cybersecurity Experts

Overview: The podcast highlights a sophisticated spear phishing campaign originating from Iran, aimed at Israeli journalists, cybersecurity experts, and computer science academics. The attackers pose as assistants to technology executives, luring targets into fake meetings to steal credentials via fraudulent Gmail login pages or Google Meet invitations.

Key Discussion:

Host: Emphasizes the manipulation of war-related urgency to deceive targets, questioning how organizations can implement safeguards against such high-pressure tactics.
[06:45]
Bill Harmer: Discusses the challenges of maintaining vigilance during crises, advocating for robust policies and procedures to mitigate the risk of falling prey to such tactics.
[07:24]
Host: Stresses the importance of organizational buy-in for cybersecurity measures, ensuring that protocols are enforced from the top down to prevent immediate, uninformed actions by employees.
[07:48]

Notable Quote:

Bill Harmer: "In times of war, in times of crisis, that's the time to attack. And they're looking for the distracted mind."
[06:45]

3. NHS Confirms Patient Death Linked to Ransomware Attack

Overview: The National Health Service (NHS) in the UK has reported that a ransomware attack from June 2024 led to delays in critical blood tests, contributing to a patient's death. Additionally, the attack compromised data of over 900,000 patients, including sensitive medical information.

Key Discussion:

Host: Questions the broader impact of such incidents on public perception and the balance between highlighting vulnerabilities and acknowledging organizational resilience.
[08:47]
Bill Harmer: Points out that while the death is tragic, the scale of the attack also reflects the NHS's ability to manage a vast majority of operations despite significant breaches. He urges a deeper investigation into all contributing factors before drawing conclusions.
[09:43]
Host: Reflects on the resilience shown by healthcare organizations and the importance of having fallback procedures beyond digital systems.
[10:50]

Notable Quote:

Bill Harmer: "900,000 patient data, 900 data of 900,000 patients affected and this was contributing in one death and one is always too many."
[08:47]

4. Microsoft 365 Direct Send Abused for Phishing Campaigns

Overview: Researchers from Varonis have identified a phishing campaign exploiting Microsoft 365's "Direct Send" feature. Designed for devices like printers and scanners to send emails without authentication, this feature is being manipulated to send malicious phishing emails to over 70 organizations, predominantly in the U.S.

Key Discussion:

Host: Criticizes Microsoft for maintaining an insecure feature, suggesting it should have been disabled or secured given current cybersecurity standards.
[13:37]
Bill Harmer: Expresses astonishment and frustration over Microsoft's oversight, contemplating legal actions against the company for negligence.
[14:35]
Host: Highlights the ease of exploitation due to the feature's lack of authentication and the relatively simple mitigation steps available for organizations.
[14:54]

Notable Quote:

Bill Harmer: "This is just unacceptable. [...] if I found this in my environment as a CISO, I would be looking at a contract to see if I could go after them and sue them for this."
[13:37]

5. Judge Warns of Persistent Attacks on PACER System

Overview: Federal Judge Michael Scooter addressed the House Judiciary Committee regarding the vulnerabilities of the Public Access to Court Electronic Records (PACER) system. He revealed that approximately 200 million harmful cyber events were thwarted in fiscal 2024, underscoring the urgent need to modernize the platform to protect sensitive legal documents.

Key Discussion:

Host: Reflects on PACER's integral role in the legal system and the potential fallout from its compromise, including financial impacts on law firms and the broader judiciary.
[16:46]
Bill Harmer: Predicts that PACER will soon become a prime target for advanced persistent threats (APTs) and opportunistic breaches, exacerbated by systemic underfunding and technological debt within public infrastructures.
[16:46]
Host: Agrees on the inevitability of breaches, emphasizing the deep-rooted challenges in overhauling such entrenched systems.
[17:48]

Notable Quote:

Bill Harmer: "If you can get in there and compromise anything that could be used in an evidentiary proceeding, if you can disrupt the court system... this bodes horribly for what may happen."
[16:46]

6. Denmark Proposes Personal Copyright to Combat Deepfake Exploitation

Overview: Denmark is moving forward with a pioneering legal framework that grants individuals copyright over their own facial features, voice, and bodily likenesses. This legislation aims to prevent unauthorized use of AI-generated deepfakes, marking a first in Europe.

Key Discussion:

Host: Compares the proposed law to a "Blade Runner vibe," pondering the complexities of aligning copyright law with personal identity rights amidst advancing AI technologies.
[19:44]
Bill Harmer: Raises practical concerns regarding the law's applicability, such as identical twins or individuals whose appearance changes over time, and whether existing frameworks like copyright are sufficient or adaptable for such personal rights.
[20:47]
Host: Suggests the need for a more tailored legal approach to personal identity protection, rather than repurposing copyright law, to address the unique challenges posed by deepfakes.
[21:05]

Notable Quote:

Bill Harmer: "We're going to have to. Well, I guess we don't have to because we could just live in a dystopian nightmare."
[20:47]

Closing Remarks and Additional Insights

Towards the end of the episode, Bill Harmer shares his new venture, Kill Switch Advisory, and provides contact information for listeners interested in cybersecurity expertise. The host reiterates the importance of community engagement through the CISO Series' chat rooms and events, encouraging listeners to join future shows for ongoing cybersecurity discussions.

Notable Quote:

Host: "If you can't join us live, send us an email feedback@cisoseries.com with your comments on the news of the week or about just feedback for the show. We'd love to share some of those on the show."
[Various]

Conclusion

This episode of Cyber Security Headlines offers a deep dive into emerging threats and strategic responses within the cybersecurity landscape. From innovative ransomware tactics to the legislative battle against deepfakes, the discussions provide valuable insights for CISOs and cybersecurity professionals aiming to stay ahead in an ever-evolving threat environment.

For more detailed stories and daily updates, listeners are encouraged to visit CISOseries.com.

Summary

Cyber Security Headlines: Week in Review Summary

Hosted by CISO Series | Episode Released: June 27, 2025

1. Qilin Ransomware Group Introduces "Call Lawyer" Feature

Key Discussion:

Host: Introduces the concept of the "Call Lawyer" feature and its implications for victim negotiations.
[00:00]
Bill Harmer: Raises concerns about how threat actors obtain lawyers' contact information and the potential impact on organizations.
[03:44]
Host: Speculates on whether the involvement of lawyers is a genuine tactic or a superficial threat, expressing curiosity about the effectiveness of such a strategy.
[04:05]
Bill Harmer: Suggests that this move by Qilin is a "new form of ambulance chaser," highlighting the ethical dubiousness of the approach.
[04:43]
Host: Comments on the creativity of threat actors in finding new ways to exploit organizational pain points.
[05:06]

Notable Quote:

Bill Harmer: "Honestly, I think if it happens as a CISO, welcome it and see who shows up."
[04:05]

2. Iranian-Backed Spear Phishing Campaign Targets Cybersecurity Experts

Key Discussion:

Host: Emphasizes the manipulation of war-related urgency to deceive targets, questioning how organizations can implement safeguards against such high-pressure tactics.
[06:45]
Bill Harmer: Discusses the challenges of maintaining vigilance during crises, advocating for robust policies and procedures to mitigate the risk of falling prey to such tactics.
[07:24]
Host: Stresses the importance of organizational buy-in for cybersecurity measures, ensuring that protocols are enforced from the top down to prevent immediate, uninformed actions by employees.
[07:48]

Notable Quote:

Bill Harmer: "In times of war, in times of crisis, that's the time to attack. And they're looking for the distracted mind."
[06:45]

3. NHS Confirms Patient Death Linked to Ransomware Attack

Key Discussion:

Host: Questions the broader impact of such incidents on public perception and the balance between highlighting vulnerabilities and acknowledging organizational resilience.
[08:47]
Bill Harmer: Points out that while the death is tragic, the scale of the attack also reflects the NHS's ability to manage a vast majority of operations despite significant breaches. He urges a deeper investigation into all contributing factors before drawing conclusions.
[09:43]
Host: Reflects on the resilience shown by healthcare organizations and the importance of having fallback procedures beyond digital systems.
[10:50]

Notable Quote:

Bill Harmer: "900,000 patient data, 900 data of 900,000 patients affected and this was contributing in one death and one is always too many."
[08:47]

4. Microsoft 365 Direct Send Abused for Phishing Campaigns

Key Discussion:

Host: Criticizes Microsoft for maintaining an insecure feature, suggesting it should have been disabled or secured given current cybersecurity standards.
[13:37]
Bill Harmer: Expresses astonishment and frustration over Microsoft's oversight, contemplating legal actions against the company for negligence.
[14:35]
Host: Highlights the ease of exploitation due to the feature's lack of authentication and the relatively simple mitigation steps available for organizations.
[14:54]

Notable Quote:

Bill Harmer: "This is just unacceptable. [...] if I found this in my environment as a CISO, I would be looking at a contract to see if I could go after them and sue them for this."
[13:37]

5. Judge Warns of Persistent Attacks on PACER System

Key Discussion:

Host: Reflects on PACER's integral role in the legal system and the potential fallout from its compromise, including financial impacts on law firms and the broader judiciary.
[16:46]
Bill Harmer: Predicts that PACER will soon become a prime target for advanced persistent threats (APTs) and opportunistic breaches, exacerbated by systemic underfunding and technological debt within public infrastructures.
[16:46]
Host: Agrees on the inevitability of breaches, emphasizing the deep-rooted challenges in overhauling such entrenched systems.
[17:48]

Notable Quote:

Bill Harmer: "If you can get in there and compromise anything that could be used in an evidentiary proceeding, if you can disrupt the court system... this bodes horribly for what may happen."
[16:46]

6. Denmark Proposes Personal Copyright to Combat Deepfake Exploitation

Key Discussion:

Host: Compares the proposed law to a "Blade Runner vibe," pondering the complexities of aligning copyright law with personal identity rights amidst advancing AI technologies.
[19:44]
Bill Harmer: Raises practical concerns regarding the law's applicability, such as identical twins or individuals whose appearance changes over time, and whether existing frameworks like copyright are sufficient or adaptable for such personal rights.
[20:47]
Host: Suggests the need for a more tailored legal approach to personal identity protection, rather than repurposing copyright law, to address the unique challenges posed by deepfakes.
[21:05]

Notable Quote:

Bill Harmer: "We're going to have to. Well, I guess we don't have to because we could just live in a dystopian nightmare."
[20:47]

Closing Remarks and Additional Insights

Notable Quote:

Host: "If you can't join us live, send us an email feedback@cisoseries.com with your comments on the news of the week or about just feedback for the show. We'd love to share some of those on the show."
[Various]

Conclusion

For more detailed stories and daily updates, listeners are encouraged to visit CISOseries.com.

wavePod

Week in Review: Qilin adds lawyers, Iranian spearphishing campaign, Microsoft Direct Send hack

Powered by Wave AI

Summary

1. Qilin Ransomware Group Introduces "Call Lawyer" Feature

2. Iranian-Backed Spear Phishing Campaign Targets Cybersecurity Experts

3. NHS Confirms Patient Death Linked to Ransomware Attack

4. Microsoft 365 Direct Send Abused for Phishing Campaigns

5. Judge Warns of Persistent Attacks on PACER System

6. Denmark Proposes Personal Copyright to Combat Deepfake Exploitation

Closing Remarks and Additional Insights

Summary

1. Qilin Ransomware Group Introduces "Call Lawyer" Feature

2. Iranian-Backed Spear Phishing Campaign Targets Cybersecurity Experts

3. NHS Confirms Patient Death Linked to Ransomware Attack

4. Microsoft 365 Direct Send Abused for Phishing Campaigns

5. Judge Warns of Persistent Attacks on PACER System

6. Denmark Proposes Personal Copyright to Combat Deepfake Exploitation

Closing Remarks and Additional Insights