Cybersecurity Today: Month in Review – December 5, 2025
Podcast Host: Jim Love
Guests: Laura Payne (White Tuque), David Shipley (Beauceron Security)
Release Date: December 6, 2025
Episode Focus: Key cybersecurity trends and threats from December 2025, major breaches and disclosures, software vulnerabilities, and practical security advice for organizations.
Overview
This episode tackles the ever-evolving landscape of cybersecurity attacks facing organizations, focusing on the increasing sophistication of "living off the land" threats using legitimate software tools for malicious purposes, the dangers posed by common productivity tools in phishing and social engineering, significant vulnerabilities in enterprise platforms, and the communication challenges in cybersecurity education and awareness. The team provides practical, nuance-rich advice for businesses and end-users, with lively, relatable anecdotes and frank opinions on current industry shortcomings.
Key Discussion Points & Insights
1. Living off the Land Attacks: Getting More Sophisticated and Ubiquitous
- Definition & Background: Using trusted, built-in tools or platforms (like Microsoft PowerShell, WMI, or scheduled tasks) for malicious activity rather than delivering obvious malware (03:25–06:00).
- Quote (Jim Love, 03:04):
“Living off the land means essentially, you’re using the tools that are natural for that environment, and you stay hidden from most of the things that are used to detect malware and other threats.”
- Emergence in Cyberwarfare: Example from the Ukraine war with attackers using Microsoft utilities to avoid detection.
- Now Targeting Productivity Tools: Cybercriminals are leveraging new and familiar SaaS tools (Calendly, iCal, Google Cal, DocuSign) for phishing.
- David Shipley (06:35):
“Living off the land is going to be even more successful in the age of AI ...”
- DocuSign attacks: “People have signed up for legitimate DocuSign accounts and they're loading malicious content into DocuSign.”
- Agentic AI Risks – Windows 11:
Microsoft’s new Agentic AI framework could potentially automate and amplify living-off-the-land attacks if misused (05:46–07:52).
- David Shipley (06:01):
“I have to sweet talk your AI to then go and download a PowerShell script and go from there.”
2. The Dangers of Freemium Services and Social Engineering
Calendly, DocuSign, Google Calendar–The New Attack Vectors
- Attackers are abusing trusted SaaS models to deliver malicious content that easily slips through technical filters (06:59–07:39).
- Quote (David Shipley, 07:39):
“For DocuSign and others that use a freemium model ... this is a whole new level of pressure now, and they're having to expend a lot of money to try and battle this issue, and it's negatively impacting their brand.”
- Once these services are allowlisted, they can act as "Trojan horse" vectors for targeted phishing.
Analogy: "Wearing a Uniform to Walk Into a Building"
- Laura Payne likens these attacks to someone impersonating the cleaning staff to bypass physical security (09:44–10:42).
- Quote (Laura Payne, 09:44):
“It's the equivalent of somebody dressing up in a uniform of your cleaning crew and walking into the building.”
3. Social Media Advertising Fraud & Platform Responsibility
- Meta/Facebook’s $16B Scam Ad Problem:
- Reuters headline: roughly 10% of Facebook’s global ad revenue comes from fraudsters, the majority of it knowingly accepted by the company (13:43–14:19).
- Quote (David Shipley, 14:19):
“What does that translate into? Roughly 15 billion scam ads per day in social media platforms.”
- Victim Impact:
- Vulnerable users disproportionately affected (15:24–16:13).
- Call to Action for Brands and Advertisers:
- Major advertisers must pressure platforms to clean up; otherwise, their brand value will decline (16:13).
- Laura Payne (16:13):
“...there's an opportunity there to really push for change because your brand gets diluted by every crappy scam ad out there.”
Positive Examples: Banking Sector’s Consumer Education
- Canadian and U.S. banks step up with education campaigns during peak fraud periods (BMO, RBC, JPMorgan Chase) (18:10–18:36).
Practical Advice
- Stop clicking ads; visit official websites directly instead (18:48–19:11).
4. Microsoft Teams: A New Security Misstep
Risky Rollout of External Guest Chat Invites
- Issue:
Starting January, external Teams chat invitations are enabled by default for all tenants (19:56–22:25).
- David Shipley (21:16):
“When you arrive in that environment, all your protections are off. It’s who’s hosting the chat.”
- Danger:
Users join another tenant’s Teams environment, potentially losing all organization-enforced security protections.
- Best Practice:
Tenant administrators must proactively review and restrict external access policies.
- Laura Payne (23:29):
“...as a configuration holder, right, you should be looking into and making sure you have made the right choices.”
- Critique:
Feature should not be enabled by default; opt-in with clear warnings is safer (24:28).
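As an added example (not from the podcast or the panelists), the following read-only PowerShell audit lists a tenant's org-wide Teams external access settings and flags the permissive ones, using the MicrosoftTeams module's own cmdlets; which of these settings the January default change touches is an assumption, since the episode does not name it.

```powershell
# Added example, not from the podcast: audit a Microsoft Teams tenant's
# external access settings with the MicrosoftTeams PowerShell module.
# Assumes a Teams administrator role and that the org-wide federation
# configuration (not a per-user external access policy) governs your users.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

$fed = Get-CsTenantFederationConfiguration

# Show the settings that decide who outside the tenant can reach your users.
$fed | Select-Object AllowFederatedUsers, AllowTeamsConsumer,
                     AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains |
    Format-List

# Collect the configurations a defender should question rather than inherit.
$findings = @()
if ($fed.AllowTeamsConsumer) {
    $findings += "Users can chat with personal (consumer) Teams accounts."
}
if ($fed.AllowTeamsConsumerInbound) {
    $findings += "Personal Teams accounts can initiate chats with your users."
}
if ($fed.AllowFederatedUsers) {
    $findings += "Federation with other tenants is on; confirm AllowedDomains is a deliberate allow list rather than all domains."
}

if ($findings.Count -eq 0) {
    Write-Host "External access is already restricted."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

# Remediation is left commented so the script stays read-only until you decide.
# The tightest posture blocks chats with and from personal accounts; partner
# tenants should then be admitted through an explicit AllowedDomains list.
# Set-CsTenantFederationConfiguration -AllowTeamsConsumerInbound $false
# Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false
```

Run it before the January rollout and again afterwards, since a tenant that inherits a changed default will show the difference in the first listing.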
5. Oracle E-Business Suite Breach: Patch Management and Executive Accountability
- Clop Ransomware Gang Targets Unpatched Enterprise Systems:
- Oracle vulnerability exploited in major organizations (26:32–28:10).
- Patches were available in October; delayed patching led to significant breaches and data theft (including Ivy League universities).
- David Shipley (28:16):
“Clop is back, Shady's back, man... This gang picks a software supply chain target and they really think about it and they work it.”
- Security Culture Failing:
- University of Pennsylvania incident: Key leaders exempted themselves from MFA, leading to public scrutiny and legal action (29:20).
- David Shipley (30:10):
“Some executives were exempted from having to wear the seatbelt because it was too inconvenient... that is going to be a massive problem for them.”
- Executives must be held to the same security standards as everyone else.
- Laura Payne (31:13):
“If you have leadership who resists core controls ... there’s public awareness and understanding. There are very few people I think in the workforce who do not know at least the letters MFA ... So yeah, I don't think there's any excuse anymore for that.”
6. Communicating Cybersecurity: Old Myths, New Approaches (Hacklore Debate)
- Context:
Security leaders publish open letter opposing "bad" security advice and advocating MFA, patching, and strong passwords, while challenging outdated myths (juice jacking, QR code paranoia, banning public Wi-Fi) (33:40–35:25).
- Shipley criticizes black-and-white messaging; calls for more context and nuance (35:35).
- David Shipley (35:35):
“Sometimes what we communicate requires context and nuance and clarity.”
- QR Codes:
Caution is warranted—criminal campaigns using QR codes are real; context matters (36:56–38:03).
- David Shipley (37:52):
“QR codes from people you don't know in public should be treated extraordinarily cautiously.”
- Wi-Fi Security:
Free Wi-Fi can be compromised, especially if authentication is required through social media (44:05).
- Don’t oversimplify the message; a “red, yellow, green” risk approach is better than simple dos/don’ts (38:11, 43:06).
Notable Quotes & Memorable Moments
- On AI-enabled living off the land:
“I have to sweet talk your AI to then go and download a PowerShell script and go from there.”
—David Shipley (06:01)
- Meta Ad Fraud:
“What does that translate into? Roughly 15 billion scam ads per day in social media platforms.”
—David Shipley (14:19)
- Calling for Security Baselines:
“If executives are bypassing security ... when we’re hacked—and we will be ... if we have obvious holes in our security or exemptions ... it’s not going to look good for us.”
—Jim Love (32:50)
- Philosophy of Education vs Tech Controls:
“People actually do listen to us ... Are we exaggerating stories? Are we giving the right weight to stories?”
—Jim Love (47:32)
- Security Communication:
“...you have to remember explaining why is important when you communicate with adults.”
—David Shipley (47:23)
- Red-Yellow-Green Risk/Advice:
“It’s not black and white ... It’s at least red, yellow, green.”
—Laura Payne (38:03)
Actionable Takeaways & Practical Advice
- Review Default SaaS, Cloud and Collaboration Settings: Don’t trust the default. Restrict and carefully monitor external invitations and guest access.
- Maintain Equal Security Standards for Executives: No more "rules for thee, not for me" on MFA and patching.
- Patch Critical, Core Systems—Not Just Workstations: Prioritize patch management equally across backend and user-facing systems.
- Don’t Trust Content, Links, or Attachments Solely Based on Platform/Brand: Phishing and fraud campaigns are increasingly using trusted productivity and signature platforms.
- Treat QR Codes and Public Wi-Fi with Healthy Skepticism: Don’t panic, but don’t blindly trust.
- Communication Matters: Security guidance must respect users’ intelligence and be context-sensitive, not patronizing or overly simplistic.
Segment Timestamps
- [03:25] Living off the land threats in Ukraine and beyond
- [05:46] AI/Agentic frameworks and future attack potential
- [06:59] DocuSign and SaaS phishing
- [09:44] Social engineering physical analogies
- [13:43] Meta’s ad fraud problem
- [18:36] Bank-led fraud education, practical consumer advice
- [19:56] Microsoft Teams external invite risk
- [26:32] Oracle E-Business Suite breach & patching challenges
- [29:20] University of Pennsylvania MFA exemption fallout
- [33:40] The Hacklore debate and security communication
- [36:56] QR code-driven scams
- [44:05] Evil twin Wi-Fi attacks and risk communication
- [47:32] The impact and responsibility of security communicators
- [49:20] SonicWall stinky highlight (with call for vendor response)
- [51:12] The “Stinkies” award for Meta
Final Thoughts
This spirited, nuanced discussion spotlights cybersecurity’s rapidly shifting threat landscape, emphasizing the importance of practical vigilance—both by organizations and users—combined with clear, context-rich communication, and a commitment to keeping technical controls and human awareness aligned. Brands and tech giants were called out for their responsibilities, as were security leaders for the ongoing need to inform, not patronize, their audiences.
Next up: Annual year-in-review episode with the same expert panel.
For further feedback or real-world stories, listeners are encouraged to connect via technewsday.com or find Jim Love on LinkedIn.
