Risky Bulletin: Phishers Abuse Forgotten Direct Send Feature
Episode Release Date: June 26, 2025
Host: risky.biz
Presented by: Catalin Cimpanu and Claire Aird
1. Exploitation of Microsoft Exchange Online’s Direct Send Feature
In the opening segment, Catalin Cimpanu highlights a concerning trend in which phishing groups are exploiting a lesser-known feature of Microsoft Exchange Online. The Direct Send feature, originally designed to let non-human devices and accounts (such as printers) send email to internal recipients without authenticating, has been hijacked by cybercriminals.
“[00:04] A phishing group abuses a forgotten Exchange Online feature...” – Catalin Cimpanu
According to Varonis researchers, over 70 organizations have fallen victim to this technique since May 2025. Because the messages appear to come from the organization's own domain, they bypass typical security checks, making them particularly insidious threats to Microsoft 365 customers.
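The practical question for an Exchange Online administrator is whether anything in the tenant still depends on Direct Send, and how to switch it off once it does not. The script below is an added example and is not from the episode or from Varonis; it assumes the ExchangeOnlineManagement module is installed, that the account has Exchange Administrator rights, that the `RejectDirectSend` organization setting is available in the tenant, and that `example.com` stands in for the tenant's own accepted domain. The "arrived from an external IP while claiming an internal sender" filter is a heuristic for spotting Direct Send traffic, not a documented indicator.

```powershell
# Added example: audit and then block unauthenticated Direct Send in Exchange Online.
# Assumes: ExchangeOnlineManagement module, Exchange Administrator rights,
# and that the RejectDirectSend setting exists in this tenant.

Connect-ExchangeOnline

# 1. Current state. $false means unauthenticated Direct Send is still accepted.
Get-OrganizationConfig | Select-Object Name, RejectDirectSend

# 2. Find senders that may still rely on Direct Send before turning it off.
#    Heuristic (assumption): a message whose sender is one of our own domains
#    but which carries an external FromIP was not submitted by an authenticated
#    mailbox. Message trace covers only the last 10 days.
#    "example.com" is a placeholder for the tenant's accepted domain.
$end   = Get-Date
$start = $end.AddDays(-7)
$suspect = Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 |
    Where-Object { $_.SenderAddress -like '*@example.com' -and $_.FromIP } |
    Select-Object Received, SenderAddress, RecipientAddress, FromIP, Subject |
    Sort-Object Received -Descending

$suspect | Format-Table -AutoSize

# Group by source IP so legitimate devices (printers, scanners, on-prem apps)
# stand out from one-off external sources.
$suspect | Group-Object FromIP | Sort-Object Count -Descending |
    Select-Object Count, Name

# 3. Once legitimate devices have been moved to authenticated SMTP submission
#    or a connector, reject unauthenticated Direct Send tenant-wide.
Set-OrganizationConfig -RejectDirectSend $true

Disconnect-ExchangeOnline -Confirm:$false
```

Run step 2 first and walk through every source IP with its owner; a multifunction printer that is moved to an authenticated connector beforehand is a five-minute job, whereas one discovered after step 3 shows up as silently dropped scan-to-email traffic.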
2. Synnovis Ransomware Attack and Tragic Consequences
The bulletin sheds light on a tragic outcome linked to a ransomware attack. Last year, the Qilin group targeted the UK blood lab Synnovis, resulting in severe repercussions.
“[00:04] A patient's death is linked to the Synnovis ransomware attack...” – Narrator
A spokesperson for the UK National Health Service revealed that delays in blood result processing caused by the attack contributed to the patient's unexpected death. Additionally, Bloomberg reported that two individuals suffered long-term or permanent harm, while over 120 experienced minor injuries.
3. Major Arrests in Breach Forums Leadership
Significant progress has been made in combating underground cybercrime networks. Five high-ranking members of Breach Forums were apprehended in France, including the site's administrator, IntelBroker, a 25-year-old British man named Kai West.
“[00:04] Five high ranking members of the latest iteration of Breach Forums have been arrested in France...” – Catalin Cimpanu
U.S. authorities are actively seeking West’s extradition, labeling him a serial hacker. The arrests extend to members using the aliases ShinyHunters, Hollow, Noct, and Depressed. Notably, Breach Forums was compromised by a rival platform in April and has been offline since.
4. Western Sydney University Hacking Incident
Australian authorities have taken action against Birdie Kingston, a 27-year-old woman accused of a prolonged hacking spree targeting Western Sydney University. Kingston's activities began in 2021 with attempts to secure discounted campus parking but escalated to altering test results and extorting the university by threatening to leak student data.
5. Glasgow City Council's Cyber Attack
The Glasgow City Council recently experienced a cyber attack that forced several municipal services offline. Authorities have confirmed that customer data may have been compromised, affecting online payments for parking fines and the reporting of school absences.
6. Data Breaches in Financial and Food Sectors
- ABCD Financial App: Hackers have siphoned over $230,000 from 435 user accounts out of a 1.2 million customer base.
- Papa John’s South Korea: A long-standing vulnerability in the website, existing since 2017, was exploited to access customer names, contact details, and delivery addresses. South Korea’s Data Protection Agency is currently investigating the breach.
7. Columbia University Displays Trump Image Amid Breach
In an unusual incident, Columbia University has been breached, with images of former U.S. President Donald Trump displayed across numerous computer screens. The university’s website and student authentication systems have been offline since Tuesday. However, sources indicate there are no signs of ransomware or a broader security breach.
8. Shutdown of Russia’s National Multiscanner and GitHub Clone Projects
Russia's attempt to establish its own cybersecurity tools faced setbacks as the government-backed National Multiscanner, a clone of VirusTotal launched in 2023, has been taken offline due to funding shortages. Additionally, Russia abandoned plans to develop a GitHub clone last year for similar financial reasons.
9. New Russian Legislation Mandates Domestic App Store
A recent law requires all smartphones sold in Russia to include the domestic RuStore app store starting in September. Backed by the Russian government, RuStore must be fully functional on the device, which indirectly challenges companies like Apple that restrict third-party app stores.
10. Tamil Nadu Upholds New Law on Hacker Detention
In India, the state of Tamil Nadu has upheld a law enabling law enforcement to detain hackers during investigations. Previously, suspects could remain free until investigations concluded, a loophole that often allowed cybercriminals to continue their illicit activities or evade capture.
11. Lyon’s Digital Sovereignty Move: Migrating from Microsoft
The French city of Lyon is embarking on a significant digital transformation by phasing out Microsoft products in favor of open-source alternatives. This includes transitioning from Windows to Linux, using OnlyOffice instead of Microsoft Office, and adopting Postgres for databases.
“[00:04] The French city of Lyon will migrate away from Microsoft products as part of a push for digital sovereignty...” – Catalin Cimpanu
Lyon is the third-largest city in France and joins Aarhus and Copenhagen in Denmark in similar endeavors. The European Union is also contemplating shifting its cloud infrastructure from Asian to EU-based providers.
12. Microsoft’s Free Windows 10 Extended Security Updates with a Caveat
As Windows 10 approaches its end-of-life in October, Microsoft is offering extended security updates for home users:
- Free for the First Year: Users who opt into syncing their computer settings with their Microsoft accounts can receive one year of free updates.
- Paid Option: After the first year, continued updates will cost $30 per year for an additional three years.
“[00:04] Microsoft is offering free Windows 10 extended security updates to home users, but there's a catch...” – Catalin Cimpanu
13. Recent Vulnerabilities Across Various Platforms
- Open VSX Platform: A critical vulnerability that could have allowed attackers to hijack the registry's infrastructure was patched. The flaw could have affected over 8 million developers by enabling the deployment of malicious extensions.
- Kerio Control Firewalls: A major vulnerability lets attackers gain root access via the proxy server component. With nearly 300 devices exposed and no vendor patch available, researchers released proof-of-concept code.
- Bluetooth Headphones Using Airoha Chips: Vulnerabilities in chips used by popular brands such as Sony, Marshall, JBL, and Beyerdynamic allow attackers within Bluetooth range to extract data or covertly listen through the headphones.
- Printer Security Flaws: Rapid7 identified vulnerabilities in 748 printer models, predominantly from Brother, enabling authentication bypass and potential unauthorized access to device serial numbers and admin credentials.
This episode of Risky Bulletin underscores the evolving landscape of cybersecurity threats, highlighting both sophisticated exploitation techniques and the global responses from authorities and organizations. From the misuse of established features like Direct Send to significant legislative changes aimed at curbing cybercrime, the discussions provide comprehensive insights into current challenges and mitigation strategies in the cybersecurity domain.
For more detailed discussions and updates, tune into the next episode of Risky Bulletin.
