Catalin Cimpanu
A phishing group abuses a forgotten Exchange Online feature, a patient's death is linked to the Synnovis ransomware attack, France arrests Breach Forums' leadership, and Microsoft offers free Windows 10 Extended Security Updates with a catch. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 27th of June and this podcast episode is brought to you by Authentik.

In today's top story, a feature in Microsoft Exchange Online is being abused to send phishing emails to Microsoft 365 customers. The little-known Direct Send feature allows non-human accounts, such as those used by printers, to send internal emails. It does not authenticate senders. Phishing groups have been sending malicious emails via Direct Send, which are then delivered without any other security checks. Varonis researchers said more than 70 organisations have been targeted with this technique since May.

In other news, one person died during last year's ransomware attack on a major UK blood lab. A spokesperson for the UK National Health Service said the long wait for blood results contributed to the patient's unexpected death. The Qilin group ransomed UK blood lab Synnovis last year. Bloomberg reported that two people suffered long-term or permanent harm due to the attack and more than 120 people suffered minor harm.

Five high-ranking members of the latest iteration of Breach Forums have been arrested in France. The site administrator IntelBroker was arrested in February and has since been identified as 25-year-old British man Kai West. US authorities have described him as a serial hacker and are seeking his extradition. Four more members, who used the monikers ShinyHunters, Hollow, Noct and Depressed, were arrested this week. Breach Forums is one of many underground sites trading in hacked data. Confusingly, many of these share similar names and lineage. Breach Forums was allegedly hacked by a rival platform in April and has since been offline.

Australian police have arrested a 27-year-old woman accused of hacking Western Sydney University. Birdie Kingston allegedly began by hacking the school in 2021 to get discounted parking on campus. She escalated her hacks to alter test results and later extorted the university by threatening to sell student data on the dark web. The hacking spree continued until this year.

The Glasgow City Council has taken several services offline following a cyber attack on Thursday. Officials said customer data may have been stolen. The attack has impacted online payment of parking fines and the reporting of school absences.

Hackers have stolen more than $230,000 from customer accounts of Indian financial app ABCD. The company says the breach affected 435 users. The app had more than 1.2 million customers as of last year.

Hackers have exploited a vulnerability in the South Korean website of pizza franchise Papa John's. The company says stolen data included customer names, contact details and delivery addresses. The flaw that exposed the data has existed in the website since 2017. South Korea's Data Protection Agency is investigating.

Meanwhile, hackers have breached Columbia University and displayed an image of US President Donald Trump on numerous computer screens. The school's website and student authentication system have also been down since Tuesday. Sources told The Record there were no signs of a ransomware attack or a wider breach.

Russia's government-backed clone of VirusTotal has gone offline. The Minister of Digital Development launched the service in 2023. The clone, named the National Multiscanner, was shut down this month due to a lack of funding. Russia also abandoned building a GitHub clone last year for the same reason.

Meanwhile, all smartphones sold in Russia must include the country's domestic app store from September. RuStore was launched by the Russian government and carries local apps. Device manufacturers must also not limit the store's functionality. The new requirement was passed into law this week. It indirectly targets Apple, which strongly restricts third-party app stores.

A new Indian law has been upheld in the state of Tamil Nadu that allows law enforcement to detain hackers during investigations. Previously, suspects remained free until investigations were concluded. Officials say the new law is needed as cybercrime suspects often continue their hacking sprees or abscond.

The French city of Lyon will migrate away from Microsoft products as part of a push for digital sovereignty. Windows will be replaced with Linux, Office with an open-source version named OnlyOffice, and Microsoft databases with Postgres. Lyon is the third-largest city in France by population. Danish cities Aarhus and Copenhagen are also attempting to replace US tech products with open-source alternatives. The EU is considering migrating away from Asia to an EU-based cloud provider.

Microsoft is offering free Windows 10 Extended Security Updates to home users, but there's a catch. Home users can claim the first year free, but only if they opt into syncing their computer settings to their Microsoft accounts. Otherwise it costs $30 per year. Extended Security Updates will be available for paying customers for three years. Windows 10 will reach end of life in October.

The OpenVSX platform has patched a vulnerability that could have allowed attackers to hijack its infrastructure. The platform is an independent marketplace for Visual Studio Code extensions. According to Koi Security, attackers could have abused the access to deploy malicious code to more than 8 million developers.

A major vulnerability has been discovered in Kerio Control firewalls. The vulnerability allows attackers to gain root access to the device through its proxy server component. Researchers published details and proof-of-concept code after the vendor failed to release a patch. There are almost 300 Kerio Control firewalls currently exposed on the Internet.

Bluetooth headphones using chips from Taiwanese vendor Airoha are vulnerable to attacks. The vulnerability allows attackers to extract data from paired smartphones or turn the headphones into listening devices. Security firm ERNW says the vulnerabilities only require an attacker to be within Bluetooth range. Bluetooth audio gear from Sony, Marshall, JBL and Beyerdynamic is impacted.

And finally, vulnerabilities impacting 748 models of printer have been discovered across five different vendors. 689 of the affected models are from Japanese-owned vendor Brother. Security firm Rapid7 says the worst flaw is an authentication bypass that can be used to leak a printer's serial number. The serial number can then be used to generate a device's default admin password.

And that is all for this podcast edition. Today's show is brought to you by Authentik. Find them at goauthentik.io. Thanks for your company.
Risky Bulletin: Phishers Abuse Forgotten Direct Send Feature
Episode Release Date: June 26, 2025
Host: risky.biz
Presented by: Catalin Cimpanu and Claire Aird
In the opening segment, Catalin Cimpanu highlights a concerning trend: phishing groups are exploiting a lesser-known feature of Microsoft Exchange Online. The Direct Send feature, designed to let non-human accounts (such as printers) send internal emails without authenticating the sender, is now being abused to deliver phishing mail that looks internal.
“[00:04] A phishing group abuses a forgotten Exchange Online feature...” – Catalin Cimpanu
According to Varonis researchers, over 70 organizations have been targeted with this technique since May 2025. Because Direct Send messages are delivered without the usual security checks, they are a particularly insidious threat to Microsoft 365 customers.
The bulletin sheds light on a tragic outcome linked to a ransomware attack. Last year, the Qilin group targeted the UK blood lab Synnovis, with severe repercussions for patients.
“[00:04] A patient's death is linked to the Synnovis ransomware attack...” – Narrator
A spokesperson for the UK National Health Service said that the long wait for blood results caused by the attack contributed to the patient's unexpected death. Additionally, Bloomberg reported that two individuals suffered long-term or permanent harm, while more than 120 suffered minor harm.
Significant progress has been made against underground cybercrime networks. Five high-ranking members of Breach Forums were arrested in France, including the site's administrator, IntelBroker, identified as 25-year-old British man Kai West.
“[00:04] Five high ranking members of the latest iteration of Breach Forums have been arrested in France...” – Catalin Cimpanu
U.S. authorities describe West as a serial hacker and are seeking his extradition. The other four arrested members used the aliases ShinyHunters, Hollow, Noct, and Depressed. Notably, Breach Forums was allegedly compromised by a rival platform in April and has been offline since.
Australian police have arrested Birdie Kingston, a 27-year-old woman accused of a prolonged hacking spree against Western Sydney University. Kingston's activity allegedly began in 2021 with hacks to obtain discounted campus parking, then escalated to altering test results and extorting the university by threatening to sell student data on the dark web; the spree continued until this year.
The Glasgow City Council recently experienced a cyber attack that forced several municipal services offline. Authorities have confirmed that customer data may have been compromised, affecting online payments for parking fines and the reporting of school absences.
In an unusual incident, Columbia University has been breached, with an image of U.S. President Donald Trump displayed across numerous computer screens. The university's website and student authentication system have been offline since Tuesday. Sources told The Record there are no signs of ransomware or a broader breach.
Russia's attempt to establish its own cybersecurity tools faced setbacks as the government-backed National Multiscanner, a clone of VirusTotal launched in 2023, has been taken offline due to funding shortages. Additionally, Russia abandoned plans to develop a GitHub clone last year for similar financial reasons.
A law passed this week requires all smartphones sold in Russia to include the domestic RuStore app store from September. Launched by the Russian government and carrying local apps, the store must not have its functionality limited by device makers, a rule that indirectly targets Apple, which strongly restricts third-party app stores.
In India, the state of Tamil Nadu has upheld a law enabling law enforcement to detain hackers during investigations. Previously, suspects could remain free until investigations concluded, a loophole that often allowed cybercriminals to continue their illicit activities or evade capture.
The French city of Lyon is embarking on a significant digital transformation by phasing out Microsoft products in favor of open-source alternatives. This includes transitioning from Windows to Linux, using OnlyOffice instead of Microsoft Office, and adopting Postgres for databases.
“[00:04] The French city of Lyon will migrate away from Microsoft products as part of a push for digital sovereignty...” – Catalin Cimpanu
Lyon is the third-largest city in France and joins Aarhus and Copenhagen in Denmark in similar endeavors. The European Union is also contemplating shifting its cloud infrastructure from Asian to EU-based providers.
As Windows 10 approaches its end-of-life in October, Microsoft is offering Extended Security Updates to home users. The first year is free only for users who opt into syncing their computer settings to a Microsoft account; otherwise it costs $30 per year. Paid updates will remain available for three years.
“[00:04] Microsoft is offering free Windows 10 extended security updates to home users, but there's a catch...” – Catalin Cimpanu
OpenVSX Platform: A critical vulnerability that could have allowed attackers to hijack the platform's infrastructure has been patched. According to Koi Security, the access could have been abused to push malicious code to more than 8 million developers who use the Visual Studio Code extension marketplace.
Kerio Control Firewalls: A major vulnerability allows attackers to gain root access via the firewall's proxy server component. Researchers released details and proof-of-concept code after the vendor failed to ship a patch; almost 300 devices are currently exposed on the Internet.
Bluetooth Headphones with Airoha Chips: Vulnerabilities in chips from Taiwanese vendor Airoha, used in audio gear from Sony, Marshall, JBL, and Beyerdynamic, allow an attacker within Bluetooth range to extract data from paired smartphones or turn the headphones into listening devices, according to security firm ERNW.
Printer Security Flaws: Rapid7 identified vulnerabilities in 748 printer models across five vendors, 689 of them from Brother. The worst flaw is an authentication bypass that leaks the printer's serial number, from which the device's default admin password can be generated.
This episode of Risky Bulletin underscores the evolving landscape of cybersecurity threats, highlighting both sophisticated exploitation techniques and the global responses from authorities and organizations. From the misuse of established features like Direct Send to significant legislative changes aimed at curbing cybercrime, the discussions provide comprehensive insights into current challenges and mitigation strategies in the cybersecurity domain.
For more detailed discussions and updates, tune into the next episode of Risky Bulletin.