CloudGuard AI

Issue 75: Patches and Updates Needed as Hackers Target SonicWall, SysAid and Microsoft SharePoint

Jen Begue — Mon, 28 Jul 2025 07:28:17 +0000

Law Firms Are Falling for These Cyber Traps: Human Error, Deepfakes & More [Video]

Matt Lovell — Wed, 23 Jul 2025 08:42:50 +0000

Summary

Law firms have a cyber problem, and it’s bigger than most people think.

We’re not just talking about ransomware or lost USB sticks. Insider risk, social engineering, and yes, deepfakes, are reshaping the threat landscape. And the legal sector, with all its sensitive data and overworked professionals is firmly in the firing line.

In this episode of Security Done Different, we break down why human error is still the #1 cause of breaches, how compliance fatigue is quietly opening the door to attackers, and why basic security hygiene often gets overlooked until it’s too late. We also get into the legal grey zones around AI and deepfakes. The tech is moving fast, but regulation? Not so much. That’s a problem, especially when your firm’s reputation (and client trust) is on the line.

We talk about culture, communication and the moments of pause that could prevent your next incident. And we ask a tough but necessary question: is your firm secure… or just lucky?

Expect blunt insights, practical takeaways, and a clear message, security doesn’t have to be complicated, but it does have to be intentional.

Issue 74: Co-op Data Breach Hits 6.5M Members, SonicWall Rootkit Enables Ransomware Access and Fortinet WAF Flaw Opens Door to Remote Attacks

Jen Begue — Fri, 18 Jul 2025 13:38:41 +0000

Issue 73: UK Teens Arrested for M&S, Co-op and Harrods Attacks, New Bert Ransomware Emerges & More

Jen Begue — Mon, 14 Jul 2025 12:45:59 +0000

Issue 72: Browser-Based Crypto Theft, Cisco Root Credential Risk and Phishing Multi-Layered Phishing Attacks

Jen Begue — Mon, 07 Jul 2025 07:57:46 +0000

How CloudGuard AI Prevents Account Takeover [Examples]

Atif Chaudry — Fri, 04 Jul 2025 09:18:29 +0000

You’re working late, trying to get through your inbox. You receive an email from what looks like a trusted source, maybe your boss, maybe a vendor, and it asks you to click a link to log in to your company account.

You click it without thinking, and just like that, you’ve been compromised.

Account takeover happens more often than you think, and it’s not just an email that can get you into trouble.

Attackers have a whole playbook of steps they follow to steal your credentials and hijack your accounts.

Let’s break it down and see how these attacks unfold, and how CloudGuard AI stop them in their tracks.

What is Account Takeover?

Account takeover (ATO) is a tactic used by cybercriminals where they gain unauthorised access to a user’s account, often using stolen credentials or exploiting weak passwords. Once they’re in, attackers can do anything: from leaking sensitive data to sending phishing emails or even locking you out of your own account.

Step 1: The targeted research – picking the right victim

Account takeovers often start with research. Instead of sending random phishing emails, attackers will zero in on a specific company or person. They might start with social media profiles or company websites, looking for details that can help them build a profile.

They know that financial services, manufacturing or legal companies are prime targets. Why? Financial data and intellectual property are goldmines for cybercriminals.

Step 2: Finding the personal account

Once the attackers have the target’s details, they don’t go for the corporate account right away. Instead, they often target personal accounts, like Gmail, because these are less protected than your work accounts. They might find this info through a simple Google search or a LinkedIn profile.

From there, they’ll check if your personal email has been involved in any data breaches. If your credentials have been leaked before, they’ll try them on your work accounts. If your password is weak or reused, they might even guess it with a few variations (adding “123” at the end, for example).

Step 3: The breach – getting inside the account

Once the attackers crack the password, they’re in. That’s when the real damage starts. Depending on the account they’ve taken over, they might:

Leak sensitive data (like customer information or intellectual property)
Send phishing emails to colleagues and clients (business email compromise)
Spread malware across the network
Change login credentials to lock you out completely

If it’s a privileged account (like admin access), the damage is even worse. They can gain control of internal systems and spread across the company.

Step 4: How CloudGuard AI steps in

So, how do we stop this attack before it can wreak havoc?

Detecting Brute Force & Password Spray Attacks
CloudGuard AI watches for unusual login activity. If an attacker tries several passwords in a short time (a brute force attack), our system flags it instantly. We don’t rely on just static lists, behavioural analytics help us detect deviations from normal login patterns.
Spotting Unfamiliar Logins
Attackers often use VPNs or proxies to hide their location. We can identify this and immediately flag any login attempt coming from an unfamiliar source, whether it’s a new IP address, strange device, or unexpected time.
Real-Time Alerts and Investigation
Once an unusual login is detected, we don’t just stop there. We immediately investigate the IP’s reputation using enterprise-grade threat intelligence platforms, looking at the history of the IP and how often it’s been linked to malicious activity.
Taking Action: Locking Down the Account
If the login attempt is suspicious, we disable the account, force a password reset, and revoke active sessions across all devices. This cuts the attacker off and protects the rest of the network.
Post-Incident Analysis
If the attack was successful, we dig deeper. We review the activities of the compromised account: Did they send phishing emails? Download sensitive documents? We clean up the mess before the attacker can do real damage.

Why this attack matters (And why you should care)

Account takeovers are a growing threat, and they’re not just limited to big companies. Cybercriminals target SMEs, too. And if they’re only relying on traditional antivirus software, they’re leaving themselves wide open to these kinds of attacks.

But with CloudGuard’s 24/7 protection, we can catch these threats before they escalate. Whether it’s through behavioural analysis, anomaly detection, or real-time threat intelligence, we’re ready to stop account takeovers in their tracks.

Other real-world examples of account takeover attacks

These attacks are happening right now. Here’s a recent incident:

May 2025 – Retail giant Marks & Spencer fell victim to a cyberattack after threat actors used social engineering to impersonate employees and trick the IT help desk into resetting internal account passwords. This account takeover enabled access to the company’s Active Directory and led to the deployment of ransomware, disrupting operations and exposing customer data. (Source: The Times)

Picture: M&S

How to protect your accounts

To prevent account takeover, follow these steps:

Enforce Strong Password Policies: Require employees to use long, complex, unique passwords for every account.
Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security, even if the password is compromised. However, not all MFA is created equal, and can be bypassed, so keep this in mind.
Monitor for Unusual Login Activity: Watch for unusual locations, IP addresses, or devices attempting to log in to your accounts.
Deploy Advanced Threat Protection: Traditional antivirus won’t cut it. You need a solution that looks for behavioural anomalies and patterns of suspicious activity.

But most importantly, you need a security team that can catch and respond to these attacks quickly, before they get out of hand. If you’d like no obligation, confidential consultation with one of our experts, contact us here and we’ll be in touch.

Issue 71: Citrix Crashes, Microsoft 365 Spoofed, SonicWall and ConnectWise Abused in Coordinated Attacks

Jen Begue — Wed, 02 Jul 2025 08:16:58 +0000

You Paid the Ransom: Inside the War Room (Live IR Teardown)

Thomas Shelton — Wed, 25 Jun 2025 11:16:47 +0000

Issue 70: Linux Kernel Exploit, Chrome Zero-Day and Cloudflare-Based RATs in the Wild

Jen Begue — Fri, 20 Jun 2025 14:53:35 +0000

You’ve been breached. Can you answer these three questions? [Video]

Matt Lovell — Thu, 19 Jun 2025 13:57:45 +0000

Summary

In this talk, Matt Lovell, CEO and Co-founder at CloudGuard, breaks down the modern dynamics of cyber breaches and incident response. He outlines the evolution of attack techniques over the past six months, focusing on multi-channel threats, privilege escalation and data exfiltration. The discussion highlights three critical questions businesses must be able to answer during an incident: how the breach occurred, whether attackers are still present, and what data has been taken. Matt also emphasises the importance of managing communications with regulators, insurers and customers in the wake of a breach.

Transcript

00:01:54:12 – 00:02:30:02
Matt Lovell
The first aspect of incident response is understanding the nature of attacks. So, lessons from the field here. Attacks over the last six months have evolved at the fastest rate we’ve ever seen them. What do we mean by that evolution? Lots of businesses have incident response plans that cover the core scenarios a malware infestation, some element of insider threat, a ransomware attack, a sophisticated phishing email, maybe some social engineering in some of the environments we see.

00:02:30:04 – 00:02:53:15
Matt Lovell
One of the big problems the incident response planning, actually struggles to deal with, and we need to rethink that mindset, is that most attackers think about this as an omni or a multi-channel event now. It’s typical distraction technique first and foremost here. So “I’m over here, but actually I’m over here.” The distraction technique is taking place.

00:02:53:15 – 00:03:14:13
Matt Lovell
I need to be worried about what’s over here. And I am trying to absorb the resources, whether it’s automation, whether it’s technology, or particularly if it’s human focus within the business in terms of diverting attention to where I don’t want you to be looking. The other scenario here, within the first lens, is actually how attackers try to evade.

00:03:14:15 – 00:03:44:08
Matt Lovell
Some of the most recent sophisticated attacks that we have seen have been omni channel. They’ve involved some element of vulnerability exploitation. They’ve taken into account some aspect of social engineering, and how those are combining together to get to people with elevated rights or rights that can be elevated through privileged access management and privileged identity management. And again, how you take that attack through the organisation without being detected that you’re there.

00:03:44:09 – 00:04:14:07
Matt Lovell
So, living off the land type of attackers, we refer to them. Or indeed how data can be exfiltrated without a level of detection taking place or evading that detection. And both of those scenarios are one of the same. What we’re talking about here is looking into your existing instance response planning and looking at those scenarios. So, I gave you the headline sort of areas that most incident response plans look at.

00:04:14:09 – 00:04:40:03
Matt Lovell
Very few look at data exfiltration. Very few look at the fundamental questions that get asked when a cyber incident is detected within a business. So very simply, there are three questions as a board, as you know, management and operational control in a business that they’re thinking about when a cyber incident is reported. How’s it occurred? Where did they get in?

00:04:40:05 – 00:05:11:22
Matt Lovell
Are they still here? You know, and that’s a very, very common question that many incident response plans, have to be thinking about. And what have they taken? Okay. So, how did they get in? Are they still present? What’s gone? You know, what’s the exposure of the business? The first thing we need to be thinking about is what most incident response plans do. Give you a structure to control the emotion that’s taking place and ensure that you’re methodical in terms of how you breaking down, answering those three questions.

00:05:11:22 – 00:05:47:19
Matt Lovell
And let’s not evade the topic here. There is an immense amount of pressure on security teams at this point in time to try to understand what has actually happened or what is happening. To answer the questions from the various organisations that will need to be informed if data has been proven to be taken within the organiation, and even if it hasn’t, it’s still a reportable incident, particularly to the Information Commissioner’s Office and to your cyber insurer, but also to the stakeholders within the business and the customers of your business or your business businesses.

00:05:47:21 – 00:06:15:21
Matt Lovell
Those are the key areas we need to be focused on. And most people are saying, what is the level of exposure? And we need to work through that as quickly as possible. But these are really difficult questions to actually answer in most businesses, and particularly most incident response plans that we see day in, day out. The key focus here is let’s anticipate the questions and make sure that the incident response plan really focuses on how we’re going to answer that.

00:06:15:21 – 00:06:35:12
Matt Lovell
Okay. So, we’ve got our framework. What are we going to do to answer those questions? How are we going to validate that? And particularly moving into the next question, which is are they still present? And if they’re evading attack, you know, and continuing to evade attack or communicate with us on the internal or external systems, how are we going to manage that?

00:06:35:12 – 00:07:05:11
Matt Lovell
Another adjunct to the incident response plan that needs to be thinking about those elements. Now, we’ve seen organisations large, medium and small, encounter the same issues. The problem is that in smaller organisations, they may not have some of the licenses and some of the technical capabilities available to them to do some of the things that larger organisations do have at their disposal in terms of functionality and in terms of expertise.

00:07:05:11 – 00:07:25:23
Matt Lovell
So, we’ve got to bring in some additional tools. And that’s problematic installing in an environment that may or may not be compromised. We need to think through those parts to the incident response plan. You bring somebody in? Are you going to default to the partners or the incumbent providers incident response plan? And again, who’s going to run that?

00:07:25:23 – 00:07:47:05
Matt Lovell
Who’s going to control it? Those are the things that are really, really key. What we see is, most organisations will obviously adopt the expertise that’s been brought in, whether it’s through your cyber insurer or through a recommendation. But again, these are really important things for businesses to be thinking about. The third aspect of this is what have they taken?

00:07:47:07 – 00:08:13:15
Matt Lovell
What we need to be thinking about here is, “where are the likely channels of exfiltration?” So, file copying services, any kind of physical if you’ve still got on premise service. Email, tt’s obviously a very common environment. As is sort of shadow IT systems that have obviously other file services connected to it or platforms that that transfer data as well.

00:08:13:15 – 00:08:54:10
Matt Lovell
And we’ve seen that with the MOVEit issues a few years ago. More and more organisations, particularly in financial services, particularly in legal services, business services, need to be thinking about the ability to have secure independent file transfer capability outside of email within this scenario. Most incident response plans don’t necessarily focus on what if we can’t confirm that there isn’t presence still from the attacker within the business, particularly if you’ve got tens of thousands of employees here or people have multifunctional roles, as lots of people do in businesses today.

00:08:54:12 – 00:09:36:21
Matt Lovell
And again, what is normal behaviour? And you trying to break this down to understand what is normal business behaviour or not suspicious? What is suspicious? So, you can go and investigate that. There are a lot of data points to be thinking about here. And again, most incident response plans don’t actually take that into consideration. They’ve got the headlines towards it all, we’ve got some simple tests that we can run, but they’re not looking at how is the business going to minimise the impact and look at safe operations whilst we are in this interim period of risk. Then we have to validate what data has been taken.

00:09:37:01 – 00:09:59:14
Matt Lovell
We’ve got to have some form of audit trail. Some businesses have logs available to them, some don’t. We’ve got to look at that and we’ve got to find some way of validating it. There are many bad actors out there who will allude to having data. And, it’s actually really quite challenging to prove whether they do have the data they say that they have.

00:09:59:16 – 00:10:29:06
Matt Lovell
And indeed, when it was taken. Okay. And what route has been exfiltrated through. It could be insider risk and that includes, you know, everything from physical transmission of data to obviously a snapshot or photograph, some form of digital imaging that takes place on the third party device, which is outside of your control. What we do have to be thinking about there, from a security point of view, what data does that involve?

00:10:29:06 – 00:11:00:01
Matt Lovell
What’s the sensitivity of that data? What’s the impact to customers? What’s the impact to the individuals involved within that, and how are we going to help and how are we going to manage that situation? There’s an awful lot of questions around data exfiltration management that need to be included inside your incident response plan. If you don’t already do that, then please feel free to reach out to us or any other cyber services provider that has expertise in this area that can help you move that forward.
00:11:00:03 – 00:11:22:00
Matt Lovell
The key part to this is making sure that firstly, the people involved in doing that analysis within your business really understand that data and understand the user behaviours, because that really helps in ascertaining whether or not something is suspicious and where data may have left the business, whether it was, you know, done maliciously or not within the business.

00:11:22:00 – 00:11:46:12
Matt Lovell
And there’s obviously accidental human error that does take place within businesses from time to time. And again, where that data has been copied to and who, you know, may or may not have that data. There are many areas of the dark web that we can’t monitor . And they may be, you know, marketplaces that most of the search engines don’t necessarily have access to or they’re new and they’re very restricted.

00:11:46:12 – 00:12:14:04
Matt Lovell
It isn’t always immediately clear whether or not data has been exfiltrated. And you know that there is a reference point on the dark web, or anywhere else for that matter, as to the fact data has left your organisation. That isn’t a reliable mechanism to base any judgment on, and I have to say that. I think most importantly, the business will be trying to understand this as early as possible so it can manage customer communications

00:12:14:04 – 00:12:35:00
Matt Lovell
Customers are very, very eager to understand, you know, what is taken place and what data has potentially been exposed, you know, to other people and what the impact to customers is. And we’ve seen that with a range of attacks that have taken place over the last six months. For us, it’s about very clear risk communication to customers.

00:12:35:01 – 00:13:02:05
Matt Lovell
Being very specific about the type of information we think that has been exfiltrated and the impact to the customers, and making very clear recommendations. The majority will say password resets, monitor for suspicious behaviour yourselves. There’s always an elevation to some other form of attacks. Largely phishing to those customers. But there can also be attacks in terms of how system data gets aggregated on the dark web.

00:13:02:05 – 00:13:28:20
Matt Lovell
The more information is exfiltrated from different attacks, the more information gets concatenated in much larger databases where they will correlate, say, a primary field like an email address, personal or business-related, and then you may collect a number of passwords. And what they’re trying to do is use AI, automation, generative techniques, in order to build up a deeper history of password complexity and different passwords and systems.

00:13:28:20 – 00:13:55:14
Matt Lovell
They might do a spray and prey type attack with that information. They might do a brute force attack to organisations. And we commonly see that. A secondary activity that takes place through supply chains, for example. They’re all very key points to be looking at in terms of incident response. As I say, if you would like more information or like to talk your incident response plans through and perhaps gaps and have an assessment of that, please feel free to reach out to us at CloudGuard.