
Black Hat Europe 2025 | Insights From Phishing-Resistant Authentication
At Black Hat Europe 2025, Okta researcher Faelan presented a novel methodology that treats failed phishing‑resistant authentication attempts as a high‑fidelity sensor for adversary‑in‑the‑middle (AiTM) phishing. By mining FastPass logs that record cryptographic domain‑mismatch rejections, the team quantified a previously invisible threat vector across thousands of mature enterprises. The analysis covered 26 months of data—over 3 billion authentication events, 44,000 mismatched request origins, and 190 confirmed malicious domains. After rigorous expert, AI‑assisted, and customer validation, 170 “evil‑proxy” origins accounted for 310 user‑engagement incidents, translating to an average of 0.12% of organizations experiencing at least one AiTM event each month. Traditional MFA proved ineffective against these attacks, underscoring the unique value of phishing‑resistant mechanisms. Key findings highlighted that attackers rely on commercial cloud and VPS providers (e.g., Akamai, DigitalOcean) and rotate disposable domains to evade detection. Larger U.S. professional‑service firms were disproportionately targeted, and most compromised sessions originated from Microsoft Office 365 applications. The research also demonstrated that many organizations only discovered these events after Okta’s notification, revealing a critical gap in existing security monitoring. The implications are clear: enterprises must adopt phishing‑resistant authentication, continuously monitor failed FastPass signals, and integrate them into incident‑response workflows for IP blocking and SIEM enrichment. The conservative lower‑bound estimate likely understates the true prevalence, making this a compelling call to close a blind spot that could otherwise lead to costly account takeovers.

Black Hat Europe 2025 | From Live Exploitation to Zero-Day Discovery: Investigating Attacks on Gogs
The Black Hat Europe 2025 talk detailed how a routine YARA‑based malware alert uncovered a previously unknown zero‑day vulnerability in the self‑hosted Git service Gogs. Researchers from Wiz traced the infection on a customer’s cloud server, ruled out common entry...

Black Hat Europe 2025 | Network Operations Center (NOC) Report
The Black Hat Europe 2025 Network Operations Center (NOC) report details how organizers rebuild the entire network stack—routers, firewalls, switches, and access points—for each event, enabling instant mitigation of attacks and live visibility into the most hostile conference traffic. Key insights...

Black Hat Europe 2025 | Weaponizing Image Scaling Against Production AI Systems
The presentation at Black Hat Europe 2025 revealed a new class of attacks that embed hidden commands in images uploaded to production AI systems. By exploiting the mathematical properties of downscaling algorithms—particularly the Nyquist‑Shannon sampling theorem—adversaries can craft high‑frequency perturbations...

Black Hat Europe 2025 | You Win Some, You CheckSum: A Kerberos Delegation Vulnerability
The talk unveiled a logical flaw in Kerberos delegation that lets attackers impersonate users across the network. By exploiting the S4U2self and S4U2proxy messages, the researcher demonstrated how legacy MD4‑based checksums (PA‑DATA type 130) remain in Microsoft’s implementation, despite being...

Black Hat Europe 2025 | Flaw And Order: Finding The Needle In The Haystack Of CodeQL Using LLMs
At Black Hat Europe 2025, Simha Cosman of CyberArk Labs presented a novel method for finding software flaws by pairing CodeQL static analysis with large language models (LLMs). He argued that the hype around LLM‑only vulnerability scans is misplaced, as...

SecTor 2025 | Grand Finale: Cutting Through the Cyber Noise
The SecTor 2025 Grand Finale panel wrapped up the conference by reflecting on the dominant themes that emerged over the past two days. Speakers from Quick Intelligence, Ontario’s government, and Citizen Lab highlighted how AI has become the headline topic,...

SecTor 2025 | Chasing Shadows: Chronicles of Counter-Intelligence From the Citizen Lab
The SecTor 2025 talk highlighted the Citizen Lab’s role as a counter‑intelligence hub exposing the worldwide misuse of commercial spyware, especially NSO Group’s Pegasus. Founded in 2001, the Toronto‑based academic team blends political‑science insight with technical forensics to document how...

SecTor 2025 | Invoking Gemini for Workspace Agents with Simple Google Calendar Invite
The SecTor 2025 presentation revealed a novel attack vector: a simple Google Calendar invitation can poison the context of Google’s Gemini for Workspace, turning the assistant into a conduit for malicious actions. Researchers Staf Cohen, Ori Yair, and Ben Sade...

SecTor 2025 | Hackers Dropping Mid-Heist Selfies
The SecTor 2025 session focused on a growing class of information‑stealer malware that not only exfiltrates credentials, wallets and system data, but also takes a screenshot of the victim’s desktop – a “mid‑heist selfie.” Researchers explained how these images...

SecTor 2025 | 5 Years of Attack Surface Analysis in Canada
The SecTor 2025 session highlighted five years of systematic attack‑surface mapping across Canada, led by Patrick and his team at ACFES. Using open‑source tools and a volunteer Discord community, they scanned federal, provincial and municipal domains, cataloguing roughly 60,000 subdomains,...

SecTor 2025 | Exploiting Multi Agent Systems
The SecTor 2025 talk focused on the emerging security challenges of multi‑agent AI systems, especially the ways attackers can exploit prompt injection and tool misuse. The speaker, a ServiceNow red‑team veteran, outlined how agents orchestrate tasks, interact with tools, and...

SecTor 2025 | Signature of Destruction: Outlook RCE Strikes Again
The SecTor 2025 talk by Michael Berik of Morphoscans focused on a new attack chain that leverages Outlook’s roaming signature feature to achieve remote code execution (RCE) without any user clicks. Berik recapped earlier Exchange‑based form‑injection bugs, COM‑object hijacking, and a...

SecTor 2025 | Threat Architecture, Attack Surfaces & Real-World Risk
The SecTor 2025 session introduced "agentic edge AI," a software architecture that embeds autonomous AI agents within edge devices using compact, power‑efficient language models. Trend Micro’s research team described how an on‑device orchestrator breaks goals into tasks, leverages specialized tools,...

SecTor 2025 | Not-So-Secret Agents: Deploying AI to Optimize Security Operations
The SecTor 2025 talk, led by Red Canary’s data‑science head, detailed how the company deploys AI agents to streamline security‑operations centre (SOC) workflows. By integrating large‑language‑model agents into their managed detection and response (MDR) platform, Red Canary processes roughly 350,000...