Threat Briefing: August 22, 2025

Threat Intel Update

Recent cybersecurity events highlight evolving threats and strong countermeasures: attackers abuse Microsoft infrastructure for phishing, PyPI strengthens defenses with domain resurrection protections, and law enforcement dismantles major botnets while seizing millions from ransomware groups.

The developments reflect both the ingenuity of cybercriminals and the growing force of global enforcement.

Cybersecurity News

  • Hackers Exploit ADFS Redirects to Steal Microsoft 365 Logins – Hackers are stealing Microsoft 365 credentials by exploiting legitimate ADFS redirects, using trusted office.com links to send users to phishing sites. By leveraging a custom Microsoft tenant and conditional loading, attackers bypass security checks to harvest logins. (Bleeping Computer)
  • Nebraska Man Sentenced for $3.5M Cryptojacking Scheme – Charles Parks III of Nebraska was sentenced to one year in prison for fraudulently using cloud computing resources to mine $3.5 million in cryptocurrency. He laundered the illicit proceeds through exchanges and luxury purchases before being caught. (Bleeping Computer)
  • PyPI Blocks 1,800 Expired-Domain Emails to Thwart Account Takeovers – PyPI has blocked 1,800 accounts tied to expired-domain emails to reduce the risk of supply chain attacks. By monitoring domain expirations, the platform prevents attackers from hijacking accounts through password resets, strengthening the security of its package repository. (The Hacker News)
  • Ransomware Gang Hides PipeMagic Backdoor in Fake ChatGPT App – Attackers are disguising the PipeMagic backdoor as a counterfeit ChatGPT desktop app to spread ransomware. Microsoft warns the malware exploits a Windows zero-day and is targeting IT, financial, and real estate sectors worldwide to steal data and launch attacks. (The Record)
  • U.S. Sanctions Garantex and Grinex for $100M in Ransomware-Linked Crypto Transactions – The U.S. Treasury has sanctioned cryptocurrency exchanges Garantex and Grinex for processing over $100 million in ransomware-related illicit transactions. Grinex, a rebranded successor to Garantex following its March 2025 takedown, continued to facilitate cybercrime operations. (The Hacker News)

About the Author
CampusGuard Threat Intel Team