Threat Briefing: June 13, 2025

Threat Intel Update

Artificial intelligence (AI) is becoming increasingly widespread, with emerging use cases across industries—from enhancing business operations to enabling new methods of cybercrime. In a recent scheme, scammers leveraged AI to enroll in college and collect refund checks fraudulently.

Check out our recent article about “ghost students” and steps to avoid this fraud.

Cybersecurity News

  • AI-Powered Financial Aid Scams Target U.S. Colleges – Scammers are increasingly exploiting U.S. higher education institutions by using stolen identities and AI-driven chatbots to fraudulently enroll in online courses and collect financial aid. Many victims discover thousands of dollars in student loans taken out in their names, often without their knowledge. These “ghost students” may briefly participate in classes before dropping out and cashing refund checks. In 2024 alone, California reported 1.2 million fake applications, leading to over $11 million in unrecoverable aid from community colleges. In response, the U.S. Department of Education now requires first-time aid applicants to verify their identity using a government-issued ID. (Source: SecurityWeek)
  • EchoLeak: Critical Copilot Vulnerability Exposed User Data – A newly discovered vulnerability dubbed EchoLeak allowed sensitive data to be exposed through AI prompt injection—without any user interaction. The flaw exploited markdown-formatted content, such as emails, to manipulate Copilot into leaking internal information via Microsoft Teams and SharePoint. Although there is no evidence of active exploitation, Microsoft has issued a patch as part of its June 2025 Patch Tuesday release. This incident underscores the growing risks in how AI systems handle untrusted content and the urgent need for stronger safeguards in LLM-powered tools. (Source: The Hacker News)
  • INTERPOL’s Operation Secure Dismantles Global Malware Infrastructure – INTERPOL’s Operation Secure led to the takedown of over 20,000 malicious IP addresses and domains linked to infostealer malware active across 26 countries. Conducted in early 2025, the operation resulted in 32 arrests, 41 server seizures, and the collection of more than 100 GB of critical data. Authorities reached out to over 216,000 victims, urging them to take protective measures. Major enforcement actions took place in Vietnam, Sri Lanka, and Nauru. Hong Kong Police identified 117 command-and-control servers hosted by over 80 internet service providers. (Source: INTERPOL)
  • TeamFiltration Tool Powers Widespread Entra ID Account Takeover Campaign – Cybersecurity researchers have uncovered a large-scale account takeover campaign, UNK_SneakyStrike, targeting Microsoft Entra ID accounts. Active since December 2024, the campaign has hit over 80,000 accounts across hundreds of cloud tenants using password spraying and user enumeration techniques. Attackers leveraged Microsoft Teams, OneDrive, and Outlook, while rotating IP addresses through AWS infrastructure to avoid detection. At its peak, the campaign targeted 16,500 accounts in a single day. Most activity originated from U.S.-based IP addresses, with additional traffic traced to Ireland and Great Britain. (Source: The Hacker News)
  • FIN6 Targets Corporate Recruiters with MoreEggs Malware via Fake Job Applications – The FIN6 cybercriminal group has shifted tactics, using the MoreEggs malware to target corporate recruiters by posing as job seekers on platforms like LinkedIn and Indeed. The group sends phishing emails that link to resume-themed landing pages hosted on trusted platforms such as AWS. These pages use CAPTCHA and traffic filtering to bypass detection and ensure only real recruiters are exposed. Once MoreEggs is installed, it enables credential theft and can facilitate ransomware deployment. This campaign signals FIN6’s move beyond its traditional focus on Point-of-Sale systems toward broader enterprise infiltration. (Source: The Record)

About the Author

CampusGuard Threat Intel Team