⏱️ ≈ 7-minute read
Editor’s Note: This week’s theme is simple: the stuff you trusted to manage, secure, or automate your environment is now doing a pretty solid impression of an attack surface. Firewalls, SharePoint, Intune, ScreenConnect, Salesforce, and AI agents all wanted to be helpful. Security teams, meanwhile, get to read the fine print.

📬 This Week’s Clickables
📌 Big News
Cisco firewalls get burned; Stryker puts Intune in the spotlight
🚨 Can’t Miss
SharePoint exploited; Zimbra breach; Salesforce warning; ScreenConnect flaw; extortion rises
🤖 AI in Cyber
AI across the attack chain; poisoned Rust crates; defenders lag; agents get hijacked
🧪 Strange Cyber Story
FIN7 brings malware to the mailbox
🚨 Big News
🔥 Interlock hit Cisco firewalls before anyone knew the hole existed
Intro:
Sometimes "perimeter security" really means "the first thing to get punched in the face." Amazon threat researchers say the Interlock ransomware gang exploited a Cisco Secure Firewall Management Center zero-day weeks before Cisco publicly disclosed and patched it.
What Happened:
The flaw affected Cisco Secure Firewall Management Center and was reportedly exploited as a zero-day starting in late January. Cisco patched it on March 4, 2026, meaning Interlock had a head start through a product designed to manage security infrastructure.
Why It’s Important:
Centralized security tools are high-value targets, and when they fall, attackers can inherit visibility and control fast. When the thing managing the firewall becomes the problem, defense in depth starts sounding a little too theoretical.
The Other Side:
Cisco did patch the flaw and the reporting points to targeted criminal use, not indiscriminate internet-wide chaos.
👉 Takeaway:
Treat centralized management consoles like Tier 0 assets. The firewall may be your moat, but the control plane is still the drawbridge.
TL;DR:
Interlock exploited a Cisco firewall management zero-day before public disclosure, turning a defensive control point into a ransomware foothold.
Further Reading: The Record
Your AI tools are only as good as your prompts.
Most people type short, lazy prompts because writing detailed ones takes forever. The result? Generic outputs.
Wispr Flow lets you speak your prompts instead of typing them. Talk through your thinking naturally - include context, constraints, examples - and Flow gives you clean text ready to paste. No filler words. No cleanup.
Works inside ChatGPT, Claude, Cursor, Windsurf, and every other AI tool you use. System-level integration means zero setup.
Millions of users worldwide. Teams at OpenAI, Vercel, and Clay use Flow daily. Now available on Mac, Windows, iPhone, and Android - free and unlimited on Android during launch.
🏥 Stryker’s cyberattack turned Microsoft Intune into the bigger warning label
Intro:
A medical device maker got hit, and now the broader lesson is about endpoint management hardening. That is not great news if your org treats Intune like a giant helpful master key.
What Happened:
After the March 11, 2026 cyberattack on Stryker, U.S. authorities urged companies to better secure Microsoft’s endpoint management tooling, especially Intune. Reporting suggests the attackers abused legitimate Microsoft management infrastructure and disrupted parts of Stryker’s operations.
Why It’s Important:
If attackers can hijack the system you use to provision and manage endpoints, they may not need loud malware at all. That makes hardening admin tools and limiting privileged access a resilience issue, not just an IT hygiene task.
The Other Side:
The public reporting is still heavier on guidance than on full attacker tradecraft, so some of the most useful defensive lessons may come later.
👉 Takeaway:
Your endpoint management console is not just an IT tool. It is a potential attack platform with your logo on it.
TL;DR:
The Stryker incident pushed U.S. authorities to warn organizations to secure Microsoft endpoint management tooling, especially Intune.
Further Reading: Reuters
"Complexity is the worst enemy of security." - Bruce Schneier
🔥 Can’t Miss
🧩 Critical Microsoft SharePoint flaw now exploited in attacks
Microsoft’s patched SharePoint bug has now crossed into active exploitation territory. SharePoint remains the kind of business-critical, internet-adjacent platform that loves turning routine patch delays into incident response.
👉 Key takeaway: If SharePoint is exposed and unpatched, this is how "we’ll get to it" becomes "we need a timeline."
🚢 Russian hackers exploit Zimbra flaw to breach Ukrainian maritime agency
Russian hackers exploited a Zimbra webmail flaw to target a Ukrainian maritime agency in a campaign that looks very on-brand for state-backed espionage. It is another reminder that older collaboration platforms still make excellent entry points when patching and monitoring lag.
👉 Key takeaway: Legacy mail and collaboration systems remain prime espionage targets.
☁️ Salesforce issues new security alert tied to third customer attack spree in six months
Salesforce issued another alert tied to attacks on public-facing Experience Cloud sites, extending a rough six-month run for customers. Cloud trust chains stay messy, especially when everyone assumes shared responsibility means someone else handled it.
👉 Key takeaway: Review public Experience Cloud exposure, connected apps, and partner integrations now.
🛠️ Critical ScreenConnect Vulnerability Exposes Machine Keys
ConnectWise patched a critical ScreenConnect flaw that could expose machine keys used for authentication and enable server compromise. Remote management tools keep proving the same point: great for admins, great for attackers once a secret slips.
👉 Key takeaway: Patch fast and protect high-value cryptographic material in your remote admin stack.
💸 The ransomware economy is shifting toward straight-up data extortion
New ransomware research shows a continued shift away from encryption-first attacks and toward pure data theft and extortion. It is cheaper for attackers, faster to execute, and still plenty painful for victims.
👉 Key takeaway: Backups still matter, but they do not solve a stolen-data problem.
Unlock The $4 Trillion Rent Roll: Compound Your Wealth Like the 1%
Institutional giants use the $4 trillion rental market to compound millions. Now you can too. mogul offers fractional ownership in elite rental properties with 18.8% average IRR and zero property management required. Secure your share of the wealth Wall Street once kept for itself.
Past performance isn't predictive; illustrative only. Investing risks principal; no securities offer. See important Disclaimers
🤖 AI in Cyber
🤖 Microsoft: Hackers abusing AI at every stage of cyberattacks
Microsoft says threat actors are now using AI across the attack chain to accelerate recon, social engineering, scripting, and workflow automation. The real risk is not genius AI. It is faster mediocre attacker output at scale.
👉 Key takeaway: AI is becoming a practical force multiplier for already effective attacker behavior.
🧪 Five Malicious Rust Crates and AI Bot Exploit CI/CD Pipelines to Steal Developer Secrets
Researchers found malicious Rust crates and an AI bot targeting CI/CD and GitHub Actions workflows to steal secrets and tokens. The software factory remains one of the softest hard targets in security.
👉 Key takeaway: Lock down dependencies, secrets handling, and CI/CD permissions.
⚡ Attackers are exploiting AI faster than defenders can keep up, new report warns
A new report says attackers are adopting AI faster than governments and private-sector defenders are deploying AI-enabled protections. Bureaucracy was already slow. Now it has to race generative tooling too.
👉 Key takeaway: Defensive AI strategy cannot stay trapped in pilot mode.
🕷️ OpenClaw Vulnerability Allowed Websites to Hijack AI Agents
A flaw in OpenClaw let malicious websites hijack AI agents through a localhost connection and weak password protections. Giving AI agents local power without hard boundaries is already looking like a bad hobby.
👉 Key takeaway: AI agents need the same isolation and authentication controls as any privileged automation service.
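What the "isolation and authentication controls" takeaway looks like in practice, as an added example written for this newsletter (it is not OpenClaw's code and assumes nothing about that product beyond the item's description of a localhost listener behind a weak password): a loopback-only control endpoint that refuses browser-originated requests (any Origin header, or a Host that is not the loopback name, as in DNS rebinding) and authenticates every call with a strong per-install bearer token compared in constant time. The names `authorize`, `AGENT_TOKEN`, `ALLOWED_HOSTS` and `serve_loopback` are this example's own.

```python
"""Request gate for a loopback-only agent control API (added illustration)."""
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Optional, Tuple

# Assumed per-install secret: a real agent would generate this at first run and
# store it with owner-only file permissions, never ship a guessable default.
AGENT_TOKEN = secrets.token_urlsafe(32)

# Names a legitimate local client may address the service by. A DNS-rebinding
# page reaches the same socket but carries the attacker's hostname in Host.
ALLOWED_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def _host_without_port(host: str) -> str:
    """'127.0.0.1:8080' -> '127.0.0.1', '[::1]:8080' -> '[::1]', 'localhost' -> 'localhost'."""
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0]


def authorize(headers: Mapping[str, str], expected_token: str) -> Tuple[bool, str]:
    """Decide whether a request may reach the agent's privileged API.

    Returns (allowed, reason). The Origin and Host checks stop a browser from
    acting as a confused deputy; the token is what actually authenticates.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Browsers attach Origin to cross-site fetches and form posts; a local CLI
    #    or desktop client does not. Any Origin (including "null") means a web
    #    page is driving the request, so refuse it regardless of the token.
    if "origin" in h:
        return False, "browser-originated request rejected"

    # 2. Host must name the loopback interface; anything else suggests DNS
    #    rebinding (an attacker-controlled name resolving to 127.0.0.1).
    if _host_without_port(h.get("host", "")) not in ALLOWED_HOSTS:
        return False, "unexpected Host header"

    # 3. Bearer token, compared in constant time on the encoded bytes.
    scheme, _, presented = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(
        presented.encode(), expected_token.encode()
    ):
        return False, "missing or invalid token"

    return True, "ok"


class AgentHandler(BaseHTTPRequestHandler):
    """Minimal handler: every privileged route passes through authorize()."""

    def do_POST(self):
        body_len = int(self.headers.get("Content-Length", 0))
        self.rfile.read(body_len)  # consume body; a real agent would parse a command here
        ok, reason = authorize(self.headers, AGENT_TOKEN)
        self.send_response(200 if ok else 403)
        self.end_headers()
        self.wfile.write(reason.encode())

    def log_message(self, *args):  # keep the demo output readable
        pass


def serve_loopback(port: int = 0) -> HTTPServer:
    """Bind to 127.0.0.1 only; 0.0.0.0 would expose the control API to the LAN."""
    return HTTPServer(("127.0.0.1", port), AgentHandler)


def _post(url: str, token: Optional[str] = None, origin: Optional[str] = None) -> int:
    """Issue one POST and return the HTTP status (used by the demo below)."""
    from urllib import error, request
    req = request.Request(url, data=b"{}", method="POST")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    if origin:
        req.add_header("Origin", origin)  # what a browser adds on a cross-site call
    try:
        with request.urlopen(req) as resp:
            return resp.status
    except error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    import threading
    srv = serve_loopback()
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{srv.server_address[1]}/run"
    print("no token     ->", _post(url))                                      # 403
    print("web page     ->", _post(url, AGENT_TOKEN, "https://evil.example"))  # 403
    print("local client ->", _post(url, AGENT_TOKEN))                          # 200
    srv.shutdown()
```

The Origin and Host checks only defend against the browser-as-deputy case the item describes; code already running on the host can forge any header, which is why the token, not the checks, carries the authentication, and why binding to loopback rather than all interfaces is the first line, not the last.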
🧟♂️ Strange Cyber
📬 FIN7 mailed malware in 2020, and the lesson still holds up
Intro:
This one is older, but still worth dragging back into the light. FIN7, a financially motivated cybercrime group best known for targeting retailers, hospitality firms, and payment card systems, reportedly used physical mail to deliver malware in 2020, because apparently even cybercriminals appreciate a retro channel strategy.
What Happened:
The campaign used snail mail as the lure mechanism, blending physical-world delivery with digital compromise. It was an old-school tactic wrapped around a very modern intrusion goal.
Why It’s Important:
Even though the story is from 2020, the lesson still lands: attackers are not loyal to email, SMS, or any other single delivery channel. If awareness training only teaches people to distrust digital links, threat actors can just reroute the scam through the mailbox.
The Other Side:
Physical delivery is less scalable and more expensive than email, so this was never likely to become the default criminal model. But for targeted campaigns, weird still works, and that part has not aged out.
👉 Takeaway:
Older story, current lesson: threat delivery is omnichannel now, because of course it is.
TL;DR:
A 2020 FIN7-linked campaign reportedly used postal mail as the lure, and it still matters because attackers will go analog whenever digital defenses get inconvenient.
Further Reading: CyberScoop
Enjoying Exzec Cyber? Forward this to one person who cares about staying ahead of attacks
Hate everything you see or have other feedback? Reply back to this email!


