Svoboda Cybersecurity Brief October 26, 2025

CoPhish Attack Steals OAuth Tokens via Microsoft Copilot Studio

A new phishing technique called CoPhish exploits Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests via trusted Microsoft domains. Attackers can hijack session tokens by redirecting victims to malicious URLs while leveraging legitimate Copilot Studio interfaces. Microsoft plans to address the issue in future updates but warns admins to restrict permissions and monitor application consent policies.
Impact: Enables session hijacking via OAuth tokens, potentially compromising email, chat, and calendar access.
Mitigation: Restrict admin privileges, enforce strict consent policies, disable user app creation defaults, and monitor Entra ID logs.
Source: BleepingComputer
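The mitigation line above ends with "monitor Entra ID logs". As an added illustration (not code from BleepingComputer, Microsoft, or the CoPhish write-up), the following Python sketch shows the kind of consent-log triage that means in practice: it scans audit records for successful "Consent to application" events and flags grants to applications outside an allow-list, grants of mail/chat/calendar scopes, and user (non-admin) consents to such scopes. The record layout is a constructed, simplified imitation of Entra ID audit entries; the high-risk scope list, the approved-app set, and all user and application names are assumptions.

```python
"""Flag risky OAuth consent grants in Entra ID-style audit records (defensive triage)."""
import json
import re

# Delegated permissions that expose mail, chat and calendar data (assumed watch list).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Chat.Read", "Chat.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite",
    "offline_access",  # refresh tokens keep access alive after the session ends
}

# Constructed sample records, simplified from the shape of Entra ID
# "Consent to application" audit entries. Not real tenant data.
SAMPLE_AUDIT_LOG = [
    {   # user consents to an unknown agent asking for mailbox access
        "activityDisplayName": "Consent to application", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
        "targetResources": [{"id": "app-0001", "displayName": "Helpful Copilot Agent",
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\""},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": "\"[[Id: 11, Scope: Mail.ReadWrite offline_access]]\""}]}],
    },
    {   # user consents to an approved app with a harmless scope
        "activityDisplayName": "Consent to application", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
        "targetResources": [{"id": "app-0002", "displayName": "Approved Expense App",
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\""},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": "\"[[Id: 12, Scope: User.Read]]\""}]}],
    },
    {   # admin consents to an unlisted app for calendar access
        "activityDisplayName": "Consent to application", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"id": "app-0003", "displayName": "Calendar Sync",
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"True\""},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": "\"[[Id: 13, Scope: Calendars.ReadWrite]]\""}]}],
    },
    {   # unrelated event, must be ignored
        "activityDisplayName": "Add user", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"id": "user-0009", "displayName": "carol", "modifiedProperties": []}],
    },
]


def _prop(props, name):
    """Return the decoded newValue of a modifiedProperties entry (values are JSON strings)."""
    for p in props:
        if p.get("displayName") == name:
            return json.loads(p.get("newValue") or "null")
    return None


def _parse_consent(record):
    """Extract user, app and granted scopes from one consent record."""
    target = record["targetResources"][0]
    props = target.get("modifiedProperties", [])
    perms = _prop(props, "ConsentAction.Permissions") or ""
    m = re.search(r"Scope:\s*([^\],]*)", perms)
    scopes = set(m.group(1).split()) if m else set()
    is_admin = str(_prop(props, "ConsentContext.IsAdminConsent")).lower() == "true"
    user = record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
    return {"user": user, "app_id": target.get("id"), "app": target.get("displayName"),
            "scopes": scopes, "admin_consent": is_admin}


def find_risky_consents(records, approved_app_ids):
    """Return findings for successful consent events that violate the policy above."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") != "Consent to application" or rec.get("result") != "success":
            continue
        c = _parse_consent(rec)
        reasons = []
        if c["app_id"] not in approved_app_ids:
            reasons.append("application not on the approved list")
        risky = c["scopes"] & HIGH_RISK_SCOPES
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
        if risky and not c["admin_consent"]:
            reasons.append("granted by user consent without admin review")
        if reasons:
            findings.append({**c, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_risky_consents(SAMPLE_AUDIT_LOG, approved_app_ids={"app-0002"}):
        print(f["user"], "->", f["app"], "|", "; ".join(f["reasons"]))
```

In a real tenant the records would come from the audit-log export or API rather than an inline list, and the approved-app set would be the tenant's own allow-list; the policy checks themselves stay the same.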

OpenAI Atlas Omnibox Vulnerable to Silent Jailbreaks

Researchers found that OpenAI’s Atlas omnibox can be tricked into executing malicious prompts disguised as URLs, bypassing safety checks. Attackers embed instructions in malformed URLs (e.g., https:/ /fake.com/...+delete+files) to trigger actions like credential phishing or file deletion.
Impact: Allows arbitrary command execution, cross-domain actions, and bypass of safety layers.
Mitigation: OpenAI needs to patch input parsing logic to distinguish between URLs and commands. Users should avoid copying suspicious “links.”
Source: SecurityWeek
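The mitigation line says the fix is input parsing that distinguishes URLs from commands. As an added illustration (not OpenAI's code and not a description of how Atlas actually parses input), the Python sketch below shows one defensive design: input is treated as a navigation target only when it parses as a strictly well-formed http(s) URL with a valid hostname and no internal whitespace; everything else, including a malformed form such as "https:/ /host/...", is treated as untrusted free text that must be confirmed by the user before any action is taken, and text that merely looks like a broken link is flagged so the interface can warn about it. The function names, the hostname rule (which, as a simplification, rejects bare hosts and IP literals) and the "url_like" heuristic are all assumptions.

```python
"""Strictly separate navigation URLs from free-text prompts in an omnibox-style input."""
import re
from urllib.parse import urlsplit

# Strict hostname: dotted labels of letters, digits and hyphens, alphabetic TLD.
# Simplification: bare hosts such as "localhost" and IP literals are rejected.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
# Fragments that make free text look like a link; used only to warn the user.
URL_LIKE_RE = re.compile(r"https?:|://|\bwww\.|\.[a-z]{2,6}(?:/|$)", re.IGNORECASE)


def classify_omnibox_input(text):
    """Return ("navigate", url) only for a strictly well-formed http(s) URL,
    otherwise ("prompt", text). "https:/ /host" fails the scheme check and
    therefore lands in "prompt", never in "navigate"."""
    raw = text.strip()
    if not re.match(r"https?://", raw):
        return ("prompt", raw)
    if any(ch.isspace() for ch in raw):   # a URL has no internal whitespace
        return ("prompt", raw)
    try:
        host = urlsplit(raw).hostname or ""   # lowercased by urlsplit
    except ValueError:                        # e.g. malformed IPv6 literal
        return ("prompt", raw)
    if not HOSTNAME_RE.match(host):
        return ("prompt", raw)
    return ("navigate", raw)


def handle_omnibox(text):
    """Turn omnibox input into an action record. Prompts are never trusted:
    they always require explicit confirmation before the agent may act, and
    link-looking prompts are flagged so the UI can warn about pasted "links"."""
    kind, value = classify_omnibox_input(text)
    if kind == "navigate":
        return {"action": "navigate", "url": value, "confirm": False, "url_like": True}
    return {
        "action": "prompt",
        "text": value,
        "confirm": True,                              # human confirms before any tool use
        "url_like": bool(URL_LIKE_RE.search(value)),  # looks like a (broken) link
    }


if __name__ == "__main__":
    for sample in (
        "https://example.com/docs",
        "https:/ /fake.com/...+delete+files",   # malformed form of the kind described above
        "summarise this page",
    ):
        print(repr(sample), "->", handle_omnibox(sample))
```

The important property is the asymmetry: a parse failure never downgrades into "do what the text says"; it upgrades into "ask the user first". A production implementation would also keep prompt text and navigation targets in separate code paths so that nothing derived from a prompt can reach the navigation or tool-execution layer without that confirmation.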

WhatsApp $1M Exploit Fails at Pwn2Own, Only Low-Risk Bugs Found

A researcher withdrew from Pwn2Own Ireland 2025 after failing to demonstrate a working $1M zero-click RCE exploit for WhatsApp. Meta confirmed only low-risk vulnerabilities were disclosed, none enabling code execution. The incident highlights challenges in exploit reliability for high-value targets.
Source: SecurityWeek

UN Cybercrime Convention to Be Signed in Hanoi

Global leaders will sign the UN Cybercrime Convention in Hanoi to standardize international cooperation against cyber offenses. The treaty aims to streamline cross-border investigations and prosecutions, though specifics on enforcement remain unclear.
Source: DataBreaches
