Normal view

Context on our country-by-country tax footprint

Today we’re publishing our first “Public Country-by-Country Report” for our fiscal year 2025, disclosing our taxes in the period from July 1, 2024, to June 30, 2025. It covers the countries and regions included under European Union rules and shows, for each one, our revenue, profit, number of employees, and income tax accrued and paid during the year.  
 
We have provided this kind of information directly to tax authorities for several years under the Organization for Economic Cooperation and Development (OECD) framework. It is now published to support transparency commitments, and we believe it is important to proactively address any questions these disclosures may raise, recognizing that numbers on a spreadsheet rarely tell the full story.
 
Microsoft pays the taxes we owe in every country where we operateWe know there are strong views about whether companies are paying enough, and we believe providing this context leads to a more informed conversation.

Understanding country-by-country reporting

Country-by-country reporting is not widely understood outside tax and accounting circles. Some figures may look surprising at first, but a number that appears low or high in one country does not, on its own, tell the full story. Tax law differs from country to country, and there are two important things to keep in mind when reading the report.  

First, the numbers are prepared using rules that differ from United States or country-specific financial accounting and tax rules, so they may not match other Microsoft information people have seen. For example, this report combines all Microsoft legal entities in a country and follows the reporting rules required by EU regulations. By contrast, local statutory accounts usually cover just one legal entity, follow local accounting rules, and may use a different fiscal year from Microsoft’s.  

Second, accrued tax is what you owe for the year. Tax paid is the amount actually paid during the year. The two can differ because the timing of owing tax and paying tax doesn’t match exactly. 

France is a good example of why a single line can look unusual without context. In FY25, cash tax paid in France reflects a one-time refund of tax overpaid in an earlier year. That makes this year an outlier. In this specific case, accrued tax may be a better reflection of the taxes borne for the fiscal year. Microsoft paid $374 million in tax in France over the prior three years. 

Variations like these are a normal part of how large companies, both domestic and multinational, are taxed across borders, and they reflect an evolving tax landscape as well as a business that continues to change. We comply with every local rule that applies to us, and as those rules change, our reporting will change with them. Microsoft is committed to a tax structure that reflects where our people work, where we invest, and where functions, assets, and risks occur, and this has been a guiding principle. 

How our investments support local economies

We understand that this discussion is not only about what the law requires or what a single tax line shows in a given year. For many people, it is also about a broader question of contribution: how companies support the countries where they do business. That contribution includes the taxes we pay, the capital we invest, the local jobs and infrastructure we support, and the economic activity created through customers and partners. In the S&P, Microsoft ranks second globally in corporate income taxes paid in the last year, with a total of $28.7 billion. In fiscal year 2025, we paid $6.3 billion in income tax in the EU. Importantly, this does not include payroll, VAT, property, and other taxes paid in addition. 

Taken together, our tax payments, capital investments, and partner ecosystem reflect a long-term commitment to the countries where we operate. We opened our first European office in the UK in 1982, followed by France and Germany in 1983, and then expanded into Denmark, Ireland (our largest hub in the region), Italy, Norway, Spain, and Sweden in 1985. Microsoft is now present in all 27 EU Member States and across the broader region. We have worked in these and many other communities for decades, and thousands of our employees call them home.  

From research and development to digital infrastructure and partnerships with local organizations, we are investing in ways that support these economies beyond our direct commercial activity. At our core, we are building tools that help large enterprises, small and medium-sized businesses, institutions, and individuals become more productive and competitive, which strengthens their business and benefits the people they serve. We only do well when our customers do well. In practice, that means helping customers design and manufacture cars better, helping patients get their next appointment sooner, or making it simpler for someone to find that dream job. 

Our investments in digital infrastructure are not only supporting the local digital economy, they are also contributing meaningfully through both taxation and capital expenditure. Across markets, we continue to invest at scale in datacenters and supporting infrastructure, creating value that extends well beyond the technology sector. In the three years to June 30, 2025, our total capital expenditure amounted to $176 billion, and we spent $89.2 billion on research and  development in the markets where we operate. 

Our customers require local industry- and country-specific expertise, and this is where our partner ecosystem plays an important role. Many of these partners are local businesses themselves. A 2024 IDC study on partner profitability showed that for every $1 of Microsoft revenue, partners that provide services generate $8.45, and partners that develop software generate $10.93. While this varies by country and partner segment, it offers another useful lens on how Microsoft’s business contributes to local economic activity. 

Investments in digital infrastructure are not only investments in technology ecosystems, but in national and local economies as well. They support jobs, strengthen supply chains, create opportunities for companies across many sectors, and help build the foundation for growth and economic competitiveness beyond the digital economy. 

That is the broader context for this report. Tax is one important measure of contribution, but it is not the only one. Our investments, partnerships, infrastructure, and long-term presence in countries around the world also reflect a commitment to helping strengthen the economies and communities where we operate, today and for the future.

 

The post Context on our country-by-country tax footprint appeared first on Microsoft On the Issues.

The other half of the AI SOC: Intezer, now inside your AI workspace

18 June 2026 at 10:50

Two kinds of work you want AI to do in a SOC

  1. Work you want off your plate. Alert triage is the obvious example: every alert deserves a real investigation, most of them turn out to be noise, and they arrive at 3am as happily as at noon. Nobody wants help with this work. They want it gone. That’s the half Intezer has spent years building. Autonomous triage that investigates every alert at forensic depth, around the clock, and only interrupts a human when something actually needs human judgment.
  2. Work you want to keep, but accelerate. Deciding what to do with an escalation. Writing the incident report. Picking apart the weird binary someone found on a build server. Chasing a hunch across five systems. For this work you don’t want a replacement. You want to be a 10x version of yourself.

Today we’re shipping the second half.

We rebuilt the Intezer MCP server from the ground up, and it turns the AI platform your team already lives in, Claude, Codex, Cursor, or any MCP client, into a full security workspace: your cases, your alerts, file and URL verdicts, live SIEM and EDR telemetry, tuning rules, all of it. We had an MCP server before, and it was a fine way to ask Intezer questions from a chat window. This one is built around a bigger idea: your AI workspace should be able to do everything you can do in Intezer, then combine it with everything else you have access to.

If you read our piece on making sense of the 2026 SOC stack, this release is the missing connection between the top two layers. Detection tools are the hardware. The AI SOC is the operating system that turns raw signals into investigated verdicts and institutional memory. AI platforms like Claude are the applications where people actually work. This release plugs the operating system into the applications.

Watch one investigation, end to end

The video walks through one escalated case, but the pattern behind it is the real story. Intezer’s autonomous triage investigates every alert to forensic depth and resolves what it can on its own. What lands in front of a human is the residue. Cases where the technical facts are settled but the decision still needs judgment, usually because it turns on business context no security tool can see. Was this data share authorized? Is this vendor one we actually work with? Escalating those isn’t a triage failure, rather it’s the line where execution ends and judgment begins.

Putting Intezer inside your AI workspace is what makes that handoff productive. Pick up a case in Claude, Codex, or Cursor and you inherit the full investigation Intezer already ran, plus its recommendation, with a partner that can reach the context security tools never had: your email, Slack, the ticket queue. You keep the decision; it does the legwork around you at machine speed, pulling the case, cross-referencing your systems, documenting the verdict, writing a tuning rule. What used to be an afternoon of pivoting between consoles becomes a short, supervised exchange.

That’s the point of the combination: the autonomous half absorbs the scale, the assistive half carries the judgment, and every call you make feeds back as logic that makes the autonomous half smarter. You’re not handing off your work; you’re making judgment calls with the context, evidence, and follow-through already assembled around you.

The same question, with and without Intezer

Triage before and after Intezer

Same alert, two ways to handle it. On the left, Claude on its own takes the impossible-travel sign-in and works it by hand. It reasons well and gets close — managed device, MFA passed, probably real travel — but it can’t collect evidence from the endpoint to confirm, so the last step falls back to a human checking the laptop. And that’s one alert; almost 4,000 more are still waiting behind it. One analyst, one alert at a time, with no way to run it across the whole team. On the right, the same alert inside the AI SOC: Intezer triages every alert around the clock, closes the ~98% that need no action, and escalates only the ~2% that genuinely need a person. Claude is where you pick those up so you can stop grinding the queue and start supervising the few cases that actually need you.

Most of the org knowledge an investigation needs is already centralized in Intezer. That’s the whole point of the platform. But some context only ever lives with you: a procurement thread in someone’s inbox, a Slack message from three weeks ago, a calendar invite. With Intezer connected on one side and your IT and communication stack on the other, your AI workspace can cross-reference both in a single investigation.

Why not plug Claude into all security tools directly?

You could also wire your AI client straight into each security tool yourself. Most of them ship an MCP these days. Two things make that a worse deal than it looks. First, the integration work is now yours: stitching a dozen connectors together, learning each product’s query quirks, and getting back a pile of disconnected results instead of one correlated picture. Second, raw tool access still isn’t investigation. With every EDR, SIEM, and intel feed wired in, the model can read your data, but it can’t collect evidence off an endpoint, run memory forensics, or weigh conflicting signals into a verdict it will actually stand behind, which is exactly where Claude stalls on the left in above image.

Intezer already did both jobs. One connector hands the model a SOC’s worth of normalized cases, verdicts backed by real forensic evidence, and cross-tool correlation. An AI platform does its best work standing on a real foundation of security knowledge, not on a dozen raw feeds it has to assemble itself.

Investigate and close the cases Intezer escalates to you

This is where analyst hours should go, so it’s where the MCP goes deepest. Whatever the alert type, the shape is the same: pull the case, build on everything the autonomous triage already found, cross-reference your other systems, decide interactively with you, and close with evidence.

And “pull the case” carries real weight here. A case from Intezer is not a bare ticket. It arrives with everything triage already did: the evidence it collected, the SIEM and EDR queries it ran, the forensic analysis of each artifact, the verdicts it reached. You’re not starting from a blank page; you’re picking up a deep investigation and taking it the last mile.

“Pick up the oldest escalated open case and let’s investigate it together.”

The clip above takes an impossible-travel alert. The MCP brings the full login history including every IP and geo, and who else touched the same address as well as your AI workspace cross-references calendar and Slack for travel context. When the evidence still isn’t conclusive, it can ask the user directly and close on their answer, so the one human check that actually mattered takes seconds instead of becoming a follow-up ticket.

Make tomorrow’s autonomous triage smarter

If a case should never have reached you, closing it is half the job. The other half is making sure it never reaches you again.

“We keep getting this exact false positive. Write a tuning rule so it never escalates again, then retriage the case.”

Claude inspects the alert’s triage indicators, drafts a narrowly scoped tuning rule, and tests the pattern against the real alert object before proposing anything. It checks whether an existing rule should be extended instead of creating a near-duplicate. It asks the question every detection engineer should ask: could an attacker hide inside this rule? Then it pushes the rule to Intezer for your approval and retriages the affected alerts so the fix applies immediately.

Tuning runs both directions, too. The same mechanism can tell the autonomous triage to always escalate a pattern it can’t yet call malicious with confidence, so the genuinely ambiguous cases land in front of a human by design, not by luck.

This is where the two halves of the AI SOC meet. Every rule your AI workspace writes makes the autonomous half smarter, which means fewer escalations next month, which means the time you spend supervising keeps shrinking. The system compounds.

From case to incident report in one prompt

When a case turns into a real incident, the hours after containment go to reconstruction: which alerts were related, which machines were touched, what happened first, and what to tell leadership.

“Write an incident report for the latest case we worked on — timeline, affected assets, and an exec summary I can send to the CISO.”

Your AI workspace pulls the case and its full activity trail from Intezer, expands across the users, devices, and IPs involved, and rebuilds the timeline from the forensic evidence already on file. Then it writes the report with an executive summary up top, technical detail below, in your template if you have one, and finally exports it to a clean, brand-styled PDF you can send as-is. The data was always in Intezer; the report was just assembly. Now assembly is one prompt.

Threat hunting: start from a lead, not an alert

Not every investigation starts in the queue. Sometimes it starts with your CISO forwarding an article about a campaign that’s hitting your industry.

“Here’s a writeup of a new campaign [link]. Check whether any of these IOCs appear anywhere in our environment, and analyze anything you find.”

Your AI workspace extracts the indicators and techniques from the writeup, sweeps your environment through Intezer’s SIEM and EDR query tools, and returns the matching assets, alerts, and artifacts for analysis. When you find something worth a closer look, you can fire deep forensics to go one step further with your hunt.

How it works

How Intezer AI SOC works with Claude and other AI platforms

The Intezer MCP server is hosted by us. You authorize over OAuth from any MCP client: Claude (Desktop, Code, or claude.ai), ChatGPT, Codex, Cursor, or anything else that speaks the protocol.

Under the hood it exposes 66 tools covering the full case lifecycle: search and fetch cases and alerts, file and URL analysis, live queries against more than a dozen SIEM and EDR products in their native query languages (KQL, SPL, XQL, SDL, and the rest, with per-vendor syntax guides built in so the model gets them right), tuning rules and AI instructions, retriage, and case editing.

This architecture is what makes the two halves described above work as one system: the autonomous half clears work off your plate, while the assistive half accelerates the tasks where you still want to stay in the loop.

Getting started

  1. If you’re already an Intezer customer, an Intezer admin creates an MCP OAuth application under Account Settings → MCP OAuth Applications.
  2. Add Intezer as a custom connector in your AI client such as Claude, ChatGPT, or any MCP client. Point it at the hosted server, and authorize with your own Intezer login over OAuth.
  3. Open with one prompt: ask it to pick up your oldest open escalation.

The autonomous half investigates everything, around the clock, so your team only sees what matters. The assistive half makes the time you spend on what matters dramatically shorter. One system of record and detection logic underneath both: your cases, your verdicts, your tuning rules, your institutional memory, working for you whether the investigation runs inside Intezer or inside your AI workspace.

AI executes. Humans supervise. And now the supervising got a lot faster too.

If you’re not an Intezer customer yet, book a demo and we’ll show you both halves at once: autonomous triage working every alert around the clock, and a co-pilot that helps your analysts close the escalations that do reach them 10x faster.

The post The other half of the AI SOC: Intezer, now inside your AI workspace appeared first on Intezer.

Everyone’s Selling AI That Kills Pentesting. We Built One That Doesn’t.

What we built, Fusion AI, runs at about a third the cost of a traditional external pentest, a human tester still signs off on every finding, and it is not here to replace anybody.
We have been hearing that one a lot. So when Melisa from our Business Capture team sat down with Brian Fehrman and me for this episode of AI Security Ops, she started with, “What is this thing you built, and is it the same hype everyone else is selling?”

The post Everyone’s Selling AI That Kills Pentesting. We Built One That Doesn’t. appeared first on Black Hills Information Security, Inc..

Deepfake posting sites depicting famous women taken down by feds

16 June 2026 at 12:31

Thanks to Uncle Sam, anyone trying to find nonconsensual intimate deepfakes on CFake.com and SOCFake.com will be disappointed. The US Departments of Justice (DOJ) and Homeland Security has seized the two domain names under the TAKE IT DOWN Act.

The TAKE IT DOWN Act, signed in May 2025, is the first US federal statute criminalizing the publication of nonconsensual intimate imagery, including AI-generated forgeries. It imposes penalties of up to two years’ imprisonment, gives covered platforms 48 hours to remove flagged content, and grants the forfeiture powers the DOJ just used.

According to the seizure warrants, the digital forgeries depicted “politicians, first ladies of multiple countries, royalty, journalists, television presenters, athletes, entertainers, and others,” and visitors could browse them under tags including “rape,” “forced,” and “degradation”.

The authorities didn’t just snag the sites, though. They got the alleged operator of CFake.com, in an international effort.

The US alerted the Paris prosecutor’s office to a French national in Nice who was allegedly running CFake.com. French investigators counted roughly 300,000 images and 7,000 videos depicting 14,000 people across CFake.com, drawing four million monthly views from 200,000 user accounts.

They then arrested the IT professional, who had no prior criminal record. They also found around $64,000 in Ether cryptocurrency at his home in advertising revenue from the site.

The man will be tried on July 7 in Paris for carrying out illicit transactions online and providing nonconsensual sexual deepfakes. The former offence carries a potential seven years’ imprisonment and a €500,000 (approximately $580,000) fine. The latter could yield three years and a €75,000 ($87,000) fine.

Providers and accused providers of nonconsensual intimate deepfakes have also been held in the US. In April, James Strahler II from Ohio pleaded guilty to cyberstalking, producing child sexual abuse material, and publishing digital forgeries.

Strahler had downloaded produced over 700 images and animations posted to a child sexual abuse site, and had sent deepfake material to at least six adult women, including one sent to a victim’s coworkers.

Last month, the DoJ also arrested Cornelius Shannon and Arturo Hernandez under the TAKE IT DOWN Act for publishing thousands of deepfake images of prominent women and those not in the public eye.

Other countries are also taking action. Anthony Rontondo was arrested by Australian authorities in May last year for posting deepfaked pictures of prominent Australian women. He eventually received an AU$343,000 fine.

How prevalent are deepfakes?

These seizures and prosecutions are encouraging, but prosecutors trying to force non-consensual deepfakes offline face a rising tide of such material. Requests for and sharing of nonconsensual deepfake imagery have risen, with activity migrating across platforms. Deepfake incidents overall jumped 257% in 2024, and girls accounted for 94% of victims in reported AI-generated child sexual abuse cases.

Seizing a distribution point removes a storefront. It does not remove the AI models used to produce the material, the anonymous hosting providers downstream, or the demand that draws visitors in the first place.

What you can do

If you or someone you know are depicted in a nonconsensual deepfake, keep dated screenshots, URLs, and any communications as evidence before filing a takedown request and reporting it to the authorities.

Limit the high-resolution face images you and your children post publicly, since school portraits and social media profile pictures are the raw material these tools need.

Take advantage of expert advice to help protect yourself from non-consensual deepfakes:


Let’s face it, an incognito window can only do so much. 
 
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

Building an autonomous SOC: core challenges and solutions

15 June 2026 at 20:53

The concept of a completely autonomous security operations center (SOC) — where data collection, analysis of suspicious events, investigations, and incident response happen without human intervention — is extremely compelling. This is especially true for organizations grappling with a chronic shortage of cybersecurity talent and a threat landscape that’s growing faster and more sophisticated by the day. Organizations everywhere would welcome an approach where automation helps relieve analyst workloads, shortens alert triage times, and finally eliminates the backlog of unaddressed alerts — which, by some estimates, accounts for 67% of all security events in the average corporate SOC.

While many vendors are already pitching solutions in this space, real-world implementation remains highly problematic. Practitioners report tangible success when using these tools for alert enrichment and filtering out low-priority noise or false positives. However, when it comes to autonomous decision-making and response, very few organizations have managed to achieve a meaningful return on investment.

Foundational roadblocks of an autonomous SOC: looking beyond AI

While leveraging AI for data analysis and decision-making sounds like a logical and relatively easy-to-implement idea, actually putting it into practice exposes and amplifies the exact same challenges organizations faced with SIEM, XDR, and SOAR platforms:

Source data quality. Issues with coverage, enrichment quality, tagging and normalization, which detection engineering teams in every SOC battle daily, become even more acute when AI is introduced. AI agents are more sensitive to data gaps than human analysts, so incomplete data can magnify the resulting errors.

Data consolidation and tool integration. The very problem SIEM was once invented to solve remains a headache for most organizations today. Interestingly, marketing for AI-driven SOCs often claims that “the SIEM is dead” because “agents can just query the EDR directly for telemetry”. In reality, however, even in a best-case scenario, this just means the SIEM disappears as a user interface while its core functions remain embedded within the data fabric of the agentic SOC.

Analysts’ trust. Even when AI is restricted to preliminary data gathering and recommendations, human analysts frequently don’t trust the output, leading them to waste time re-collecting and re-analyzing the same data. Practitioners frequently point to several flaws in current AI SOC implementations: poor handling of gray-area verdicts (when an alert is suspicious but not definitively malicious), lack of safe escalation workflows, and systems that fail to learn when a human analyst corrects their mistakes.

Context deficit. SOCs and security teams in general naturally rely on scantily documented information, such as business context and tribal knowledge, to accurately assess alerts and incidents. It’s very difficult to populate an AI system with that knowledge in a systematic way.

AI-specific issues critical for a SOC

Beyond traditional operational hurdles, fully autonomous SOCs face inherent flaws deeply rooted in the fundamental architecture of language models and AI agents.

Hallucinations and prompt injections. In a SOC environment, a single manipulated log field can easily become a viable exploit vector aimed directly at the agent. In a semi-autonomous setup, an AI hallucination is just a frustrating distraction that erodes analyst trust. In a fully autonomous SOC, however, a hallucination can trigger instantaneous, harmful actions across hundreds or thousands of endpoints simultaneously. A prime example of this risk is the widely cited incident at a Fortune 50 company, where an AI agent went rogue and rewrote access policies on its own.

Need for control. To combat hallucinations and over-automation, organizations typically rely on a human-in-the-loop (HITL) model to approve an agent’s actions. While this improves safety, it completely defeats the primary selling point of agentic AI: response times.

Compliance, audits, and accountability. The inherently stochastic nature of LLM outputs makes logging problematic. They often lack reproducibility and explanations. Consequently, an autonomous SOC will likely struggle to pass regulatory compliance audits. Simply put, current compliance frameworks were never designed to handle the unpredictable behavior of multiple interacting AI agents.

Strategies to overcome the challenges of an autonomous SOC

Specialized frameworks are emerging to address these built-in flaws of AI agents and language models. For the most part, these solutions focus on enforcing formal boundaries around AI privileges, and validating its actions.

Rigorous context engineering. Assuming source data is correct and properly enriched, the number of hallucinations can be minimized, and agent decision quality significantly improved by feeding the language model structured layers of context — such as alerts, user accounts, asset data, and enrichment data.

Narrowing the scope of work. AI agents are less likely to go off the rails when confined to highly repetitive, narrow tasks. For example, an “agent for collecting additional host data” is going to be more effective than an “autonomous threat hunter”.

Neurosymbolic validations and guardrails for agent actions. An Agent-Lock pipeline cleans untrusted log fields, and verifies proposed actions against existing CMDB/IAM policies. This approach enforces key rules, such as making it impossible for the AI to disable telemetry, while managing “autonomy budgets”.

Tiered autonomy over all-or-nothing automation. The Trusted Autonomy framework maps out progressive levels of AI independence based on human-in-the-loop roles and trust thresholds across monitoring, detection, and response. Low-risk operations like data enrichment and alert deduplication run fully automated, while high-blast-radius actions require mandatory human approval.

Governance-first architecture. The LanG platform, which utilizes a hierarchical approach: Governance → MCP → Agentic AI → Security, is one example. It enforces two mandatory human analyst check-ins, fully aligning the workflow with NIST SP 800-61 guidelines. The trade-off, however, is that this framework significantly scales back the solution’s autonomy.

Deterministic execution for high-risk actions. Triage and investigation are handled by a probabilistic AI model, but high-impact actions — like deciding to isolate a host or terminate a session — are based on deterministic code. This approach allows the system to satisfy the strict requirements of SOC 2 and other major regulatory frameworks.

Stateful admission control. For example, the recently proposed ACP protocol monitors behavioral patterns across agent execution logs. This makes it possible to catch rogue agents that are executing a series of individually harmless requests that add up to a coordinated attack.

Key takeaways and pitfalls

We can already confidently state that an autonomous SOC is highly unlikely to bring any improvements for organizations burdened by significant technical and operational debt in areas like data collection and enrichment or standardized incident response workflows. No layer of AI infrastructure will function without that baseline foundation firmly in place.

It’s also clear that, while AI streamlines analyst workflows, it doesn’t completely replace them. This is why Gartner’s prediction that there will never be an autonomous SOC still rings true in 2026. Deploying autonomous agents into the SOC shifts the center of gravity to complex investigations, but most importantly, to complex engineering. Teams will simply trade fine-tuning detection rules for managing AI agent playbooks, data pipelines, and decision-handling workflows.

For mature SOCs, the core hypothesis for the next one to two years is this: an autonomous SOC should be viewed as a direction rather than a destination. AI is already delivering tangible value today — specifically in correlation, enrichment, draft detection rules, and attack reconstruction — provided that each capability has proper security guardrails. These include a well-balanced human-in-the-loop review process for any action that impacts production environments. Security teams investing now in a structured, verifiable approach — one that actively anticipates emerging regulations — will be able to gradually integrate new agentic features into their SOC pipelines. Conversely, organizations that skip this layer will almost certainly run into roadblocks, likely forcing them to rebuild their systems and processes from the ground up.

Claude Fable 5 and Mythos 5 “abruptly disabled” after US gov. ban

15 June 2026 at 16:32

Anthropic has been ordered by the US government to cut off its newest Claude Fable 5 and Mythos 5 models for fear of abuse by adversaries.

Reuters reports that Anthropic said it will “abruptly ​disable” its most advanced AI models for all users after the US government ordered it to suspend access to the models for foreign nationals, citing national security ‌concerns.

Officials reportedly believe a jailbreak could turn Fable 5 and Mythos 5 into vulnerability-discovery tools for adversaries, so Anthropic says it is disabling them worldwide rather than try to nationality‑filter access, since it is virtually impossible to verify every user’s nationality.

In a statement on its website, Anthropic says:

“The letter did not provide specific details of its national security concern. Our understanding is that the government believes it has become aware of a method of bypassing, or “jailbreaking” Fable 5. We reviewed a demonstration of this specific technique being used to identify a small number of previously known, minor vulnerabilities. These vulnerabilities all appear relatively simple, and we have found that other publicly-available models are able to discover them as well without requiring a bypass.”

Mythos 5 is the non-public full version, which is currently used only by government agencies and selected corporate partners to harden their systems. Fable 5 is a Mythos-class model that should supposedly be safe for general use.

It makes sense to me that if Fable 5 is easy to jailbreak, that it should fall under the same restrictions as Mythos 5. However, Anthropic maintains that it has built-in safeguards that mean queries on some topics will instead receive a response from the next-most-capable model, Claude Opus 4.8. 

The relationship between the US government and Anthropic had shown signs of easing in parts of the US government after tensions over military use, surveillance, and autonomous weapons. In March, defense Secretary Pete Hegseth designated the San Francisco-based company a “supply-chain risk to national security.”

To understand the nature of the argument, it is necessary to understand that Mythos 5 is described in multiple reports as particularly effective at identifying software vulnerabilities, including long‑standing bugs in complex, legacy systems such as those in banking and other critical infrastructure. Many view this as dual‑use: great for defense hardening, but catastrophic in the wrong hands.

In recent updates from major software vendors like Microsoft and Google, we’ve seen a growth in numbers of patched vulnerabilities after the vendors began using AI-guided search for new vulnerabilities in their own software. We also know that Mozilla found over 270 Firefox vulnerabilities with the aid of Anthropic’s new Claude Mythos model. 

What this means

In the wrong hands these vulnerabilities could definitely do a lot of harm. So, it looks like it will take some time before regular consumers and developers will gain access to Fable 5 and Mythos 5 entirely. However, existing Anthropic models (older Claude variants) remain available.

For home users who were simply chatting with Claude or using it to help with basic scripting, the change will mostly show up as “this specific version is unavailable” rather than a broader AI blackout.

Removing a high‑end vulnerability‑finding model from broad circulation increases the effort required for less‑resourced cybercriminals to automate discovery of complex bugs in consumer‑facing software and services only by so much. There are other models available on the black market that might be just as effective. And for most cybercriminals, turning a vulnerability into a method they can utilize in an exploit is much more relevant.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Deepfake porn sites are going offline (re-air) (Lock and Code S07E12)

15 June 2026 at 16:32

This week on the Lock and Code podcast…

If you weren’t taking deepfakes seriously before, it’s too late now to ignore them.

According to new research from Malwarebytes, one in three people who use AI every day said it’s okay to generate pornography of people without their consent.

Nearly 10 years ago, “deepfake” technology provided hobbyists and film editors with artificial intelligence (AI) tools to swap the face of one person onto the body of another. In its infancy, this technology brought silly film experiments like swapping Tom Cruise in Mission Impossible with Keanu Reeves. Today, this same technology produces something far more harmful—fake nude images of teenagers.

On the Lock and Code podcast today with host David Ruiz, we are re-visiting an interview from 2024, in which we spoke with a lawyer named David Chiu about his lawsuit against 16 deepfake nude generation websites.

The websites named in that lawsuit often needed just one image of a person to generate fake pornography. And while nearly everyone has at least one image of themselves online, even if they had hundreds, the path towards deletion is somewhat understood—start by deactivating and deleting popular social media accounts. But for teenagers today, raised mostly online, and who share images directly with friends and boyfriends and girlfriends and exes, it’s likely impossible to remove every visual trace of themselves. Also, they shouldn’t have to face this problem alone.

The Lock and Code podcast frequently discusses structural problems that require individual management. You have to skirt corporate data collection. You have to find the automated license plate readers in your hometown. You have to review every single message you get with a certain antagonism, to guard yourself against scams.

So, it’s rare to encounter a solution that benefits more than one person.

Chiu serves as the City Attorney for San Francisco, which means his department can file a lawsuit on behalf of not just the people of San Francisco, but also California, and that’s what his team did in going after the deepfake websites.

Since then, Chiu’s department has shut down 10 deepfake nude websites, and it received a settlement agreement from a company called Briver LLC to no longer operate any website that creates nonconsensual deepfake pornography.

And, as California goes, so goes the nation.

In May of last year, the Take It Down Act became effective as law in the United States, which criminalizes “revenge porn” and AI-generated nonconsensual intimate imagery. The law is not perfect but so far it is being used as intended. Last month, two men in the US were among the first to be charged with violating the Take It Down act for allegedly creating deepfake nudes that, according to the AP, “included both celebrities as well as private women, including recent high school graduates.”

Today, we revisit our conversation with San Francisco City Attorney David Chiu about the important fight against deepfake porn and the clear threat that his department found against the public.

“At least one of these websites specifically promotes the non-consensual nature of this. So, and I’ll just quote, ‘Imagine wasting time taking her out on dates when you can just use website X to get her nudes.'”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

Google can be liable for false AI Overviews, court rules

11 June 2026 at 18:09

A German court has ruled that Google can be held directly responsible for defamatory claims produced by its AI Overviews. Basically, the court said that telling people they should double-check AI search results is not enough to deny liability for what those results say.

This kind of warning may not be enough.
This kind of warning may not be enough

The Munich Regional Court issued a preliminary injunction against Google after two German publishers discovered that AI Overviews falsely portrayed them as involved in scams and “dubious business practices,” even though the linked articles did not support those claims.

The decision could echo far beyond Germany. The court effectively found that Google can be held directly liable for defamatory content generated by its AI Overviews. The court cut through the usual “it’s just AI, don’t trust it too much” messaging and made one thing clear: If you build a system that confidently smears people or companies, you may be responsible for what it says, even when the content was “hallucinated” by AI.

AI Overviews are not harmless suggestions. In this case, the court treated them as Google’s own statements, with all the legal baggage that comes with that.

When the publishers sent a cease-and-desist letter, Google did not promptly stop similar claims from appearing. That detail turned out to be crucial in the ruling. The court noted that, unlike traditional search results, which simply list third-party content, AI Overviews generate “independent, new, and substantive statements.”

And since only Google can adjust the models and the logic that create those statements, only Google can reliably stop the system from repeating the same or similar falsehoods. In this case, the court found that Google can be held responsible.

For years, search engines have enjoyed broad protection under the logic that some harmful content is unavoidable when indexing the open web at scale. Showing a search result does not mean endorsing it. The search engine is a channel, not a publisher.

That changes when an AI Overview summarizes, rephrases, and sometimes invents facts, then publishes them at the top of search results.

AI Overviews are an extra feature, not essential to how search works. However, the appeal of AI summaries is their fast, confident answers, which is exactly what makes them dangerous. When those answers are wrong, many users may not click through to check the sources.

The ruling is preliminary and may be appealed, but the signal is clear: AI search output is not magic dust that makes liability disappear. Disclaimers about possible mistakes may not be enough when a system is deployed at scale, creates new content, and is designed to be trusted.

By the numbers

Google AI Overviews are powered by Gemini, Google’s AI model. Like other AI systems, it can produce confident answers that are wrong or poorly supported.

Pew Research studied browsing data from hundreds of users and found that when an AI Overview appears on a Google results page, clicks to traditional search results drop from around 15% to about 8%. 

A New York Times analysis of AI Overviews found that they were accurate roughly nine out of ten times. But with Google processing more than five trillion searches a year, even a small error rate could mean millions of wrong answers.

And those mistakes are not always due to bad sources. Even when Google links to a page with the correct information, its AI can still produce a false answer. More than half of the accurate responses were classified as “ungrounded,” meaning the websites cited by the AI Overview did not fully support the information it provided.

The main lesson here is to double-check AI search responses. Don’t trust an answer just because it’s presented confidently and includes links.

Users can be steered toward real threats, or away from effective protections, simply because an AI system sounded convincing on a search page.

If you find false or defamatory AI summaries about yourself or your company, document them thoroughly. Take screenshots, save the search terms, file correction requests, and keep records of the platform’s response. Or the lack of one.


Scammers don’t need to hack you. They just need you to click once. 

Malwarebytes Identity Theft Protection catches suspicious activity before it becomes a problem.

AI, jobs, and the next generation

10 June 2026 at 15:00

In 1838, the invention of the camera sparked predictions that photography would make artists obsolete. When the noted French painter Paul Delaroche first saw an early photograph on a metal plate, he declared that “From today, painting is dead!” As he reasoned, why would anyone pay an artist to slowly and laboriously paint a scene when a camera could do the job more accurately, more quickly, and at a lower cost? 

This question has echoed through technological shifts and has resurfaced with intensity in recent weeks, as university students graduated on campuses across the United States. Today’s topic obviously is not photography but the societal impact of artificial intelligence. And as graduates booed the mention of AI during commencement addresses, they have provided a powerful reminder of several important truths. To start, people will insist on having a say in deciding when and how AI is used. 

The student message to tech leaders  

The reactions of this year’s graduates are a powerful wake-up call for the tech sector. Hopefully, leaders across our industry will listen and seek to learn from this reaction. For the past half century, the youngest generation of people and workers has led the way in adopting new digital technologies. A new Microsoft study shows this trend is true with AI. Counties with large college towns and outsized populations between the ages of 18 and 24 have the highest rates of AI adoption in the United States. When people who use a new technology complain about it, we had better take notice. 

It’s perhaps no surprise that college campuses are among the best places to learn about these emerging views firsthand. Over Memorial Day weekend at Princeton University, I found no shortage of discussion and even examples of student action. Graduating seniors have long donned “beer jackets” for celebrations, each class selecting its own unique design. This past year, however, a brief controversy emerged until class officers, responding to a student petition, rejected a popular design because it had been created with the help of AI. In its place, graduates wore jackets labeled both “100 percent cotton” and “100 percent human.” 

The rejection of artificial fibers and artificial intelligence illustrates how human tastes shape market economics even as efficiency and productivity advance. Machines don’t buy products. People do.  

Students and graduates recognize AI’s benefits. But they want to keep AI in its proper place. They rightly believe in the indispensable role of human agency. They want the future to be determined by humans deciding the role of machines, not by machines deciding the role of humans. And they want these decisions to reflect input from a broad community, especially the next generation of the workforce, rather than just a narrow group of elites. 

Today’s graduates are sending another powerful message as well: the American Dream has always stood for even more than a better job and greater economic opportunity, although that has been at its core. The American Dream has been founded on the dignity of work and the critical role it plays in giving life purpose. Great countries are built on great economies and great jobs. To those in the tech sector who seemingly want to pursue a future where computers replace jobs and AI becomes more capable than people, the next generation of people has offered a compelling response: “not so fast.” 

The ambitions of people 

The good news is that human ambition is irrepressible. It has been almost 300 years since the start of the first industrial revolution, and technology has changed many times over. But there is more human creativity at work in the world today than ever before. 

A trip to an art museum shows this is true even for the impact of the camera on painting. The invention of the camera initially led to a decline in portrait painting. But even that made a comeback. More remarkable was the way accurate photos spurred new forms of artistic expression. By the 1870s, photography’s “artificial eye” led a new generation of artists to portray emotion rather than detail. Impressionist artists captured the effects of light, color, and atmosphere in ways that a camera shutter could not. New artistic movements followed – Post-Impressionism, Fauvism, Cubism, and Surrealism – and continue today, expanding what it means to be an artist. As it turns out, few things are as resilient as human creativity. 

In 1986, I insisted on having a computer on my desk before I accepted a job at a leading law firm in Washington, D.C. For most of the past 40 years, I’ve been part of the tech sector – first as an outside lawyer, then a Microsoft attorney, and since 2001, in the company’s leadership ranks. I’ve long been an informal “liberal arts representative” among a group of extraordinary computer scientists and engineers.  

As I’ve followed technologists across our industry, I’ve often marveled at their vision, intellectual dexterity, and engineering prowess. But I’ve also seen many insightful individuals across the industry repeat two mistakes. First, they frequently overestimate the arrival of new technology, especially the pace of its impact. And even more importantly, they underestimate the capabilities of people. 

Human capability is neither fixed nor finite. Each discovery creates a stronger foundation that enables people to stand taller and reach higher. People have been proving this for millennia. There came a day when people discovered that a horse could run faster than a human. People learned how to ride horses.  

Real causes for concern 

None of this is meant to dismiss the anxiety of today’s graduates. They’re right to raise concerns and ask hard questions, including about AI and its impact on their future. They face multiple headwinds as they enter the job market. This includes AI automation of tasks in current entry-level positions and, especially in the tech sector, corporate pressure to reduce headcount to help pay for AI’s enormous capital expenditures. It also involves other factors, including geopolitical uncertainty, trade tensions, and correction from over-hiring in the early years of the decade. Like a perfect storm, the wind is blowing from multiple directions. 

Today’s graduates have been through a lot. They spent much of their high school years living through a pandemic while studying and socializing at home through a screen. They are digital natives, with all the good and bad that social media, ubiquitous mobile devices, and other technologies have created. Now AI is coming, and they worry that jobs will start to disappear.  

So, what should the next generation – and all the rest of us – do about AI? 

AI in context 

First, we should put AI in context. No one has a crystal ball for the future, but we all can learn from the past. AI is the latest in a list of technologies that will reshape the economy and society. It has become the next “General Purpose Technology,” a term economists apply to technologies that, like electricity, are applied across the economy. Some of these technologies, including ironworking, machine tools, and digital computing, have profoundly reshaped not just job categories but economic power among nations. AI likely will be one of the most important general purpose technologies of the next quarter century. And like previous general purpose technologies, AI will displace some jobs, even as it creates others and changes many of the ways we currently work. 

But it takes time for technology to diffuse across an economy and around the world. There are some who look at the power of AI and predict its massive diffusion in just a few years. It’s always possible that this time will be different, but the world has never previously seen technology diffusion at that pace. The reason is not grounded in technology. It’s people. As Professors Arvind Narayanan and Sayash Kapoor have written, “diffusion is limited by the speed of human, organizational, and institutional change.”  

Put in historical context, broad AI transformation over the next quarter century would itself be remarkable. That pace of change appears to be reflected in Microsoft’s own recent data. Our most recent AI Diffusion Report estimates that 17.8 percent of the world’s working age population currently uses generative AI. The rate in the United States is higher than the global average, but still only at 31.3 percent. And as Professor Narayanan has shown, the impact of new technology across a high percentage of work typically lags well behind this type of initial usage rate.  

As the legendary UCLA basketball coach John Wooden, who led his teams to 10 national championships, advised his players two generations ago, we should “be quick, but don’t hurry.” In other words, we should act quickly and decisively and with preparation and purpose. But we need not – and should not – rush in a way that creates mistakes or panic.  

The key is to think things through. One good way to start is to consider some of the insights that have emerged already. For each of us as individuals. For companies and organizations. And for society.  

The implications for individuals 

In the three-and-a-half years since the release of ChatGPT, one initial insight is profound yet unsurprising. AI often is at its best when we use it to strengthen existing human capabilities and endeavors. In short, people can use AI to make themselves better.  

I see this every day in the work of Microsoft’s AI for Good Lab, which works with non-profits and governments around the world. Firefighters in California are using AI to help spot wildfires more quickly. Legal professionals in Africa are using it to help provide advice to women who don’t have access to a lawyer. Teams in Ukraine are using AI to help identify and remove landmines that threaten civilians. And conservationists around the world are using it to help farmers develop more productive and sustainable agricultural practices. 

There is a clear pattern in these examples. People are acting with ambition. They are using AI not to replace their subject matter expertise but to give it more impact. They are taking their knowledge, passion, and sense of purpose and using AI to help solve problems they care about.  

My colleagues Ryan Roslansky and Aneesh Raman have been focusing on these issues in recent years, based on their longstanding work at LinkedIn. They recently published an important book on the topic, Open to Work: How to Get Ahead in the Age of AI. In my view, it’s the first book that combines a view on where AI is going with practical advice for individuals.  

The more I’ve thought about it, two of their themes are particularly important. The first is for each of us in the workforce today to think about our job not as a title but a bundle of tasks. Their advice is to write down a list of your tasks and put them into three buckets: the bucket of tasks that AI can do; the bucket of tasks that you can do with AI; and the bucket of tasks that humans must do by themselves.  

If almost everything is in the first bucket, then one should think about pursuing a different type of job. But for most people, most tasks fall into the second bucket. In other words, if I can get AI to do the tasks in the first bucket, then I can focus my attention on the second and third buckets and consider how to use AI as a tool to help become more productive and impactful.  

There’s a second insight in the book that is even more important. In an Age of AI, there are perhaps even more opportunities to distinguish ourselves based on the soft skills that are uniquely human. Ryan and Aneesh point to five, all of which start with the letter C – curiosity, creativity, compassion, communications, and courage. Even when AI automates multiple tasks, people must continue to oversee its work. This creates the need for additional human observation and insight. In short, human judgment remains essential. 

All this speaks to one of the questions I hear repeatedly from students and their parents. What should people study to prepare for the future? Call me old fashioned, but I believe people should continue to pursue their passions. Develop expertise in an important field that fascinates you. Keep working hard to master it. At the same time, develop AI fluency so you can use AI to help apply your expertise better than has ever been possible before. This doesn’t mean the future will be easy. It seldom is. But it’s a recipe that will continue to prepare you for success. 

The impact on companies and organizations 

These insights apply as much to organizations as to individuals. After all, employers must thrive for employees to thrive. And successful businesses, like successful individuals, rely on distinctive and often deep expertise – about products, business processes, operating rhythms, and a deep understanding of customers. AI should not replace this foundation; it should strengthen and extend it. 

This can build on where AI technology is going. Organizations can now move beyond chat-based assistants to a network with AI agents that can help employees reason, make decisions, and run workflows across their data and systems.  

Organizations can implement their own AI systems that harness the power of multiple AI models and access their own unique enterprise knowledge. They can strengthen the effectiveness of these systems through AI tools that provide evaluations (“evals”) of a system’s performance and constantly make incremental improvements to it. Like climbing up a hill, each organization can manage an AI system that moves towards better outcomes and higher performance over time. Instead of solely consuming a frontier AI model, organizations can build their own “hill climbing machine” and participate more fully on their own terms in the AI ecosystem. 

By taking this approach, organizations can use AI to accelerate learning rather than replace it. Leaders can use AI to add capabilities inside their organizations, ensuring that their human expertise and judgment remain key competitive differentiators.  

This points to an age-old necessity. Business leaders and individual entrepreneurs must harness the latest technology while protecting their expertise and intellectual property, including through patents, copyrights, and trade secrets. AI adds a new dimension here. The benefits of AI for a business will be short-lived if it transfers and trains someone else’s AI model using a firm’s unique knowledge and expertise. This helps explain why each company needs to develop its own internal AI capabilities and control its own data.  

This is emerging as a critical issue not only for organizations but for today’s graduates, our economies, and even nations. The best way to promote broad economic and job growth is to ensure that every economic sector can harness the power of AI without surrendering its unique expertise. Sovereignty must be preserved not only for countries but for companies. And privacy must be protected not only for individuals but for organizations.  

A broader public conversation 

For individuals and organizations alike, the key is to harness AI’s benefits while preserving timeless human values and economic needs. Given the magnitude of the AI transformation, we’ll need innovative and collaborative efforts that bring the public and private sectors together to help prepare people for success in the Age of AI. This should start with a sobering recognition. The technological, economic, and societal transformations of the past three decades have left too many people behind. We’ll need to try different approaches, built on more shared responsibilities, if we’re going to do better as we move forward.  

Even in a time of fractured public discourse, it will be critical to find more ways to bring more people together to develop common solutions. This requires a big tent with a breadth of perspectives. We need to make room not only for technology companies, employers, and governments, but for non-profits, students, the world’s religions, labor leaders, and workers themselves. As Liz Shuler, the President of the AFL-CIO, said recently, “Who knows best how workplaces function and how work gets done than people who work for a living?” 

Our role at Microsoft 

As a company, we’re committed to playing an active part and constructive role in addressing these issues. We bring not only new technologies and ways of working, but perspective born of experience. For more than 50 years, Microsoft has helped workers and organizations adapt to technological changes, whether in offices, labs, classrooms, or factories. Our mission has been to build products to empower people and organizations to achieve more. And then help them put those tools to work.  

Our experience gives us determination and even a dose of optimism. We remember when people worried that word processing would lead to the end of jobs for people who typed for a living. But what came next – knowledge work and entirely new industries to support the computer age – transformed what “work” was. When spreadsheets automated calculations, people didn’t do less math. They built more sophisticated financial models. When emails made communication instant, people didn’t write less. They communicated more frequently and with more people. When technology increases supply, human ambition often generates more demand. As humans, we don’t plateau. We expand. 

This isn’t just philosophical. It’s our business model. Workers have been Microsoft’s lifeblood from the start. If the world’s people don’t have jobs, then neither do we. And if we’re not doing our part to help people use technology to pursue better jobs, then we’re not doing the job we were born to do. 

Heeding the next generation’s call 

This context shapes our reaction to recent commencement ceremonies. Graduating students who grimace or even boo at references to AI are telling us what we need to hear, that it’s time once again to raise the bar. That has been a frequent refrain from students for decades. The key is always to channel uncertainty into purposeful steps that build a better future. Across the tech sector and in business, non-profits, and government, we can do precisely that. 

I would add a second message for today’s graduates: you’re in a unique position to have a positive impact. You’ve lived through significant challenges. While it may feel unfair that the job market is so uncertain, you were made for this moment. Technology is second nature to your generation. Constant change has taught you how to adapt quickly. As AI reshapes how we work, you don’t need to unlearn decades of habits the way some of us do. You are better equipped to move forward.   

Technology will change, but you can stand firmly and speak loudly for values that are timeless. Agency. Ambition. Dignity. All fulfilled through work and technology that gives us purpose.  

Do everything you can to help advance these values.  

The post AI, jobs, and the next generation appeared first on Microsoft On the Issues.

88% of people struggle to tell what’s real online

10 June 2026 at 13:45

What would you trade for a technology that can do almost anything? For many people, the answer is clear: Everything they thought they could trust.

In a few, short years, Artificial Intelligence (AI) tools have granted people unfettered access to easier writing, faster image generation, quicker coding, and near-instantaneous answers, advice, and information—advantages they value and want. But the same tools that can spruce up a dating profile or reimagine an old photograph can also manipulate the broader world online, and people are noticing.

According to new research from Malwarebytes, 88% of people said it’s becoming harder to tell what content online is genuinely human or real, with 84% saying that “convincing video evidence” no longer feels like proof. Further, 85% said it can be hard to tell scams apart from the real thing—a major uptick from the 66% who said the same thing last year.

Statistics from the Face Value report

These are the first signs of AI’s counterfeit world. Replete with fake websites, fake products, fake videos, fake pictures, fake voices, and even fake people, it is threatening to swallow the web.

The latest report from Malwarebytes, Face value: How AI is reshaping trust, identity, and scams exposes the hidden cost of AI on the public: an excess of fraud that is dismantling trust in reality and in one another.

The damage arrives in large moments and small, from the US parent who said they “received a voicemail that sounded exactly like my son’s voice, saying he was in trouble and needed money for legal fees,” to the two entirely unrelated respondents fooled by the same AI-generated video of rabbits bouncing on a trampoline, to the individual worried about “my grandfather showing me AI slop and he thought it was real.”

For this research, Malwarebytes surveyed 1,500 adults aged 18 and older across the US, UK, Austria, Germany, and Switzerland about their uses, feelings, and concerns regarding AI. The sample was equally split for gender with a spread of ages, geographical regions, and race groups, and weighted to provide a balanced view.

The complete findings can be found in the full report:

Here are some of the key takeaways and findings:

  • 88% said it’s becoming harder to tell what content online is genuinely human or real
  • 84% said convincing video evidence no longer feels like proof 
  • 85% of people said it’s hard to tell a scam from the real thing (up from 66% last year)
  • 50% have experienced some form of AI fraud or scam, such as being misled by AI-generated photos of products or receiving a highly personalized scam message
  • 19% have specifically experienced some form of AI-driven identity harm, including the 10% who have had someone use AI to generate sexually explicit content of them without permission
  • 81% fear someone stealing their family’s likeness, yet only 13% have created a family codeword to guard against it
  • 67% worry about voice cloning, yet only 19% have turned off voicemail recordings to prevent it
  • 45% say it’s okay to use AI for personal emotional tasks (like writing wedding vows or a eulogy)
  • 34% say it’s okay to use AI to help create or improve a dating profile
  • One in three self-avowed daily users of AI said it’s okay to generate explicit images of someone without their consent 

Defeat would be the wrong lesson to take from all this. It is true now that the internet requires assistance, but there are plenty of safe places to seek help.

While Malwarebytes works to provide new tools, we’d like to remind both the AI anxious and the eager about the first rule of the internet: Remember the human. People’s voices, bodies, choices, and agency belong to them and them alone. 

As for every fake video, product, website, and image, understand that there’s help. No one needs to navigate an artificial internet alone. Whether through scam detection, identity protection, and simple awareness, people have more options than they may realize.

The guide on blocking ChatGPT, Gemini, Claude, and other AI tools at work | Kaspersky official blog

10 June 2026 at 13:53

Unchecked AI in the workplace quickly becomes a massive loophole for data leaks and security breaches. All too often, employees drop sensitive company data into public chatbots, or install rogue AI assistants on their own — in the process handing over way too much access. In a previous post, we broke down the different types of risky AI systems, and later shared some tips on how to turn off the built-in AI features on major tech platforms. Today let’s take a look at practical ways to block or restrict the unauthorized “helpers” employees might be using — from ChatGPT and Grammarly, to meeting bots like Fireflies and Read AI.

How to detect and restrict ChatGPT

ChatGPT is the biggest culprit when it comes to unauthorized AI use worldwide. A quick word of warning, though: an outright ban only sends users hunting for sketchy third-party sites or messaging app chatbots that hook into the same service. That’s why it’s always a good idea to offer an approved alternative before pulling the plug.

Detecting it: keep an eye on the NGFW or web filter for traffic heading to chat.openai.com, chatgpt.com, oaistatic.com, oaiusercontent.com, or cdn.oaistatic.com. It’s also smart to use EDR/EPP tools to scan browser histories, installed apps, and browser extensions across corporate devices.

Locking it down: use the firewall or web filter to block the entire AI Services category, and set up DNS to reroute traffic away from those OpenAI domains. Browser policies can also be used to ban ChatGPT-powered extensions. Better yet, block all extensions not on a pre-approved allowlist. Finally, use application controls and EPP solutions to stop users from installing the official desktop app (ChatGPT.exe or com.openai.chat).

How to detect and restrict Claude and Claude Code

Detecting it: use the NGFW or web filter to track traffic going to claude.ai, anthropic.com, *.anthropic.com, and api.anthropic.com. EDR/EPP or application control tools can also be used to scan employee computers for the desktop app (claude.exe).

Locking it down: drop a blanket block on the AI Services category through the NGFW or web filter, and tweak DNS settings to reroute traffic away from the aforementioned Anthropic domains. Next, use browser policies to shut down Claude-powered extensions. Finally, use application controls and the EPP platform to prevent users from installing the desktop app.

How to detect and restrict Perplexity AI

Detecting it: keep tabs on the NGFW or web filter to flag any traffic heading to *.perplexity.ai or pplx.ai.

Locking it down: just like the others, add the AI Services category to the NGFW or web filter blocklist, and use DNS routing to redirect traffic away from those domains.

Configure the browser to block third-party extensions from being installed. If Firefox is used in the organization, be aware that recent versions come with Perplexity built in. Luckily, these AI features can be turned-off company-wide using enterprise policies — specifically, by setting SidebarChatbot = blocked. The full list of tweaks can be found in the Firefox documentation.

How to detect and restrict DeepSeek

Detecting it: keep an eye on the NGFW or web filter for traffic hitting deepseek.com, chat.deepseek.com, api.deepseek.com, or platform.deepseek.com. For better precision, analyze the SNI (server name identification) in TLS connection requests. For mobile devices, look out for the official app (com.deepseek.chat).

Locking it down: blocklist the AI Services category on the NGFW or web filter, and reroute traffic to DeepSeek’s domains via DNS settings. Use browser policies to block third-party extensions, and lean on MDM/EMM tools to restrict the mobile app.

How to detect and restrict Mistral, xAI Grok, and Character.ai

The playbook for these tools is exactly the same as DeepSeek, so here’s the quick list of domains to watch for and block: chat.mistral.ai, mistral.ai, console.mistral.ai, grok.com, x.ai, api.x.ai, character.ai, beta.character.ai, and c.ai.

A quick word of warning on Grok: because Grok is baked into X, blocking this specific AI access point means blocking the entire social media platform.

How to detect and restrict Slack AI

Detecting it: in the Slack workspace admin dashboard, look under AnalyticsSlack AI usage. If an enterprise plan is used, the detailed Slack logs can be searched for any events starting with the ai_ prefix.

Blocking it with policies: in the organization’s Slack settings, click through the Workspace settingsRoles & permissionsFeature access, and change the permission to “no one”. Slack has a step-by-step guide in their help center.

Locking it down: shutting this down at the network level is tricky; it can be pulled off with a finely tuned CASB solution in place. Also, don’t forget the importance of blocking rogue integrations and keeping external AI services from tapping into Slack data in the first place. We covered how to lock this down using OAuth controls in a previous post.

How to detect and restrict Zoom AI Companion

Detecting it: if a corporate Zoom subscription is in use, just head to Admin CenterReportsAI Companion usage. Detecting Zoom’s AI when employees join external meetings or use free accounts is a lot tougher, but email filters can be set up to flag incoming AI-generated meeting notes by scanning for subject lines or text containing “Meeting summary” or “Meeting assets”.

Blocking it with policies: for the company’s own Zoom subscription, go to the Admin PortalAccount ManagementAccount SettingsMeetingAI Companion and toggle it OFF for everyone.

Locking it down: unfortunately, AI Companion is baked into Zoom’s DNA, so the only real option is blocking Zoom altogether.

How to detect and restrict Grammarly

What looks like an innocent spellchecker is actually one of the biggest culprits for workplace data leaks.

Detecting it: check the NGFW or web filter logs for traffic hitting grammarly.com, *.grammarly.com, and gnar.grammarly.com. EDR and MDM/EMM tools can also be used to hunt down the standalone desktop apps (Grammarly Desktop.exe and the macOS version), as well as the Grammarly browser extension.

Locking it down: use firewalls to block those domains at the network level, and EPP to stop employees from installing the desktop app, browser extensions, or the Grammarly add-ins for Microsoft Word and Excel.

How to detect and restrict meeting assistants: Fireflies, Read.ai, Tactiq, Fathom, and Granola

This massive category of third-party SaaS tools records and analyzes meetings — creating a massive risk for data leaks. The trickiest part? Outside clients or vendors can bring these bots into a meeting just as easily as employees can.

Detecting them: run an audit on calendar invites, and look for bot participants using email domains like @fireflies.ai, @read.ai, @tactiq.io, @fathom.video, or @granola.ai. Zoom, Teams, or Google Meet logs can also be used to review external participants who joined past calls.

Locking them down: since it’s impossible to control what outsiders do, blocking these bots comes down to tightening meeting rules. The best moves are: blocking users from granting OAuth permissions for bots to join calls, restricting employees from inviting unapproved external participants, or locking down meeting recording access for external users. That last option is usually the least painful way to keep bots out without disrupting business.

How to detect and restrict AI code editors: Cursor, Windsurf, and the like

Detecting them: use EDR/EPP tools to scan for executables like cursor.exe or windsurf.exe. It’s also worth monitoring network traffic heading to cursor.com and windsurf.com, as well as traffic hitting various AI model API providers. Keep in mind that there’s a pretty extensive list of API hosts to monitor here, since these editors aren’t tied to just one specific AI vendor.

Blocking them with policies: these apps can be prevented from being installed by setting up filters based on the developer’s digital signature certificate. Alternatively, a strict application allowlist can be employed where only pre-approved software is allowed to run.

Locking them down: rely on the EPP/EDR platform to actively detect and block these applications from running.

How to detect and restrict local AI tools: Ollama, LM Studio, and GPT4All

On one hand, this category carries fewer data leak risks because the AI models run completely locally on the user’s machine. On the other hand, it opens up a whole new can of worms: these apps themselves aren’t always highly secure, and can become targets for cyberattacks. Plus, it still means that employees can misuse models or process data in unauthorized ways.

Detecting them: EDR/EPP tools are the best line of defense here. They should be used to flag known local AI files and processes like ollama.exe, ollama serve, lmstudio.exe, LM Studio.app, jan.exe, or gpt4all.exe. From a network perspective, it’s worth scanning for open ports on local devices — typically port 1234 for Ollama and LM Studio, or port 8080 for WebUIs (using an additional fingerprint check of the server response). Another massive red flag is the presence of large files (often several gigabytes) containing language model weights. Look out for extensions like .gguf, .bin, or sometimes .safetensors.

Locking them down: use EPP/EDR platforms or windows AppLocker to block these applications by name, or switch to an application allowlist.

How to detect and restrict autonomous agents: OpenClaw, NemoClaw, and NanoClaw

This is easily one of the most dangerous categories of AI tools out there. These agents mix high-level independence with access to untrusted data, making them a massive security headache.

Detecting them: use EPP/EDR tools to sniff out active processes like openclaw, nanoclaw, nemoclaw, or clawdbot. Also keep an eye out for devices running Node.js that suddenly start launching Bash or Python scripts. Another dead giveaway is the appearance of system folders like ~/openclaw, ~/nanoclaw, ~/.claw*, or ~/clawhub. At the network level, monitor connections to the AI model APIs we mentioned earlier, as well as traffic hitting servers like openclaw.ai, nanoclaw.dev, or clawhub.*.

Locking them down: the safest bet is to use strict application allowlisting (only allowing approved software to run), or to specifically ban the known agent apps listed above. On top of that, consider blocking non-developers from installing Node.js and Docker, neither of which they need on their computers anyway.

Americans lost nearly $900 million to AI-powered scams, FBI says

8 June 2026 at 17:02

The 2025 Federal Bureau of Investigation (FBI) Internet Crime Report shows that Americans reported $893,346,472 in AI‑related scam losses.

Those losses stem from 22,364 AI-related complaints. And these figures represent only the reported losses, which may well be the proverbial tip of the iceberg.

The main drivers behind the rise in AI-powered scams are voice cloning, deepfake images and videos, and AI‑generated scripts. These tools have supercharged classic fraud schemes such as romance scams, kidnapping and extortion calls, fake influencers, and government impersonation.

Michael Machtinger, deputy assistant director of the FBI Cyber Division, told the Wall Street Journal:

“AI-created fraudulent communications can look very official and very legitimate to even the most trained individuals.”

The FBI and financial institutions recommend verifying identities via official contact channels. One of their biggest concerns is government impersonation scams, which have evolved from crude IRS gift‑card phone calls into sophisticated, multi‑channel operations that combine spoofed caller ID, stolen agency logos, and AI‑generated audio and video of public officials.

This report, and others like it, shows how AI is being weaponized to automate research on victims, generate convincing scripts, and create highly believable deepfake personas at scale.

AI is also increasingly used in business email compromise (BEC), romance scams, and impersonation fraud. In BEC cases involving AI, losses have already reached tens of millions of dollars for businesses alone.

For a broader look at why AI is simultaneously fueling scams like these and becoming indispensable to defending against them, see my article AI: Threat, tool, or both?

It explains how both defenders and criminals use AI to find vulnerabilities, and why security vendors increasingly rely on AI to process vast amounts of telemetry, detect anomalies, and keep pace with threats that “no longer move at human speed.”

How to stay safe

Consumer protection agencies have documented a growing list of the ways scammers are using AI to try to rip people off. The main problem is that we can no longer take it at face value that the person we’re talking to is who they claim to be.

Government agencies and financial institutions recommend that you:

  • Be skeptical of urgent payment demands, especially those involving cryptocurrency or gift cards
  • Limit the amount of voice and video content you share publicly, as it can be reused by scammers
  • Report incidents quickly to your bank(s) and IC3.gov

Pro tip: Malwarebytes Scam Guard can help you determine whether a message is a scam and guide you through the next steps.


Something feel off? Check it before you click.  

Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.  

Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.  

Try it free → 

AI: Threat, tool, or both?

5 June 2026 at 10:56

Public attitudes toward Artificial Intelligence (AI) are changing, and we wanted to understand why.

A recent Pew Research survey found that about half of adults say the increased use of AI in daily life makes them more concerned than excited, and that concern has grown over the last few years. People tend to worry most about long‑term social effects (jobs, creativity, relationships, misinformation), even while many do use AI tools and see some practical benefits, particularly for data analysis and routine tasks.

Data from an older UK survey already showed something similar. Awareness of highly visible AI technologies, such as driverless cars and facial recognition is high, but awareness of AI in welfare assessments, loan decisions, or care services is much lower. Concern about many of these use cases has risen since 2022. In other words, people feel AI is everywhere, but don’t always understand where or how it’s being used, and that makes people cautious.

The concern is usually less about science‑fiction extinction scenarios and more about social and economic harm. People worry about their jobs disappearing, a loss of creativity, the spread of disinformation, and increased surveillance, more than about killer robot scenarios.

Research into public attitudes towards AI repeatedly finds that people hold conflicting views, shaped by narratives of admiration and hype on one side and threat and dystopia on the other.

They see genuine benefits in the technology, but are increasingly wary of how companies, governments, and criminals might use it. Basically, people aren’t scared of AI itself, but about who’s using it and for what purpose.

Cybersecurity

AI in cybersecurity is a special case. When asked in which field of AI research they would invest an unlimited amount of money, people chose the fields of medicine and cybersecurity.

People increasingly recognize that AI is now a tool used by both defenders and cybercriminals. Few would feel comfortable with defenders refusing to use AI while attackers continue to adopt it.

Security products use machine learning to process huge volumes of data, detect unusual behavior, prioritize alerts, and identify threats faster than human analysts could alone.

At the same time, cybercriminals are using AI to create more convincing phishing emails, clone voices, generate fake images and videos, automate research on victims, and develop malware that can evade traditional detection techniques.

Both sides use AI-assisted tools to find software vulnerabilities that could be exploited to defraud people or breach systems, so vendors want to patch them before cybercriminals exploit them.

While studies consistently show that cybersecurity is one of the AI applications people worry about most, they also see that AI is increasingly necessary to keep pace with modern threats. A 2025 study focusing on AI in cybersecurity found that the public widely recognizes the technical benefits of AI‑driven defenses (speed, scale, accuracy), while remaining concerned about privacy, bias, and job displacement in security operations.

That is why the AI debate in cybersecurity feels different from the debate in many other fields. People may be uneasy about AI, but they also understand that the threat landscape no longer moves at human speed. Attackers already use automation, scale, and increasingly AI‑assisted workflows, so defensive teams that refuse to adapt would simply be slower and less effective.

Our mission at Malwarebytes is twofold: reduce the risks created by AI, and use AI to prevent, detect, and respond to threats. We’ve been using machine learning in our security products for nearly two decades, developing proprietary detection systems that help identify malicious code and suspicious behavior at a scale and speed that would be impossible manually.

Coming soon: How AI is changing trust online

Malwarebytes recently surveyed 1,500 adults across the US, UK, Austria, Germany, and Switzerland about their experiences with AI. The findings reveal a growing uncertainty about what people can trust online, alongside increasing concern about scams, impersonation, and AI-generated deception.

Stay tuned for the full Malwarebytes report on how AI is reshaping trust, identity, and scams.

Use AI safely

If you use AI in a security context, keep your data hygiene strict. Don’t paste passwords, customer data, or sensitive incident details into public AI tools. Treat AI-generated outputs as untrusted until verified, especially when they touch code, logs, indicators, or policy decisions.

AI can be useful for summarizing information, indentifying patterns, and producing first drafts, but keep a human in the loop for anything that affects access, containment, legal decisions, or public communications. Where possible, prefer enterprise or local deployments with logging, access control, and clear data-retention rules.

Also remember that AI can hallucinate confidently. In security work, that means every output needs validation against logs, documentation, source code, or other primary evidence before you act on it.


Something feel off? Check it before you click.  

Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.  

Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.  

Try it free → 

A guide to disabling Copilot, Gemini, and Apple Intelligence | Kaspersky official blog

4 June 2026 at 21:16

Lately, software developers have been baking AI features straight into everyday work tools, operating systems, and browsers. In some cases, they’re genuinely handy. However, their presence introduces specific risks, which means plenty of companies are hesitant to give employees access to these tools. In a previous post, we categorized these unwanted AI systems, looked at how to spot them at the network and endpoint levels, and covered the ultimate universal kill switch: managing OAuth access across major corporate platforms. In this deep dive, we’re getting tactical: breaking down how to disable or restrict the AI built into popular platforms.

A quick heads-up: major software vendors occasionally change the names of their AI settings and tweak how they function. If any of the options mentioned below are missing or aren’t working as expected, a quick web search for the setting’s name will usually point you to its new location or branding.

How to turn off Microsoft 365 Copilot

Detection: you can check actual Copilot usage in the logs by going to Microsoft 365 admin →  Copilot usage report.

Disabling via policies: in the Microsoft 365Admin Center, go to Settings →  Integrated Apps, find Copilot in the Available Apps list, and select Block. More granular configuration policies are available under Customization →  Policy Management. The Policies page here contains over two thousand entries, so you’ll want to filter them by the keyword “Copilot” (detailed guide). Given that Copilot is a paid add-on for Office, another way to block it — and save money by doing so — is to simply avoid assigning users SKUs that include Copilot.

We recommend separately blocking Copilot Chat, which is available in Teams, Edge, Outlook, and several other services. Yes, it’s not Copilot itself. And yes, it has to be blocked separately by following this guide.

Additional layer of protection: you can block the domains copilot.cloud.microsoft and m365.cloud.microsoft/chat at the web filter or NGFW level. However, Microsoft explicitly advises against this, warning that it could break other Microsoft 365 features.

How to turn off Windows Copilot

Beyond the Office version of Copilot, you also need to manage its consumer-facing cousin.

Detection: look through your NGFW or other network logs for traffic hitting copilot.microsoft.com, bing.com/chat, or edgeservices.bing.com.
Disabling via policies: in Windows Group Policy, navigate to Computer Config →  Admin Templates →  Windows Components →  Windows Copilot. In Microsoft 365 Group Policy, go to Admin center →  Block consumer Copilot for organizational accounts.

Additional layer of protection: block the Copilot.exe executable from running entirely.

How to turn off the Copilot sidebar in Edge

Detection: look through your NGFW or other network logs for traffic hitting copilot.microsoft.com, bing.com/chat, or edgeservices.bing.com.

Blocking: configure the following MS Edge Group Policies: HubsSidebarEnabled = false, EdgeShoppingAssistantEnabled = false, CopilotPageContext = Disabled (false), CopilotNewTabPageEnabled = false, Microsoft365CopilotChatIconEnabled = false, GenAILocalFoundationalModelSettings = 1 (note that disabling this unexpectedly requires a 1 instead of a 0).

Second layer of protection: block the domains copilot.cloud.microsoft and m365.cloud.microsoft/chat at the web filter or NGFW level. However, Microsoft explicitly advises against this, warning that it could break other features.

How to turn off the Gemini Assistant in Google Workspace

Detection: check the Workspace Admin Console (admin.google.com), Gemini usage report section.

Blocking via policies: in the Admin Console, navigate to Apps →  Additional Google services → > Gemini app, and set it to OFF. Then, go to Manage Workspace smart feature settings →  Smart features in Google Workspace, and set it to OFF.

Second layer of protection: block network traffic to the domains gemini.google.com, bard.google.com, and aistudio.google.com.

How to turn off Gemini in Google Chrome

Detection: check your Chrome Enterprise reports (Chrome management →  Reports), or look through network traffic logs for connections to the previously mentioned domains.

Blocking via policies: in your Chrome Enterprise policies, configure the following settings: GenAILocalFoundationalModelSettings = 0, HelpMeWriteSettings = 2 (disabled), TabOrganizerSettings = 2, CreateThemesSettings = 2, DevToolsGenAiSettings = 2.

Additional layer of protection: block network traffic to the domains gemini.google.com, bard.google.com, and aistudio.google.com. Additionally, block unauthorized Chrome/Chromium installations (those outside your policy management) with the help of host-based application control tools like EPP/EDR or AppLocker.

How to turn off Apple Intelligence

Detection: on your NGFW and web filters, traffic hitting apple-relay.apple.com and *.apple-cloudkit.com is a clear indicator that Apple Intelligence is active.

Blocking via policies: any managed Apple device allows you to disable individual AI features, though there isn’t a master switch you can flip to shut down “all AI”. In your MDM profile, you need to set the following keys to false (disabled): allowWritingTools, allowMailSummary, allowGenmoji, allowImagePlayground, allowImageWand, allowPersonalizedHandwritingResults, allowExternalIntelligenceIntegrations, allowExternalIntelligenceIntegrationsSignIn, allowNotesTranscription, and allowNotesTranscriptionSummary. Here is a brief configuration example:

<dict>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>allowWritingTools</key>
<false/>
<key>allowMailSummary</key>
<false/>
</dict>

Despite Apple’s shift toward declarative device management, these AI features still need to be managed through traditional MDM payload settings.

Second layer of protection: block network traffic to the hosts mentioned above — though the obvious downside for mobile devices is that this won’t work once they leave the corporate network.

Meta&#8217;s AI support bot happily handed Instagram accounts to hackers

4 June 2026 at 11:09

Customer service chatbots have one job: get the user what they’re asking for without bothering a human. Meta’s new AI support assistant took that brief a little too seriously. Over the past few months, attackers have been opening support chats, telling the bot they were locked out of Instagram accounts they didn’t own, and walking away with the keys.

Over the weekend, Meta pushed an emergency patch after Instagram accounts belonging to the Obama White House (now dormant), beauty retailer Sephora, and a senior US Space Force official were taken over and briefly defaced with pro-Iranian imagery. Security researcher and former Meta employee Jane Manchun Wong was also hit.

How the trick worked

The attack was simple. Attackers worked out where the account owner lived (there are lists of account owners’ home cities online, or they could just research the target). Then they used a VPN to match the target account’s geographic region, which avoided raising flags with Instagram’s security systems.

Then they started a normal password reset and opened the support chat. They asked the AI bot providing support to change the email address on the account, and it did exactly that, sending a one-time code straight to the attacker’s inbox.

To do this, the chatbot appears to have been wired into Meta’s account management systems with permission to make account changes, but without being taught how to verify it was talking to the real account owner. Security people have a name for that: “confused deputy.” The term has been around since the 1980s.

In fairness to the confused bot, attackers were successful even if the enhanced security was triggered. They would apparently create video deepfakes of their targets using images that were harvested from—you guessed it—Instagram.

Meta hoisted on its own AI petard

Meta has been shedding headcount and pouring money into AI, and rolled out its AI-powered support assistant earlier this year to help handle account recovery and other support requests.

The downside is that the AI appears to have been given the ability to perform actions such as email changes and password resets without applying enough safeguards to confirm the user’s identity first.

Meta communications executive Andy Stone said on X that the issue was resolved and impacted accounts were being secured. The company has not disclosed how many accounts were affected.

What actually worked

Why would anyone want to hack an Instagram account anyway? Revenge can be a driver, but more often than not, financial gain is the goal. Hijackers have blackmailed businesses that rely on those accounts for marketing.

Attackers using this technique have also been spotted targeting “OG” accounts with short or highly desirable usernames. If you joined Instagram early and registered a memorable handle, it can be worth thousands of dollars on underground markets.

What can you do to protect yourself?

A perennial piece of advice still holds: turn on multi-factor authentication (MFA). According to veteran cybersecurity reporter Brian Krebs, the attack failed against accounts that had MFA enabled, including those using SMS codes.

That doesn’t make MFA perfect, but it adds an important layer of protection.

So the practical advice is unglamorous:

  • Open Instagram’s Settings
  • Navigate to your Meta Accounts Center
  • Turn on Two-factor authentication. An authenticator app is better than SMS, but either is better than nothing.

Do it now, because this might not yet be over. TheCyberSecGuru reports that another attack is circulating, this time using an Android emulator called BlueStacks running a modified version of Instagram to send new prompts with hidden characters designed to manipulate the AI.

Expect more snafus from “helpful” bots

This won’t be the last attack against AI chatbots. As more companies use AI to reduce customer support costs, their attack surface will grow, and they’ll make plenty of mistakes as they try to balance security and functionality.

The Meta exploit is patched, but the confused deputy concept is not. And there’s nothing quite as damaging as a confused AI with the keys to your digital life.


Scammers don’t need to hack you. They just need you to click once. 

Malwarebytes Identity Theft Protection catches suspicious activity before it becomes a problem.

❌