Microsoft today pushed updates to fix at least 56 security flaws in its Windows operating systems and supported software. This final Patch Tuesday of 2025 tackles one zero-day bug that is already being exploited, as well as two publicly disclosed vulnerabilities.
Despite releasing a lower-than-normal number of security updates these past few months, Microsoft patched a whopping 1,129 vulnerabilities in 2025, an 11.9% increase from 2024. According to Satnam Narang at Tenable, this year marks the second consecutive year that Microsoft patched over one thousand vulnerabilities, and the third time it has done so since its inception.
The zero-day flaw patched today is CVE-2025-62221, a privilege escalation vulnerability affecting Windows 10 and later editions. The weakness resides in a component called the "Windows Cloud Files Mini Filter Driver", a system driver that enables cloud applications to access file system functionalities.
"This is particularly concerning, as the mini filter is integral to services like OneDrive, Google Drive, and iCloud, and remains a core Windows component, even if none of those apps were installed," said Adam Barnett, lead software engineer at Rapid7.
Only three of the flaws patched today earned Microsoft's most-dire "critical" rating: both CVE-2025-62554 and CVE-2025-62557 involve Microsoft Office, and both can be exploited merely by viewing a booby-trapped email message in the Preview Pane. Another critical bug, CVE-2025-62562, involves Microsoft Outlook, although Redmond says the Preview Pane is not an attack vector with this one.
But according to Microsoft, the vulnerabilities most likely to be exploited from this monthβs patch batch are other (non-critical) privilege escalation bugs, including:
Kev Breen, senior director of threat research at Immersive, said privilege escalation flaws are observed in almost every incident involving host compromises.
"We don't know why Microsoft has marked these specifically as more likely, but the majority of these components have historically been exploited in the wild or have enough technical detail on previous CVEs that it would be easier for threat actors to weaponize these," Breen said. "Either way, while not actively being exploited, these should be patched sooner rather than later."
One of the more interesting vulnerabilities patched this month is CVE-2025-64671, a remote code execution flaw in the GitHub Copilot plugin for JetBrains IDEs, the AI-based coding assistant from Microsoft and GitHub. Breen said this flaw would allow attackers to execute arbitrary code by tricking the large language model (LLM) into running commands that bypass the user's "auto-approve" settings.
CVE-2025-64671 is part of a broader, more systemic security crisis that security researcher Ari Marzuk has branded IDEsaster (IDE stands for "integrated development environment"), which encompasses more than 30 separate vulnerabilities reported in nearly a dozen market-leading AI coding platforms, including Cursor, Windsurf, Gemini CLI, and Claude Code.
The other publicly disclosed vulnerability patched today is CVE-2025-54100, a remote code execution bug in Windows PowerShell on Windows Server 2008 and later that allows an unauthenticated attacker to run code in the security context of the user.
For anyone seeking a more granular breakdown of the security updates Microsoft pushed today, check out the roundup at the SANS Internet Storm Center. As always, please leave a note in the comments if you experience problems applying any of this monthβs Windows patches.
Last week, a friend of mine reached out with a query: a contact in his address book had sent him a suspicious email. As it turned out, it was indeed a phish. In this blog post, we'll have a quick look at an Office 365 phishing campaign, which turned out to be massive. This type of phishing has been on the rise for a while now (at least since 2017), and it's worth pointing out, as these attacks only seem to be increasing.
Analysis
As mentioned earlier, Office 365 (O365) phishing isn't new, but it is definitely prevalent. A high-level overview of a typical attack is as follows:
Figure 1 - High-level overview of typical O365 phishing
A typical flow of such an attack may be as follows:
An attacker sends an O365 spearphishing email, likely from a spoofed or fake email address;
The user is enticed to click on the link, or open the attachment which includes a link;
The user will then unknowingly enter their credentials on the fake O365 page;
Credentials get sent back to the attacker;
Attacker will access the now compromised user's mailbox; and,
The cycle repeats: the attacker will send spearphish emails to all of the compromised user's contacts - with this difference, it's coming from a legitimate sender.
This is exactly what happened to a friend of mine: he got sent an email from a legitimate email address, which was a contact in his address book - only the sender never intentionally sent this email!
Let's have a look at the infection chain.
The initial email
The initial email sent looked as follows:
Figure 2 - "P.AYMENT COPY"
Clicking on the "OPEN" button would redirect you to a legitimate but compromised SharePoint (part of O365) webpage. Seeing as a legitimate business has been compromised, I won't post the link here. Its web administrators have been notified.
Figure 3 - "Access OneDrive"
The PDF document
The next step is a PDF named "INVOICE.PDF", hosted on that SharePoint page, which entices the user to access OneDrive to view the shared file. If the user were to click on "OPEN PDF HERE":
Finally, clicking on "Login with Office 365" will redirect the user to the final phishing page, which will look as follows:
Figure 5 - Final landing page
The final landing page is as follows: https://happymachineit[.]info/Michael/b4fb042ba2b3b35053943467ac22a370/7hsfabvj2b0b9rguzbzw910d.php
When entering credentials, they will be sent off to the attacker, and the cycle from Figure 1 will repeat itself. Note that other scenarios are possible, for example:
The attacker may try to (re-)sell credentials that have been gathered so far on criminal forums
The attacker may send more targeted spearphishes to potentially interesting victims
The attacker may attempt to access other services or accounts using the same user/password combination
In short, there's countless other possibilities.
The phishing infrastructure
Avid readers will have noticed the phishing website is served over HTTPS, but the certificate it presents is not one to trust: it is issued to "server.localhost.com", and the issuer is the same name as the subject.
This means the certificate is a local, self-signed one - nobody vouches for it, and it does not even name the domain you are visiting. In other words, if you are accessing a "secure" website and you see "server.localhost.com" as the SSL certificate, do NOT trust it. Such certificates are sometimes left behind by the hosting provider's automatic setup.
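To make that certificate check concrete, here is an added Python example (not code from the original post) that applies the same red flags to the dictionary layout that `ssl.SSLSocket.getpeercert()` returns: a placeholder or local name such as server.localhost.com, an issuer identical to the subject (self-signed), and a name that does not match the host you actually typed. The two sample certificates are constructed for illustration and are not the phishing site's real certificate.

```python
"""Classify a server certificate the way a cautious reader should.

Added example, not part of the original post. Works on the dict layout that
ssl.SSLSocket.getpeercert() returns; the sample certificates below are
constructed and are not the phishing site's real certificate.
"""
from __future__ import annotations

# Names that should never appear on a certificate for a public website.
LOCAL_NAME_HINTS = ("localhost", ".local", ".lan", ".internal")


def _names_from(cert: dict) -> tuple[str | None, list[str]]:
    """Return (subject commonName, DNS subjectAltNames) from a getpeercert() dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn, sans


def _dn_equal(a, b) -> bool:
    """A DN is a tuple of RDNs (tuples of (key, value)); flatten and compare."""
    return tuple(sorted(sum(a, ()))) == tuple(sorted(sum(b, ())))


def _matches(name: str, host: str) -> bool:
    """Hostname match with a single left-most wildcard label, as browsers do it."""
    name, host = name.lower(), host.lower()
    if name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == name[2:]
    return name == host


def assess_cert(requested_host: str, cert: dict) -> list[str]:
    """Return the reasons not to trust `cert` for `requested_host` (empty = none found).

    An empty list does NOT prove the certificate chains to a trusted CA;
    that part stays with the TLS library.
    """
    reasons: list[str] = []
    cn, sans = _names_from(cert)
    names = set(sans) | ({cn} if cn else set())
    subject, issuer = cert.get("subject", ()), cert.get("issuer", ())

    if not names:
        reasons.append("certificate names no host at all")
    local = sorted(n for n in names if any(h in n.lower() for h in LOCAL_NAME_HINTS))
    if local:
        reasons.append(f"issued to a local/placeholder name: {local}")
    if subject and _dn_equal(subject, issuer):
        reasons.append("issuer equals subject: self-signed, nobody vouches for it")
    if names and not any(_matches(n, requested_host) for n in names):
        reasons.append(f"none of {sorted(names)} match the host you typed ({requested_host})")
    return reasons


# Constructed samples (not real certificates), in getpeercert() layout.
SELF_SIGNED_PLACEHOLDER = {
    "subject": ((("commonName", "server.localhost.com"),),),
    "issuer": ((("commonName", "server.localhost.com"),),),
    "subjectAltName": (("DNS", "server.localhost.com"),),
}
PROPER_CERT = {
    "subject": ((("commonName", "login.microsoftonline.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example Issuing CA 01"),)),
    "subjectAltName": (("DNS", "login.microsoftonline.com"),
                       ("DNS", "*.login.microsoftonline.com")),
}

if __name__ == "__main__":
    for host, cert in (("happymachineit.info", SELF_SIGNED_PLACEHOLDER),
                       ("login.microsoftonline.com", PROPER_CERT)):
        print(host, "->", assess_cert(host, cert) or ["no obvious red flags"])
```

Note that `getpeercert()` only returns a populated dictionary after the TLS library has validated the chain, which a self-signed certificate fails; to run these checks on an untrusted certificate you first fetch the DER (for example with `ssl.get_server_certificate`) and parse it into this layout with a library such as `cryptography`.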
Performing a search with RiskIQ's PassiveTotal as well as VirusTotal, and after filtering results, we obtain a whopping total of 875 unique Office 365 phishing sites, hosted on that IP alone! It appears this campaign has been active since December 2018.
Searching a bit further, it appears the whole ASN (which is a collection of IP prefixes controlled by a single entity, typically an ISP), AS48666, is in fact riddled with Office 365 as well as other phishing sites. Using URLscan.io we can quickly gauge the ASN is hosting multiple phishing sites for Office 365 as well as Adobe:
Figure 6 - AS48666 hosting badness
General info (from URLscan.io):
Geo: Russian Federation (RU)
AS: AS48666 - AS-MAROSNET Moscow, Russia, RU
Registrar: RIPE NCC
As shown in this blog post, one IP address can host tons of phishing instances, while the ASN controls multiple IPs. Bonus bad IP: 178.159.36[.]120.
Detection
For the phishing websites themselves: alert on any network traffic to (or DNS resolution of hostnames pointing at) the IP addresses mentioned above.
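As an added example of that detection (not from the original post), the following Python script scans proxy log lines for the indicators named in this report: the 178.159.36[.]0/24 range and the happymachineit[.]info landing domain. The log format is a constructed one (timestamp, client IP, destination IP, host, URL, status); adapt `parse_line` to whatever your proxy or DNS logs look like. Matching on the address range catches sibling hosts in the same /24, and matching on the domain catches the site even after it moves to another IP.

```python
"""Hunt proxy logs for the phishing infrastructure named in this report.

Added example, not part of the original post. Indicators come from the
report; the log lines and their format are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Indicators from the report, defanging brackets removed.
BAD_NETWORKS = [ipaddress.ip_network("178.159.36.0/24")]
BAD_HOSTS = {"happymachineit.info"}


@dataclass
class Hit:
    line_no: int
    client: str
    reason: str
    raw: str


def parse_line(line: str) -> dict | None:
    """Constructed format: '<timestamp> <client_ip> <dest_ip> <host> <url> <status>'."""
    parts = line.split()
    if len(parts) < 5:
        return None
    return {"ts": parts[0], "client": parts[1], "dst_ip": parts[2],
            "host": parts[3], "url": parts[4]}


def classify(rec: dict) -> str | None:
    """Return why a record is suspicious, or None if it matches no indicator."""
    try:
        dst = ipaddress.ip_address(rec["dst_ip"])
    except ValueError:        # e.g. '-' when the proxy never connected
        dst = None
    if dst is not None and any(dst in net for net in BAD_NETWORKS):
        return f"destination {dst} is inside a blocked range"
    host = rec["host"].lower().rstrip(".")
    if host in BAD_HOSTS or any(host.endswith("." + bad) for bad in BAD_HOSTS):
        return f"host {host} is a known phishing domain"
    return None


def scan(lines) -> list[Hit]:
    """Run every line through the parser and classifier; keep the matches."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            hits.append(Hit(n, rec["client"], reason, line))
    return hits


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "2019-03-01T10:02:11Z 10.0.0.15 203.0.113.10 login.microsoftonline.com https://login.microsoftonline.com/ 200",
    "2019-03-01T10:03:45Z 10.0.0.15 178.159.36.120 happymachineit.info https://happymachineit.info/Michael/ 200",
    "2019-03-01T10:04:02Z 10.0.0.22 178.159.36.77 some-other-site.example https://some-other-site.example/ 200",
    "2019-03-01T10:05:30Z 10.0.0.9 198.51.100.4 happymachineit.info https://happymachineit.info/login.php 200",
    "2019-03-01T10:06:00Z 10.0.0.9 -",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: client {hit.client}: {hit.reason}")
```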
I've noticed there are countless similar PDFs from this same campaign. Due to the way these are created (likely in bulk), a simple Yara rule can be developed as follows:
The Yara rule can be found on Pastebin here or on GitHub Gist here.
Note: in specific instances, this rule may false-positive - so use it at your own discretion.
The following MITRE ATT&CK techniques are relevant:
There isn't much to disinfect, since there's no actual malware involved.
However, if you have been affected by this phishing campaign, do the following immediately:
Contact your network and/or system administrator or managed services provider if you have one and wait for their response - if not;
Note down the phishing page/URL, then close any open phishing pages - in fact, close the whole browser;
Perform an antivirus scan with your installed product, and a scan with another application, for example Malwarebytes (better be safe than sorry);
Change your O365 password immediately;
Change passwords on other websites where you used the same combination;
Reach out to the people in your address book, tell them you were compromised, and that they should not open your email(s), or at least not any attachments or links in them;
Verify your "Sent" emails folder (or "Outbox") for any suspicious activity. If there are no sent emails, the attacker may have deleted them, or you may have a full compromise on your hands;
Verify any (newly) created rules in your mail application (in this case O365), for example, verify there are no new forwarding rules or perhaps rules that delete new incoming emails - forwarding rules and deletion rules are sometimes set up by an attacker to gather more information or as an attempt to remain hidden; and,
File a complaint with your CERT, local police station, or whichever authority would handle such cases. If you are unsure how to do so, have a look here for assistance.
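The mailbox rule check in the steps above is tedious to do by hand across many users, so here is an added Python example (not from the original post) that audits the rules of an Office 365 mailbox for the tricks attackers typically leave behind: forwards or redirects to an external address, rules that delete mail or hide it in folders such as "RSS Feeds", rules keyed on words like "password" or "hacked" (to swallow warnings from colleagues), and rules with an empty or dot-only name. The rules are in the shape Microsoft Graph returns from `GET /me/mailFolders/inbox/messageRules`; the folder-name lookup comes from `GET /me/mailFolders`, because a rule refers to its target folder by id. The sample payloads are constructed, the organisation domain `example.com` is an assumption, and obtaining an access token with the required mail permissions is left out.

```python
"""Audit Office 365 inbox rules for the tricks attackers leave behind.

Added example, not part of the original post. Rule and folder payloads are in
the layout Microsoft Graph returns; the samples below are constructed, the
organisation domain is an assumption, and token acquisition is out of scope.
"""
from __future__ import annotations

import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
OUR_DOMAINS = {"example.com"}                       # assumption: your own mail domains
SUSPECT_FOLDERS = {"rss feeds", "deleted items", "junk email"}
ALERT_WORDS = ("password", "hacked", "phish", "suspicious", "fraud", "security")


def fetch_json(token: str, path: str) -> dict:
    """GET a Graph collection; `token` is a bearer token obtained elsewhere (assumed)."""
    req = urllib.request.Request(GRAPH + path, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def folder_names(mail_folders: dict) -> dict[str, str]:
    """Map folder id -> displayName from GET /me/mailFolders (rules use the id)."""
    return {f["id"]: f.get("displayName", "") for f in mail_folders.get("value", [])}


def _addresses(recipients) -> list[str]:
    return [r.get("emailAddress", {}).get("address", "").lower() for r in recipients or []]


def _is_external(addr: str) -> bool:
    return bool(addr) and addr.rsplit("@", 1)[-1] not in OUR_DOMAINS


def audit_rule(rule: dict, folders: dict[str, str]) -> list[str]:
    """Return the reasons one messageRule looks attacker-made (empty list = fine)."""
    findings: list[str] = []
    actions = rule.get("actions") or {}
    conds = rule.get("conditions") or {}

    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        ext = [a for a in _addresses(actions.get(key)) if _is_external(a)]
        if ext:
            findings.append(f"{key} sends mail outside the organisation: {ext}")
    if actions.get("delete") or actions.get("permanentDelete"):
        findings.append("rule deletes incoming mail")
    dest = folders.get(actions.get("moveToFolder", ""), "").lower()
    if dest in SUSPECT_FOLDERS:
        findings.append(f"rule hides mail in '{dest}'")
    words = [w for k in ("subjectContains", "bodyContains", "bodyOrSubjectContains")
             for w in conds.get(k) or []]
    hot = [w for w in words if any(a in w.lower() for a in ALERT_WORDS)]
    if hot:
        findings.append(f"rule keys on security-related words: {hot}")
    if not rule.get("displayName", "").strip(" ."):
        findings.append("rule has an empty or dot-only name")
    if findings and not rule.get("isEnabled", True):
        findings.append("(rule is currently disabled)")
    return findings


def audit_rules(rules_payload: dict, folders: dict[str, str]) -> dict[str, list[str]]:
    """Audit a messageRules collection; returns {rule id: findings} for flagged rules."""
    return {r["id"]: f for r in rules_payload.get("value", []) if (f := audit_rule(r, folders))}


# Constructed sample payloads, shaped like the two Graph responses.
SAMPLE_FOLDERS = folder_names({"value": [
    {"id": "AAMk-inbox", "displayName": "Inbox"},
    {"id": "AAMk-rss", "displayName": "RSS Feeds"},
    {"id": "AAMk-news", "displayName": "Newsletters"},
]})
SAMPLE_RULES = {"value": [
    {"id": "rule-1", "displayName": "Newsletters", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "news@vendor.example"}}]},
     "actions": {"moveToFolder": "AAMk-news", "markAsRead": True}},
    {"id": "rule-2", "displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["password", "hacked", "phishing", "invoice"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "collector@mail.example.net"}}],
                 "moveToFolder": "AAMk-rss", "stopProcessingRules": True}},
]}

if __name__ == "__main__":
    # Live use: folders = folder_names(fetch_json(token, "/me/mailFolders"))
    #           rules = fetch_json(token, "/me/mailFolders/inbox/messageRules")
    for rule_id, findings in audit_rules(SAMPLE_RULES, SAMPLE_FOLDERS).items():
        print(rule_id, "->", findings)
```

For a tenant-wide sweep, run the same audit against `/users/{id}/mailFolders/inbox/messageRules` for each mailbox with an application permission; rules that forward externally are also blocked outright by disabling automatic external forwarding at the tenant level, which is the cheaper preventive control.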
Prevention
Block the IP (or the whole subnet 178.159.36[.]0/24) mentioned in this report in your firewall, proxy or other appliance;
Use strong and preferably unique passwords (use a password manager);
Set up 2FA for accounts or, preferably, MFA (multi-factor authentication);
Enable, deploy or implement anti-spam and anti-phishing protection;
Enable, deploy, or implement a URL phishing filter;
Trust, but verify: "did this contact really need to send me a "Payment Copy"?" - if needed, verify via a phone call - not via email;
Be generally cautious with links and attachments. Do not click on links or open attachments from unknown senders;
If possible, use Firefox with NoScript enabled; and,
If you're in an organisation: create or organise user awareness training.
Conclusion
Phishing has been around for a long time - Office 365 phishing, on the other hand, has been around since, well, Office 365 was created. Every time a new service is created, you can imagine that phishing emails targeting that service will follow - maybe one month later, perhaps a year later - but they will.
Always try to be vigilant and follow the prevention tips mentioned above to stay safe.