Feds snooze as US datacenter law set to lapse with no replacement in site
Palo Alto Networks is pleased to announce the successful completion of a new Cloud Medium security assessment conducted by the Canadian Centre for Cyber Security (Cyber Centre), significantly expanding the number of Palo Alto Networks cloud services assessed for Protected B / Medium Integrity / Medium Availability (PBMM) environments. This assessment includes a broad range of capabilities across our Cortex®, Cortex Cloud and Strata™ platforms. By achieving this milestone, Palo Alto Networks enables organizations handling Canada’s most sensitive data to leverage a unified, AI-driven security architecture without compromising on compliance or operational resilience.
For years, many organizations viewed PBMM as something that only mattered to the Canadian federal government. It was often seen as a procurement requirement—a framework tied to public sector cloud adoption, relevant for departments handling Protected B information, but not necessarily for the private sector.
That assumption is changing.
The reality is that the challenges driving PBMM are no longer unique to government environments. Banks, energy providers, transportation networks, healthcare organizations, crown corporations, and other critical infrastructure operators are now facing many of the same pressures:
That is why PBMM matters far beyond Ottawa. At its core, PBMM represents a rigorous approach to validating whether enterprise-grade security platforms can operate securely in environments where trust, resilience, and operational continuity are critical.
Increasingly, that level of assurance matters to everyone.
PBMM, a rigorous cybersecurity and data classification standard used by the Canadian Centre for Cyber Security, stands for Protected B / Medium Integrity / Medium Availability. While often associated with federal cloud security requirements, PBMM is not simply a checkbox exercise. It is a comprehensive assessment framework aligned to Canadian cybersecurity guidance and operational security expectations.
What makes PBMM important is that it evaluates whether platforms and services can securely support sensitive and mission-critical workloads in real-world environments.
Palo Alto Networks meeting these rigorous PBMM requirements through three core pillars:
These are not theoretical requirements. They are practical operational expectations designed for environments where downtime, visibility gaps, or security failures can have significant consequences.
Organizations today are no longer evaluating cybersecurity solely based on features. They are evaluating whether platforms can be trusted to support critical operations at scale.
The cybersecurity landscape has evolved dramatically. Infrastructure is distributed across cloud providers, SaaS applications, remote users, third-party integrations, operational technology (OT), AI platforms, and interconnected supply chains. At the same time, attacks have become faster, more automated, and more disruptive.
In this environment, security can no longer be treated as a compliance exercise. Organizations need confidence that their platforms, operational processes, and security controls can function effectively under pressure.
This is why Palo Alto Networks has undertaken independent PBMM assessments across its portfolio, providing customers with greater assurance and trust. By meeting these rigorous standards into Strata and Cortex, we enable non-government entities—like financial institutions and utility providers—to deploy the same defensive rigor used to protect national security systems.
To effectively manage risk, critical infrastructure operators require a platform approach that helps eliminate security silos, reduce manual intervention, and accelerate threat mitigation.
One of the most significant shifts occurring across industries today is the growing focus on operational resilience. Organizations are increasingly asking questions that extend beyond traditional cybersecurity controls:
As organizations adopt cloud-native architectures, AI-driven technologies, and interconnected digital ecosystems, resilience has become a board-level concern. The ability to prevent incidents remains important, but organizations are equally focused on their ability to withstand, respond to, and recover from them.
This is where frameworks like PBMM provide value. Beyond evaluating security controls, PBMM assesses the governance, operational processes, monitoring capabilities, and risk management practices that help organizations operate securely.
For critical infrastructure operators, resilience is no longer simply an IT objective—it is a business imperative. Increasingly, the organizations that earn trust are those that can demonstrate they are prepared to operate effectively when disruption occurs.
PBMM may have started solely as a government assessment framework, but its relevance now extends far beyond federal environments. It represents something universal: the ability to operate securely, reliably, and transparently in environments where trust matters most.
By expanding our PBMM-assessed offerings across Cortex and Strata, Palo Alto Networks underscores its commitment to securing Canada's digital future. We provide the validated foundation organizations need to innovate with confidence, protect sensitive data, and maintain operational continuity under any circumstance.
To learn more about the Palo Alto Networks Cloud Medium security assessment, review the publicly available assessment summary report issued by the Canadian Centre for Cyber Security.
Ready to modernize your defenses with PBMM-assessed solutions? Schedule a demo with our team or contact Unit 42 to learn how we can help elevate your organization's resilience against emerging cyber threats.
The post Securing Canada’s Digital Future: Why PBMM Matters Beyond Government appeared first on Palo Alto Networks Blog.


As part of our ongoing series, we focus on the shared infrastructure that fuels threat actors; the intersection of mainstream social media, open-source messaging platforms, and gaming communities.

Threat actors and their illicit communities do not exist in a vacuum. To scale their operations, coordinate financial fraud, deploy malware, and recruit new talent, threat actors must interface with the broader digital world. This means leveraging everyday, public digital spaces to facilitate illicit activity, effectively hiding in plain sight.
When conceptualizing the cybercriminal underground, it is easy to focus exclusively on Tor-based onion sites or restricted-access dark web forums and marketplaces. However, a massive portion of modern illicit activity thrives on the clearnet. Threat actors heavily utilize commercial social media and public messaging networks to coordinate fraud, deploy malware, and run public relations campaigns for their operations.
At first glance, conducting illicit operations on highly monitored, mainstream platforms seems counterintuitive. However, the massive, continuous volume of legitimate traffic on the clearnet provides a form of operational security. By blending into the noise, threat actors can maintain a highly accessible digital presence. This visibility is crucial for their business models: it allows them to maintain a low barrier to entry for potential recruits and targets who know exactly what markers to look for, or who are systematically funneled into these spaces.
The misuse of mainstream communication tools has changed how threat actors interact. Rather than waiting for users to seek out the dark web, cybercriminals are actively meeting their targets or co-conspirators on platforms designed for daily socialization.
Originally built to connect gaming communities, Discord’s rapid growth and robust infrastructure have inadvertently made it a target for malicious activity. Cybercriminals treat the platform as a multi-functional tool for both technical infrastructure, social engineering, and radicalization.
On a technical level, advanced persistent threats (APTs) and other threat actors exploit Discord’s content delivery network (CDN) to host and distribute malware. Because traffic to Discord domains is generally trusted by corporate networks, threat actors can potentially use it to deliver payloads—such as infostealers and remote access trojans (RATs)—bypassing standard security perimeters.
Beyond hosting malware, extremist groups across various ideological spectrums often target the platform’s demographic, which skews heavily towards younger tech-savvy users. This group provides an impressionable pool of adolescents who may be susceptible to grooming, indoctrination, and recruitment into illicit operations.
While monitoring The Com, Flashpoint analysts have observed the systematic use of platforms like Discord, Roblox, and Minecraft to run predatory extortion pipelines. The mechanics of this ecosystem takes place through a multi-phase methodology:
Once isolated, perpetrators coerce victims into sending sensitive imagery or CSAM. This material is immediately compiled and weaponized as leverage for blackmail via doxxing. This creates a severe psychological trap in which the victim feels compelled to partake in escalating illegal activity to keep their previous actions hidden. This drives the victim to transition from a victim into an aggressor to escape their own abuse.
While many social media and messaging platforms can serve as an initial funnel for engagement, Telegram has been known to be used from time to time as an operational hub for the broader illicit ecosystem. Since the arrest of Pavel Durov, Telegram has begun working more closely with law enforcement, leading to several key arrests and major disruptions due to their cooperation.
The platform occupies a unique space in threat intelligence and open source intelligence (OSINT). While the vast majority of its user base is entirely benign, its minimal moderation policy and robust channel architecture have made it vital to public and private intelligence gathering.
Telegram functions as an open marketplace and real-time coordination center for a vast spectrum of threat actors. Flashpoint has observed it being used by:
Furthermore, threat actors routinely use other public-facing platforms like X (formerly Twitter) alongside Telegram to amplify their impact. They leverage the broad reach of social media to broadcast proof of their compromises, hype up ransomware leaks, and exert public pressure on corporate victims during extortion cycles. Concurrently, Telegram often acts as the backend repository where the stolen data is hosted, discussed, and monetized.
The evolution of illicit ecosystems demonstrates that the lines between the dark web and the clearnet have intersected. Whether analyzing the activities of extremist and threat actor groups or tracking the predatory pipelines of The Com, defenders must look beyond traditional intelligence sources.
Because malicious actors rely heavily on consumer messaging apps and social platforms to coordinate attacks, leak data, and target people, monitoring these public-to-private pipelines is an essential component of threat intelligence. Uncovering these physical and cyber threats requires best-in-class threat intelligence and OSINT investigations capable of parsing the massive noise of the clearnet to find the signals of illicit coordination.
Request a demo to see how Flashpoint empowers security teams to monitor these decentralized threat landscapes to proactively protect their critical assets.
| Check out the rest of our “Understanding Illicit Ecosystems” series: |
| Understanding Illicit Ecosystems: The Hybrid Threat of “The Com” |
| Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground |
The post Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure appeared first on Flashpoint.

In this post, we explore XSS’ shift from a unified forum to a scattered community spread across several competing factions.

For more than two decades, XSS was the gathering ground for the Russian-speaking cybercriminal underground. Evolving from its former name, DaMaGeLaB, XSS evolved from a mid-tier message board into a top-tier hacking forum.

XSS is home to vendors of various crime types, including loaders, phishing, scamming, carding, malware development, distributed denial-of-service (DDoS) bots, and related services. It also facilitates the trade of illicit goods and services, while simultaneously serving as a networking and recruitment hub for threat actors.
XSS forum content falls within the following main sections:

On July 23, 2025, law enforcement organizations reportedly seized XSS as part of a multinational operation with Ukrainian authorities, French police, and Europol. Alongside the domain seizure, French authorities reported the arrest of XSS’s longtime administrator in Ukraine.
This arrest triggered an immediate chain reaction that has had lasting effects on the Russian-speaking underground—with the XSS ecosystem splintering into several competing factions.
While the original XSS architecture was severely disrupted, the surrounding Russian-speaking cybercriminal ecosystem remains intensely active. However, instead of a centralized hub, the XSS ecosystem is spread out through competing environments that emerged directly from the fallout of the takedown.
Launched by the legacy moderators of XSS, DamageLib represents a structural pivot away from standard illicit forums. Concluding that the old XSS site was compromised by law enforcement, the moderators launched a new model that completely abandons commerce—shutting down all buying, selling, and auctions entirely—-to eliminate user tracking and surveillance. Instead, it focuses strictly on technical materials and tutorials.
Recognizing that displaced cybercriminals still required a commercial venue to trade, a former XSS moderator launched Rehub quickly after the emergence of DamageLib. Rehub immediately integrated a commercial platform, successfully recruiting prominent threat actors into its moderation team to establish underground credibility.

The forum is still in its development stage, with its content being populated, and an active member base being built.
In early August 2025, an unknown entity launched an alleged resurrection of the forum on a new domain [.pro], utilizing old backups that preserved legacy user data, threads, and forum deposits. However, this new version has been met with significant distrust from Exploit and DamageLib, believing the [.pro] domain to be a honeypot controlled by law enforcement.
Started by a pro-Russian Telegram hacking group, this community actively targets EU and Ukrainian digital infrastructure. According to user discussions on DamageLib, this forum is not related to XSS. In addition, Flashpoint analysts note that targeting Ukrainian infrastructure directly contradicts its original community rules. The authenticity of this forum and its ownership has not been verified.
While law enforcement achieved a significant victory over XSS, they did not eliminate the Russian-speaking cybercriminal underground. Instead, they broke the foundational trust mechanics that had kept it centralized for twenty years.
This has left the Russian-speaking underground in a deeply fractured state that is still intensely active and highly adaptive. For defenders and analysts, this threat has not diminished—it has diversified. Tracking this ecosystem no longer means watching a single centralized community, but rather actively mapping out the live migrations, shifting rules, and behavioral patterns across these splintered groups.
Request a demo to learn how Flashpoint helps security teams aggregate intelligence from these scattered factions into a single source of truth, empowering your organization to proactively monitor and intercept emerging threats.
The post Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground appeared first on Flashpoint.
Disclaimer:
This post reflects the perspectives shared in the book Code War: How Nations Hack, Spy, and Shape the Digital Battlefield, and does not represent the views of the publisher of this blog.
The summer of 1983, President Reagan watched WarGames at Camp David and couldn't get it out of his head. A week later, he walked into a White House meeting with cabinet members and Congress and launched into a detailed plot summary of a Matthew Broderick movie about a teenager who nearly hacks the world into nuclear war. The room full of defense experts sat uncomfortably, suppressing smirks. Then Reagan turned to General John Vessey, Chairman of the Joint Chiefs, and asked if something like that could actually happen.
Vessey came back a week later with an answer: "Mr. President, the problem is much worse than you think."
Fifteen months after that, Reagan signed a classified presidential directive titled "National Policy on Telecommunications and Automated Information Systems Security" – the first federal policy of its kind. A movie had done what years of expert warnings hadn't: It made the most powerful person in the world stop and ask the right question.
Allie Mellen, author of Code War: How Nations Hack, Spy, and Shape the Digital Battlefield, loves to tell this story, and it captures exactly why she wrote the book. In a conversation recorded at RSA 2025, Mellen joined Threat Vector host, David Moulton, to talk about nation-state threats, attribution pitfalls, and why the security industry's biggest problem isn't technical.
"They're human stories, and if we can communicate them that way to the general public, then we'll get more people interested in cybersecurity, invested in cybersecurity, and invested in protecting their data."
That gap, between what the security community understands and what everyone else grasps, is the core problem Mellen set out to solve. And in today's geopolitical moment, closing it has never been more urgent.
One of the central arguments in Code War is that you can't understand a nation's cyber behavior without understanding its history, doctrine and social contract. China, Russia, Iran, North Korea and the U.S. each approach offensive and defensive cyber operations from completely different starting points, and those differences matter enormously to defenders.
China operates with patience. Its attacks tend to be low and slow, focused on long-term espionage rather than loud disruption. But that changes sharply in its own region, where operations targeting Taiwan are aggressive and relentless. Russia, by contrast, is bombastic; they want you to know it was Russia. Its influence operations have been some of the most effective in modern history, studied and imitated by Iran and others.
Interestingly, the very system China built to protect itself has become a liability in one specific domain. Because Chinese operators live behind the Great Firewall, without access to western social media, they lack the cultural fluency that makes Russian disinformation so effective. "They try to use memes, but it's like ‘uncanny valley’," Mellen explains. "They just slightly miss every time and so it doesn't go viral." The walled garden that gives China control over its own population makes it harder to manipulate everyone else's.
Mellen is careful about attribution, and she wants defenders to be too. The standard technical signals (coding language, infrastructure patterns, operational hours) are necessary but not sufficient. Nation-states, especially the U.S., have developed tools specifically designed to mimic other actors' signatures. AI will make that problem significantly worse.
But the bigger issue is motivation. Mellen walks through a case from the Olympics where an attack was initially attributed to North Korea, even though North Korea was actively trying to normalize relations at the time by sending Kim Jong Un's sister to the games. The actual perpetrator was Russian, using a false flag to obscure its involvement. The lesson: Attribution requires asking not just "who has the technical capability?" but "who has the motive right now, given everything happening geopolitically?"
The pitfalls are real:
One of the more powerful sections of the conversation centers on a question Mellen hears constantly: why would China care about my data?
Her answer cuts through the dismissiveness. These nations aren't collecting data out of idle curiosity. They're willing to constrain companies for it, invest billions in infrastructure for it, and in some cases, far worse. "Whether you wanna be involved in that system or not, you are involved in that system," she says. "And so you can either choose to take control of your information in that environment, or you can just pretend like it's not your problem."
The historical context she offers is striking. One of the driving forces behind GDPR in the EU was the collective memory of how Nazi Germany used data to target Jewish people during the Holocaust. Europe built privacy protections into law because it had seen what happens when governments gain unrestricted access to population data. That's not an abstract concern. It's a lesson written in history that the rest of the world is still catching up to.
Mellen isn't optimistic about the trajectory. Attribution is about to get much harder. Attacks are about to get much more dynamic. And AI is the reason for both.
She points to research on Chinese state-sponsored actors using AI to orchestrate attacks across the full kill chain, with only a couple of human checkpoints in the loop. The implication isn't just faster attacks. It's more adaptive malware that can adjust to different operating environments, more convincing disinformation that clears the cultural context bar, and reconnaissance-to-exploitation cycles that move faster than most defenders can process.
The constraints that have always slowed sophisticated attackers – understanding the operating system, identifying vulnerabilities, crafting exploits, mimicking attribution – all get easier with AI. All of that becomes more dynamic. And most enterprises, Mellen acknowledges, are not yet equipped to respond effectively.
The investment required is in the basics the industry has always struggled to get right, executed now at a pace and scale that demands automation and AI on the defensive side. Fighting AI with AI isn't a vendor talking point. It's the only math that works.
The nation-state threats Mellen describes aren't theoretical. Unit 42 responded to more than 750 major incidents in 2025. See what they found. Download the 2026 Global Incident Response Report.
Listen to the full conversation with Allie Mellen, author of Code War, on the Threat Vector podcast
The post From WarGames to Cyberwar appeared first on Palo Alto Networks Blog.

If you’re looking to strengthen your organization’s security posture on Amazon Web Services (AWS) but aren’t sure where to start, then we’re here to help. Security Activation Days are complimentary, virtual, hands-on workshops designed to help you get practical experience with AWS security services in a single session.
Each Security Activation Day is a 3–6 hour virtual workshop where you work directly with AWS security services in real-world scenarios. Through a combination of presentations, demos, and workshops, you will get hands-on practice guided by AWS security specialists either in your own environment or in an AWS-provided sandbox.
Topics rotate across the full spectrum of AWS security, identity, and governance services, including threat detection and response, identity and access management, network and application protection, data protection, and governance and compliance. You will leave with actionable knowledge you can apply to your workloads immediately—not a to-do list of things to research later.
Security Activation Days are made for builders—security engineers, cloud architects, and DevOps teams who want to go deeper on specific AWS security capabilities. Whether you’re evaluating a service for the first time or looking to operationalize something you’ve already deployed, these sessions meet you where you are.
With over 6,400 attendees across 90 events so far in 2026, Security Activation Days consistently earn a 4.8 out of 5 satisfaction rating. Participants tell us the hands-on format is what makes the difference: there’s no substitute for actually configuring a service and seeing the results in real time.
We run Security Activation Days year-round across all time zones, with new sessions added regularly. Find a session, show up ready to learn, and start building today.
If you have feedback about this post, submit comments in the Comments section below.
Not hours. Not days. It takes thirty-nine seconds from initial access to data exfiltration.
That stat, pulled from Unit 42® research, isn't hypothetical. It's what defenders are up against right now, while most organizations are still building security teams around manual detection and response workflows that were never designed to operate at machine speed.
Wendi Whitmore, Chief Security Intelligence Officer at Palo Alto Networks, put it plainly in a recent conversation on the Threat Vector podcast, recorded live at RSA this year:
If you're applying a manual detection and response capability, you are going to be beat by the attacker every day.
It's the kind of sentence that should make security budgets move faster.
Whitmore has spent nearly 25 years tracking nation-state actors, and she's unequivocal about what's changed. The adversaries today aren't just better funded and more sophisticated. They're faster, and increasingly AI-powered.
Consider what's converging right now:
Chinese nation-state groups like Volt Typhoon and Salt Typhoon have been operating with near-surgical patience inside critical infrastructure, leveraging existing administrative tools to avoid detection. Volt Typhoon is focused on military prepositioning in power grids, water systems and telecommunications. Salt Typhoon has been systematically collecting intelligence from those same networks. Neither group announces itself with novel malware. They disappear into environments using the tools already there.
Meanwhile, threat actors tied to Iran are operating with entirely different objectives: tactical disruption and destruction. And financially motivated cybercriminal groups are automating ransomware campaigns at a pace that has compressed attack timelines from weeks to minutes.
Every CISO is being asked to defend against all of them simultaneously, while also managing their organization's AI expansion, and doing it without adding headcount.
When Whitmore references the 39-second exfiltration window, she's pointing at something structural, not just alarming. It reflects how completely the attacker's operational tempo has shifted.
The 72-minute data breach figure from Unit 42 Incident Response data is equally striking: From initial access to full data theft in the time it takes to sit through a decent movie. A 400-times year-over-year increase in exfiltration speed isn't a trend. It's a fundamental change in the physics of an attack.
"There is no way that we are going to defeat these adversaries if we are working at manual speed," Whitmore explained. The answer isn't just more analysts. It's fighting AI with AI, letting machines handle the volume and velocity, so humans can focus on the problems that actually require human judgment.
Here's where the conversation gets more nuanced and more important.
Most of the AI-in-security conversation focuses on the offensive side: adversaries using generative AI to craft convincing phishing lures, accelerate reconnaissance and automate attack sequences. That's real, and it's accelerating.
But Whitmore raised the other half of the problem, one that gets far less attention: The attack surface that organizations are creating by deploying AI without securing it.
Innovation of AI doesn't so far outpace the security of AI.
This is the outcome she wants to see. Right now, that's not what's happening. Business pressure to deploy AI quickly is outrunning the security architecture required to protect it. Every new AI deployment touching production data, cloud APIs and enterprise systems expands the attack surface. Shadow AI, prompt injection, model poisoning: These are not future threat vectors. They're present tense.
The distinction Whitmore draws is useful: AI for cybersecurity (faster detection, automated response, reduced analyst burden) needs to advance in parallel with cybersecurity for AI (securing the models, prompts and data pipelines that organizations are building on). One without the other creates exactly the kind of asymmetry attackers will exploit.
Whether the conversation is about defending against nation-state actors or securing AI deployments, Whitmore keeps returning to the same foundation of visibility.
Not complexity. Not more tools. Visibility is a single, unified view of what's happening across endpoints, networks, cloud and AI systems, that’s fast enough to matter when the window is measured in seconds, not days.
For SOC teams, that means being able to detect and contain a threat before a compromise of one system becomes an enterprise-wide event. For CISOs thinking about AI governance, it means understanding what's being deployed, what's being prompted, and where the data is going before an incident surfaces for them.
The organizations Whitmore sees succeeding aren't the ones with the largest security budgets. They're the ones with the clearest picture of their environment, and the architecture to act on it in real time.
Perhaps the most important reframe in the conversation is that the objective is no longer to prevent every attack. That goal is not achievable against adversaries operating at AI speed with nation-state resources.
The win is resilience. Detecting fast and containing fast. Keeping one compromised endpoint from becoming an enterprise-wide breach.
That shift in framing, from prevention to rapid recovery, has significant implications for how security teams are built, how AI is integrated into workflows, and how CISOs make the case for investment to leadership that still thinks in terms of keeping attackers out.
The adversaries already know the perimeter is gone. The question is whether your defense strategy has caught up.
Listen to the full interview here.
The post 39 Seconds — That's How Long It Takes to Lose Your Data appeared first on Palo Alto Networks Blog.

It’s only been a few weeks since Anthropic announced the Claude Mythos Preview model and launched Project Glasswing with AWS and other leading organizations. This has generated a lot of discussion about the future of cybersecurity and what the ever-increasing capabilities of foundation models mean to organizations.
As AWS CISO Amy Herzog pointed out in the Project Glasswing announcement, “At AWS, we build defenses before threats emerge, from our custom silicon up through the technology stack. Security isn’t a phase for us; it’s continuous and embedded in everything we do.”
Read more from Amy about this in Building AI defenses at scale: Before the threats emerge.
While the discussion around the future of cybersecurity is important, the only thing we know for certain is that organizations need to be able to react quickly to the rapid changes AI is bringing to technology and business in general. And you can’t react quickly if your security fundamentals aren’t dialed in.
It’s easy to assume you have the foundational security elements covered, or to overlook some completely. Basic security use cases like identity management, threat detection, vulnerability management, data protection, and network security can be inconsistently implemented across cloud environments. While AI is reshaping the security landscape, strong security fundamentals continue to be essential for every organization, regardless of size or industry.
These are the security basics that matter whether or not you’re adopting AI: patching consistently, enforcing least-privilege access, enabling logging and monitoring, encrypting data at rest and in transit, and reviewing security configurations regularly. When these fundamentals are in place, you’re better positioned to take advantage of AI-driven tools and respond to newly discovered vulnerabilities, wherever they come from.
While the concepts that drive security fundamentals are universal, implementing them in your environment is best done with an understanding of the context unique to your organization. That’s why we have a multitude of freely available materials—like the AWS Well-Architected Framework—that you can use to help ask the right questions and implement changes in your environment. We also offer programs like the Security Health Improvement Program (SHIP) to help you improve your security posture through prescriptive guidance and continuous improvement.
SHIP is a no-cost program available to every AWS customer, regardless of support tier. SHIP provides a proven, data-driven methodology to:
The program is led by AWS Solutions Architects and Technical Account Managers who take you through a personalized report, contextualize findings for your environment, and help you build a prioritized action plan.
Project Glasswing highlights an important shift: AI-powered tools are accelerating the pace of vulnerability discovery, which means organizations need to be prepared to assess and respond to findings and changing situations faster than before. In addition to external factors, as organizations adopt AI—whether deploying foundation models, building agentic workflows, or using AI-powered services—how they implement their security controls must change as well. A strong security foundation is what makes confident AI adoption possible.
Here’s how SHIP helps:
SHIP uses a data-driven methodology to identify opportunities to improve and optimize across 10 core security use cases: threat detection, cloud security posture management, application security testing, configuration management, access governance, vulnerability management, application protection, network security, encryption, and secrets management. The program includes a SHIP assessment to identify critical security findings related to your current security posture, so your team can build a prioritized roadmap for improvement tailored to your environment.
Before you deploy your first model on Amazon Bedrock or build agentic workflows with Amazon Bedrock AgentCore, you need confidence that your underlying infrastructure follows security best practices. SHIP uses actual data from your environment to provide prescriptive, specific guidance rather than generic security recommendations. This is especially relevant as AI-driven vulnerability discovery tools become more widely available: organizations with strong baselines will be able to act on new findings quickly and effectively.
As AI capabilities evolve, organizations benefit from having a repeatable process to assess and strengthen their security posture over time. SHIP establishes the methodology and mechanisms for your team to continuously assess, prioritize, and improve. By building this operational capability, you’re strengthening your organization’s ability to adapt and contributing to broader industry resilience. As the cybersecurity community integrates AI into defense strategies, SHIP helps you maintain foundational best practices so you can adopt these innovations effectively and with confidence.
SHIP is available today, at no cost, to every AWS customer. Here’s how to get started:
AWS is committed to being the most secure cloud, from our participation in Project Glasswing to the security embedded in every layer of our infrastructure. Security is a shared responsibility, and programs like SHIP give customers the tools, guidance, and support to strengthen their security foundations so they can build confidently, no matter what comes next.
Ready to improve your security posture? Contact your AWS account team to schedule a SHIP engagement, or visit the SHIP resources page to learn more.
The United Kingdom has established itself as a leading global cyber power. Over the last decade, Palo Alto Networks has been proud to work alongside British institutions to protect the digital borders of a highly innovative economy. As UK organisations navigate an evolving threat landscape and adopt transformative technologies, like AI, the need for security partners who understand British operational realities has never been greater.
Organisations today require more than a technology provider. They need a partner that understands the specific legal frameworks and strategic priorities of the British landscape. We are reaffirming our deep commitment to the UK, safeguarding British data as a core part of national resilience, even as both technology and cyber adversaries evolve.
The targeting of UK infrastructure is a daily operational reality. According to our Unit 42 2026 Global Incident Response Report, attackers are moving at unprecedented speed, with exfiltration speeds for the fastest attacks quadrupling in 2025. Identity weaknesses played a material role in almost 90% of Unit 42® investigations, as attackers increasingly exploit stolen credentials and fragmented identity systems to escalate privileges and move laterally. These threats span across all sectors, from NHS patient data to local government systems and energy networks.
UK organisations need partners who understand their unique requirements. While our broader European commitments provide a strong foundation, we recognise that the UK requires a dedicated focus across data protection, critical infrastructure security and public-private collaboration. This includes a deep-rooted local presence, aligning our operations with national standards of protection to support British ingenuity and ambition.
Genuine data control requires two things: understanding exactly how and under which laws your information is handled and having the technical capabilities to enforce that control.
For UK customers, we provide the capability to host data within UK-based infrastructure, ensuring that critical data can be stored in regions that align with UK data protection requirements. Additionally, for applicable products and services, we offer Bring Your Own Encryption Keys (BYOK) capabilities, giving you direct control over the encryption protecting your data.
Our agreements are built to comply with UK GDPR requirements and include the necessary protections for any cross-border data transfers. But beyond contractual obligations, we operate on a fundamental principle: Your data serves only the purpose for which you’ve engaged us.
How we handle different data categories:
1. Customer and Personal Data Are Processed Only to Serve You
We process your Customer Data and Personal Data exclusively to deliver the services you have purchased. This includes the content of your communications and files uploaded for support. The purpose is singular: delivering the security and protection you’ve contracted us to provide.
2. Systems Data Is Used to Enhance Functionality and Collective Defence
To provide effective security, our products generate Systems Data, which includes technical logs, performance metrics and threat indicators. This information serves three main purposes: ensuring the day-to-day functionality of your services, enabling our teams to provide expert technical support and troubleshooting, and powering our global threat research capabilities.
When a new threat is detected against a specific UK sector, our entire network receives updated protection within minutes. This allows British organisations to benefit from global threat intelligence. We handle Systems Data in ways that preserve your operational privacy, ensuring the intelligence value comes from understanding threat patterns, not identifying individual organisations.
For detailed technical information on how we categorise and handle data, see our Customer Data, Personal Data and Systems Data whitepapers.
We publish a biannual Transparency Report detailing all government and law enforcement data requests we receive. This isn’t simply about compliance. It’s about providing UK organisations with verifiable evidence of how we handle requests, enabling informed risk assessment and governance oversight. For more information, please visit the Privacy Section in our Trust Center.
The UK’s 13 sectors of Critical National Infrastructure represent the backbone of society. These sectors require security solutions built with an understanding of their unique threat models, from the specific requirements of an NHS trust to the challenges facing an energy provider.
We currently serve hundreds of UK public sector organisations across government, health and critical infrastructure sectors, which include the UK Government, UK Home Office and the Ministry of Justice.
For the UK’s most critical services, operational resilience is paramount. Our security platforms are designed for high availability and reliability, helping organisations maintain continuous protection even during disruptions.
Palo Alto Networks is deeply integrated into the UK’s security ecosystem, ensuring our solutions exceed national benchmarks for resilience and transparency.
We hold Cyber Essentials Plus certification and align with the NCSC Cloud Security Principles, providing assurance to customers that we adhere to the highest security protocols to protect their most critical assets. As a Software Security Ambassador and a committed supporter of the NCSC Telecom Vendor Assessment, we are committed to enhancing the security of the UK’s telecommunications and software supply chains.
Beyond compliance, our Unit 42 team serves as an NCSC-assured Cyber Incident Response (CIR) Enhanced Level provider, offering specialised incident support to help UK organisations navigate and recover from the most complex incidents. For customers with specific requirements, particularly in defence and national security, we can provide support from personnel in countries with compatible security standards and legal frameworks. We are committed to the Telecommunications Security Act (TSA) Code of Practice, supporting the resilience of the UK’s public telecommunications networks.
Strengthening Local Expertise with National Impact
Our investment in the UK extends across our people, infrastructure and local expertise. Operating from our London hub, we remain deeply connected to the communities we serve and make a direct and indirect contribution to the UK economy. Our UK-based teams span engineering, threat research, professional services, policy and security strategy, and have a deep understanding of the UK market and the requirements of our customers. We also partner with NCSC CyberFirst and others on developing the next generation of cyber talent, and our Cyber Academy Program partners with universities and colleges all over the UK to train the next generation of cyber defenders.
The UK’s digital autonomy increasingly depends on its ability to secure both cyber infrastructure and the emerging AI economy. This requires partnerships that serve the UK’s long-term national interests, grounded in trusted institutions, local expertise and transparency that enables commitments to be verified, not simply asserted.
We recognise that the UK’s cyber landscape is shaped by its legal framework, strategic priorities and threat environment. From protecting critical infrastructure to enabling the secure adoption of AI, organisations across the UK need to trust their security partner to deliver on their commitments. Palo Alto Networks is committed to maintaining and increasing that trust through verifiable action, transparency, accountability and an enduring partnership.
To learn more about our comprehensive commitment to digital trust, privacy and security, visit the Palo Alto Networks Trust Center.
The post Securing the UK’s Digital Future appeared first on Palo Alto Networks Blog.


In this post, we examine how threat actors use emojis across illicit communities, how these symbols function as a form of coded language, and why understanding this form of communication is increasingly critical for threat intelligence teams.

As threat actor activity continues to shift toward informal, fast-moving communication platforms such as Telegram and Discord, the way adversaries communicate is evolving. Emojis, often dismissed as casual or nontechnical, have become a meaningful part of that evolution.
Across illicit forums, messaging apps, and closed communities, emojis are used not just for expression, but for signaling intent, categorizing activity, and, in some cases, obscuring meaning from outsiders. For analysts, this introduces an additional layer of context that can influence how communications are interpreted, prioritized, and actioned.
Within threat actor communities, emoji usage is often structured and repeatable.
Rather than replacing language entirely, emojis act as a functional overlay — reinforcing key concepts, highlighting important information, and accelerating communication in high-volume environments.
This is especially common in:
In these environments, speed and clarity matter. Emojis allow actors to quickly scan messages, identify relevant content, and engage without parsing long text-based posts.
Flashpoint analysis of illicit communities shows that emoji usage tends to cluster around a set of recurring categories. While meanings can vary slightly by group, several patterns appear consistently.
Emojis related to money are among the most frequently used.
Common examples include:
These symbols often appear in sales posts, fraud logs, or success claims, helping actors quickly identify opportunities tied to financial gain.
Another cluster of emoji usage centers on access and account compromise, where symbols are used to signal the availability of credentials, successful intrusions, or control over compromised systems.
Examples include:
In many cases, these emojis are used in combination with minimal text, allowing actors to advertise access or share results without detailed descriptions.
Emojis are also used to signal tooling and service offerings.
Examples include:
These are commonly seen in phishing-as-a-service, SMS gateway services, and malware distribution communities.
Threat actors frequently use emojis to represent targets or regions.
Examples include:
This allows actors to signal targeting scope quickly, particularly in multilingual or international groups.
Some emojis are used to communicate momentum or importance.
Examples include:
These signals are particularly important in fast-moving channels where actors compete for attention.
Beyond signaling, emojis are also used to evade detection.
Threat actors may substitute emojis for keywords associated with:
For example, replacing “credit card” with
or “bank” with
can help bypass basic keyword filters or reduce visibility in automated moderation systems.
When combined with slang, abbreviations, and multilingual phrasing, this creates a layered form of obfuscation that complicates large-scale monitoring efforts.
Emoji usage is not just functional. It can also be behavioral.
Over time, actors often develop recognizable patterns in how they use emojis:
These patterns can serve as lightweight identifiers, helping analysts:
In ecosystems where aliases frequently change, these subtle patterns can provide additional attribution signals.
Illicit communities are inherently global, spanning multiple languages and regions.
Emojis provide a shared visual layer that allows actors to communicate core concepts without relying entirely on text. This is particularly valuable in:
For example, a combination of
+
+
can communicate “global carding opportunity” without requiring a shared language.
This ability to compress meaning into visual shorthand helps scale operations and coordination across diverse actor networks.
Despite these patterns, emoji usage is not universal or fixed.
The same emoji can carry different meanings depending on:
For example,
may indicate “high value” in one group, but simply “active discussion” in another.
For analysts, this reinforces the need to treat emojis as contextual signals, not standalone indicators. Accurate interpretation depends on understanding the broader communication environment.
Emoji usage reflects a broader shift in how threat actors communicate toward faster, more visual, and more adaptive forms of interaction.
Flashpoint assesses that incorporating emoji analysis into intelligence workflows can enhance:
While emojis alone are not decisive indicators, they provide an additional layer of signal that can strengthen overall analysis.
Understanding how threat actors communicate down to the symbols they use provides critical context for identifying and interpreting emerging threats.
Flashpoint delivers intelligence that helps organizations monitor illicit communities, track evolving communication patterns, and translate raw data into actionable insights. Within the Flashpoint platform, analysts can search across environments like Flashpoint Ignite and Echosec using emojis alongside keywords—enabling more precise discovery of relevant conversations, signals, and emerging activity that might otherwise be missed.
This approach allows teams to capture nuance in how threat actors communicate, improving detection, attribution, and overall situational awareness.
To learn how Flashpoint can support your team with real-time intelligence and analysis, request a demo.
The post The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online appeared first on Flashpoint.

November 20, 2025: Original publication date of this post. This post has been updated to reference the most recent version of the LZA Compliance Workbook published to AWS Artifact in March 2026.
We’re pleased to announce the availability of the latest sample security baseline from Landing Zone Accelerator on AWS (LZA)—the Universal Configuration. Developed from years of field experience with highly regulated customers including governments across the world, and in consultation with AWS Partners and industry experts, the Universal Configuration was built to help you implement security and compliance at scale for on your regulated workloads. By setting a high bar with the latest AWS security best practices, the Universal Configuration can help address technical control requirements from compliance frameworks across different geographic regions and industry verticals. The Universal Configuration’s multi-account security architecture provides a foundation to host your diverse workload requirements today along with providing the ability to explore the generative AI and agentic AI solutions that will shape your organization in the future. It can also replace months of complex planning and design by deploying a comprehensive security and compliance-driven environment based on AWS Well-Architected principles in a matter of hours.
As organizations grow, they typically pursue or must adhere to new security compliance certifications. LZA and the Universal Configuration help organizations of all sizes and phases in their security and compliance journey. The speed of deployment, step-by-step documentation, and compliance resources can reduce traditional assessment and authorization timelines by months and result in more predictable and successful audit outcomes. This enables more freedom to invest resources to grow the business instead of choosing between security and compliance tradeoffs.
The Universal Configuration helps organizations:
The LZA engine has been a trusted tool for quickly deploying secure multi-account AWS environments for over 4 years. It is also cost effective because you pay only for the AWS services used to operate your environment. The Universal Configuration is the first sample configuration accompanied by the LZA Compliance Workbook available on AWS Artifact. It is a first-of-its-kind resource with detailed control mappings showing how the Universal Configuration can support different industries and regions, helping you address requirements from frameworks listed below.
|
|
|
|
|
|
|
|
|
|
|
|
The LZA Compliance Workbook is regularly maintained to reflect the latest Universal Configuration baseline and will include additional compliance mappings in future releases. The workbook contains detailed security configuration descriptions based on the Universal Configuration deployment files, along with control requirement mappings and implementation statements that translate its security capabilities into a compliance-friendly format. By combining AWS security best practices with global compliance expertise, the Universal Configuration delivers predicable security outcomes while also helping you meet regional and industry requirements.
To get started with the Landing Zone Accelerator on AWS Universal Configuration, the LZA Implementation Guide walks you through the steps, use cases, and considerations when deploying with LZA. You can download the LZA Compliance Workbook from AWS Artifact today and configure notifications to receive emails when future versions are released. You can view the deployment files and additional technical implementation guidance on the GitHub Universal Configuration sample and documentation page. Additionally, visit the AWS Partner Network (APN) for help with audit and advisory initiatives, cloud migrations, deploying the LZA Universal Configuration, and other services. You can visit the AWS Partner Finder tool and search by solution for Landing Zone Accelerator for the latest LZA Partner offerings.
If you have feedback about this post, submit comments in the Comments section below.
In the race to digitise public services, the UK’s digital estate has grown into a vast, borderless ecosystem that manual audits can no longer track. For UK Government departments, local authorities and NHS trusts, it is a sprawling, shifting landscape of cloud workloads, legacy infrastructure, shadow IT and third-party supplier connections.
This complexity creates blind spots that modern threats exploit. Recognising this vulnerability, the UK Government is moving toward a secure-by-design digital infrastructure, with the 2026 Government Cyber Action Plan (GCAP) setting a high bar for resilience. A central theme of the GCAP is the urgent need for the government to have better visibility of cyber security and resilience risk. Fundamentally, organisations cannot secure what they cannot see. As the GCAP explicitly states, the Government will use “data sources from across the government to truly understand government-wide and departmental cyber risks.”
Many public sector organisations rely on a complex web of spreadsheets, data calls, legacy tools and manually curated lists to create an inventory of their internet-connected assets. But attackers do not look at an organisation's internal lists; they scan the internet for what they have forgotten to secure. Whether it is an unpatched server from a legacy project or a misconfigured database in a department, these "unknown unknowns" are the primary entry points for attackers.
Palo Alto Networks Cortex Xpanse® is an active external attack surface management (EASM) solution that provides an outside-in view of organisations' entire digital footprint. It helps leaders meet national resilience goals:
![]()
Palo Alto Networks Cortex Xpanse aligns with the National Cyber Security Centre (NCSC) external attack surface management (EASM) buyer's guide by providing automated discovery, continuous monitoring and risk prioritisation of internet-facing assets. It replaces manual, point-in-time audits with a proactive, agentless solution. By automating the discovery of all internet-accessible assets (including shadow IT and unmanaged cloud operations) the platform fulfills the NCSC’s core requirement for continuous global monitoring and rapid attribution. This data-driven approach allows for the automated prioritisation of critical exposures, such as RDP, and integrates seamlessly with multiple third-party automation and visualisation tools, including Cortex XSOAR® and XSIAM, to accelerate remediation with national incident response standards.
In fact, with Palo Alto Networks deployment of Cortex Xpanse, we were able to achieve a 95% reduction in external vulnerability management spending across more than 700,000 cloud instances, while improving coverage and outcomes.
Securing the public sector requires a move from manual, point in time assessments to data-driven intelligence. Cortex Xpanse provides the foundations to remove blind spots, secure the supply chain and prevent unknown vulnerabilities in the face of sophisticated threats.
For further information and case studies, visit the links below, or schedule a demo.
The post Closing the Gap by Enhancing Visibility and Mitigating Risks appeared first on Palo Alto Networks Blog.

Explore Google’s synced passkey architecture. Unit 42 details its mechanisms, key management, and secure communication in passwordless systems."
The post Google Cloud Authenticator: The Hidden Mechanisms of Passwordless Authentication appeared first on Unit 42.

A vulnerability in Microsoft Authenticator for both iOS and Android (CVE-2026-26123) could leak your one-time sign-in codes or authentication deep links to a malicious app on the same device.
Deep links are predefined URIs (Uniform Resource Identifiers) that allow direct access to an activity in a web or mobile application when clicked. In simple terms, they are specifically constructed links used to open an app and complete actions like signing in.
Microsoft Authenticator is a mobile app that generates time-based one-time codes and handles sign-in links and QR-based logins for Microsoft and other accounts. It is widely used for multi-factor authentication (MFA) on personal phones, including BYOD (Bring Your Own Device) devices that protect access to corporate and production services.
This vulnerability affects users who have Microsoft Authenticator installed on an iOS or Android device. For the vulnerability to be exploited, the user would first need to install a malicious app on their device and then accidentally choose that app to handle a sign‑in deep link.
If that happens, the malicious app receives the one-time code or sign-in information and can potentially use it to authenticate as the victim.
If successful, an attacker could:
The fix for CVE-2026-26123 is already included in current releases, so installing updates is the most effective mitigation.
Note: If your device manufacturer has implemented a different method to apply app updates, the steps may vary slightly.
If you are temporarily unable to update the app, avoid installing new apps that request to handle authentication links, QR-based sign-ins, or web-to-app sign-in flows.
When scanning QR codes or tapping sign-in links, verify that the handler is Microsoft Authenticator or another trusted app, and not an unknown, recently installed, or otherwise suspicious app.
Where possible, use alternative MFA options you already trust (such as built-in authentication in your password manager or platform-specific solutions like Apple’s password features) until you can apply the update.
Use anti-malware protection for your mobile devices that can help detect malicious apps.
We don’t just report on phone security—we provide it
Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Our malware removal support team recently flagged a new wave of sextortion emails, with the subject line: “You pervert, I recorded you!”
If the message sounds familiar, that’s because it’s a variation of the long-running “Hello pervert” scam.
The email claims the target’s device has been infected by a “drive-by exploit,” which supposedly gave the extortionist full access to the device. To add credibility, the scammer includes a password that actually belongs to the target.
Here’s one of the emails:

Your device was compromised by my private malware. An outdated browser makes you vulnerable; simply visiting a malicious website containing my iframe can result in automatic infection.
For further information search for ‘Drive-by exploit’ on Google.
My malware has granted me full access to your accounts, complete control over your device, and the ability to monitor you via your camera.
If you believe this is a joke, no, I know your password: {an actual password}
I have collected all your private data and RECORDED FOOTAGE OF YOU MASTRUBATING THROUGH YOUR CAMERA!
To erase all traces, I have removed my malware.
If you doubt my seriousness, it takes only a few clicks to share your private video with friends, family, contacts, social networks, the darknet, or to publish your files.
You are the only one who can stop me, and I am here to help.
The only way to prevent further damage is to pay exactly $800 in Bitcoin (BTC).
This is a reasonable offer compared to the potential consequences of disclosure.
You can purchase Bitcoin (BTC) from reputable exchanges here:
{list of crypto-currency exchanges}
Once purchased, you can send the Bitcoin directly to my wallet address or use a wallet application such as Atomic Wallet or Exodus Wallet to manage your transactions.
My Bitcoin (BTC) wallet address is: {bitcoin wallet which has received 1 payment at the time of writing}
Copy and paste this address carefully, as it is case-sensitive.
You have 4 days to complete the payment.
Since I have access to this email account, I will be aware if this message has been read.
Upon receipt of the payment, I will remove all traces of my malware, and you can resume your normal life peacefully.
I keep my promises!
The message is a bit contradictory. Early on, the sender claims they have already removed the malware to “erase all traces,” but later promises to remove it after receiving payment.
I found that one particular sender using the name Jenny Green and the Gmail address JennyGreen64868@gmail.com sent many of these emails to people that use the FakeMailGenerator service.
FakeMailGenerator is a free disposable email service that gives users a temporary, receive‑only inbox they can use instead of their real address, mainly to get around email confirmations or avoid spam.
As mentioned, the addresses are receive‑only, meaning they cannot legitimately send mail and the mailbox is not tied to a specific person. On top of that, there is no login. Anyone who knows the address (or guesses the inbox URL) can see the same inbox.
My guess is that the scammer searched these public inboxes for passwords and then reused those passwords in their sextortion emails.
So users of FakeMailGenerator and similar services should consider this a warning. Your inbox may be publicly accessible, show up in search results, and you may receive a lot more than what you signed up for. Definitely don’t use services like this for anything sensitive.
Knowing these scams exist is the first step to avoiding them. Sextortion emails rely on panic and embarrassment to push people into paying quickly. Here are a few simple steps to protect yourself:
Pro tip: Malwarebytes Scam Guard immediately recognized this for what it is: a sextortion scam.
What do cybercriminals know about you?
Use Malwarebytes’ free Digital Footprint scan to see whether your personal information has been exposed online.

Our malware removal support team recently flagged a new wave of sextortion emails, with the subject line: “You pervert, I recorded you!”
If the message sounds familiar, that’s because it’s a variation of the long-running “Hello pervert” scam.
The email claims the target’s device has been infected by a “drive-by exploit,” which supposedly gave the extortionist full access to the device. To add credibility, the scammer includes a password that actually belongs to the target.
Here’s one of the emails:

Your device was compromised by my private malware. An outdated browser makes you vulnerable; simply visiting a malicious website containing my iframe can result in automatic infection.
For further information search for ‘Drive-by exploit’ on Google.
My malware has granted me full access to your accounts, complete control over your device, and the ability to monitor you via your camera.
If you believe this is a joke, no, I know your password: {an actual password}
I have collected all your private data and RECORDED FOOTAGE OF YOU MASTRUBATING THROUGH YOUR CAMERA!
To erase all traces, I have removed my malware.
If you doubt my seriousness, it takes only a few clicks to share your private video with friends, family, contacts, social networks, the darknet, or to publish your files.
You are the only one who can stop me, and I am here to help.
The only way to prevent further damage is to pay exactly $800 in Bitcoin (BTC).
This is a reasonable offer compared to the potential consequences of disclosure.
You can purchase Bitcoin (BTC) from reputable exchanges here:
{list of crypto-currency exchanges}
Once purchased, you can send the Bitcoin directly to my wallet address or use a wallet application such as Atomic Wallet or Exodus Wallet to manage your transactions.
My Bitcoin (BTC) wallet address is: {bitcoin wallet which has received 1 payment at the time of writing}
Copy and paste this address carefully, as it is case-sensitive.
You have 4 days to complete the payment.
Since I have access to this email account, I will be aware if this message has been read.
Upon receipt of the payment, I will remove all traces of my malware, and you can resume your normal life peacefully.
I keep my promises!
The message is a bit contradictory. Early on, the sender claims they have already removed the malware to “erase all traces,” but later promises to remove it after receiving payment.
I found that one particular sender using the name Jenny Green and the Gmail address JennyGreen64868@gmail.com sent many of these emails to people that use the FakeMailGenerator service.
FakeMailGenerator is a free disposable email service that gives users a temporary, receive‑only inbox they can use instead of their real address, mainly to get around email confirmations or avoid spam.
As mentioned, the addresses are receive‑only, meaning they cannot legitimately send mail and the mailbox is not tied to a specific person. On top of that, there is no login. Anyone who knows the address (or guesses the inbox URL) can see the same inbox.
My guess is that the scammer searched these public inboxes for passwords and then reused those passwords in their sextortion emails.
So users of FakeMailGenerator and similar services should consider this a warning. Your inbox may be publicly accessible, show up in search results, and you may receive a lot more than what you signed up for. Definitely don’t use services like this for anything sensitive.
Knowing these scams exist is the first step to avoiding them. Sextortion emails rely on panic and embarrassment to push people into paying quickly. Here are a few simple steps to protect yourself:
Pro tip: Malwarebytes Scam Guard immediately recognized this for what it is: a sextortion scam.
What do cybercriminals know about you?
Use Malwarebytes’ free Digital Footprint scan to see whether your personal information has been exposed online.
As the digital landscape undergoes profound shifts, the recently released National Cyber Strategy provides the essential foundation for enduring American leadership. By prioritizing the disruption of hostile actors, future-proofing networks, accelerating quantum readiness, and securing the AI frontier, the strategy provides the strategic clarity necessary to protect our digital way of life from sophisticated adversaries. Palo Alto Networks commends National Cyber Director Sean Cairncross for his leadership and looks forward to working with the administration to operationalize this strategy.
Each pillar of the strategy galvanizes meaningful action to advance our collective defense:
This signals a decisive shift toward the proactive disruption of malicious actors. The Trump Administration has made clear that the U.S. Government should impose real costs on adversaries to change their behavior. While the private sector is already executing discrete disruptions against malicious actors, coordination has historically been fragmented. The strategy identifies that increased collaboration with private sector entities, who possess unique insight into adversary behavior, can in turn enable more impactful deterrence.
The strategy appropriately recognizes that complexity is the enemy of security. A focus on measurable improvements in cyber outcomes (versus check-the-box compliance exercises) collectively makes us all safer. While much attention is rightfully paid toward harmonizing incident reporting requirements, which Palo Alto Networks wholeheartedly supports, let’s not stop there. The federal government can lead by example by consolidating and streamlining federal government software compliance certifications. For example, there should be logical reciprocity between FedRAMP High and DoW IL-5 certifications.
In addition to the necessary attention on AI-powered cyber defense, cloud security and zero trust network architecture, Palo Alto Networks applauds the discrete focus on quantum-safe security ahead of “Q-Day,” the point where quantum computing capabilities will compromise legacy public key encryption that has underpinned cybersecurity for decades. As Federal CISO Mike Duffy recently stated, "Modernization without considering PQC readiness or cryptographic agility is really creating technical debt in the future, something that we don’t want to see ever.”
To address this challenge, Palo Alto Networks provides a structured quantum-safe framework organized into four stages:
The bottom line is that 2035 is too late. Quantum readiness must accelerate today, and this strategy will set a critical North Star to drive the necessary urgency.
Critical infrastructure resilience is central to our homeland security, economic security, public health and safety. Unfortunately, critical infrastructure entities are increasingly under assault from emboldened cyber adversaries.
In fact, Palo Alto Networks research shows some form of operational disruption in up to 86% of major cyber incidents. Our 2026 Global Incident Response Report underscores another sobering reality: These entities are under assault from all angles. In 87% of cyber incidents, attacks targeted multiple attack surfaces, which spanned the network, cloud, endpoints and identity.
Recognizing that you can’t secure what you can’t see, we need a national-level effort to identify, prioritize and harden the critical infrastructure that the American people depend upon. This strategy puts an important marker in the ground to revitalize those efforts.
Palo Alto Networks was pleased to see the strategy reinforces the core tenets of the AI Action Plan, emphasizing that "secure-by-design" principles for AI technologies are non-negotiable and that AI adoption and AI security can and must be inexorably linked.
Enterprises should be able to deploy AI confidently without fear of data leakage, model tampering or rogue AI agents. However, despite our research showing an 88% success rate of “jailbreaking” techniques against widely deployed AI models, only 6% of organizations currently have an AI security strategy. It’s time to flip this paradigm and put defenders back in the driver’s seat in this AI-first moment.
To support this emerging consensus around the importance of promoting AI security, we developed the Secure AI by Design Policy Roadmap. This framework provides a four-part construct to evaluate the evolving dimensions of threats to AI systems. Palo Alto Networks is also proud to make its comprehensive AI security suite, Prisma® AIRS
, available to all federal agencies at substantial discounts through GSA’s OneGov Initiative.
Recognizing America’s cyber workforce as a “strategic asset,” the strategy calls for a pragmatic and accessible pipeline for developing talent. The explicit recognition that we should take advantage of existing avenues across government, industry and academia is important. For example, Palo Alto Networks is proud of the impact of its Cybersecurity Academy – that provides free, NIST Framework-aligned curricula covering essential domains, such as cybersecurity fundamentals, enterprise and network security, cloud security, security operations and the AI/cybersecurity nexus.
Resources like this, and those for other entities, can form the basis of a renewed focus on cyber talent development.
Palo Alto Networks views itself as more than a cybersecurity vendor. We see ourselves as an integrated national security partner of the federal government at a moment when defending our digital way of life demands all of us working together. To that end, we are ready to do our part to turn strategic vision into action.
This strategy should be applauded. Let’s roll up our sleeves and get to work.
The post How the National Cyber Strategy Secures Our Digital Way of Life appeared first on Palo Alto Networks Blog.
