What Does AI-Powered Email Security Really Mean

Four public disclosures this quarter. Same pattern. Same failure mode. CVE-2026-26144: crafted Excel content turns Copilot Agent into a zero-click exfiltration channel. CVE-2026-0628: a malicious Chrome extension hijacks the Gemini side panel and inherits camera, mic, and file-access privileges. CVE-2026-26133: an attacker-crafted email hijacks Microsoft 365 Copilot's summarization surface to produce phishing content inside the assistant's trusted output. Zenity Labs' PleaseFix: a calendar invite steers Perplexity's Comet agentic browser to exfiltrate a user's 1Password vault and change the master password. Different agents, different vendors, different data sources. The failure was the same in every case. None of these were jailbreaks. None required a zero-day in the underlying model. The agents did exactly what they were allowed to do. An attacker planted instructions in a channel the agent was permitted to read. The agent followed them. Data left. No alert fired. This is the lethal trifecta demonstrated four times in public: access to sensitive data, exposure to untrusted content, ability to act externally. Each capability is useful. The combination is an exfil vector. Three things these demos force a CISO to accept: Every agent with those three capabilities is one well-crafted input away from an incident. The probability is not zero. It is a matter of time. Your existing controls did not block these demos in lab conditions. They will not block them in production either, because the controls were built for a different threat model. Identity is the first lever. If you cannot name every agent in production and describe its exact permissions, you cannot reason about blast radius. The uncomfortable part is that these are the responsible disclosures. The unreported ones are already in the wild. The question for Monday morning: which of your agents could survive being handed a malicious email, support ticket, or web page? #AISecurity #AgenticAI #PromptInjection #CyberSecurity #EnterpriseAI

We keep spending billions on perimeter security. And attackers keep walking through the front door with a fake email. A recent case proved it again and the details are sobering. A major organization, one of the most sophisticated in the world, was targeted by a nation-state-backed attacker for nearly five years. No ransomware. No elaborate exploit chain. Just spear-phishing. Done with surgical precision. Here's what actually happened, and what it means for every security team right now: ① The attack was personal, not automated. The attacker didn't spray emails blindly. He researched targets on LinkedIn and in academic publications, identified who was working on what, then sent a casual email pretending to be a known colleague, asking for software copies or source code as a favor. ② The stolen IP had direct weapons-grade applications. The attacker was an engineer at a state-owned defense conglomerate. Every successful email was a capability transfer to a foreign adversary's weapons program. ③ The red flags were there. Nobody was looking across the signals. Multiple requests for the same software. No justification provided. Unusual transfer patterns. Each signal in isolation looked like a quirky email. Most security stacks would have fired a single alert on any one of these emails. And that alert would have sat in a queue, uninvestigated, next to 200 others. The threat wasn't a technical exploit. It was a trust exploit, and it worked because no one was watching the full picture. Your tools aren't enough if your analysts can't see across them. What's your team's process when a signal looks "too normal" to be suspicious? At SecureSense, we help security teams stop investigating in silos and start seeing the full picture. If your team is drowning in individual alerts without the context to connect them, let's talk. 📩 Drop a comment or DM us. We'll show you what correlated detection actually looks like in practice. #cybersecurity #securesense

A 686% surge in malicious n8n webhooks is bypassing your email filters. Since October 2025, threat actors have weaponized the trusted AI workflow automation platform n8n. They use its webhook functionality to host malicious links and tracking pixels. The Problem: Legitimate .app.n8n.cloud subdomains are being abused. This bypasses traditional security, making attacks appear to come from a trusted source. The Impact: • Phishing emails deliver malware disguised as shared documents. • Device fingerprinting occurs via invisible tracking pixels. • Attackers deploy modified RMM tools like Datto for persistent C2 access. The Agitation: Your team's productivity tools are now a threat vector. The same automation designed to save time is being repurposed to attack you at scale. The Solution: Security teams must adapt. Monitor for anomalous traffic to automation platform subdomains. Treat low-code/no-code platforms as part of your attack surface. How is your team securing your infrastructure against this type of exploitation? Let’s discuss in the comments below. #CloudSecurity #ThreatIntelligence

🔎 Scenario: Suspicious Login → Possible Account Compromise 🧠 Step 1: Alert Triggered Alert from Splunk: 👉 “Multiple failed logins followed by a success from unusual IP” 🔍 Step 2: Identify Failed Logins (Brute Force Check) index=auth_logs user=jdoe action=failure | stats count by src_ip | sort -count ✅ What I look for: High number of failures from a single IP Multiple IPs targeting same user 👉 Finding: One IP with 500+ failures → brute-force suspected 🔍 Step 3: Check for Successful Login After Failures index=auth_logs user=jdoe action=success | table _time, user, src_ip, location ✅ What I look for: Success after failures New or unusual IP/location 👉 Finding: Successful login from foreign IP (never seen before) 🌍 Step 4: Validate Geographic Anomaly index=auth_logs user=jdoe action=success | iplocation src_ip | table _time, src_ip, Country, City 👉 Finding: Login from another country (impossible travel) 🧑💻 Step 5: Check User Activity Post-Login index=endpoint user=jdoe | stats count by process_name, parent_process ✅ What I look for: Suspicious processes (PowerShell, cmd, encoded scripts) Privilege escalation behavior 👉 Finding: powershell.exe with encoded command Possible attacker activity 📁 Step 6: Look for Data Exfiltration index=network user=jdoe | stats sum(bytes_out) by dest_ip | sort -sum(bytes_out) ✅ What I look for: Large outbound traffic Unknown external IPs 👉 Finding: High data transfer to external IP → exfiltration suspected 🦠 Step 7: Check Against Threat Intelligence index=network dest_ip=* | lookup threat_intel ip as dest_ip OUTPUT threat_level | where threat_level="high" 👉 Finding: Destination IP flagged as malicious 🚨 Step 8: Incident Conclusion Brute-force attack → successful login Account compromised Suspicious PowerShell activity Data exfiltration to malicious IP 🛠️ Step 9: Response Actions Disable/lock user account Reset credentials + enforce MFA Block malicious IPs Isolate affected endpoint Initiate full forensic investigation #SOCANALYSTS, #CYBERSECURITY, #INCIDENTRESPONSE, #MITTREATT&CK

Cybersecurity Insiders, partnering with Saviynt, unveils new findings showing that AI identities are increasingly active within key enterprise systems, frequently without proper governance or visibility. https://gag.gl/QsOkAt

There’s a structural imbalance in cybersecurity that’s easy to overlook. Attackers need one successful attempt. Defenders need systems that hold up every time. As Andras Cser, VP and Principal Analyst, Forrester explains in this clip, that imbalance is compounded by compliance requirements, operational scale, and the need for repeatability. All of this sits on the defender’s side. This becomes more complex in identity workflows. Deepfakes and synthetic identities are now being tested against onboarding and access controls, where consistency is difficult to maintain under pressure. If you’re responsible for identity or workforce security, this is the context behind many of the decisions being made right now. The full session goes deeper into where this imbalance shows up and how teams are approaching it. Watch the on-demand webinar → https://lnkd.in/eEGsjGee #Deepfakes #iProov #Forrester

When an analyst opens a complex investigation, they see may see dozens or hundreds of correlated alerts, multiple detection rules firing, authentication events spanning several countries, and even affected identities from different providers. Next, they have to try to piece together what happened. They haev to build the narrative from the evidence before they can act on it. That takes time, and in identity-based attacks, time is what determines how much damage gets done. Auth Sentry now does that preliminary investigation automatically. Our new AI Analysis capability reads everything attached to an investigation - the correlated alerts, the detection rules that fired, affected identities, source IPs, geolocation data, evidence from triage - and produces a structured summary in seconds. Not a generic notification, a narrative: who was targeted, which rules fired and why, the time window of the activity, and the geographic footprint of the authentication events - all written to be read by a human analyst, not parsed. The output also includes a disposition recommendation: "malicious," "needs review," or "benign," with a confidence score and the specific factors behind why it's labeled that way, along with concrete next steps, scoped to the integrations your organization actually has active. If you have Okta connected, it tells you to suspend the account in Okta. If you have Slack, it tells you where to notify your team. Available now on the Predict tier. Try it free for 7 days. See how it works: gethumming.io/how-it-works #ITDR #IdentitySecurity #SecurityOps #CyberSecurity

AI phishing is no longer just about emails,it’s about impersonation at scale. In 2026, attacks have evolved to mimic real employees, systems, and workflows, making PII vaults a primary target. Once inside, attackers don’t break in, they blend in. This is where traditional security fails. CryptoBind Vault changes the model with zero-trust by design:  Every access request is verified  Sensitive data is never exposed in its original form  Tokenization ensures unusable data even if intercepted  Full visibility with real-time monitoring and audit trails  📩 Connect with us: connect@jisasoftech.com #CryptoBind #DigitalTrust #QuantumSecurity #HSM #DataSecurity #CyberResilience #JISASoftech 

The Cyber Security Tribe team connected with vendors at #RSAC26, asking them to lead not with a pitch, but with the real challenges CISOs are facing today and how they’re solving them. Because we all know: it’s not about selling, it’s about solving. Thank you to everyone who took the time to share their insights. This is a valuable read for anyone looking to better understand how the industry is addressing critical cybersecurity gaps. https://lnkd.in/ezJtgPWP tricia howard, Above Security, Christopher H., BigID, Reuven (Rubi) Aronashvili, CYE, Bernard Brantley, Corelight, Carole Winqwist, GitGuardian, Jake Turetsky 🎷, Noam Issachar 🎷, Yonatan Zohar 🎷, Jazz, Markus Mueller, Nozomi Networks, Rod Schultz, Bolster AI

This one is great! A week after RSA and Dorene Rettas has got a great article that covers so many of the areas of interest last week! Take a few minutes and catch up! #bigid #cybersecuritytribe #aisecurity #datasecurity