Microsoft 365 Copilot's Security Flaw, AI in Misinformation, and Emerging Cybersecurity Solutions

[00:00:02] It's Thursday, June 12th, 2025, and I'm Dave Solt. Three things to know today. Microsoft 365 Copilot exposed a zero-click exploit raising serious questions about AI agent security. OpenAI reveals state-level actors using ChatGPT for cyber ops. ConnectWise faces renewed scrutiny over certificate updates, and new tools from Huntress, Netgear, and Varonis signal a pivot towards hands-on, automated, and resilient security. This is the Business of Tech.

[00:00:33] Microsoft 365 Copilot, the artificial intelligence tool integrated into Microsoft Office applications, has been found to have a significant security vulnerability known as Echo Leak. This flaw allows hackers to access sensitive information without requiring user interaction, simply by sending an email to a user, which Copilot reads and acts upon. The discovery was made by AIM Security, which took three months to reverse-engineer the software.

[00:01:00] They reported that this is the first known zero-click attack on an artificial intelligence agent, highlighting a broader risk of such vulnerabilities in AI systems. Microsoft has stated that the issue has been addressed and that no customers were affected, but experts warn that this design flaw reflects deeper issues in the security of large language model-based AI agents, akin to vulnerabilities seen in software two decades ago.

[00:01:25] Open AI's latest threat report reveals that malicious actors, including those potentially linked to North Korea and Russia, are exploiting the capabilities of ChatGPT to conduct cyber crime and misinformation campaigns. The report highlights ten operations that were shut down, involving the generation of fake job applications and social media content aimed at undermining security and spreading disinformation.

[00:01:49] Among these, four campaigns were traced back to China, showcasing the use of artificial intelligence in crafting deceptive online personas and generating resumes. The threat report also noted that some operators used ChatGPT to develop malware, while others created fake accounts to spread election-related misinformation in Germany.

[00:02:09] The New York Times has reported on the acquisition of secret Russian intelligence documents that were advertised online by a cybercrime group known as Ares Leaks. The documents include a directive from Russia's domestic security service, revealing insights into the country's counterintelligence operations concerning China. Ares Leaks announced the sale of these classified documents on the messaging app Telegram, claiming they originated from within the Federal Security Service.

[00:02:38] The New York Times confirmed the authenticity of the documents through consultations with six Western intelligence agencies, all of which verified their format and content. The documents indicate heightened concerns within Russia regarding Chinese espionage as the relationship between the two nations evolves. The report highlights the growing market for sensitive government documents, with Ares Leaks offering multiple tranches of Russian intelligence for up to $120,000. Why do we care?

[00:03:08] Microsoft 365 co-pilot's vulnerability highlights that AI agents with ambient access to data and intent execution, like reading emails and summarizing content, are not passive tools, they are autonomous actors. This requires rethinking endpoint protection, email filtering, and how we assess trust boundaries for LLM-based assistance. Malicious actors are already using LLMs for social engineering, malware authoring, and disinformation.

[00:03:35] The fact that groups linked to North Korea, Russia, and China were detected shows this is state-level strategic usage, not script-kitty experimentation. The Ares Leaks story adds another unsettling dimension. Intelligence-grade documents are being commercialized on the dark web. This means that the next breach isn't just a ransomware event, it could be state secrets sold to the highest bidder, with downstream risk for anyone affiliated, be it a supply chain, vendors, or geopolitical alignment.

[00:04:33] And push vendors for career, threat modeling, and response plans for their AI integrations, especially for zero-click scenarios. And critically, this reinforces a long-term strategic truth.

[00:05:02] With every new breach and threat that I cover, it's clear that cybersecurity isn't a luxury anymore. It's a necessity. That's where Huntress comes in. Their fully-managed cybersecurity platform is built for every kind of business, not just the 1%. Huntress seamlessly integrates their products and threat-hunting team.

[00:05:21] Their EDR, ITDR, SIM, and security awareness training solutions are purposely built for their elite 24x7 security operations center to stop threats before anyone else even spots them. This potent combination of purpose-built cybersecurity and threat hunting expertise is one of the many reasons why G2 users have voted Huntress the number one rated EDR for growing businesses.

[00:05:46] To see what people-powered cybersecurity looks like, visit Huntress.com slash MSB Radio. ConnectWise is urging customers to update their Screen Connect, Automate, and ConnectWise RMM solutions by June 13th, following the rotation of digital code signing certificates. The initial warning indicated that the certificate changes would take effect on June 10th, but this was extended to June 13th.

[00:06:12] The flagged vulnerability relates to how Screen Connect managed configuration data in earlier versions, prompting ConnectWise to enhance its software security measures. This action is intended to address concerns raised by a third-party researcher regarding the handling of configuration data and is not linked to a recent nation-state attack disclosed by the company.

[00:06:33] The planned rotation follows a recent discourse that ConnectWise detected malicious activity in its environment, although the company emphasized that the certificate rotation is a separate measure. Customers with on-premises versions of Screen Connect or Automate are advised to update their software and validate that all agents are updated by 8pm Eastern Time on Friday to prevent disruptions. ConnectWise is also automatically updating certificates and agents for its cloud instances. Why do we care?

[00:07:03] ConnectWise wants to distance this from the nation-state breach it previously disclosed, but customers don't experience these events in isolation. A security incident combined with a rushed certificate rotation and vague language regarding configuration flaws results in reduced confidence in the vendor's internal controls. Let's not forget, Screen Connect was already the target of mass exploitation earlier this year. That breach cycle remains fresh in the minds of MSPs and clients.

[00:07:31] Now, there's a counterargument. Digital certificate rotation is a best practice and ConnectWise may simply be enhancing its hygiene in response to recent scrutiny. Proactive maintenance isn't inherently suspicious. But if that's true, why the hard deadline? Why not a phased rotation with an optional fallback? The aggressive timeline implies there's more beneath the surface. This isn't just a certificate update.

[00:07:57] It's a stress test for MSPs using ConnectWise's tools, particularly those on-prem. It raises critical takeaways. Every RMM and remote tool vendor is now part of the threat's surface. Certificate integrity, update discipline, and rapid response are more important than effort. Providers should regard certificate-related updates as critical infrastructure changes, not secondary patches.

[00:08:20] And vendors need to be more transparent about what prompted certificate rotations, especially when they follow breaches. Obfuscation undermines partner trust. Bottom line? MSPs must audit and test their agent update processes now. If this incident doesn't spark a broader conversation about vendor risk management, it should. Because the ability to trust your RMM is not optional.

[00:08:47] Huntress has launched Threat Simulator, a new feature for its managed security awareness training program, designed to enhance user engagement by providing hands-on training that simulates real-world hacking scenarios. This innovative approach aims to address the shortcomings of traditional training methods, which often fail to engage users effectively. According to a survey of 2,000 early access users, 90% reported gaining new knowledge about security threats from the threat simulator.

[00:09:15] Dima Kumetz, principal product manager at Huntress, emphasized that the training moves beyond basic phishing simulations, immersing users in scenarios that emulate hacker tradecraft. By teaching users to think more like attackers, Huntress aims to create a more proactive security culture within organizations. Netgear is acquiring Exxium, a cybersecurity provider, to launch a new integrated networking and security platform aimed at managed service providers and small-to-medium enterprises.

[00:09:43] The acquisition is part of Netgear's ongoing investment in cloud-based solutions and aims to simplify advanced business connectivity for the organizations. Exxium's products are specifically designed to support managed service providers in serving their clients, further enhancing Netgear's commitment to delivering reliable and cost-effective networking solutions.

[00:10:03] And Varonis has introduced the Model Context Protocol Server, which allows users to integrate artificial intelligence tools like ChatGPT, Cloud, and GitHub Copilot into its data security platform. This new server enables clients to issue natural language prompts to automate data security tasks and extract insights. The system is designed to translate user instructions into automated outcomes, enhancing the platform's capabilities in managing data security and compliance.

[00:10:31] Varonis reports that their data security platform is utilized by thousands of organizations globally for various security tasks, although specific pricing and rollout details for the MCP server remain undisclosed. And Cohesity has introduced a new approach to application resilience with its latest tool, Cohesity Recovery Agents, designed to facilitate clean recovery of applications following cyber attacks.

[00:10:54] This tool aims to address the shortcomings of traditional disaster recovery methods by ensuring that organizations can restore applications from a last-known good state, thereby avoiding the reintroduction of vulnerabilities. The five-step cyber resilience model recommended by Cohesity emphasizes the importance of protecting all data, ensuring recoverability, detecting threats, practicing application resilience, and optimizing risk posture. Cohesity Recovery Agent allows for automated orchestration of recovery processes,

[00:11:24] which can significantly reduce recovery time and improve security posture. Cohesity's Cyber Event Response Team is available around the clock to assist customers in the event of incident. Why do we care? We're watching the next iteration of cybersecurity tools coalesce around realism, automation, and simplification. Not just more alerts, more dashboards, more tools. More providers?

[00:11:47] Up skill around AI security workflows because your customers will soon expect to ask for outcomes, not click through interfaces. We gotta focus on customer engagement. Tools like Threat Simulator aren't just training, they're customer stickiness generators. And push vendors to prove recovery works, not just claim backups in tact. The vendors succeeding now are those that integrate security into business workflows, speak the language of outcomes, and offer measurable value in response and resilience.

[00:12:16] And that's where IT services companies must align to stay relevant. This episode is supported by Comet Backup. Not all heroes wear capes. Some live among us, quietly saving businesses one help desk ticket at a time. Whether you're battling ransomware, hardware failure, or human error, Comet's powerful backup and recovery solutions put you in control. Manage all your backups in Comet's simple, centralized platform. Protect computers, servers, virtual environments, emails, and databases.

[00:12:47] When disaster strikes, be the hero your business needs. With Comet Backup, you're not just saving the data, you're saving the day. Comet Backup, for the everyday IT heroes. Visit cometbackup.com to start your free 30-day trial today. Get $100 free credit when you sign up with the promo code MSPRADIO. Comet Backup, be the hero, save the day. Thanks for listening.

[00:13:12] Today is National Loving Day, National Jerky Day, National Peanut Butter Cookie Day, and International Falafel Day. It's quite a menu. Join me for a webinar sponsored by Nerdio, modern endpoint management with Intune, what works and what doesn't. Visit bit.ly slash Nerdio webinar or link in the show notes. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech.

[00:13:42] If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly. Give us a review, too. If you want to support the show, visit patreon.com slash MSP radio, and you'll get access to content early. Or buy our Why Do We Care merch at businessof.tech. Have a question you want answered?

[00:14:05] We take listener questions, send them in, ideally as a voice memo or video to question at MSP radio.com. I answer listener questions live on our Wednesday live show on YouTube and LinkedIn. If you've got a comment or a thought on a story, put it in the comments if you're on YouTube, or reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit MSP radio.com slash engage. Once again, thanks for listening. And I will talk to you again on our next episode.

[00:14:38] Part of the MSP radio network.