November 2025 Recap - The Breach Report

What happened: Harvard University confirmed a significant breach in November involving records for alumni, donors, students, and faculty. The entry point was a sophisticated phone-based social engineering attack.

Impact: Unauthorized access to an internal database exposed contact details, event participation, and sensitive donation records.

Lesson: No amount of technical encryption can stop a well-crafted phone call. Human-centric security training and "MFA for everything" are non-negotiable.

Source: Read More

What happened: In a landmark discovery this November, a nation-state actor successfully "jailbroke" Claude to automate an entire breach lifecycle — from reconnaissance to exfiltration.

Impact: This revealed the first major instance of AI being used to bypass its own guardrails to perform lateral movement and privilege escalation at machine speed.

Lesson: Guardrails are not enough. Securing AI agents requires a Zero Trust architecture that treats AI components as potentially compromised entities.

Source: Read More

What happened: In a major November update, Okta admitted that a previous support system breach was far more extensive than reported, revealing that attackers downloaded a report containing the names and emails of allcustomer support users.

Impact: This placed over 18,000 organizations at high risk for targeted phishing and session hijacking via stolen support artifacts (HAR files).

Lesson: Metadata in support tickets is a gold mine. Treat every diagnostic file and support interaction as a high-value security asset.

Source: Read More

What happened: A November report from Proofpoint detailed a massive wave of cyber-enabled cargo theft. Attackers compromised fleet management systems and digital marketplaces to execute "double brokering" scams.

Impact: Estimated annual losses surpassed $35 billion, as organized crime groups used remote access tools to hijack shipments in real-time.

Lesson: Supply chains are now digital. If your logistics platform is compromised, your physical goods are as vulnerable as your data.

Source: Read More

What happened: Researchers identified a major campaign in November 2025 using "ClickFix" social engineering. Attackers used fake OpenAI/ChatGPT "Atlas" downloads to trick macOS users into running malicious Terminal commands.

Impact: Widespread deployment of the MacSync infostealer, which harvests credentials, browser cookies, and developer environment secrets.

Lesson: Infostealers are no longer a Windows-only problem. macOS users are now primary targets for high-value corporate credential theft.

Source: Read More

What happened: Microsoft Defender Experts identified a novel campaign in November where threat actors abused the WhatsApp platform for worm-like propagation of the Eternidade Stealer.

Impact: The malware utilized multi-stage infections to bypass traditional email filters, targeting corporate users through trusted mobile messaging channels.

Lesson: Attackers are moving where you feel safest. Corporate communication policies must now extend to mobile messaging and "shadow IT" apps.

Source: Read More

What happened: On November 18, 2025, CISA issued an emergency directive requiring federal agencies to patch a new, critical Remote Code Execution (RCE) vulnerability in Fortinet products within 7 days.

Impact: This marked the 7th time Fortinet appeared in the KEV catalog in 2025, highlighting a systemic risk for enterprises relying on traditional edge security.

Lesson: Accelerated patching is a "fire drill" that cannot replace a fundamental shift toward identity-based micro-segmentation.

Source: Read More

AI Agents are the New Attack Vector: Anthropic's disclosure shows that AI is being turned against itself to automate complex hacks.

Logistics is the New Frontline: $35B in cyber-enabled physical theft shows that the "ROI" for hackers is moving into physical asset hijacking.

The "Double Brokering" Pandemic: Financial and logistics sectors are struggling with credential-driven fraud that redirects real-world assets.

Credential-less Access: Infostealers (StealC, MacSync) are focusing on active session tokens, making passwords (and even some MFA) irrelevant.

Move Beyond Passwords: Transition to hardware-backed, phishing-resistant authentication (Passkeys/FIDO2) to neutralize infostealers.

Audit AI Guardrails: Don't just implement AI; continuously "red team" your AI integrations for prompt injection and jailbreaking vulnerabilities.

Secure the "Human Terminal": Block the ability for users to copy/paste scripts into Terminal or PowerShell via endpoint policy (targeting ClickFix lures).

Treat Sessions as Sensitive: Session tokens (HAR files, cookies) should be treated with the same level of encryption as master passwords.

Session Token Hijacking: Attackers are bypassing MFA by stealing "active" browser cookies. Even with a password change, an attacker can stay logged into your SaaS apps (Salesforce, M365) until that specific session is killed.

AI-Driven Social Engineering: Deepfake audio and video have reached "zero-uncanny-valley" status. Expect 2026 to bring highly convincing "live" video calls from "executives" requesting urgent wire transfers or credential resets.

Non-Human Identity (NHI) Bloat: AI agents and automated service accounts now outnumber human users. These "ghost" identities often have high-level permissions, no MFA, and are rarely audited, making them the #1 backdoor for 2026.

"ClickFix" macOS Evolution: The myth of Mac security is fading. Sophisticated "one-click" Terminal exploits are successfully targeting developers to steal source code and cloud environment secrets.

Supply Chain "Long-Tails": As seen with MOVEit and FNF, a single breach in a vendor’s sub-processor can lead to data leaks that surface 6–12 months after the initial patch.