Cyberattacks

Protect your applications from zero-day attacks with Datadog Exploit Prevention

Due to their numerous components and dependencies, web applications often have multiple vulnerabilities—many of them unknown and susceptible to zero-day attacks—that can be exploited by malicious HTTP requests. Determining whether a vulnerability exists is challenging without visibility into an application’s real-time data and event flows, which isn’t possible with existing firewall-based solutions.

Attackers Abuse DocuSign to Send Phony Invoices

Threat actors are abusing DocuSign’s API to send phony invoices that appear “strikingly authentic,” according to researchers at Wallarm. “Unlike traditional phishing scams that rely on deceptively crafted emails and malicious links, these incidents use genuine DocuSign accounts and templates to impersonate reputable companies, catching users and security tools off guard,” Wallarm says.

How AI Can Help Law Firms Ensure Cybersecurity

Artificial intelligence is now being used in many sectors and can have very positive effects. Routine jobs that people no longer want to deal with are given to artificial intelligence and completed efficiently. Cybersecurity is one such sector. Many companies, including law firms, need to ensure their cybersecurity, and artificial intelligence can help them in this regard.

BlackBasta Ransomware Gang Uses New Social Engineering Tactics To Target Corporate Networks

ReliaQuest warns that the BlackBasta ransomware gang is using new social engineering tactics to obtain initial access within corporate networks. The threat actor begins by sending mass email spam campaigns targeting employees, then adding people who fall for the emails to Microsoft Teams chats with external users. These external users pose as IT support or help desk staff, and send employees Microsoft Teams messages containing malicious QR codes.

If Social Engineering Is 70% - 90% of Attacks, Why Aren't We Acting Like It?

Over a decade ago, I noticed that social engineering was the primary cause for all malicious hacking. It has been that way since the beginning of computers, but it took me about half of my 36-year career to realize it. At the time, I think everyone in cybersecurity knew social engineering was a big part of why hackers and their malware programs were so successful, but no one really knew how big.

LOTL Attacks-The Silent Saboteurs in Your Systems

Living Off the Land (LOTL) cyber attacks have become a major headache for cybersecurity professionals. These insidious attacks are getting more sophisticated and widespread, posing serious risks to businesses and even national security. Unlike traditional malware-based attacks, LOTL techniques exploit the very tools and processes that organizations rely on for their daily operations.

Cross-Site Request Forgery Cheat Sheet

“Aren’t you a little short for a Stormtrooper?” In this iconic Star Wars moment, Princess Leia lazily responds to Luke Skywalker, disguised as one of her Stormtrooper captors and using authentication information to open her cell. In other words, Star Wars acts as an analogy for a cross-site request forgery (CSRF) attack. In a CSRF attack, malicious actors use social engineering so that end-users will give them a way to “hide” in their authenticated session.

How to Secure Your Network Infrastructure

With governments across the globe gearing up for major elections, experts have been predicting an increase in distributed denial of service (DDoS) attacks from nation-states and, so far, those predictions have paid off. According to Forbes, a recently thwarted DDoS attack found hackers sending traffic at 3.8 terabytes per second to a target server, peaking at 2.14 billion packets per second, making it the largest DDoS attack ever recorded.