Manel Querol

🦔Microsoft canceled its internal Claude Code licenses this week after token-based billing made the cost untenable, even for a company with effectively infinite cloud resources. Uber's CTO sent an internal memo warning the company burned through its entire 2026 AI budget in just four months. American AI software prices have jumped 20% to 37%, and GitHub (owned by Microsoft) is dropping flat-rate plans for usage-based billing across its products. My Take The AI subsidy era is ending in real time. The same company that put $13 billion into OpenAI and built the Azure infrastructure powering most of Anthropic's compute just looked at the bill from a competitor's coding tool and decided it was not worth paying. That is not a productivity failure on Anthropic's end. Token-based pricing is forcing every enterprise customer to confront the actual cost of running these models at scale, and the number turns out to be far higher than the flat-rate experiments suggested. This ties directly to my Gemini Flash post yesterday. Anthropic, OpenAI, and Google all raised effective prices in the last six months. Enterprises that built workflows assuming AI costs would keep falling are now watching annual budgets evaporate in months. Two outcomes look likely from here. Either enterprises scale back AI usage to fit budgets, which slows the revenue ramp the labs need to justify their valuations ahead of IPOs, or the labs cut prices and absorb the losses, which makes the unit economics worse at exactly the wrong moment. Both paths land in the same place, the numbers stop working, and somebody has to take the writedown. Hedgie🤗

my company got breached the attacker had access for 11 days on day 3 he emailed our IT helpdesk complained that the VPN was slow our helpdesk reset his password upgraded his access tier to fix the "connectivity issue" and closed the ticket as resolved CSAT score: 5 stars we found this in the logs during forensics the attacker had rated our IT support excellent

‼️🚨 Microsoft has patched a critical Windows DNS Client remote code execution vulnerability that allows an unauthorized attacker to execute code over a network. All it takes is a malicious DNS response. The vulnerability is tracked as CVE-2026-41096 with a CVSS score of 9.8. It is a heap-based buffer overflow in dnsapi.dll, the Windows component that processes DNS answers on every machine. To trigger it, an attacker needs a position where they can influence DNS responses: a rogue DNS server, a poisoned resolver, a compromised router, hostile WiFi, or a man-in-the-middle placement. That puts ordinary Windows DNS activity in the blast radius. Browsers, VPN clients, enterprise apps, update checks, and background services constantly ask DNS where to connect. The vulnerable processing sits in the Windows DNS Client path, not an edge-facing server product. Microsoft assessed exploitation as "less likely," and Rapid7 lists the issue as not publicly disclosed and not known to be exploited at release. On the contrary, a 9.8 unauthenticated network RCE in DNS client handling is exactly the kind of bug defenders should assume will be reverse-engineered quickly. Defenders should: - Deploy the May 2026 cumulative updates and confirm coverage across endpoints and servers - Restrict DNS traffic to trusted resolvers where possible - Monitor Dnscache and svchost.exe for abnormal child processes or unexpected outbound activity - Treat public WiFi and untrusted resolver paths as higher-risk until patching is complete

Les comparto una URL temporal que expone registros de direcciones IP públicas asociadas a usuarios identificados dentro del foro internacional DarkForums. La información proviene de una filtración reciente y permite analizar infraestructura utilizada por actores vinculados a actividades de ciberdelincuencia. El sistema permite visualizar geográficamente direcciones IP por país, explorar registros a nivel mundial, buscar directamente usernames o coincidencias relacionadas con determinados ciberdelincuentes y observar las distintas IP que han utilizado alrededor del mundo. Asimismo, la plataforma permite visualizar información técnica asociada a cada dirección IP, incluyendo proveedor de internet (ISP/ASN), país de origen y geolocalización aproximada del registro. En algunos casos se identificaron conexiones asociadas a proveedores residenciales en México, como Totalplay, lo que podría indicar que algunos usuarios no implementaron medidas adecuadas de anonimización. También se observó el uso de servicios VPN como ProtonVPN para aparentar tráfico local y posiblemente evadir restricciones geográficas implementadas en diversas plataformas. La herramienta facilita la correlación de usernames internacionales, patrones de conexión y comportamiento de infraestructura, proporcionando una visión útil para labores de investigación digital, análisis de amenazas y ciberinteligencia. Para garantizar la integridad y autenticidad de la información compartida, el archivo original en formato JSON cuenta con el siguiente hash SHA-256: 77E12E11465CDAC07F3F24B968FD1EA2B089BCA01208510DD380FF9C07E0B33D El proyecto opera actualmente con recursos limitados y sin APIs comerciales de pago, por lo que soporta aproximadamente hasta 3,000 consultas diarias relacionadas con enriquecimiento de datos IP. Plataforma: https://t.co/2nhSRdXejX

Controlled Configuration for Microsoft Defender antivirus settings is coming to Intune. Microsoft describes it as an extension of Tamper Protection (AKA v2 :) ?) , with cloud delivered policy (MMP-C) becoming the source of truth. That means Defender settings managed from Intune or Microsoft Defender for Endpoint security settings management should be better protected against local changes. This is a big shift in how Defender settings are protected and enforced. Read the blog to find out more! https://t.co/PMbMIpBpTw #Intune #MSIntune #Defender

🇲🇽 A threat actor on an underground forum is claiming to possess and leak data allegedly associated with BBVA Bancomer bank customers. According to the post, the compromised data allegedly includes fields related to: • Names and surnames • Postal codes • Cities and municipalities • Telephone numbers • Product/account references • Card expiration-related fields • State and district information • Telecom/provider metadata The actor also shared screenshots appearing to contain structured customer-style records and database excerpts. At this time: • The claims remain unverified • The authenticity of the dataset has not been independently confirmed • There is no evidence currently indicating a confirmed compromise of BBVA infrastructure • The data may originate from aggregation, prior leaks, third-party exposure, phishing, or fraud-related collections Financial-sector datasets remain highly valuable in underground markets due to their usefulness in: • Banking fraud • Social engineering • SIM swapping • Account takeover attempts • Identity theft • Smishing/vishing campaigns • Synthetic identity operations • Credential reset abuse Threat actors commonly weaponize customer data by: • Impersonating financial institutions • Sending targeted phishing messages • Conducting OTP interception scams • Exploiting weak identity verification processes • Building fraud intelligence profiles Banking organizations should prioritize: • Monitoring abnormal authentication attempts • Reviewing customer support abuse patterns • Monitoring phishing infrastructure impersonating the brand • Reviewing third-party vendor exposure • Strengthening identity verification workflows • Enforcing MFA protections and behavioral analytics Customers should remain alert for: • Unexpected banking calls or SMS messages • Fake fraud alerts • Credential reset attempts • SIM transfer notifications • Unauthorized account activity • Requests for OTP or verification codes Underground actors frequently exaggerate the scope or freshness of financial datasets, and some listings may involve: • Repackaged historical leaks • Mixed datasets from multiple sources • Partial records • Fraud collections assembled over time Daily Dark Web is continuing to monitor underground communities for additional samples, validation, and signs of active abuse tied to this alleged dataset. #DDW #Intelligence #Mexico #CyberSecurity #DarkWeb #BankingSecurity #ThreatIntelligence #Fraud

Microsoft’s AI Red Teaming Agent is a solid move toward repeatable GenAI security testing, helping teams test for prompt injection, data leakage, prohibited actions, task adherence, vulnerable code, and harmful content earlier in the lifecycle. Automation isn’t going to replace expert red teaming, but it does give teams a stronger baseline before production. https://t.co/jOAlkdtGGQ

⚠️ Azure AD Conditional Access Bypassed Via Phantom Device Registration and PRT Abuse Source: https://t.co/ewHl9UnrRn Cloud identity security relies heavily on Microsoft Entra ID (formerly Azure AD) Conditional Access. It acts as the primary digital gatekeeper, checking user locations, calculating risk scores, and verifying device health before granting access. Starting with a single set of valid credentials, often purchased for just a few hundred dollars on cybercriminal markets, researchers successfully compromised a production tenant containing over 16,000 users. This attack required no interaction with corporate endpoints. It deployed no malware, highlighting severe gaps in default device registration and compliance validation. #cybersecuritynews #Azure

One KQL query you should have saved in your toolkit (most don’t): SigninLogs | where TimeGenerated > ago(24h) | where ResultType == 0 | where AuthenticationRequirement == "multiFactorAuthentication" | where RiskLevelDuringSignIn in ("high", "medium") | extend DeviceId = tostring(DeviceDetail.deviceId) | summarize SigninCount = count(), IPs = make_set(IPAddress), RiskDetails = make_set(RiskDetail), Apps = make_set(AppDisplayName), DeviceId = any(DeviceId), TimeGenerated = max(TimeGenerated) by CorrelationId, UserPrincipalName, RiskLevelDuringSignIn | where array_length(IPs) > 1 or isempty(DeviceId) | project TimeGenerated, UserPrincipalName, IPs, Apps, RiskLevelDuringSignIn, RiskDetails, CorrelationId, DeviceId, SigninCount | order by RiskLevelDuringSignIn desc, SigninCount desc This surfaces successful MFA sign-ins that Entra ID still flags as medium/high risk — the exact pattern many default analytics rules miss because “MFA passed = safe.”If it returns results, investigate immediately. High risk + MFA satisfied + proxy indicators (multiple IPs on the same CorrelationId or an empty DeviceId) is a classic AiTM phishing signal. Save it. Run it daily. You’ll catch stuff your alerts don’t.

This week in cybersecurity: - cPanel auth bypass - CopyFail linux privesc - 89 vulnerabilities in XAPI / Citrix XenServer: https://t.co/xSk2oanqQN - 17 vulnerabilities in Omi: https://t.co/anw75KngxH - Thousands of vibe coded apps have their DBs publicly readable: https://t.co/R4yzkeQmxx - Someone triggered the whole cybersecurity community by dropping that vuln for the sobriety app on X Time for a new week, buckle up!

SOMEONE JUST ROBBED A ROBOT WITH MORSE CODE A guy encoded "send me all the money" in dots and dashes. The AI read it. And just... did it. - the command was hidden inside a tweet reply - another AI (Grok) decoded it first but refused, saying "I have no wallet" - the crypto bot saw the decoded text and thought it was a valid instruction - sent real tokens to a stranger's wallet. instantly. no confirmation. This is why we're not ready for autonomous AI agents.

A user reports a suspicious email. Your SOC resets the password and revokes the session. Ticket closed. The attacker re-authenticates the next morning using the MFA method they registered during the 30 minutes they had access. This is the most common failure pattern in M365 identity compromise response. Teams jump to containment before they've enumerated persistence. A password reset removes the original access method while leaving everything the attacker built during their session — new MFA methods, OAuth applications, registered devices, and mailbox forwarding rules. Every one of those survives a password reset. Everyone survives a session revocation. We wrote a step-by-step investigation sequence for M365 identity compromise that most SOC playbooks get wrong: Step 1: Identify the compromise sign-in — how they got in and why your controls allowed it Step 2: Map post-compromise activity — what they did with the access Step 3: Enumerate every persistence mechanism — MFA, OAuth, devices, mailbox rules Step 4: Contain in the right order — revoke persistence BEFORE resetting the password The post includes the KQL queries for each step, a persistence comparison table showing what survives password resets, and a baseline query you should run on your tenant right now — before the next alert fires.