Ransomware Recovery Takes Center Stage as AI-Powered Attacks Outpace Prevention Managed Security Service Providers (MSSPs) are being urged to shift their focus from perimeter defense to rapid recovery as ransomware attacks grow more sophisticated. A 2026 report from Veeam reveals that 72% of companies never fully recover their data after an attack, underscoring the limitations of traditional prevention-only strategies. The rise of AI has democratized cyber threats, enabling attackers to exploit unknown vulnerabilities in operating systems and browsers with minimal resources. Instead of brute-force breaches, adversaries now log in using stolen credentials and leverage an organization’s own admin tools to delete data before detection. With global cybercrime damages projected to reach $12.2 trillion by 2031 and the average time from intrusion to containment at 241 days, businesses face prolonged exposure to undetected threats. The real business risk lies in downtime hospitals canceling appointments, small businesses halting operations, and enterprises facing multimillion-dollar recovery costs. Sophos reports the 2025 average ransomware payment at $1.2 million, but the larger financial and operational impact stems from prolonged outages. A Fortune 100 company’s recent incident demonstrated this disparity: two sites hit by the same attack had vastly different outcomes one recovered in minutes, the other in days due to architectural differences like immutable snapshots and separate recovery credentials. MSSPs are now being pushed to adopt an assumed-breach model, designing defenses under the premise that attackers are already inside. The focus shifts from preventing entry to limiting access and accelerating recovery. Key factors include: - Immutable backups that cannot be altered or deleted. - Separate control planes for recovery credentials, isolated from compromised admin accounts. - Rapid-restore architectures that minimize downtime to minutes rather than days. As attackers leverage AI to move faster, the data layer becomes the critical line of defense. MSSPs that prioritize recovery time objectives (RTOs) and active data management will define the next phase of cybersecurity resilience.

Salesforce Marketing Cloud Patches Critical Vulnerabilities Exposing Subscriber Data Salesforce recently addressed a series of high-severity vulnerabilities in its Marketing Cloud (SFMC) platform that could have allowed attackers to access and exfiltrate marketing emails, subscriber records, and engagement data across multiple tenants including Fortune 500 organizations. The flaws stemmed from weaknesses in SFMC’s server-side templating and encryption mechanisms. AMPScript and SSJS, used for dynamic email personalization, included functions like TreatAsContent that enabled template injection. Attackers could exploit this by embedding malicious payloads in user-controlled fields (e.g., name fields), which would execute during template evaluation. Once injected, built-in functions like LookupRows allowed queries against internal data views, exposing subscriber lists, sent emails, and tracking data. A more severe issue involved SFMC’s "view email in browser" and CloudPages features, which relied on encrypted query strings (qs parameters) to authenticate users. Researchers at Searchlight Cyber discovered that the older "classic" qs format used unauthenticated CBC encryption with a padding oracle vulnerability, enabling decryption and re-encryption of parameters. Additionally, a legacy XOR-based encryption scheme with a static key allowed rapid decryption of sensitive identifiers like JobID and ListSubscriber. Since SFMC reused a single static encryption key across tenants, attackers could forge qs tokens to access emails and subscriber data from other organizations. The vulnerabilities, reported on 16 January 2026, were mitigated between 21–24 January 2026. Salesforce migrated to AES-GCM encryption, rotated keys, disabled double evaluation of email subject templates, and invalidated all legacy tracking and CloudPages links created before 21 January 2026 (23:00 UTC). No confirmed malicious exploitation was reported. The incident underscores risks in shared SaaS infrastructure, where template engines and cryptographic flaws can expose high-value marketing data at scale. Salesforce assigned multiple CVEs to address broken encryption, hard-coded keys, and argument injection in MicrositeURL and CloudPages workflows.

AI and Phishing-as-a-Service Fuel Surge in Sophisticated Enterprise Attacks, SpyCloud Report Reveals Austin, TX – June 17, 2026 – A new report from SpyCloud, a leader in identity threat protection, underscores the rapid escalation of phishing attacks targeting enterprises, driven by artificial intelligence (AI) and phishing-as-a-service (PhaaS) platforms. The 2026 Phishing Pulse Report reveals that 78% of organizations with over 1,000 employees experienced a rise in phishing volume over the past year, while 84% report that AI-generated attacks are becoming more prevalent or harder to detect. The analysis found that phishing exposed employee data at 86% of Fortune 100 companies in the last 12 months, with technology firms facing the highest exposure, followed by the airline and automotive sectors. Despite awareness of the threat, many organizations remain ill-equipped to respond effectively. Only 38% are highly confident in detecting and mitigating credential theft within 24 hours, while 58% struggle to identify exposed credentials or session tokens post-incident. Remediation challenges persist, with 42% unable to scale responses and 68% requiring four hours or more to address confirmed exposures. SpyCloud’s research also highlights a shift in attacker tactics, with PhaaS platforms now five times more likely to target enterprise identities than malware up from three times in late 2025. Nearly half of recaptured PhaaS-sourced records are tied to corporate accounts, and tools like Tycoon 2FA show 80% of stolen credentials belong to enterprise email addresses. Beyond traditional phishing, organizations face growing threats from business email compromise (BEC), vendor impersonation, and adversary-in-the-middle (AiTM) techniques, including device code phishing, which exploits OAuth workflows for persistent access. Trevor Hilligoss, SpyCloud’s Chief Intelligence Officer, noted that attackers are increasingly capturing session cookies and refresh tokens, enabling prolonged access even after password resets. The report emphasizes a critical visibility gap: without clear insight into exposed credentials or tokens, attackers gain time to establish persistence, escalate privileges, or launch follow-on attacks like ransomware or session hijacking. Only 30% of organizations have fully integrated phishing detection with identity response workflows, leaving many vulnerable to prolonged breaches. The findings are based on a survey of security professionals and SpyCloud’s analysis of active phishing campaigns, darknet data, and criminal infrastructure. The company’s recaptured data including credentials, session cookies, and tokens helps enterprises identify and remediate exposures before they lead to further compromise.