Weekly Security Analysis: iPhone Spyware, Microsoft Zero-Day Vulnerability, TokenBreak Incident, AI Data Breaches, and Additional Insights

Some of the most significant security challenges emerge quietly, without alerts or warnings. Small actions that appear benign often mask deeper issues. Attackers have adapted their tactics to blend in, complicating the detection of anomalies.

The recent news underscores not only the incidents themselves but also the ease with which they occur. If we focus solely on obvious warnings, we risk overlooking subtle indicators right in front of us.

This analysis highlights various tactics and oversights that can go unnoticed yet pose considerable risks.

⚡ Threat of the Week

Apple Zero-Click Flaw in Messages Exploited to Deliver Paragon Spyware — Apple has acknowledged an active security vulnerability in its Messages app, CVE-2025-43200, exploited to target members of civil society in sophisticated cyber attacks. Addressed in February through updates to iOS and macOS, the vulnerability paved the way for attackers to deploy Paragon’s Graphite spyware, successfully infecting notable journalists, including Italian journalist Ciro Pellegrino, as reported by the Citizen Lab.

🔔 Top News

• Microsoft Fixes WebDAV 0-Day Exploited in Targeted Attacks — Microsoft has resolved a zero-day vulnerability in Web Distributed Authoring and Versioning (WebDAV), exploited in targeted attacks by the threat actor Stealth Falcon. This vulnerability was leveraged to deliver Horus Agent, showcasing the threat actors’ refined capabilities.
• TokenBreak Attack Bypasses AI Moderation With a Single Character Change — Research has disclosed an attack technique named TokenBreak, capable of circumventing large language model (LLM) content moderation with minimal alterations in input.
• Google Addresses Flaw Leaking Phone Numbers Linked to Accounts — Google has remediated a vulnerability allowing potential brute-force recovery of phone numbers tied to user accounts.
• Rare Werewolf and DarkGaboon Leverage Readymade Tooling to Target Russia — Threat actors utilized legitimate tools and malware to breach Russian entities, illustrating how commonplace administrative tactics can complicate defense measures.
• Zero-Click AI Flaw Allows Data Exfiltration Without User Interaction — A newly discovered vulnerability in Microsoft 365 could enable attackers to exfiltrate sensitive data via crafted emails without user awareness.
• VexTrio Runs a Massive Affiliate Program to Propagate Malware, Scams — The VexTrio operation has been linked to extensive campaigns that compromise WordPress sites, transforming them into active participants in malware and scam distribution.

‎️‍🔥 Trending CVEs

Software vulnerabilities remain the favored entry points for attackers. It’s critical to promptly address these flaws to maintain security. Key vulnerabilities identified this week include:

• CVE-2025-43200 (Apple),
• CVE-2025-32711 (Microsoft 365 Copilot),
• CVE-2025-33053 (Microsoft Windows),
• CVE-2025-47110 (Adobe Commerce and Magento),
• CVE-2025-43697, CVE-2025-43698, CVE-2025-43699, CVE-2025-43700, CVE-2025-43701 (Salesforce),
• CVE-2025-24016 (Wazuh),
• CVE-2025-5484, CVE-2025-5485 (SinoTrack),
• and numerous others across various platforms.

📰 Around the Cyber World

• Kazakh and Singapore Authorities Disrupt Criminal Networks — Authorities in Kazakhstan dismantled a network involved in selling citizen data through Telegram, arresting over 140 individuals. Concurrently, Singapore’s coordinated effort led to around 1,800 arrests linked to online scams.
• Microsoft to Block .library-ms and .search-ms File Types in Outlook — In response to security concerns, Microsoft is updating the banned attachment file types in Outlook.
• Meta and Yandex Misuse Tracking Code — Both companies reportedly exploited Android’s localhost ports to transmit tracking data between web browsers and native apps, potentially compromising user privacy.
• Replay Attacks Bypass Deepfake Detection — Research indicates that re-recorded deepfake audio can successfully deceive detection models, increasing the risk for corporate environments.
• Microsoft Defender Flaw Disclosed — A vulnerability in Microsoft Defender was detailed, allowing unauthorized spoofing on adjacent networks. The issue was promptly addressed with a patch.
• Apple Updates Passwords App — New enhancements to Apple’s Passwords app aim to improve transparency and security for user credentials.

🔒 Tip of the Week

Understanding the hidden ways trackers collect data is essential for digital privacy. Methods like localhost tracking reveal user activity without consent. Measures to counteract these tactics include:

• Regularly uninstalling non-essential applications.
• Utilizing privacy-centric browsers and maintaining strict control over background data.
• Frequent clearing of browser data and employing incognito modes for sensitive sessions.

In conclusion, many threats may not be invisible; rather, they are mischaracterized or underestimated. Vigilance in monitoring security alerts is paramount to safeguarding against evolving threats.