🚨 SharePoint Zero‐Day | EchoLeak AI Vulnerability | PR‐Phishing Surge

🛡️ CYBERSAFETY | TODAY’S THREATS

🔥 THREAT BRIEFINGS

1. SharePoint Zero‑Day Actively Exploited
Over 400 global orgs, including U.S. nuclear agencies, have been compromised via a SharePoint vulnerability. Patches failed to hold.
🔧 Patch now, rotate access keys, isolate legacy servers.

2. EchoLeak in Microsoft Copilot
Attackers can silently extract Copilot context using crafted emails. No clicks required.
🧠 Reassess RAG settings. Limit sensitive data exposure.

3. Fake Journalists Target PR Teams
LLM-powered phishing scams impersonate top media outlets—luring PR pros into credential and data traps.
🎙️ Validate outreach before responding. Educate staff.

🔍 SPOTLIGHT: QR CODE PHISHING (“Quishing”)

AI-generated phishing emails are embedding QR codes to dodge email filters.
⚠️ Don't scan unknown QR codes in emails or PDFs.
🧪 Run simulations and disable QR redirects where possible.

✅ WEEKLY SECURITY TO-DOS

  • 🛠️ Patch and secure on-prem SharePoint immediately

  • 🔒 Audit Copilot configurations for data scope

  • 📬 Launch AI phishing drills

  • 🧾 Train PR teams to verify outreach

  • 🚫 Scan for QR code phishing attempts

📊 STRATEGY CORNER

  • Train with AI-Crafted Threats
    Use GPT-generated emails and quishing examples in red team drills.

  • Segment AI Assistant Access
    Keep sensitive teams’ data away from general-purpose LLMs.

  • Double Verify Media Requests
    Impose validation steps before engaging with unknown senders.

🎯 TAKEAWAY
AI-powered phishing is no longer future fiction. It’s here—and already working. Stay ahead with rapid response, smart simulation, and tight verification.

Stay secure,
The Cybersafety Team
cyber-safety.co