Identity Security – Our Greatest Cyber Weakness
In this edition of Cyderes Intel, we’re looking at the biggest identity security news of 2025, and some of the most dangerous email security scams phishing our inboxes for credentials.
BIDEN ISSUES EXECUTIVE ORDER ENHANCING DIGITAL IDENTITY SECURITY
President Biden signed an executive order intended to boost the privacy of Americans amid continued cyberattacks against the U.S.
Article contributed by Brian Rushton-Phillips
“Adversary countries, and criminals have increasingly targeted the U.S. government, corporations, and individual Americans, with cyberattacks that disrupt critical services, businesses, and individual lives, costing billions of dollars, as well as damages,” a senior administration official told reporters on a call previewing the order.
The executive order outlines a set of measures to assist the federal government in protecting against cyber attacks that jeopardize the privacy of Americans' digital identities.
The National Security Council (NSC) noted that the U.S. is unique among major economies regarding its digital identity infrastructure. According to the NSC, Americans face approximately $56 billion in fraud annually.
A portion of the executive order will ease the criteria for sanctions imposed by the U.S. government to penalize cyber attackers.
“The goal is to make it costlier, and harder for China, Russia, Iran, [North Korea], and ransomware criminals to hack, and to also signal that America means business when it comes to protecting our nation, from our economy, and employment, to infrastructure, and innovation,” the administration official said, adding later, “It means more tools to publish them, to publicly name, sanction, and penalize these individuals, whether they’re working independently, or for [a] foreign government.”
The order will also accelerate the deployment of private-sector technology to enhance government efficiency and minimize fraud.
It encourages the adoption of "privacy-preserving digital identity documents," such as mobile driver licenses, and the initiation of an early-warning fraud pilot to alert Americans about potential fraud incidents related to their public benefits and payments, according to the NSC.
Additionally, it sets new standards for software providers working with the U.S. government. This comes just weeks after the Treasury Department informed lawmakers that Chinese state-sponsored actors breached the agency early last month, stealing a key from a third-party software service provider.
Building on Biden’s initial cyber executive order, which mandated federal agencies to adopt new practices to safeguard against cyberattacks, the order aims to advance this objective by promoting the use of modern technologies that are resistant to phishing within federal agencies.
It will also enhance the visibility of attack activities across government agencies, enabling the Cybersecurity and Infrastructure Security Agency (CISA) to perform its duties more effectively.
“If we find one particular technique that a foreign government has used to hack one particular federal agency, this now tasks CISA, and invites CISA centralized visibility to [threat] hunt, across all agency systems, to ensure we’re defending against this attack broadly,” the administration official said.
Moreover, the order will expedite the advancement and application of artificial intelligence (AI), alongside further exploration of AI-driven cybersecurity solutions and post-quantum technologies. This aspect mirrors Biden’s national security memorandum from last October, which urged government agencies to leverage cutting-edge AI systems to enhance national security.
The order also highlights the need to safeguard space-based systems, referencing the destruction caused by Russia’s assault on Ukraine’s military satellite communications system, prior to its 2022 invasion.
KEY PROVISIONS
Software Supply Chain Security: This initiative mandates that software providers submit attestations of secure development practices in a machine-readable format, which the Cybersecurity and Infrastructure Security Agency must validate within 90 days.
Federal Cybersecurity Enhancements: Implements enhanced endpoint detection and response (EDR) tools, authentication methods resistant to phishing, and revised cloud security protocols, with a 120-day deadline for implementation.
Quantum-Resistant Cryptography: Establishes an objective for federal agencies to shift to post-quantum cryptographic standards by 2030, requiring "detailed plans" to be provided within 90 days.
AI for Cyber Defense: Initiates efforts to employ artificial intelligence to enhance cybersecurity, especially in vital infrastructure areas such as energy, with pilot programs set to commence within 180 days.
Cybersecurity in Space: Mandates improved security measures for space systems and ground stations to tackle emerging threats, with agency evaluations and updates to cybersecurity standards required within 180 days.
Open Source Software Management: Advises agencies to implement optimal practices for utilizing and safeguarding open source software, with guidelines to be provided within 120 days.
New Requirements for Vendors: Requires federal contractors to adhere to basic cybersecurity standards and introduces a "Cyber Trust Mark" for consumer Internet-of-Things devices, with a 240-day deadline for implementation.
Numerous foreign adversaries executed hacking operations in the U.S. last year, heightening concerns about the nation’s capacity to defend against such threats. Among these was the unprecedented “Salt Typhoon” operation, where China-backed actors infiltrated over half a dozen telecom companies in the U.S.
Some of those targeted in the Salt Typhoon hacks were involved in governmental or political activities, as officials disclosed earlier this year. Although the exact number of targets remains undisclosed, President-elect Trump and Vice President-elect Vance were reportedly among those whose phones were targeted.
This eagerly awaited order arrives at the close of the Biden administration and follows two AI-related directives issued by the president earlier this week.
BEWARE OF PHISHING SCAMS TARGETING 401(K) AND PAYROLL ADJUSTMENTS
As tax season approaches and annual performance reviews conclude, cybercriminals are capitalizing on the perfect opportunity to exploit employees.
Article contributed by Ethan Fite
We've seen a sharp uptick in phishing campaigns targeting individuals with fake 401(k) updates and payroll adjustment notifications. These scams aim to harvest sensitive data, such as login credentials and personal information, under the guise of legitimate corporate communications.
This activity seems to build on a trend we observed in December, where threat actors used similar tactics to distribute fake new employee handbooks, as detailed in our blog post: https://www.cyderes.com/blog/global-phishing-campaign-targeting-new-employee-handbooks.
Common Themes in Recent Phishing Campaigns
1) Subjects
2) Sender Details
3) URLs
4) Visual Elements
The phishing emails often include logos, QR codes, and familiar design elements from legitimate brands to build trust. For instance:
Examples of Phishing Emails
1) Payroll Adjustment Request
This email mimics a payroll update notification, complete with a QR code linking to a malicious site. It requests employees to confirm their salary adjustments by signing a fraudulent document.
2) 401(k) Compliance Notice
A fake DocuSign email claims that recipients must sign off on their 401(k) benefits. The urgency is emphasized with terms like "Status: Pending."
3) Company Payroll Update
A highly convincing email mimicking Company HR communications. It features a table summarizing pay increases and a QR code for further action, but leads to a phishing page.
Why These Scams Work
Timing: With tax season and annual reviews happening simultaneously, employees expect communications about payroll and benefits.
Familiarity: Cybercriminals mimic trusted tools like Adobe Sign and DocuSign to exploit employee trust.
Urgency: The emails use phrases like "Immediate Action Required" or "Pending Signature" to pressure users into acting without second-guessing.
How to Protect Yourself
Verify the Source: Always check the sender’s email address carefully. Hover over links to inspect their destination before clicking.
Avoid Scanning Unknown QR Codes: QR codes can redirect you to malicious sites. Only scan those from trusted sources.
Use Multi-Factor Authentication (MFA): Even if credentials are compromised, MFA adds an extra layer of protection.
Report Suspicious Emails: If you receive an email like the ones mentioned, report it to your IT or security team immediately.
Conclusion
Phishing attacks are becoming more sophisticated, leveraging seasonal events and workplace processes to trick even the most vigilant employees. Stay cautious and spread awareness among your team to minimize risk.
NEXT LEVEL IDENTITY GOVERNANCE
As organizations expand and digital interactions increase, effective identity management is essential for protecting sensitive data and ensuring secure access.
Article contributed by Brian Rushton-Phillips
However, the growing number of identities, roles, and access paths also introduces vulnerabilities, making it crucial for businesses to implement robust identity management solutions.
Identity Governance and Administration Simplified
As organizations grow, the complexity of managing credentials and access increases, leading to greater risks. Implementing user-friendly controls that streamline access while maintaining security is essential.
This approach not only protects against external threats but also enhances user experience, making it easier for employees to navigate their access needs without compromising security.
Actionable Insights
Adopting an identity-first security posture is a forward-thinking approach.
By placing identity at the core of security, organizations can make informed access decisions based on real-time threat intelligence and user behavior. This continuous monitoring not only enhances security but also allows for a more adaptive governance model, effectively responding to emerging threats.
Leveraging digital twin technology in identity governance offers organizations a powerful tool for real-time visibility and management of their identity landscape.
By creating a dynamic model that reflects users, roles, and permissions, organizations can quickly identify discrepancies and unauthorized access attempts. This proactive approach enhances security by allowing for immediate responses to potential vulnerabilities, ensuring that identity governance remains aligned with real-world operations.
Implementing the principle of least privilege (PoLP) is a highly effective way to enhance your security posture.
By ensuring that users have only the access necessary for their roles, you reduce the risk of unauthorized access. Regularly reviewing permissions and utilizing automation – along with digital twins – can streamline this process, making it easier to identify and revoke unnecessary privileges. This proactive approach significantly strengthens your organization's defenses against potential threats.
Implementing multifactor authentication (MFA) across all user access points is essential for strengthening identity security.
By extending MFA beyond just external systems to include internal applications, organizations can enhance their security posture without significant infrastructure changes. Additionally, considering risk-based adaptive MFA allows for a tailored approach, adjusting authentication challenges based on user behavior and access context, which minimizes friction while maintaining robust security.
Simplifying user lifecycle management is crucial for preventing orphaned accounts that can be vulnerable to attacks.
By automating the provisioning and de-provisioning of user accounts based on current roles, organizations can ensure that access aligns with responsibilities. Integrating HR and IT systems allows for automatic updates when personnel changes occur, reducing errors and enhancing visibility into access changes across the organization.
Anomalous behavior detection is becoming more accessible through advanced technologies like digital twins and AI-driven tools.
By monitoring user activities such as unusual login times and failed attempts, organizations can gain insights into identity interactions within their systems. This proactive approach allows for swift responses to potential security breaches, enhancing overall identity governance and security measures.
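The paragraph above names two signals, unusual login times and failed attempts, without showing how they are turned into alerts. The following is an added example, not code from Cyderes or from any product the newsletter describes: a small detector run over a constructed authentication log. The log format (timestamp, user=, result=, src=), the 07:00 to 19:59 UTC business-hours baseline, the three-failures-in-five-minutes threshold, and the user names are all assumptions chosen for the illustration.

```python
"""Flag off-hours logins, bursts of failed attempts, and a success that
follows such a burst, from a simple key=value authentication log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: two users, one of whom (alice) shows a late-night
# burst of failures followed by a success from an unfamiliar address.
SAMPLE_LOG = """\
2025-01-15T08:02:11Z user=alice result=SUCCESS src=10.0.0.5
2025-01-15T08:45:30Z user=bob result=SUCCESS src=10.0.0.9
2025-01-15T23:17:02Z user=alice result=FAIL src=203.0.113.7
2025-01-15T23:17:20Z user=alice result=FAIL src=203.0.113.7
2025-01-15T23:17:41Z user=alice result=FAIL src=203.0.113.7
2025-01-15T23:18:05Z user=alice result=SUCCESS src=203.0.113.7
2025-01-16T09:10:00Z user=bob result=SUCCESS src=10.0.0.9
"""

# Hypothetical baseline: logins outside 07:00-19:59 UTC count as off-hours.
BUSINESS_HOURS = range(7, 20)
# Hypothetical threshold: three or more failures inside a five-minute window.
FAIL_THRESHOLD = 3
WINDOW = timedelta(minutes=5)


def parse_line(line: str) -> dict:
    """Turn '2025-01-15T08:02:11Z user=alice result=SUCCESS src=...' into a dict."""
    timestamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text: str) -> list:
    """Return (user, alert_kind, timestamp) tuples in log order."""
    alerts = []
    # Per-user list of recent failure timestamps, trimmed to WINDOW.
    recent_fails = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        user, ts = event["user"], event["ts"]
        if event["result"] == "FAIL":
            recent_fails[user] = [t for t in recent_fails[user] if ts - t <= WINDOW]
            recent_fails[user].append(ts)
            if len(recent_fails[user]) >= FAIL_THRESHOLD:
                alerts.append((user, "burst_of_failures", ts))
        elif event["result"] == "SUCCESS":
            if ts.hour not in BUSINESS_HOURS:
                alerts.append((user, "off_hours_login", ts))
            # A success right after repeated failures is the classic
            # password-guessing-then-hit pattern and deserves its own alert.
            if recent_fails[user]:
                alerts.append((user, "success_after_failures", ts))
            recent_fails[user].clear()
    return alerts


if __name__ == "__main__":
    for user, kind, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {kind}")
```

In practice the baseline would come from each user's own history rather than a fixed hour range, and the alerts would feed a SIEM or identity platform; the structure (parse, keep a short per-user window, emit an alert on threshold or on context change) stays the same.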
PHISHING TREND EXPLOITING YOUTUBE URLS THROUGH O365 EXPIRY THEMES
A recent wave of phishing campaigns is leveraging cleverly disguised URLs and Microsoft 365 (O365) password expiry lures to trick users into divulging sensitive credentials.
Article contributed by Ethan Fite
Here’s what we know:
1) Phishing Lure
• The email subject consistently follows the format: “ACTION Required - [Client] Server SecurityID:[random string]”.
• The body of the email urges the recipient to reconfirm their password due to expiry, with clickable buttons labeled “Keep [USER EMAIL] Access Active.”
2) Tactics
• Fake YouTube Links: Attackers embed links starting with a legitimate-looking URL (e.g., youtube.com) followed by a series of obfuscation characters like %20.
• URI Obfuscation: Using the @ symbol in the URL, the attackers direct users to a malicious domain (e.g., globaltouchmassage[.]net) while making the URL appear trustworthy.
3) Notable Indicators
• Embedded URLs use excessive %20 (the percent-encoded space).
• URLs include an @ symbol that segments the URL into two parts:
1) Everything before the @ is treated as user info and ignored when choosing the destination.
2) Everything after the @ is the actual domain.
• The domains used include redirectors and standard phishing templates utilized by Tycoon 2FA, Mamba 2FA, and EvilProxy kits.
How These Links Work
When an @ symbol appears in the authority part of a URL (after the scheme and before the first slash, question mark or hash), browsers treat everything before it as user credentials and connect to the host that follows the @. For example:
• Destination Domain: testing123.net.
Why This Matters
This tactic abuses legitimate services like YouTube in the URL structure to lend credibility to the link. Users are more likely to trust the link without inspecting it closely.
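The "hover over links to inspect their destination" advice earlier in this edition and the @-obfuscation described here both come down to one question: which host will the browser actually connect to? The following is an added example, not code from Cyderes, that answers it with Python's standard URL parser and flags the two indicators above (userinfo before an @ in the authority section, and heavy %20 padding). The sample email body, the padding threshold, and the hosts in it are constructed for the illustration; testing123.net is the destination host the newsletter itself uses as its example.

```python
"""Resolve the real destination host of a link and flag @-based decoys."""
import re
from urllib.parse import urlsplit, unquote

# Hypothetical threshold: legitimate links rarely carry many encoded spaces.
SPACE_PADDING_THRESHOLD = 4

# Constructed sample email body with one decoy link and one ordinary link.
SAMPLE_BODY = """\
Your password expires today. Keep access active:
https://www.youtube.com%20%20%20%20%20%20@testing123.net/reset
Questions? See https://help.example.org/faq?contact=it@example.org
"""

URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+")


def analyse_url(url: str) -> dict:
    """Return the host a browser connects to, plus any suspicious findings."""
    parts = urlsplit(url)
    findings = []
    # Userinfo only exists when the '@' sits in the authority component
    # (parts.netloc). An '@' in the path or query, such as an e-mail address
    # in a parameter, does not change the destination host.
    if "@" in parts.netloc:
        userinfo, _, _ = parts.netloc.rpartition("@")
        decoy = unquote(userinfo).strip()
        findings.append(f"decoy text before '@': {decoy!r}")
    padding = url.count("%20")
    if padding >= SPACE_PADDING_THRESHOLD:
        findings.append(f"{padding} encoded spaces used as padding")
    return {
        "url": url,
        # parts.hostname already discards userinfo and any port.
        "actual_host": parts.hostname,
        "findings": findings,
        "suspicious": bool(findings),
    }


def scan_text(text: str) -> list:
    """Analyse every http(s) link found in a block of text, in order."""
    return [analyse_url(match.group(0)) for match in URL_PATTERN.finditer(text)]


if __name__ == "__main__":
    for result in scan_text(SAMPLE_BODY):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} host={result['actual_host']}")
        for finding in result["findings"]:
            print(f"           - {finding}")
```

The same check belongs in a mail gateway or link-rewriting service as much as in an analyst's toolkit: the real host is what should be matched against blocklists and reputation feeds, never the text a user sees before the @.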
IOC (Indicators of Compromise)
• Example Phishing URL:
• Common Subject Lines:
"ACTION Required - [Client] Server SecurityID:[random string]"
Recommendations
1) Educate Users
• Always inspect URLs for unusual structures or unexpected symbols (%20, @).
• Be wary of emails urging immediate action regarding passwords or accounts.
2) Technical Mitigations
• Deploy URL filtering and blocklists to catch domains like globaltouchmassage[.]net.
• Use sandbox tools to analyze suspicious links safely.
3) Report and Monitor
• If you suspect phishing, report it to your IT/security team immediately.
Final Note
As phishing tactics evolve, attackers continue to exploit trust in legitimate services. Stay vigilant and always verify links before clicking. Keep your workforce informed and your systems protected.
Follow our story ➜ https://linkedin.com/company/cyderes