
The gist: A formerly legitimate Chrome extension named ShotBird has been hijacked. Threat actors took control of the extension to turn it into a tool for data theft and malware delivery.

Why it matters: The extension now forces users to download malicious Windows files, leading to credential theft and complete system exposure.

What is happening:

  • Hijacking: Adversaries took over the ShotBird extension via an ownership transfer.

  • In-Browser attacks: The malicious extension strips browser security headers and injects fake, urgent update pop-ups into sites you visit.

  • Malware pivot: These pop-ups trick users into running a fake googleupdate.exe. This file installs a legitimate Chrome installer alongside a malicious script that hijacks your computer.

  • Data theft: Once executed, the malware suppresses security logs, dumps credentials from the Windows Credential Manager, and targets saved browser data.

What to do:

  • Audit extensions: Immediately audit and remove the ShotBird extension (ID: gengfhhkjekmlejbhmmopegofnoifnjp) from all managed endpoints.

  • Review logs: Check your systems for signs of malicious PowerShell execution—specifically, any commands containing orangewater00.com or unexpected googleupdate.exe processes.

  • Enforce restrictions: Ensure your security policies block unauthorized browser extensions and restrict the execution of untrusted scripts.

    • How to do this in Group Policy and Intune will be covered in a future Wednesday edition.

Go deeper: For a full list of indicators of compromise, read the official research report.
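A triage script for the three checks above (extension present, PowerShell script blocks naming the domain, googleupdate.exe launches), added here as an example and not taken from the newsletter or the cited report. It assumes Chrome's default profile location, and that PowerShell Script Block Logging (Event ID 4104) and process creation auditing (Security Event ID 4688) are enabled on the endpoint.

```powershell
# Added example: triage the ShotBird IoCs on a single Windows endpoint.
# Run from an elevated prompt; 4104/4688 hits depend on the logging policy.

$ExtId  = 'gengfhhkjekmlejbhmmopegofnoifnjp'   # extension ID from the newsletter
$Domain = 'orangewater00.com'                   # domain IoC from the newsletter
$Binary = 'googleupdate.exe'                    # process IoC from the newsletter
$Since  = (Get-Date).AddDays(-30)

# 1. Is the extension installed in any Chrome profile of any local user?
$extPath = "$env:SystemDrive\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\$ExtId"
$extHits = Get-ChildItem -Path $extPath -Directory -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

# 2. Logged PowerShell script blocks that reference the IoC domain.
$scriptHits = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Domain) } |
    Select-Object TimeCreated,
        @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }

# 3. googleupdate.exe launches. The genuine updater lives under ...\Google\Update\,
#    so a copy running from Downloads, Temp or a user profile deserves a look.
$procHits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Image       = $data['NewProcessName']
            Parent      = $data['ParentProcessName']
            CommandLine = $data['CommandLine']   # empty unless command-line auditing is on
        }
    } |
    Where-Object { $_.Image -and $_.Image.ToLower().EndsWith("\$Binary") } |
    Select-Object *, @{ n = 'Unexpected'; e = { $_.Image -notmatch '\\Google\\Update\\' } }

"Extension folders found: $($extHits.Count)"
$extHits
"PowerShell script blocks naming $Domain : $($scriptHits.Count)"
$scriptHits | Format-Table -AutoSize
"$Binary launches (Unexpected = outside Google\Update): $($procHits.Count)"
$procHits | Format-Table TimeCreated, Unexpected, Image, Parent -AutoSize
```

Any non-zero count is a lead for incident response, not proof of compromise on its own; the Unexpected column is a heuristic on the image path, so confirm with the parent process and command line.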

How to strengthen defenses against destructive attacks

The big picture: Cyber adversaries use destructive malware and wipers to disable systems, steal data, or cover their tracks. To stay safe, Google reminds us to treat technical defense and incident recovery as part of daily operations.

Why it matters: Destructive cyber attacks have become an easy, low-cost weapon for adversaries. By planning ahead, you can stop threats early or recover quickly if an attack succeeds.

Key strategies:

  • Secure your perimeter: Identify all apps and services accessible from the internet. Use vulnerability scans to find weak spots, patch them, and make sure you have strong multi-factor authentication (MFA) everywhere.

  • Upgrade your MFA: Move away from SMS or phone-based codes, which are easy to intercept. Use phishing-resistant methods like security keys (FIDO2) or authenticator app-based passkeys.

  • Protect critical assets: Ensure domain controllers are backed up, and keep those backups in a secure, isolated location. Regularly test your ability to restore systems from these backups.

  • Limit network traffic: Servers and critical systems should not have unrestricted internet access. Use a "deny-by-default" approach, only allowing traffic that is absolutely necessary for business.

  • Tighten admin access: Never use high-privilege accounts for daily work. Use hardened workstations for administrative tasks, and adopt "just-in-time" access to grant permissions only when needed and for a short time.

The bottom line: Resilience is about practice as much as it is about tools. Build an "out-of-band" communication plan that works even if your main systems go down, and run regular recovery exercises to ensure your team knows what to do when an incident occurs.

Why password managers are essential for security

The big picture: In the most recent Ouch! newsletter, SANS reminds us that relying on a single password across multiple accounts creates a massive security risk. When one site is breached, adversaries easily gain access to your other accounts, leading to identity theft or financial loss.

How they work: Password managers store all your credentials in an encrypted digital vault. You only need to remember one strong "master" password to unlock this vault. The software then automatically fills in your unique, complex passwords for every website you visit.

Why it matters for you:

  • Better security: They make it simple to use unique, complex passwords for every account.

  • Convenience: They handle the heavy lifting, syncing your passwords across all your devices so you are never locked out.

  • Efficiency: They eliminate password fatigue, helping you stay compliant with security policies without the frustration of constant resets.

What to look for:

  • Trust: Stick to well-known, established vendors with positive community feedback.

    • My favorite for personal and organizational use: Bitwarden

  • Usability: If it’s too hard to use, you won’t use it. Pick one that feels simple for your daily workflow.

  • Syncing: Ensure it works seamlessly across your computer, tablet, and phone.

  • Features: Always enable phish-resistant multi-factor authentication (MFA) to add an extra layer of protection to your vault.

The bottom line: A password manager is the single most effective tool for securing your digital identity. Choose a reputable one, create a strong master password, and stop reusing credentials today.

LastPass phishing warning: adversaries spoof support emails

The news: Speaking of password managers, adversaries are impersonating LastPass support staff to steal user vault credentials.

How it works: The phishing emails look like forwarded internal conversations between LastPass support and an adversary about an unauthorized account access request.

  • These fake chains create a sense of urgency, urging you to click links to "report suspicious activity" or "lock your vault."

  • These links lead to a fake login page (such as verify-lastpass[.]com) designed to steal your master password.

Why it matters: Adversaries are using sophisticated social engineering, including spoofed sender names and realistic-looking email threads, to trick even savvy users. While LastPass confirms its own infrastructure remains secure, these campaigns frequently target its users to gain unauthorized access to password vaults.

What to do:

  • Never share your master password. No legitimate LastPass support agent will ever ask for it.

  • Check the sender. Inspect the actual email address, not just the display name.

  • Report it. If you receive a suspicious email, forward it to [email protected].

  • Go directly to the source. If you are worried about your account, open your browser and manually type lastpass.com rather than clicking links in an email.

New tech support scam uses email bombing and fake IT calls to deploy malware

The big picture: Adversaries are posing as IT support staff to trick employees into giving them remote access. Once inside, they deploy the "Havoc" command-and-control framework to steal data or launch ransomware.

Why it matters: This attack is dangerous because it relies on human trust. By pretending to be your IT team, attackers bypass traditional security filters and get users to willingly install malicious software.

How the attack works:

  • The lure: Adversaries flood an inbox with junk emails to overwhelm the user (a technique called “email bombing”).

  • The hook: They call the user, claiming to be from IT, and ask for remote access to "fix" the issue.

  • The trap: Once they have access, they direct users to a fake website that looks like a Microsoft portal to "update spam rules."

  • The payload: The user is tricked into downloading a file that installs malicious code, giving the adversaries full control of the computer.

The bottom line: Modern adversaries use a mix of social engineering and technical tricks to stay hidden. Make sure your team knows that real IT staff will never call and ask them to navigate to unknown websites or install remote access tools on the spot to fix a common issue.

New phishing tactic uses OAuth to bypass defenses

Microsoft reports that adversaries are abusing a standard feature in the OAuth protocol (the system used for "Sign in with..." buttons) to trick users and deliver malware.

Why it matters: Adversaries are moving away from traditional phishing that steals login credentials. Instead, they are manipulating legitimate authorization flows to redirect users to malicious websites. Because this technique relies on trusted identity providers (like Microsoft Entra ID or Google Workspace), it can often bypass traditional email and browser security filters.

How it works:

  • The lure: Adversaries send phishing emails with themes like fake e-signature requests, password resets, or meeting invites.

  • The redirect: The links contain intentionally broken OAuth parameters. When a user clicks the link, the identity provider fails the request as planned and automatically redirects the browser to a site controlled by the adversary.

  • The payload: Once on the adversary’s site, victims are prompted to download files, which can lead to malware installation, credential harvesting, or remote access.

What you should do:

  • Govern your apps: Review and limit user consent for OAuth applications. Remove apps that are unused or have excessive permissions.

  • Tighten security policies: Use Conditional Access policies and identity protection to monitor for suspicious sign-in behavior.

  • Monitor alerts: Look for unusual URL click events or unexpected browser activity following an OAuth authorization error.

For advanced hunting, check your security logs for patterns involving "invalid scope" parameters, which are a hallmark of this specific attack technique.
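A URL triage function for the hunting suggested above, added here as an example and not taken from the newsletter or Microsoft's report. It parses authorization URLs pulled from URL-click or proxy logs, flags authorize requests whose scope values fall outside a tenant-specific allowlist, flags redirect legs that already carry error=invalid_scope (the standard OAuth error response), and surfaces the redirect_uri host for review. The scope allowlist and the sample URLs are constructed for illustration.

```powershell
# Added example: triage OAuth authorize URLs and their error redirects.
$KnownScopes = @('openid', 'profile', 'email', 'offline_access', 'user.read')  # constructed allowlist

function Get-QueryMap {
    param([string]$Url)
    $map = @{}
    foreach ($pair in ([System.Uri]$Url).Query.TrimStart('?') -split '&') {
        if (-not $pair) { continue }
        $k, $v = $pair -split '=', 2
        $map[[System.Uri]::UnescapeDataString($k)] = [System.Uri]::UnescapeDataString("$v" -replace '\+', ' ')
    }
    return $map
}

function Test-OAuthUrl {
    param([string]$Url)
    $uri = [System.Uri]$Url
    $q   = Get-QueryMap $Url
    $scopes  = if ($q['scope']) { $q['scope'] -split '\s+' } else { @() }
    $unknown = @($scopes | Where-Object { $_.ToLower() -notin $KnownScopes })
    $redirectHost = if ($q['redirect_uri']) { ([System.Uri]$q['redirect_uri']).Host } else { $null }
    $reasons = @()
    # (a) authorize request asking for scopes this tenant never uses
    if ($uri.AbsolutePath -match 'oauth2' -and $unknown.Count -gt 0) { $reasons += "unknown scope: $($unknown -join ' ')" }
    # (b) the redirect leg: the IdP bounced the browser with error=invalid_scope
    if ($q['error'] -eq 'invalid_scope') { $reasons += 'redirect carrying error=invalid_scope' }
    [pscustomobject]@{
        Host         = $uri.Host
        RedirectHost = $redirectHost
        Suspicious   = ($reasons.Count -gt 0)
        Reason       = ($reasons -join '; ')
    }
}

# Constructed sample click events: one clean request, one malformed request,
# and the error redirect that such a malformed request produces.
$samples = @(
    'https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-1111-1111-1111-111111111111&response_type=code&scope=openid%20profile&redirect_uri=https%3A%2F%2Fportal.example.com%2Fcallback',
    'https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=22222222-2222-2222-2222-222222222222&response_type=code&scope=openid%20not.a.real.scope&redirect_uri=https%3A%2F%2Fupdate-notice.example.invalid%2Fsign',
    'https://update-notice.example.invalid/sign?error=invalid_scope&error_description=constructed'
)
$samples | ForEach-Object { Test-OAuthUrl $_ } | Format-Table -AutoSize
```

A RedirectHost that is not one of your own application domains is the value to pivot on in proxy and endpoint logs.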

If you have any comments or feedback, just respond to this email!

Thanks for reading and stay secure,

Aaron
