Release Date: 03/08/2025 | Issue: 299
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

How Attackers Are Hijacking Salesforce with a Phone Call

UNC6040 is breaching Salesforce environments using voice phishing to trick employees into authorizing malicious connected apps. Once inside, they exfiltrate sensitive data and move laterally across Okta and M365, often undetected.
This blog explains how the attacks work and how Varonis defends against them using identity hardening, app control and behavioral analytics. Get a Salesforce Risk Assessment to uncover misconfigured connected apps, excessive permissions, and exposure invisible in the UI.

This week's articles


You Don't Need a Vendor to Automate Security Questionnaires
I tested three approaches to automating security questionnaires with AI: expensive SaaS vendors, custom RAG solutions, and direct LLM use.   #ai   #process


Cloud Threat Horizons Report
The Google Cloud Threat Horizons Report provides decision-makers with strategic intelligence on threats to not just Google Cloud, but all cloud service providers.   #aws   #azure   #defend   #gcp


Code Execution Through Deception: Gemini AI CLI Hijack
A silent attack on Gemini CLI where, through a toxic combination of prompt injection, misleading UX and missing validation, inspecting untrusted code consistently leads to execution of malicious commands.   #ai   #attack   #defend


Building an AWS GuardDuty Alert Triage Agent
This article explores building an AI agent for AWS GuardDuty alert triage using PydanticAI, demonstrating how LLMs can assist in security automation while maintaining human oversight for alert assessment.   #ai   #aws   #monitor


An Arrow to the Heel: Abusing Default Machine Joining to Domain Permissions to Attack AWS Managed Active Directory
Discover critical AWS Managed Active Directory security vulnerabilities enabling RBCD attacks via ms-ds-MachineAccountQuota. Learn mitigation strategies and detection methods for AWS Directory Service environments.   #aws   #attack   #defend   #iam


AWS AgentCore: The Overlooked Privilege Escalation Path in Bedrock's AI Tooling
Deep-dive into a privilege escalation path in AWS's new Bedrock AgentCore tooling, specifically the Code Interpreters used by AI agents.   #ai   #attack   #aws   #iam


Scaling Netflix's threat detection pipelines without streaming
This article discusses Netflix's "Psycho Pattern" - a hybrid batch/real-time pipeline for threat detection.   #design   #monitor


Aren't AWS Cloud Investigations the same as On-Prem? - Part 1 (AWS EC2)
Mini-series to discuss the similarities and differences of AWS Cloud vs. on-premises investigations, starting with the AWS EC2 service.   #attack   #aws   #defend


Critical Vulnerability in AI Vibe Coding platform Base44
New discovery underscores security implications of AI-powered development and the rise of Vibe Coding Platforms.   #ai   #attack   #defend   #saas

Sponsor

AI is plugging into your infrastructure—how closely are you watching?
Agentic AI systems using MCP, also sometimes called “USB-C for AI,” now access databases, APIs, and cloud applications autonomously—often bypassing many security guardrails. In this blog, Teleport and AWS break down how to secure these workflows with ephemeral identity, Zero Trust, and real-time auditability—treating AI like any other privileged system.

See how to enforce least privilege for AI agents on AWS

Tools


MSSQLHound
PowerShell collector for adding MSSQL attack paths to BloodHound with OpenGraph.


forge
A secure, scalable GitHub Actions runner platform for ephemeral workloads. Designed for multi-tenant environments, it automates isolated runner provisioning on Kubernetes or EC2, with built-in OIDC, IAM, cost optimization, and deep observability.


ApplicationInspector
A source code analyzer built for surfacing features of interest and other characteristics to answer the question 'What's in the code?' quickly using static analysis with a JSON-based rules engine.


oracrawl
A tool intended to facilitate the exploration of Oracle database DB Links. You can also refer to the companion blog post.


Veles: secret scanning
Veles is a standalone library for secret scanning that ships as part of Scalibr. It can detect and (where possible) validate credentials and other things colloquially referred to as "secrets". You can also refer to the companion blog post.

From the cloud providers


#AWS   How to automatically disable users in AWS Managed Microsoft AD based on GuardDuty findings
This post addresses scenarios where, for example, you have a web server that uses a Microsoft Active Directory user account (service account) to access an application or database resources on other servers, and you want to automate disabling the user account if suspicious activity is detected.


#AWS   AWS Security Incident Response: The customer's journey to accelerating the incident response lifecycle
A real-world scenario to show how AWS Security Incident Response can immediately generate benefits by accelerating every step of your incident response lifecycle, and how it integrates with other native AWS services.


#GCP   Defending against account takeovers from today's top threats with passkeys and DBSC
This article announces three security enhancements for Google Workspace: passkeys general availability, Device Bound Session Credentials (DBSC) beta, and upcoming shared signals framework receiver to combat account takeovers and credential theft.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini