Brave browser now blocks Microsoft Recall by default, preventing screenshots and protecting users’ browsing history on Windows 11.

Brave browser has announced a new privacy measure, automatically blocking Microsoft’s controversial Recall feature from taking screenshots of browsing activity. This move, implemented in version 1.81 for Windows users, aims to give users more control over their digital privacy, especially concerning their online history.

****What is Microsoft Recall?****

Microsoft Recall, first introduced in May 2024, is designed as a productivity tool for Copilot+ PCs, which are high-end, AI-enhanced computers. It works by taking periodic screenshots of a user’s screen activity and storing them in a local, searchable database. The idea is to allow users to easily ‘recall’ past actions and information using natural language queries, for instance, finding a website visited that featured specific content.

However, from its initial announcement, Recall faced significant criticism from privacy advocates and security experts. Early versions stored these screenshots in plain text, making them highly vulnerable if a system got compromised. While Microsoft has since made changes, including making Recall an opt-in feature and encrypting the data, concerns about a persistent, OS-level log of user activity remain.

****Brave’s Proactive Privacy Stance****

Brave’s Privacy Team specified that Recall contradicts the browser’s privacy-first mission. To address this, Brave has expanded upon Microsoft’s existing privacy commitment to not record private browsing sessions. Therefore, Brave now signals to the operating system that all Brave browser windows are “private,” effectively preventing Recall from capturing any screenshots from them by default.

Block Microsoft Recall toggle in Brave (Source: brave.com)

This approach ensures user browsing activity does not “accidentally end up in a persistent database,” which the Brave Privacy Team highlighted as particularly sensitive in cases like intimate partner violence. Details on this implementation were discussed in a relevant thread on the Brave GitHub repository. Details on this implementation were discussed in a relevant thread on the Brave GitHub repository.

While inspired by similar screenshot-blocking efforts from messaging platforms like Signal, Brave’s method is designed to avoid interfering with other legitimate functions, such as accessibility tools or regular screenshots. Users who wish to allow Recall to capture their Brave Browser can manually adjust a setting within brave://settings/privacy.

****Ongoing Changes and User Control****

This step comes as Microsoft is enhancing Recall, a feature currently in preview, with its final release form for all Windows 11 users remaining uncertain. The Brave Privacy Team has acknowledged that Microsoft has made several security and privacy-enhancing modifications to Recall due to initial concerns.

However, the rapid emergence of bypasses to Microsoft’s initial fixes, such as CVE-2025-53770 and CVE-2025-53771, indicates an ongoing challenge for software developers in securing against such deep-level system monitoring.

Nonetheless, Brave’s action reinforces its commitment to user privacy by offering a strong default defence against features that could potentially log extensive personal data.

Brave Browser Blocks Microsoft Recall from Tracking Online Activity

Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.

Unmasking the new Chaos RaaS group attacks

Multiple hacking groups—including state actors from China—have targeted a vulnerability in older, on-premises versions of the file-sharing tool after a flawed attempt to patch it.

Hundreds of organizations around the world suffered data breaches this week, as an array of hackers rushed to exploit a recently discovered vulnerability in older versions of the Microsoft file-sharing tool known as SharePoint. The string of breaches adds to an already urgent and complex dynamic: Institutions that are longtime SharePoint users can face increased risk by continuing to use the service, just as Microsoft is winding down support for a platform in favor of newer cloud offerings.

Microsoft said on Tuesday that, in addition to other actors, it has seen multiple China-linked hacking groups exploiting the flaw, which is specifically present in older versions of SharePoint that are self-hosted by organizations. It does not impact the newer, cloud-based version of SharePoint that Microsoft has been encouraging customers to adopt for many years. Bloomberg first reported on Wednesday that one of the victims is the United States National Nuclear Security Administration, which oversees and maintains US nuclear weapons.

“On-premises” or self-managed SharePoint servers are a popular target for hackers, because organizations often set them up such that they are exposed on the open internet and then forget about them or don't want to allocate budget to replace them. Even if fixes are available, the owner may neglect to apply them. That's not the case, though, with the bug that sparked this week's wave of attacks. While it relates to a previous SharePoint vulnerability discovered at the Pwn2Own hacking competition in Berlin in May, the patch that Microsoft released earlier this month was itself flawed, meaning even organizations that did their security diligence were caught out. Microsoft scrambled this week to release a fix for the fix, or what the company called “more robust protections” in its security alert.

“At Microsoft, our commitment—anchored in the Secure Future Initiative—is to meet customers where they are,” said a Microsoft spokesperson in an emailed statement. “That means supporting organizations across the full spectrum of cloud adoption, including those managing on-premises systems.”

Microsoft still supports SharePoint Server versions 2016 and 2019 with security updates and other fixes, but both will reach what Microsoft calls “End of Support” on July 14, 2026. SharePoint Server 2013 and earlier have already reached end of life and receive only the most critical security updates through a paid service called “SharePoint Server Subscription Edition.” As a result, all SharePoint server versions are increasingly part of a digital backwater where the convenience of continuing to run the software comes with significant risk and potential exposure for users—particularly when SharePoint servers sit exposed on the internet.

“Years ago, Microsoft positioned SharePoint as a more secure replacement for old school Windows file-sharing tools, so that's why organizations like government agencies invested in setting up those servers. And now they just run at no additional cost, versus a Microsoft365 subscription in the cloud that involves a subscription,” says Jake Williams, a longtime incident responder who is vice president of research and development at Hunter Strategy. “So Microsoft tries to nudge the holdouts by charging for extended support. But if you are exposing a SharePoint server to the internet, I would emphasize that you also have to budget for incident response, because that server will eventually get popped.”

The United States Cybersecurity and Infrastructure Security Agency said in guidance about the vulnerability on Tuesday that, “CISA recommends disconnecting public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS). For example, SharePoint Server 2013 and earlier versions are end-of-life and should be discontinued if still in use.”

The ubiquity of Microsoft’s Windows operating system around the world has led to other situations in which a long goodbye has created security issues for holdout users—and other organizations or individuals with connections to a vulnerable entity. Microsoft struggled to deal with the long tail of users on extremely popular Windows editions including Windows XP and Windows 7. But legacy software is a challenge for any software or digital infrastructure provider. Earlier this year, for example, Oracle reportedly notified some customers about a breach after attackers compromised a “legacy environment” that had been largely retired in 2017.

The challenge with a service like SharePoint is that it often acts as an ancillary tool without ever being the center of attention.

“For on-premises software like SharePoint, which is deeply integrated into the Microsoft identity stack, there are multiple points of exposure that need to be continuously monitored in order to know, expose, and close critical gaps,” says Bob Huber, chief security officer at the cybersecurity company Tenable.

When asked about the alleged breach at the National Nuclear Security Administration, the Department of Energy emphasized that the incident did not impact sensitive or classified data. “On Friday, July 18, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy, including the NNSA,” a DOE spokesperson told WIRED in a statement. “The Department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. NNSA is taking the appropriate action to mitigate risk and transition to other offerings as appropriate.”

Microsoft did not immediately return WIRED’s requests for comment about the process of sunsetting SharePoint Server. The company wrote in a blog post on Tuesday that customers should keep supported versions of SharePoint Server updated with the latest patches and turn on Microsoft's “Antimalware Scan Interface” as well as Microsoft Defender Antivirus.

Microsoft Put Older Versions of SharePoint on Life Support. Hackers Are Taking Advantage

It's the first known instance of malware that abuses the UIA framework and has enabled dozens of attacks against banks and crypto exchanges in Brazil.

Banking Trojan Coyote Abuses Windows UI Automation

FBI warns of Interlock ransomware using unique tactics to hit businesses and critical infrastructure with double extortion.

The Federal Bureau of Investigation (FBI), alongside the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a warning regarding increased activity by the Interlock ransomware group.

This financially motivated threat targets a wide range of organizations, including businesses and vital critical infrastructure across North America and Europe, employing a dangerous double extortion model to maximize pressure on victims.

****Interlock’s Uncommon Attack Methods****

Interlock ransomware was first detected in late September 2024, with FBI investigations as recent as June 2025 detailing their evolving tactics. The group develops encryptors for both Windows and Linux operating systems, with a particular focus on encrypting virtual machines (VMs). Open-source reports also suggest similarities between Interlock and the Rhysida ransomware variant.

This group stand out for its initial access techniques, which differ from many ransomware groups. One observed method involves ‘drive-by downloads’ from legitimate but compromised websites, where malicious software is disguised as fake updates for popular web browsers like Google Chrome or Microsoft Edge, or even common security tools such as FortiClient or Cisco-Secure-Client.

Moreover, they leverage a social engineering trick called ClickFix, where users are tricked into running harmful files by clicking on fake CAPTCHAs that instruct them to paste and execute malicious commands in their system’s run window.

Once inside a network, the ransomware deploys web shells and tools like Cobalt Strike to establish control, move between systems, and steal sensitive information. They gather login details, including usernames, passwords, and even use keyloggers to record keystrokes.

According to the advisory (PDF), After stealing data, Interlock encrypts systems, appending files with .interlock or .1nt3rlock extensions. They then demand ransom without an initial amount in their note, instead instructing victims to contact them via a special .onion website over the Tor browser. The group threatens to leak exfiltrated data if the ransom, typically paid in Bitcoin, is not met, a threat they have consistently followed through on.

****Urgent Defences for Organizations****

To counter the Interlock threat, federal agencies urge organizations to implement immediate security measures. Key defences include:

*   Preventing initial access by using DNS filtering and web access firewalls, and training employees to spot social engineering attempts.

*   Patching and updating to make sure all operating systems, software, and firmware are up to date, prioritizing known vulnerabilities.

*   Strong authentication implementation, like multi-factor authentication (MFA) for all services where possible, along with stronger identity and access management policies.

*   Network Control by segmenting networks to limit how far ransomware can spread.

*   Backup and recovery by maintaining multiple, offline, immutable (unchangeable) backups of all critical data.

Also, no-cost resources are available through the ongoing #StopRansomware initiative.

FBI and CISA Warn of Interlock Ransomware Targeting Critical Infrastructure

The Windows banking trojan known as Coyote has become the first known malware strain to exploit the Windows accessibility framework called UI Automation (UIA) to harvest sensitive information.
"The new Coyote variant is targeting Brazilian users, and uses UIA to extract credentials linked to 75 banking institutes' web addresses and cryptocurrency exchanges," Akamai security researcher Tomer

New Coyote Malware Variant Exploits Windows UI Automation to Steal Banking Credentials

Microsoft was the most impersonated brand in phishing attacks during Q2 2025, accounting for 25% of all attempts, according to Check Point Research.

According to Check Point Research’s (CPR) latest report, cybercriminals spent the second quarter of 2025 impersonating the world’s most familiar brands to steal credentials and payment information. The data shows a mix of predictable targets and a few surprising returns, with Spotify reappearing as a key lure for the first time in years.

Microsoft once again topped the list, featuring in a quarter of all phishing attacks during Q2. Tech brands remained the primary focus, but cybercriminals also went after streaming services and travel platforms that people use daily without a second thought.

Screenshot of a Microsoft 365 phishing email tricking users into calling fake support. This scam was first reported in March 2025.

While the latest research shows Meta no longer at the top as it was in 2024, Microsoft taking the lead again doesn’t come as a surprise. As of 2025, over 1.6 billion people were using the Windows operating system. On top of that, Microsoft 365 had around 345 million paid subscribers and roughly 321 million active users each month.

That massive user base is exactly why Microsoft Office was the most targeted software in malware attacks back in 2022. It also explains why Microsoft was the most impersonated brand in phishing campaigns during Q2 2023, and why it has returned to the top spot now.

Spotify’s return to phishing charts for the first time since 2019 was linked to a spoofing campaign that mimicked the company’s login flow almost perfectly. The fake page, hosted on a malicious URL, asked victims to input credentials before redirecting them to a counterfeit payment form. Both the design and branding were polished enough to fool unsuspecting users, many of whom may have believed they were logging into their real account.

Spotify phishing login page (Image via CPR)

This renewed targeting of entertainment services shows attackers aren’t just looking at corporate systems anymore. Everyday platforms with large user bases are just as likely to be exploited, especially when those users are less suspicious of messages related to subscriptions or media.

Booking.com was also hit by a surge in impersonation. Researchers flagged over 700 newly registered domains with names resembling real booking confirmation URLs. Compared to previous quarters, that’s a spike by a factor of 100.

As Hackread.com reported on multiple occasions, most recently in June 2025, Booking.com was abused in a ClickFix email scam. Back in April 2025, another ClickFix scam exploited Booking.com to infect unsuspecting users with AsyncRAT.

Booking.com ClickFix phishing scam that delivered AsyncRAT (Image credit: Hackread.com)

These scams used personal details like names and email addresses to create urgency. While the domains have since been taken down, the approach revealed how much more personalised phishing tactics have become.

Outside these two cases, as per CPR’s report, the overall trend remains predictable. The tech sector continues to be the most impersonated, with Microsoft, Google, and Apple taking the top three spots.

Social media platforms like LinkedIn, WhatsApp, and Facebook remain common targets, while retail and travel services like Amazon and Booking.com round out the top ten. It is worth noting that CPR’s report

If you use any of these services, keep in mind that phishing campaigns count on people clicking without thinking. A few simple steps can help protect your data. Start by using multi-factor authentication, double-check URLs, run suspicious links through VirusTotal before opening them, and don’t get caught up in the urgency scammers try to create.

For businesses, keep employees informed and alert on cybersecurity, since phishing is still one of the easiest ways attackers gain access to internal systems. And finally, for ongoing updates and insights on cybersecurity, make sure to follow Hackread.com.

Microsoft Most Phished Brand in Q2 2025, Check Point Research

Coyote Trojan becomes first malware to abuse Microsoft’s UI Automation in real attacks, targeting banks and crypto platforms with stealthy tactics.

A new version of the Coyote banking trojan has been spotted, and what’s noticeable about it is not just who it’s targeting, but how it’s going about it. Cybersecurity researchers at Akamai have confirmed that this variant is the first malware seen actively using Microsoft’s UI Automation (UIA) framework to extract banking credentials. It’s a method that had only been a conceptual risk a few months ago.

Back in December 2024, Akamai warned that Microsoft’s UIA, which helps assistive technologies interact with software, could be misused by threat actors. Until now, that concern remained a proof-of-concept. Things changed when Akamai spotted Coyote using UIA in attacks targeting Brazilian users, aiming to extract sensitive information from browser windows tied to banks and cryptocurrency platforms.

This shows that Coyote trojan is changing the way it operates, making it harder to detect and stop. The malware, first detected in February 2024, is known for phishing overlays and keylogging aimed at Latin American financial targets. But what makes this variant different is its use of UIA to bypass detection tools like endpoint detection and response software.

Instead of relying on conventional APIs to check which banking site a victim is visiting, Coyote now uses UI Automation. When the active window title doesn’t match any of the malware’s preloaded banking or crypto site addresses, it changes its tactics and uses a UIA COM object to start crawling through the sub-elements of the active window, searching for telltale signs of financial activity.

Akamai’s blog post, shared with Hackread.com ahead of publishing on Tuesday, found that Coyote’s hardcoded list includes 75 financial institutions and crypto exchanges. What’s worse, these aren’t just names or URLs. The malware maps them to internal categories, allowing it to prioritise or customise its credential-stuffing attempts. This approach not only increases its chances of hitting the target but also makes it more flexible across browsers and applications.

Normally, an attacker would need detailed knowledge of a specific application’s design. UIA simplifies that process. With this framework, malware can scan the UI of another app, extract content from fields like address bars or input boxes, and use that information to customise attacks or steal login data.

Coyote trojan doesn’t stop at identifying banks. It also sends system details back to its command-and-control infrastructure, including the computer name, username, and browser data. If offline, it still performs many of these checks locally, making it harder to catch through network traffic alone.

According to researchers, the bigger concern here is how UIA could open up new attack paths. Akamai demonstrated this by showing how attackers might not just scrape data but also manipulate UI elements. One proof of concept shows the malware altering a browser’s address bar, then simulating a click to quietly redirect the user to a phishing site, all while looking legitimate on screen.

Akamai’s PoC (Click to Play GIF)

On the defensive side, there are ways to catch this kind of abuse. Akamai recommends monitoring for the loading of UIAutomationCore.dll into unfamiliar processes. They also provide osquery commands to flag processes that interact with UIA-related named pipes. These are early warning signs that an attacker may be snooping on the user interface.

Akamai’s threat hunting service has already started scanning environments for such anomalies. According to their report, customers were alerted when suspicious UIA activity was detected.

Coyote Trojan First to Use Microsoft UI Automation in Bank Attacks

On this episode of Uncanny Valley, we dive into the differences between what the US government said about a Jeffrey Epstein video it released and the story told by its metadata.

How WIRED Analyzed the Epstein Video

July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube. A traditional monthly roundup. This time, it’s a very short one. 🙂 🗞 Post on Habr (rus)🗒 Digest on the PT website (rus) Only three trending vulnerabilities: 🔻 Remote Code Execution – Internet Shortcut Files (CVE-2025-33053)🔻 Elevation of Privilege – Windows SMB Client […]

**July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube.** A traditional monthly roundup. This time, it’s a very short one. 🙂

🗞 Post on Habr (rus)  
🗒 Digest on the PT website (rus)

Only three trending vulnerabilities:

🔻 **Remote Code Execution** – Internet Shortcut Files (CVE-2025-33053)  
🔻 **Elevation of Privilege** – Windows SMB Client (CVE-2025-33073)  
🔻 **Remote Code Execution** – Roundcube (CVE-2025-49113)

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Tag

#windows