Threat Matrix: November 2025
The latest news from the digital underbelly and how to protect your business
Blog
/
Threat Matrix: November 2025
Threat Matrix: November 2025
The latest news from the digital underbelly and how to protect your business
Welcome to the November 2025 edition of Upfort’s Threat Matrix! From targeted attacks on CRMs and Slack workspaces to creative new phishing techniques and AI model manipulation, this month’s headlines reveal how attackers continue to exploit everyday tools and trusted vendors. If your business depends on cloud apps, collaboration platforms, or emerging AI technologies, it’s more important than ever to understand where your exposure lies—and how to close the gaps.
Want to know how protected your company really is? Take two minutes to complete our interactive cybersecurity checklist or get a free cybersecurity risk assessment to uncover exploitable vulnerabilities in your network.
Salesforce customers hacked through third-party vendor Gainsight
Several Salesforce customers, including large enterprises like AAA, Farmers Insurance, and LendingTree, have suffered data breaches due to a cyberattack on Gainsight, a third-party vendor that integrates with Salesforce. Attackers exploited stolen credentials to access Gainsight’s system, which was used to manage and sync customer relationship data.
The exposed data includes names, email addresses, phone numbers, and other personal or business details tied to customer records. While Salesforce itself was not breached, the incident highlights how integrated third-party tools can become indirect access points for attackers.
How to protect your business: Limit third-party app permissions, monitor API integrations for unusual activity, and use zero-trust principles when connecting external vendors to core systems. Regularly review which tools have access to sensitive platforms like your CRM—and remove unused or over-permissive connections.
Prompt injection attacks loom large after OpenAI’s GPT-4o and Atlas launches
Security researchers are warning that prompt injection attacks—where malicious inputs hijack an AI model’s behavior—remain a serious threat, especially as AI agents become more capable and autonomous. The risk has grown with OpenAI’s launch of GPT-4o and its new “memory” and “agent” features, as well as the debut of the enterprise-focused Atlas platform.
These attacks can trick models into leaking sensitive information, ignoring safety rules, or taking harmful actions if connected to external systems. Even well-guarded models can be compromised if they accept untrusted input, whether from users, other systems, or websites.
How to protect your business: Avoid blindly connecting LLMs to tools, APIs, or live data without guardrails. Use allowlists, validate inputs rigorously, and monitor outputs for unexpected behaviors. If deploying AI in customer-facing tools, implement isolation boundaries to prevent cascading risks.
Harvard University discloses data breach affecting alumni and donors
Harvard University has confirmed a data breach that exposed sensitive information belonging to alumni, donors, and affiliates. The breach was linked to a third-party system used for fundraising and engagement, highlighting the growing risks associated with outsourced platforms.
Exposed data includes names, contact information, donation history, and other personal details. While Harvard says no financial account credentials or Social Security numbers were compromised, the leaked information could still be used in phishing, fraud, or social engineering scams.
How to protect your business: Review the security practices of any vendors handling donor or customer data. Limit access to sensitive records, enable logging for data access, and educate your team to spot targeted phishing attempts.
Nikkei suffers data breach after attackers compromise Slack
Japanese media giant Nikkei has confirmed a data breach after attackers infiltrated its Slack workspace and accessed internal systems. The breach reportedly exposed personal information stored in spreadsheets and files shared via Slack, raising concerns about how sensitive data is stored and secured in collaboration tools.
The company has not disclosed how the Slack account was compromised, but similar incidents often stem from stolen credentials, lack of multifactor authentication (MFA), or malicious apps connected to the workspace.
How to protect your business: Treat collaboration tools like Slack and Teams as potential entry points. Enforce MFA for all users, audit shared files regularly, and avoid storing sensitive information in chat platforms. Limit third-party app integrations and monitor for unusual access patterns.
SitusAMC breach exposes client data from real estate finance platform
SitusAMC, a major provider of real estate finance and technology services, has disclosed a data breach that exposed sensitive client information. The breach stemmed from unauthorized access to a system containing private data used in its mortgage and real estate services.
While the company hasn’t confirmed how many clients were affected, filings with the Maine Attorney General indicate that the exposed data includes names, Social Security numbers, and financial account information — raising concerns about identity theft and fraud risks for individuals tied to real estate transactions.
How to protect your business: Limit how much sensitive data you store, and encrypt anything tied to financial services or identity verification. Regularly review access controls and vet third-party providers, especially if they handle client or transactional data.
‘ClickFix’ attack uses fake Windows update screen to deliver malware
A newly discovered malware campaign dubbed ClickFix is tricking users into running malicious scripts by mimicking a legitimate Windows Update screen. The attack uses JavaScript to freeze the victim’s browser and display a full-screen prompt claiming a system update is in progress. Meanwhile, the malware asks users to click a fake “Fix” button — which actually downloads and runs malicious code.
Researchers say the tactic relies heavily on social engineering and is being delivered via compromised websites and malicious ads.
How to protect your business: Train employees to spot suspicious update prompts, especially those that appear in browsers. Use DNS filtering and ad blockers to limit exposure to malicious sites, and install endpoint protection that can detect fake system dialogs or unauthorized scripts.
Malicious Blender files used to spread Stealc malware
Hackers are distributing infostealing malware through weaponized .blend files — project files used in the popular open-source 3D design program, Blender. Security researchers have identified samples that embed malicious Python scripts designed to download and execute Stealc, a powerful infostealer capable of grabbing passwords, cookies, and wallet data from infected systems.
These attacks target creatives and developers who open shared Blender files from unknown or unverified sources — including assets downloaded from forums, free model repositories, or shared via Discord and other communities.
How to protect your business: Only open Blender files from trusted sources. Block unknown Python scripts from executing automatically in design tools, and run endpoint protection software to detect malware hidden in creative assets.
Dartmouth College confirms data breach after Clop extortion attack
Dartmouth College has confirmed that it suffered a data breach tied to the Clop ransomware group, which has been exploiting a vulnerability in the MOVEit file transfer platform. The breach exposed sensitive personal information, including names, Social Security numbers, and other records connected to Dartmouth’s administrative systems.
The Clop group has previously targeted dozens of institutions and companies using the same MOVEit vulnerability, exploiting it to gain access to large troves of internal data for extortion.
How to protect your business: Immediately patch or replace vulnerable file transfer tools like MOVEit. Review third-party software for known exploits and follow vendor advisories closely. Store sensitive data in encrypted formats and segment access to reduce the blast radius of a breach.
Code beautifiers exposed credentials from banks, government, and tech orgs
Researchers have discovered that popular online code beautifiers—tools that reformat messy code—were leaking sensitive credentials from major organizations, including banks, tech firms, and government agencies. When developers pasted code snippets into these tools to clean them up, they often unknowingly shared passwords, API keys, and internal URLs with the tool’s backend servers.
Many of these tools don’t encrypt or secure submitted code properly, and some even log or share the data with third parties. This creates a serious risk, especially if teams use online tools to handle real production code or configuration files.
How to protect your business: Avoid using free online tools to process sensitive code. Set up internal code formatting tools instead. Educate your developers and IT staff about the risks of pasting credentials into any third-party websites.
Cybercriminals stole $262M by impersonating bank support teams
The FBI has issued a warning after cybercriminals stole over $262 million in just the first half of 2025 by posing as bank customer support agents. These scammers contact victims via phone, text, or email, pretending to help with account issues—then trick them into approving fraudulent transactions or handing over sensitive credentials.
The scammers often spoof real bank numbers or mimic legitimate interfaces, making the deception hard to detect. While individuals are the primary target, small business accounts are especially attractive due to higher balances and looser approval processes.
How to protect your business: Train employees to verify any unexpected banking communication using official contact channels. Never approve transactions or share credentials based on inbound calls or messages. Enable transaction alerts and multi-factor authentication on all business accounts.
Hack on emergency alert vendor exposes third-party risk
A cyberattack on OnSolve’s CodeRED platform—a widely used emergency notification system—briefly disrupted alert services across the U.S., affecting state and local governments’ ability to issue critical warnings. The breach, which targeted OnSolve’s internal systems, raises broader concerns about third-party software vulnerabilities and the cascading effects they can have on public and private sector operations.
While OnSolve says it has restored service, the incident highlights how attackers can exploit centralized platforms to cause widespread disruption. Businesses that depend on SaaS vendors or alerting tools for crisis response or operational communication may be exposed to similar risks if vendor systems are compromised.
How to protect your business: Vet and monitor third-party vendors for cybersecurity maturity and breach response readiness. Segment vendor access in your environment, review incident response SLAs, and ensure your team has a backup communications plan if a critical platform goes down.
