Good morning. Yesterday's security developments from Sunday, November 16, 2025 include six critical articles spanning attack techniques, security tools, vulnerabilities, and nation-state threats. All attribution is by the article authors. All article analysis is automated.
Security researcher Elli Shlomo has revealed significant risks in ChatGPT's Microsoft 365 integration via Entra ID. The OAuth consent mechanism grants ChatGPT delegated Microsoft Graph access, meaning it acts with the consenting user's own permissions, backed by persistent refresh tokens. That lets an adversary who controls the ChatGPT side use it as a reconnaissance platform to enumerate and download files from OneDrive and SharePoint through Graph, outside the path that native Microsoft 365 security controls watch.
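A practical first step against this pattern is to audit which applications already hold delegated Graph file access with a refresh token. The script below is an added example written for this digest, not code from the article; it assumes an export of the Graph `oauth2PermissionGrants` resource (fields `id`, `clientId`, `consentType`, `principalId`, `resourceId`, `scope`) and runs over a constructed sample rather than a live tenant.

```python
"""Flag Entra ID OAuth2 permission grants that give an app delegated
file/site access together with a refresh token (offline_access).
Added example; assumes the Graph oauth2PermissionGrants JSON shape and
uses a constructed sample instead of a real tenant export."""
import json

# Delegated Graph scopes that let an app read or download a user's
# OneDrive/SharePoint content on that user's behalf.
FILE_SCOPES = {"Files.Read", "Files.Read.All", "Files.ReadWrite",
               "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All"}

# Constructed sample in the shape of `GET /oauth2PermissionGrants`.
SAMPLE_GRANTS = json.dumps({"value": [
    {"id": "g1", "clientId": "sp-chatgpt", "consentType": "Principal",
     "principalId": "user-alice", "resourceId": "sp-graph",
     "scope": "openid profile offline_access Files.Read.All Sites.Read.All"},
    {"id": "g2", "clientId": "sp-teams", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph",
     "scope": "User.Read"},
    {"id": "g3", "clientId": "sp-backup", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph",
     "scope": "offline_access Files.ReadWrite.All"},
]})


def risky_grants(raw_json):
    """Return grants whose scope string includes a file/site scope.
    'persistent' marks grants that also carry offline_access, i.e. the
    app holds a refresh token and keeps access after the session ends.
    'tenant_wide' marks admin consent applied to every user."""
    findings = []
    for grant in json.loads(raw_json)["value"]:
        scopes = set(grant.get("scope", "").split())
        file_scopes = scopes & FILE_SCOPES
        if not file_scopes:
            continue
        findings.append({
            "grant": grant["id"],
            "client": grant["clientId"],
            "tenant_wide": grant["consentType"] == "AllPrincipals",
            "user": grant.get("principalId"),
            "persistent": "offline_access" in scopes,
            "file_scopes": sorted(file_scopes),
        })
    return findings


if __name__ == "__main__":
    for f in risky_grants(SAMPLE_GRANTS):
        print(f)
```

A grant with `consentType` `Principal` was consented by one user (`principalId`); `AllPrincipals` is admin consent covering the whole tenant. Once you have identified an unwanted grant, the corresponding Graph call to remove it is `DELETE /oauth2PermissionGrants/{id}`; revoking the grant does not by itself invalidate refresh tokens already issued, so revoke the user's sessions as well.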
Grumpy Goose Labs researchers have identified KVM over IP devices being potentially misused by fraudulent IT workers, with possible links to DPRK actors. Current EDR solutions often lack telemetry for HDMI, display, and audio devices, creating a blind spot these actors exploit: a KVM presents itself to the host as an ordinary monitor, keyboard, and mouse, so remote control of the machine leaves little trace in process or network data.
Eshlomo1 has released the Entra ID Log Analyzer, a browser-based defensive tool that parses and visualizes Entra ID authentication logs. The tool enriches raw JSON log data to help security analysts detect password spray attacks, session hijacking, and compromised accounts without requiring heavy infrastructure.
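To show what password-spray detection over Entra ID sign-in logs looks like in practice, here is an added example written for this digest; it is not the Entra ID Log Analyzer's own code. It assumes the Graph `signIns` field names (`userPrincipalName`, `ipAddress`, `createdDateTime`, `status.errorCode`) and runs over constructed sample events. The signature it looks for is one source IP failing against many distinct accounts with only one or two attempts each inside a time window, which distinguishes a spray from a single user mistyping a password.

```python
"""Password-spray detection over exported Entra ID sign-in logs.
Added example, not the Entra ID Log Analyzer's code; assumes Graph
signIns field names and uses constructed sample events."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126   # Entra error code: invalid username or password


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _event(t, upn, ip, code):
    return {"createdDateTime": t, "userPrincipalName": upn, "ipAddress": ip,
            "appDisplayName": "Office 365 Exchange Online",
            "status": {"errorCode": code}}


# Constructed sample: one spray source and one ordinary user.
SAMPLE_SIGNINS = json.dumps({"value": [
    _event("2025-11-16T09:00:05Z", "alice@example.com", "203.0.113.5", 50126),
    _event("2025-11-16T09:00:41Z", "bob@example.com",   "203.0.113.5", 50126),
    _event("2025-11-16T09:01:17Z", "carol@example.com", "203.0.113.5", 50126),
    _event("2025-11-16T09:01:58Z", "dave@example.com",  "203.0.113.5", 50126),
    _event("2025-11-16T09:02:33Z", "erin@example.com",  "203.0.113.5", 50126),
    _event("2025-11-16T09:03:09Z", "frank@example.com", "203.0.113.5", 50126),
    _event("2025-11-16T09:10:00Z", "bob@example.com",   "203.0.113.5", 0),  # spray landed
    _event("2025-11-16T09:05:00Z", "grace@example.com", "198.51.100.7", 50126),
    _event("2025-11-16T09:05:20Z", "grace@example.com", "198.51.100.7", 50126),
    _event("2025-11-16T09:05:45Z", "grace@example.com", "198.51.100.7", 0),
]})


def detect_password_spray(raw_json, min_users=5, max_per_user=2,
                          window=timedelta(minutes=30)):
    """Return one finding per source IP that, inside `window`, produced
    invalid-credential failures for at least `min_users` distinct accounts
    with no more than `max_per_user` tries each. Accounts that later
    succeeded from the same IP are listed as likely compromised."""
    failures = defaultdict(list)   # ip -> [(time, upn)]
    successes = defaultdict(set)   # ip -> {upn}
    for e in json.loads(raw_json)["value"]:
        ip = e["ipAddress"]
        upn = e["userPrincipalName"].lower()
        code = e["status"]["errorCode"]
        if code == INVALID_CREDENTIALS:
            failures[ip].append((_ts(e["createdDateTime"]), upn))
        elif code == 0:
            successes[ip].add(upn)

    findings = []
    for ip, attempts in failures.items():
        attempts.sort()
        # Slide the window over this IP's failures, starting at each one.
        for i, (start, _) in enumerate(attempts):
            per_user = defaultdict(int)
            for t, upn in attempts[i:]:
                if t - start > window:
                    break
                per_user[upn] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings.append({
                    "ip": ip,
                    "start": start.isoformat(),
                    "targeted_users": sorted(per_user),
                    "later_success": sorted(successes[ip] & set(per_user)),
                })
                break   # one finding per IP is enough
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_SIGNINS):
        print(f)
```

The thresholds are deliberately conservative; in a real tenant you would tune `min_users` and the window to your login volume and also key on failures per user agent or per `appDisplayName`, since sprays commonly go through legacy authentication endpoints.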
Saeros Security has launched an open-source Host-based Intrusion Detection System specifically designed for Microsoft Windows endpoints and Active Directory environments. The tool processes Windows Event Logs locally using Sigma rules to detect lateral movement, privilege escalation, and data exfiltration, forwarding only alerts to SIEM systems with minimal resource usage.
The Cybersecurity and Infrastructure Security Agency has released updated implementation guidance for Emergency Directive 25-03 addressing critical vulnerabilities in Cisco ASA and Firepower devices that are being actively exploited. The directive mandates federal agencies verify correct patch application and provides the RayDetect scanner to examine devices for evidence of RayInitiator malware compromise.
The Israel National Digital Agency has uncovered an ongoing espionage campaign, tracked as SpearSpecter, attributed to Iranian threat actors linked to IRGC-IO. The campaign targets senior defense and government officials with advanced social engineering and deploys TAMECAT, a PowerShell-based backdoor that executes filelessly and uses multiple command-and-control channels over HTTPS, Discord, and Telegram.
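The Saeros HIDS item above describes evaluating Sigma rules locally against Windows event logs, and the TAMECAT item describes a PowerShell backdoor that talks to Discord and Telegram. The block below is an added example for this digest that serves both: a minimal Sigma-style matcher, written in Python rather than taken from Saeros Security's code, with rules expressed as Python dicts mirroring Sigma's `detection` section. The event records follow Windows and PowerShell logging field names (4104 script block logging, 7045 service installation), and every event and indicator string is constructed for the example; they are illustrative patterns, not TAMECAT indicators.

```python
"""Minimal Sigma-style rule matcher over Windows event records.
Added example, not Saeros Security's code. Rules are Python dicts in the
shape of Sigma's `detection` block; events and indicator strings are
constructed for the example and are not TAMECAT IOCs."""

RULES = [
    {"title": "PowerShell C2 over Telegram or Discord",
     "detection": {
         "selection": {"EventID": 4104,
                       "ScriptBlockText|contains": ["api.telegram.org/bot",
                                                    "discord.com/api/webhooks"]},
         "condition": "selection"}},
    {"title": "PsExec-style remote service install",
     "detection": {
         "selection": {"EventID": 7045, "ServiceName|contains": "PSEXESVC"},
         "filter": {"ImagePath|startswith": "C:\\Program Files\\"},
         "condition": "selection and not filter"}},
]

# Constructed events. e1 and e2 should fire; e3 is benign; e4 is caught
# by the rule's filter clause.
EVENTS = [
    {"id": "e1", "EventID": 4104, "Computer": "WS01",
     "ScriptBlockText": "$r=Invoke-RestMethod https://api.telegram.org/bot123:abc/getUpdates"},
    {"id": "e2", "EventID": 7045, "Computer": "SRV02",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"id": "e3", "EventID": 4624, "Computer": "WS01",
     "LogonType": 10, "TargetUserName": "alice"},
    {"id": "e4", "EventID": 7045, "Computer": "SRV02",
     "ServiceName": "PSEXESVC-vendor",
     "ImagePath": "C:\\Program Files\\Vendor\\psexesvc-helper.exe"},
]


def _value_matches(modifier, expected, actual):
    """Sigma string matching is case-insensitive; support the common modifiers."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier is None:
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError("unsupported modifier: %s" % modifier)


def _selection_matches(selection, event):
    """All fields in a selection must match (AND); a list value is OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(modifier or None, c, event[field]) for c in candidates):
            return False
    return True


def evaluate(rule, event):
    """Evaluate a condition of the form 'a and b and not c'."""
    det = rule["detection"]
    result = True
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        result = result and (_selection_matches(det[name], event) != negate)
    return result


def run_rules(rules, events):
    """Return (rule title, event id) for every rule that fires on an event."""
    return [(r["title"], e["id"]) for e in events for r in rules if evaluate(r, e)]


if __name__ == "__main__":
    for hit in run_rules(RULES, EVENTS):
        print(hit)
```

Running this locally and forwarding only the `run_rules` hits, rather than every raw event, is the design the HIDS item describes. For the backdoor case, script block logging (event 4104) is what makes a fileless PowerShell payload visible at all, so enabling it is a prerequisite for rules like the first one.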