Daily Signal Note: Legitimate Infrastructure as Attack Vector
CybersecurityHQ | CISO Cyber Briefing Note

Welcome reader, here’s today’s Cyber Briefing Note.
Brought to you by:
Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation
LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform
CybersecurityHQ issues and preserves dated, bounded external cyber judgment.
Not news reaction. Not advisory opinion. Not consensus analysis.
—
Coverage spans ongoing CISO intelligence and versioned decision artifacts, depending on use context.
Signal 1: Legitimate Google Cloud Infrastructure Used for Credential Theft. Check Point disclosed January 3, 2026 that attackers abused Google Cloud Application Integration to send 9,394 phishing emails from a google.com Application Integration sender address to approximately 3,200 organizations over 14 days in December 2025. Attack chain: the mail genuinely originates from Google, so it passes SPF, DKIM and DMARC for google.com and clears sender-reputation filters; Google-hosted redirects lead to fake CAPTCHA pages and then to a Microsoft credential-harvesting endpoint. No Google infrastructure breach; workflow-automation abuse only. Top targets: manufacturing (19.6%), tech/SaaS (18.9%), finance (14.8%). 48.6% of targeted organizations were US-based.
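The defensive consequence of Signal 1 is that sender authentication cannot be the last word when the sender is a trusted platform; the links have to be judged on where they land. The block below is an added example, not Check Point's detection logic or the campaign's real URLs: it parses a constructed message, statically unwraps a Google-style query-parameter redirect (the `q`/`url`/`u` parameter form is an assumption; the page does not name the redirect hosts), and holds mail from a trusted, DMARC-passing sender whose links leave that sender's domain. The sender address in the sample is hypothetical.

```python
"""Added example: link analysis for mail that authenticates as a trusted sender but
whose links bounce through that sender's own redirector to an unrelated host.
Everything below (sender address, redirector form, message) is constructed."""
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Domains whose mail is normally trusted outright. Mail really sent from Google
# passes SPF/DKIM/DMARC for google.com, so authentication alone cannot catch abuse.
TRUSTED_SENDER_DOMAINS = {"google.com"}
# Assumed redirector shape: a URL on the trusted domain carrying its real target in
# one of these query parameters (e.g. google.com/url?q=...).
REDIRECT_PARAMS = ("q", "url", "u")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_domain(msg) -> str:
    """Domain of the From: address, handling 'Name <addr>' and bare forms."""
    raw = msg.get("From", "")
    m = re.search(r"<([^>]+)>", raw)
    addr = m.group(1) if m else raw.strip()
    return addr.rsplit("@", 1)[-1].lower()


def unwrap_redirect(url: str) -> str:
    """Resolve one level of query-parameter redirect statically (no network)."""
    qs = parse_qs(urlparse(url).query)
    for key in REDIRECT_PARAMS:
        target = qs.get(key, [""])[0]
        if target.startswith(("http://", "https://")):
            return target
    return url


def same_org(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyze(raw_message: str) -> dict:
    msg = message_from_string(raw_message)
    dom = sender_domain(msg)
    auth = msg.get("Authentication-Results", "")
    findings = []
    for url in URL_RE.findall(msg.get_payload()):
        final = unwrap_redirect(url)
        host = (urlparse(final).hostname or "").lower()
        # The signal: a trusted, authenticated sender whose link lands off-domain.
        if dom in TRUSTED_SENDER_DOMAINS and not same_org(host, dom):
            findings.append({"link": url, "lands_on": host})
    return {
        "sender_domain": dom,
        "dmarc_pass": "dmarc=pass" in auth,
        "suspicious_links": findings,
        "verdict": "hold-for-review" if findings else "allow",
    }


# Constructed messages. The sender address is hypothetical, not the campaign's.
PHISH = """From: Application Integration <noreply@google.com>
To: user@example.com
Subject: Document shared with you
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=google.com; dmarc=pass header.from=google.com

Review the document: https://www.google.com/url?q=https%3A%2F%2Fverify-captcha.example.net%2Flogin
"""

BENIGN = PHISH.replace(
    "https://www.google.com/url?q=https%3A%2F%2Fverify-captcha.example.net%2Flogin",
    "https://docs.google.com/document/d/constructed-id",
)

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(name, analyze(sample))
```

The check is deliberately static: following the redirect over the network would tip off the operator and, for a CAPTCHA gate, would not reveal the final credential-harvest page anyway. In production the same logic runs over all URLs in the rendered body and is one input to a hold decision, not the only one.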
Signal 2: NIST Publishes Token and Assertion Protection Guidance. NIST IR 8587 "Protecting Tokens and Assertions from Forgery, Theft, and Misuse" published December 22, 2025. Developed with CISA Joint Cyber Defense Collaborative in response to Executive Order 14144. Establishes implementation guidance for federal agencies and cloud service providers on token lifecycle controls, signing key protection, and assertion verification. Public comment period open through January 30, 2026. Explicitly cites SolarWinds SAML forgery and subsequent incidents as threat context. Positions tokens and assertions as first-class attack surface requiring shared responsibility model between CSPs and cloud consumers.
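The three control areas Signal 2 names (token lifecycle, signing-key protection, assertion verification) reduce on the relying-party side to a fixed sequence of checks, and the SolarWinds-style forgeries it cites succeed wherever one of them is skipped. The block below is an added example, not text or code from NIST IR 8587: a verifier that pins the algorithm, resolves the key by `kid` from an active-key set (so rotated or revoked keys are simply absent), verifies the signature before trusting any claim, then enforces issuer, audience and validity window. HMAC (HS256) is used only so the block runs on the standard library; the same checks apply unchanged to RS256/ES256 JWTs and, in spirit, to SAML assertions. Keys, issuer, audience and timestamps are constructed values.

```python
"""Added example: assertion verification with pinned algorithm, kid-based key lookup,
signature-before-claims ordering, and issuer/audience/expiry enforcement.
All keys, names and times are constructed."""
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    pass


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_token(header: dict, claims: dict, key=None) -> str:
    """Build a compact JWT. With key=None the token is unsigned, which is what an
    'alg: none' forgery attempt looks like on the wire."""
    def seg(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = seg(header) + "." + seg(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if key else b""
    return signing_input + "." + b64url(sig)


def verify_token(token: str, keys: dict, issuer: str, audience: str, now=None, skew=60) -> dict:
    """Return the claims if every control passes, else raise TokenError.
    keys maps an active key id (kid) to its secret; retired keys are absent,
    which is how rotation and revocation are enforced on the verifying side."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: the verifier decides, never the token.
    if header.get("alg") != "HS256":
        raise TokenError(f"algorithm not allowed: {header.get('alg')!r}")
    key = keys.get(header.get("kid"))
    if key is None:
        raise TokenError("unknown or retired signing key")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise TokenError("signature mismatch")
    # Only now is the payload trustworthy enough to act on.
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this audience")
    if "exp" not in claims or now >= claims["exp"] + skew:
        raise TokenError("expired")
    if claims.get("nbf", 0) > now + skew:
        raise TokenError("not yet valid")
    return claims


def classify(token: str, keys: dict, issuer: str, audience: str, now=None) -> str:
    """'ok' or the reason the token was rejected; convenient for logs and tests."""
    try:
        verify_token(token, keys, issuer, audience, now)
        return "ok"
    except TokenError as e:
        return str(e)


# Constructed values for the demonstration.
ISSUER, AUDIENCE = "https://idp.example.com", "api.example.com"
NOW = 1767225600  # 2026-01-01T00:00:00Z
ACTIVE_KEYS = {"2026-01": b"constructed-32-byte-hmac-secret!"}
HEADER = {"alg": "HS256", "typ": "JWT", "kid": "2026-01"}
CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "iat": NOW, "exp": NOW + 300}

if __name__ == "__main__":
    good = encode_token(HEADER, CLAIMS, ACTIVE_KEYS["2026-01"])
    print("legitimate:", classify(good, ACTIVE_KEYS, ISSUER, AUDIENCE, NOW))
    none_alg = encode_token({**HEADER, "alg": "none"}, {**CLAIMS, "sub": "admin"})
    print("alg-none forgery:", classify(none_alg, ACTIVE_KEYS, ISSUER, AUDIENCE, NOW))
    wrong_key = encode_token(HEADER, {**CLAIMS, "sub": "admin"}, b"guessed-key")
    print("wrong key:", classify(wrong_key, ACTIVE_KEYS, ISSUER, AUDIENCE, NOW))
    print("replayed an hour later:", classify(good, ACTIVE_KEYS, ISSUER, AUDIENCE, NOW + 3600))
```

Two ordering choices carry the weight: the algorithm is compared against a verifier-side constant before anything from the header is used, and the payload is not even parsed until the signature holds. The key-set lookup is also where signing-key protection meets verification: a key the CSP has retired after a suspected theft must disappear from the set, or every assertion it ever signed keeps working.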
Signal 3: Mustang Panda Deploys Kernel-Mode Rootkit for ToneShell Delivery. Kaspersky disclosed December 30, 2025 that Chinese APT Mustang Panda (HoneyMyte) used a signed kernel-mode driver to deliver the ToneShell backdoor against government targets in Myanmar and Thailand. The driver file "ProjectConfiguration.sys" is signed with a certificate stolen from Guangzhou Kingteller Technology Co. Campaign began February 2025. First observed use of a kernel-mode loader for ToneShell. The driver registers as a file-system minifilter, injects the backdoor into svchost.exe, and blocks Microsoft Defender's WdFilter.sys minifilter; it protects the malicious files and registry keys from deletion. C2 domains registered September 2024 via Namecheap. A driver signature that validates is therefore not evidence of legitimacy: the signer identity and the load path are what distinguish this loader from a vendor driver.
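Because the stolen certificate produces a signature that verifies, the detection opportunity in Signal 3 is the signer identity rather than the signature status. The block below is an added example and not Kaspersky's IOCs or detection logic: it triages driver-load records shaped like Sysmon Event ID 6 (DriverLoad) fields against a per-fleet signer allowlist, a list of signer names reported as abused (the page names Guangzhou Kingteller Technology Co.; the exact certificate subject string is assumed), and user-writable load paths. The records, including the ProjectConfiguration.sys path, are constructed.

```python
"""Added example: triage of driver-load telemetry for validly signed drivers whose
signer nobody in the environment expects. Records mimic Sysmon Event ID 6 fields;
the records, paths and allowlist are constructed."""
import re

# Signers the environment expects to load kernel drivers from. Tune per fleet.
EXPECTED_SIGNERS = {
    "microsoft windows",
    "microsoft windows hardware compatibility publisher",
    "microsoft corporation",
}
# Signer names reported as abused; exact certificate subject string is assumed.
ABUSED_SIGNER_FRAGMENTS = ("guangzhou kingteller technology",)
# Drivers have no business living in user-writable locations.
WRITABLE_PATH_RE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)


def triage_driver_load(ev: dict) -> dict:
    """Score one driver-load record. Returns severity plus the reasons behind it."""
    signer = ev.get("Signature", "").lower()
    reasons = []
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    if any(frag in signer for frag in ABUSED_SIGNER_FRAGMENTS):
        reasons.append("signer certificate reported stolen/abused")
    elif signer not in EXPECTED_SIGNERS:
        reasons.append("signer not on driver allowlist")
    if WRITABLE_PATH_RE.match(ev.get("ImageLoaded", "")):
        reasons.append("driver loaded from user-writable path")
    # A 'Valid' status only means the chain verified at load time; it says nothing
    # about whether the signing key was stolen, so severity keys on signer and path.
    if any(r.startswith(("signer certificate", "driver loaded", "unsigned")) for r in reasons):
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "none"
    return {"image": ev.get("ImageLoaded"), "severity": severity, "reasons": reasons}


def triage(events) -> list:
    """Return findings for every record that is not clean, worst first."""
    order = {"high": 0, "medium": 1}
    findings = [triage_driver_load(e) for e in events]
    findings = [f for f in findings if f["severity"] != "none"]
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed records; the ProjectConfiguration.sys load path is assumed.
EVENTS = [
    {"UtcTime": "2025-02-12 09:14:03.117", "ImageLoaded": r"C:\Windows\System32\drivers\WdFilter.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2025-02-12 09:14:05.402", "ImageLoaded": r"C:\ProgramData\ProjectConfiguration.sys",
     "Signed": "true", "Signature": "Guangzhou Kingteller Technology Co.", "SignatureStatus": "Valid"},
    {"UtcTime": "2025-02-12 09:14:07.009", "ImageLoaded": r"C:\Windows\System32\drivers\vendorscan.sys",
     "Signed": "true", "Signature": "Example Endpoint Vendor Inc.", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The allowlist is the part that needs maintenance: a fleet's real set of legitimate driver signers is small and enumerable, and an unfamiliar signer with a valid signature is exactly the case this campaign relies on being ignored. Revoking the stolen certificate does not help systems where the driver already loaded, which is why the load-path and minifilter-registration context matters alongside the signer.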
Signal 4: 700Credit Breach Exposes 5.6 Million SSNs Across Auto Dealership Ecosystem. 700Credit LLC disclosed in late 2025 that attackers accessed and copied consumer records through the 700Dealer.com web application between May and October 2025. 5.6 million individuals affected across 18,000+ auto dealerships. Data includes Social Security numbers, names, and dates of birth. Internal network not breached. Attack vector: a compromised third-party API integration at the application layer. FTC accepted a consolidated breach notification filing via NADA, allowing 700Credit to report on behalf of impacted dealer clients. Multiple lawsuits filed alleging negligence. South Carolina confirmed 108,000 residents affected on January 2, 2026.
Author
Daniel Michan is the founder of CybersecurityHQ, a CISO-grade intelligence platform read weekly across the Fortune 100. He analyzes identity-centric risk, machine identity failures, SaaS integration breakdowns, and emerging AI-speed threats, producing executive briefings and deep-dive research used by enterprise security leaders for decision support.