🚨 SharePoint Zero-Day Exploits Surge & Lessons from BT's 180-Year Journey to Zero-Trust Secret Management

Hello from the Cloud-verse!

This week’s Cloud Security Newsletter Topic we cover - Eliminating Passwords at Enterprise Scale: The BT Transformation Story (continue reading) 

Incase, this is your 1st Cloud Security Newsletter! You are in good company!
You are reading this issue along with your friends and colleagues from companies like Netflix, Citi, JP Morgan, Linkedin, Reddit, Github, Gitlab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc & more who subscribe to this newsletter, who like you want to learn what’s new with Cloud Security each week from their industry peers like many others who listen to Cloud Security Podcast & AI Security Podcast every week.

Welcome to this week's edition of the Cloud Security Newsletter!

This week, the cybersecurity landscape faced a critical reality check as multiple zero-day vulnerabilities dominated headlines, from actively exploited SharePoint servers to sophisticated AI evasion techniques embedded in malware. While threat actors escalate their tactics, enterprise security leaders are pioneering innovative approaches to eliminate fundamental attack vectors.

Our featured expert this week is Christian Schwarz, Security Director for Network Services at BT Group, who shares fascinating insights from transforming one of the world's oldest telecommunications companies into a modern, software-defined infrastructure with zero-password authentication for developers.

📰 TL;DR for Busy Readers

• This Week's News: 

  • Critical SharePoint zero-day (CVE-2025-53770) exploited by China-aligned APTs since July 7, requiring immediate patching and key rotation

  • Microsoft Entra Conditional Access Optimization Agent now GA, providing AI-driven policy management to strengthen zero-trust posture

  • First documented malware uses prompt injection to evade AI security tools

  • Azure & Google Cloud AI enhancements: Defender for Cloud expands to 31+ frameworks, Google Unified Security consolidates threat intelligence

• Expert Insight: 

  • BT's transformation approach: Eliminated passwords through threat modeling, storytelling, and intrinsic motivation

📰 THIS WEEK'S SECURITY HEADLINES

🔴 Breaking: Critical SharePoint Zero-Day Under Mass Exploitation

What Happened: Multiple threat actors, including China-aligned groups, have been actively exploiting CVE-2025-53770 (CVSS 9.8) since July 7, with exploitation intensifying on July 18-19 across government, telecommunications, and software sectors. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate by July 23.

Why It Matters: This represents an urgent, active threat to enterprise SharePoint deployments. Attackers deploy malicious ASP.NET web shells to extract sensitive cryptographic keys, enabling persistent access even after patching. Over 75 organizations have been confirmed compromised, with 9,762 on-premises SharePoint servers exposed globally. The vulnerability bypasses previous July patches, demonstrating sophisticated adversary adaptation capabilities.

Source: The Hacker News

⚠️ Breakthrough: Malware Embeds Prompt Injection for AI Evasion

What Happened: Check Point Research discovered malware dubbed "Skynet" that embeds prompt injection techniques designed to manipulate AI-powered security analysis tools, attempting to convince LLMs to report "NO MALWARE DETECTED."

Why It Matters: This marks the first documented case of malware specifically designed to evade AI-based security tools through prompt injection. As organizations increasingly deploy LLM-powered security analysis, threat actors are adapting their techniques. OWASP has ranked prompt injection as the top security risk in its 2025 OWASP Top 10 for LLM Applications.

Source: Check Point Research

🚨 Google Workspace Deploys Layered Prompt-Injection Mitigations

What Happened: Google announced enhanced enterprise controls for Gemini within Workspace, implementing model hardening through adversarial training, system-level safeguards including markdown sanitization, and granular admin controls for compliance regimes like HIPAA and FedRAMP High.

Why It Matters: Directly addresses invisible prompt exploits that can force Gemini summaries to display fake warnings, boosting enterprise confidence in embedding AI within workflows. Admin controls ensure only intended contexts access sensitive data, crucial for organizations implementing AI-powered productivity tools.

Source:Google Workspace Announcement

🎯 Azure & Google Cloud Release AI‑Security Enhancements and Azure Conditional Access Agent

What Happened:

• Google Workspace/Gemini introduced layered defenses for prompt‑injection across apps like NotebookLM Workspace Updates Blog.

• Azure released updates including Security Copilot integration and a new Conditional Access Agent

Why It Matters:

• These enhancements signal a shift toward embedded security in cloud-native AI workflows and deeper integration of identity-based controls at the endpoint/app level.

• Cloud teams should evaluate these capabilities for enhanced telemetrics, faster incident response, and improved policy enforcement across hybrid estates.

🎭 Microsoft Entra: Introducing Conditional Access Optimization Agent

Microsoft released the Conditional Access Optimization Agent (part of Security Copilot in Entra), now generally available 

• Automatically scans for gaps or outdated access policies, recommending and remediating issues (e.g., break‑glass accounts, new apps).

• Offers real-time explainable insights, feedback loops, and full audit trails.

• Deployed within Entra, Intune, and Security Copilot context no manual scripting needed.
  

Why It Matters:

• Strengthens identity hygiene and zero‑trust posture, reducing human error and stale policies that attackers could exploit.

• Moves enforcement to continuous, AI‑driven control loops, improving resilience in hybrid/cloud estates.

🎯 Topic of the Week: Eliminating Passwords at Enterprise Scale: The BT Transformation Story

In an era where password-based attacks dominate the threat landscape, how does a 180-year-old telecommunications giant eliminate passwords entirely from developer workflows? This week's featured conversation with Christian Schwarz reveals the strategic approach that British Telecom used to transform legacy infrastructure into a zero-trust, software-defined environment.

Featured Experts This Week 🎤

• Christian Schwarz - Security Director, Network Services at BT Group

• Ashish Rajan - CISO | Host, Cloud Security Podcast

Definitions and Core Concepts 📚

Before diving into our insights, let's clarify some key terms:

• Secret Management at Scale: The practice of securely storing, distributing, and rotating authentication credentials, API keys, and cryptographic secrets across enterprise infrastructure without manual intervention.

• Intrinsic Security Motivation: A psychological approach to security culture where teams naturally choose secure practices because they understand the value and have frictionless tools, rather than being forced through policies.

• Threat Modeling: A structured approach to identifying and analyzing potential security threats to determine appropriate countermeasures based on attack surface and threat vectors.

• Software-Defined Infrastructure: Moving from hardware appliances to virtualized, software-based services that can be programmatically managed and secured.

💡Our Insights from this Practitioner 🔍

1 - The Storytelling Revolution in Security Engineering

Christian Schwarz's approach at BT demonstrates that technical solutions alone cannot drive enterprise security transformation. "The first aspect that I really want to mention is about storytelling, and most people forget that you need to take your teams with you," Schwarz explains. "Not everybody wants to think about security all the time, but they need to understand that security is important and that it's really for everybody to action security."

This insight proves especially relevant given this week's SharePoint zero-day exploitations. Organizations with strong security narratives and visible threat demonstrations are better positioned to respond rapidly to emerging threats. BT leverages their red team to perform internal attacks using modern techniques that nation-state actors would employ, creating powerful frontline stories that motivate secure behavior.

2 - Threat Modeling as the Foundation for Credential Elimination

When asked about starting points for standardizing secret management, Schwarz's answer was unequivocal: "There's no surprise here. The answer needs to be threat modeling. You need to understand what is your attack surface, what is your threat landscape, and then from there you look into different services."

This approach directly applies to defending against sophisticated attacks like the SharePoint exploitation campaign. BT's methodology involves breaking down complex systems from mobile antennas that "everybody can walk up to" to virtualized mobile core infrastructure in controlled data centers and applying appropriate security controls based on realistic threat assessments.

3 - The Legacy Infrastructure Challenge and Modern Solutions

BT's transformation from appliance-based to software-defined infrastructure mirrors challenges facing many enterprises. "Previously, most things were provided by appliances," Schwarz notes. "You had all this real estate and it's all dedicated machines. A lot of black boxes essentially, because they're all managed by third parties."

The security implications were severe: "The other problem is that at the time, because it's operationally much easier or simpler, they would only give you a single password that operates on all of these appliances. If this gets leaked or shared, then game over essentially."

This historical context illuminates why modern zero-trust approaches are essential. The SharePoint vulnerabilities exploited this week demonstrate how centralized credentials become high-value targets for sophisticated adversaries.

4 - Visibility as a Driver for Security Investment

One of Schwarz's most compelling insights involves using credential discovery tools to create urgency around security improvements. "Once you start getting into more software-defined services, you can use tools that give you visibility on all of the secrets and credentials that are being used. It's very scary because you suddenly see tens of thousands, hundreds of thousands maybe credentials in your estate."

This visibility becomes a powerful element of storytelling that drives organizational change. Similar visibility tools could help organizations identify SharePoint instances vulnerable to the current zero-day campaign and prioritize remediation efforts.

5 - Achieving Intrinsic Security Motivation

Schwarz's ultimate objective represents a paradigm shift in security culture: "My objective and the company's objective is really to get to this intrinsic motivation where everybody wants to do the right thing automatically." He references Dan Pink's work on Motivation 3.0, explaining that modern security requires moving beyond external compliance to internal drive.

The practical application involves reducing cognitive load through design patterns, templates, and architectural guardrails. "They don't have to think about security all the time. They know that I've got these risks, I can map those to existing solutions that we have already implemented."

6 - Practical Implementation Strategy

BT's success stems from making secure practices easier than insecure ones. "We have lots of areas where we can really plug in. I do not need to care about secure enclaves anymore. We have solved this. There is an API, you can hook up to this API."

This approach creates reusable patterns that scale across the organization, leveraging HSMs, secure enclaves, and cryptographic secrets that are never exposed to users. The result is an environment where developers automatically follow secure practices because they're built into the platform.

Related Resources 📚

• Threat Intelligence: Microsoft Azure AI Content Safety Documentation - Prompt Shields for defending against AI manipulation

• Whitepaper: NIST AI Risk Management Framework - Comprehensive guidance for AI system security

• Tools: OWASP Top 10 for LLM Applications - Essential security considerations for LLM implementations

• Cloud-Native Guidance: CNCF AI Security Guidelines - Best practices for AI in cloud-native environments

• Licensing Resource: AI Model License Tracker - Comprehensive database of AI model licensing terms

Related Podcast Episodes 🎧

Question for you? (Reply to this email)

Have you tried eliminating static credentials in cloud native environments?

Next week, we'll explore another critical aspect of cloud security. Stay tuned!

We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe and Welcome to the new members in tis newsletter community💙

Peace!

Shilpi Bhattacharjee

Was this forwarded to you? You can Sign up here, to join our growing readership.

Want to sponsor the next newsletter edition! Lets make it happen

Have you joined our FREE Monthly Cloud Security Bootcamp yet?

checkout our sister podcast AI Security Podcast