Helpdesk BPOs Become MFA Bypass Vector in Adobe Breach

◆ DEEP DIVES

1. 01

   Your Helpdesk Is the New Front Door: BPO Supply Chain Attacks Bypass MFA at Scale

   <h3>Two Campaigns, One Broken Trust Model</h3><p>Two distinct threat actors are exploiting the same architectural flaw: <strong>outsourced support vendors sit inside your identity perimeter</strong> with the ability to reset passwords, re-enroll MFA, and modify authentication workflows — and attackers are going through them instead of through you.</p><p><strong>UNC6783 ('Mr. Raccoon')</strong> targets BPO providers handling customer support for large enterprises. Google's threat intelligence documents the playbook: compromise the BPO, then use their legitimate access to <strong>steal Zendesk tickets en masse</strong>. The Adobe breach alone yielded <strong>13 million support tickets</strong> stolen through a compromised Indian BPO. Their phishing kit uses spoofed Okta pages following patterns like <code>company.zendesk-support##.com</code> and captures <strong>clipboard contents to bypass TOTP codes</strong> copied from authenticator apps. Only FIDO2/hardware keys resist this technique.</p><p><strong>Storm-2755 ('Payroll Pirate')</strong> takes a different path to the same destination. Microsoft tracks this actor using SEO poisoning and malvertising to drive employees to fake Office 365 login pages. An <strong>adversary-in-the-middle proxy captures session tokens</strong>, defeating MFA entirely. Once inside, they search for HR and payroll contacts, create inbox rules to hide their activity, then email HR to redirect direct deposit information. <em>Vulnerable U — a security-focused organization — was itself targeted by this campaign.</em></p><hr><h4>Why Your EDR Won't Save You</h4><p>These attacks are <strong>invisible to endpoint detection</strong> because nothing anomalous happens on the endpoint. The compromise occurs in the identity layer — legitimate credentials, legitimate SSO flows, legitimate-looking user behavior. Your EDR fires when malware executes; it doesn't fire when a valid session token authenticates through Okta.</p><table><thead><tr><th>Detection Layer</th><th>Effectiveness</th><th>Gap</th></tr></thead><tbody><tr><td>EDR/Endpoint</td><td>Low</td><td>Valid credentials + legitimate SSO = no anomaly</td></tr><tr><td>Network/DNS</td><td>Medium</td><td>Can detect spoofed Okta domains if DNS telemetry monitored</td></tr><tr><td>Identity Analytics</td><td>High</td><td>Impossible travel, MFA re-enrollment spikes detectable</td></tr><tr><td>BPO Access Monitoring</td><td>High</td><td>Most orgs don't monitor support vendor identity ops at all</td></tr><tr><td>FIDO2 MFA</td><td>Preventive</td><td>Keys can't be replayed through spoofed pages</td></tr></tbody></table><blockquote>If your BPO agent can reset an executive's password without a second verification channel, that's your highest-priority finding today.</blockquote><h4>The Payroll Endgame</h4><p>Storm-2755's targeting of payroll is particularly insidious because the fraud often isn't detected until an employee reports a missing paycheck — <strong>days or weeks after the redirect</strong>. Zephyr Energy lost <strong>€700K</strong> to a contractor payment redirect using similar TTPs. The actor creates inbox rules to auto-delete confirmation emails, ensuring neither the compromised employee nor HR sees evidence of the change until it's too late.</p>

   Action items

   • Map every BPO, call center, and helpdesk contractor that can trigger password resets, MFA re-enrollment, or Okta session modifications — then apply conditional access policies restricting these actions to verified contexts
   • Deploy FIDO2/WebAuthn hardware keys to all admin accounts, helpdesk staff, HR/payroll teams, and executives within 30 days
   • Mandate out-of-band phone verification for all payroll/direct deposit changes — no exceptions for email or chat requests
   • Monitor for spoofed domains matching patterns like company.zendesk-support##.com and deploy impossible travel detection on Okta

   Sources:Adobe Reader zero-day has no patch, DPRK is in 5 of your package managers · FortiClient EMS zero-day is live, BlueHammer is unpatched · Your helpdesk is the new front door

2. 02

   AI Agents Are Your New Unmonitored Privileged Users — And 78% Execute Malicious Code Without Detection

   <h3>The Research That Should Change Your Agent Policy</h3><p>New research findings this cycle quantify what security teams have been warning about: <strong>78% of tested LLM systems executed malicious code from compromised agent packages</strong> without any detection mechanism firing. Separately, researchers demonstrated that <strong>subliminal prompts embedded in one AI agent's output propagate virally</strong> to downstream agents in multi-agent architectures — a worm-like propagation mechanism with no production defenses.</p><p>These aren't theoretical attacks. They exploit the fundamental design of AI agents: the willingness to install packages, execute code, and pass instructions between systems based on natural language context. Your EDR, SAST, and SCA tools have <strong>zero coverage</strong> for this attack pattern because it doesn't match any signature — it's the agent doing exactly what it was designed to do, just with adversarial input.</p><hr><h3>The Scale of Unmonitored Agent Access</h3><p>Multiple data points converge to show how far ahead agent adoption has raced past security controls:</p><ul><li><strong>30%+ of Vercel deployments</strong> are now agent-initiated — non-human actors pushing code to production at scale</li><li><strong>Vercel's Claude Code plugin</strong> harvests all developer prompts and full bash commands across every project, regardless of Vercel relevance — a broad-scope telemetry collection mechanism inside your most trusted dev environment</li><li><strong>Alibaba's Qwen Code v0.14.x</strong> ships with remote control via Telegram, DingTalk, and WeChat plus cron-scheduled task execution — traffic patterns structurally indistinguishable from C2</li><li><strong>Claude Managed Agents</strong> now autonomously read files, run commands, browse the web, and execute code on Anthropic's infrastructure with your data</li></ul><table><thead><tr><th>Agent Capability</th><th>ATT&CK Parallel</th><th>Risk Level</th></tr></thead><tbody><tr><td>Remote control via messaging</td><td>T1102 — Web Service C2</td><td>High</td></tr><tr><td>Scheduled autonomous execution</td><td>T1053 — Scheduled Task/Job</td><td>High</td></tr><tr><td>Terminal access & file inspection</td><td>T1059 — Command Interpreter</td><td>High</td></tr><tr><td>Cross-project data collection</td><td>T1005 — Data from Local System</td><td>High</td></tr></tbody></table><blockquote>Your CI/CD pipeline likely has AI agents with more credential access than your junior developers — and fewer guardrails than your interns.</blockquote><h3>Why This Is Different From Shadow IT</h3><p>Traditional shadow IT involved employees using unauthorized SaaS apps. AI agents are <strong>autonomous actors with delegated credentials</strong> that make decisions, execute code, and interact with production systems. When a Vercel plugin collects all bash commands across every project, that's not an employee using an unapproved tool — it's a <strong>persistent data collection mechanism operating inside your development environment</strong> by design, not by misconfiguration.</p><p>The emergence of dedicated sandboxing tools like <strong>JAI ('Jail your AI agent')</strong> and <strong>IronClaw</strong> (Wasm-sandboxed agent harness isolating credentials from the LLM) confirms the industry recognizes this gap. If the market is building containment products, the containment problem is real.</p>

   Action items

   • Audit all Claude Code plugin installations across development teams this week — specifically check for Vercel plugin — and restrict write access to Claude.md configuration files via CODEOWNERS
   • Deploy network detection rules for Telegram Bot API, DingTalk webhook, and WeChat Work API traffic from developer workstations and CI/CD environments
   • Sandbox all LLM agent code execution environments with explicit package allowlists — treat agent-installed packages as untrusted by default
   • Publish an AI agent acceptable-use policy covering approved frameworks, permitted access scopes, and remote control channel restrictions before end of quarter

   Sources:78% of LLM agents blindly execute malicious code · Autonomous AI agents with remote control channels · That Vercel plugin in your devs' Claude Code is exfiltrating every prompt · 30% of Vercel Deployments Are Now Agent-Initiated

3. 03

   Quantum Cryptography Timeline Compressed to Pre-2030 — Start Your PQC Migration Now

   <h3>The Qubit Threshold Just Collapsed</h3><p>Two independent research tracks published this cycle converge on the same conclusion: the hardware requirements for a <strong>cryptographically relevant quantum computer (CRQC)</strong> capable of breaking RSA and ECC are dropping far faster than anyone's migration plans assumed.</p><p><strong>CalTech/Oratomic/UC</strong> demonstrated neutral-atom array advances that reduce the estimated qubit threshold from <strong>millions down to approximately 10,000</strong>. Separately, <strong>Google Quantum AI</strong> reported major reductions in physical qubits needed to crack 256-bit ECC, though specific counts weren't disclosed. China has commercially deployed the <strong>100-qubit Huanyuan 1</strong> system and demonstrated capabilities publicly at MWC Shanghai.</p><table><thead><tr><th>Research Source</th><th>Finding</th><th>Previous Assumption</th><th>New Estimate</th></tr></thead><tbody><tr><td>CalTech / Oratomic / UC</td><td>Neutral-atom array advances</td><td>Millions of qubits</td><td>~10,000 qubits</td></tr><tr><td>Google Quantum AI</td><td>Physical qubit reduction for ECC</td><td>Impractically large</td><td>"Major reduction"</td></tr></tbody></table><hr><h3>Why This Matters Today, Not in 2030</h3><p><strong>Harvest-now-decrypt-later (HNDL)</strong> means the threat is already active. Any data with a secrecy requirement beyond ~2030 that's currently protected by RSA or ECC should be treated as potentially compromised to future decryption. This is especially acute for:</p><ul><li><strong>Blockchain/cryptocurrency</strong> — 1.7 million BTC (~$102B) sit in quantum-vulnerable pay-to-public-key (p2pk) addresses where public keys are permanently exposed on-chain with no migration path</li><li><strong>Healthcare records</strong> subject to HIPAA's indefinite protection requirements</li><li><strong>Diplomatic and classified communications</strong> with multi-decade secrecy needs</li><li><strong>PKI/TLS infrastructure</strong> where certificate rotation is operationally complex</li></ul><p>Even skeptics place a CRQC at 2029–2035. The critical point: <em>Western PQC migration timelines are being set by adversary capability development, not by our own readiness.</em> NIST-vetted post-quantum algorithms exist (ML-KEM, ML-DSA, SLH-DSA). The question is whether your organization is treating migration as a roadmap item or an active program.</p><blockquote>What was a theoretical two-decade planning horizon has compressed into an active deployment concern. Your cryptographic inventory is the prerequisite — and most organizations haven't started.</blockquote><h3>JPMorgan's Signal</h3><p>JPMorganChase launched a <strong>$1.5 trillion 'Security and Resiliency Initiative'</strong> spanning defense, energy, supply chain, and frontier tech including quantum computing. When the largest U.S. bank names quantum as a strategic security priority alongside defense, that's a market signal. The DOJ separately requested a <strong>285% funding increase ($149M vs. ~$38.7M)</strong> for zero-trust migration across 275,000 endpoints — indicating even federal agencies recognize the urgency of cryptographic modernization.</p>

   Action items

   • Commission a cryptographic asset inventory covering all systems using RSA, ECC, or Diffie-Hellman — prioritize by data longevity and sensitivity — within 90 days
   • Mandate crypto-agility for all new systems and major architecture decisions — the ability to swap cryptographic algorithms without full re-architecture
   • Audit Bitcoin holdings for legacy p2pk address format and migrate to p2pkh or newer address types that don't expose public keys until spend-time
   • Build a phased PQC migration roadmap prioritizing HNDL-vulnerable data stores with >5 year secrecy requirements, then TLS/PKI infrastructure

   Sources:Unpatched Adobe Reader zero-day has been hitting your users since November · 5,219 exposed PLCs in your critical infrastructure supply chain · 1.7M BTC in quantum-vulnerable addresses