Daily Signal Note: Trust Surfaces | Consent Without Verification
CybersecurityHQ | CISO Cyber Briefing Note

Welcome reader, here’s today’s Cyber Briefing Note.
CybersecurityHQ provides analyst-grade cyber intelligence used by CISOs and security leaders inside the Fortune 100. Each briefing identifies structural security failures and decision breakdowns across identity, machine trust, third-party access, and enterprise attack surfaces. This work exists to inform executive judgment, not to react to headlines.
Signal 1: FCC Covered List Expansion
The FCC added all foreign-manufactured drones and UAS critical components to the Covered List, blocking new FCC equipment authorizations. The action follows a December 21 national security determination by a White House interagency body. Existing authorizations and previously purchased devices remain unaffected. DJI, Autel, and all foreign drone manufacturers are now blocked from future U.S. market entry. DoD or DHS may grant specific exemptions.
Signal 2: OAuth Device Code Phishing Surge
Proofpoint reported widespread abuse of Microsoft's OAuth 2.0 device authorization grant flow since September 2025. State-aligned group UNK_AcademicFlare and financially motivated actor TA2723 are using SquarePhish2 and Graphish toolkits to trick users into entering device codes on legitimate Microsoft login pages. Successful code entry grants attackers valid M365 access tokens. The technique bypasses MFA and persists until tokens expire or are revoked.
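Added example, not from Proofpoint or this briefing: a triage pass that picks successful device-code sign-ins out of sign-in records and lists the users whose tokens need revoking. The field names are modeled on Entra ID sign-in logs (an assumption); the allow-list, baseline date and all sample records are constructed.

```python
# Added example: triage of device-code sign-ins. Not from the briefing or any vendor.
# Field names are modeled on Entra ID sign-in log records (an assumption); every
# record below is constructed sample data.
EXPECTED_APPS = {"Contoso Kiosk Display"}   # hypothetical allow-list of device-code clients
BASELINE_END = "2025-12-15T00:00:00Z"       # hypothetical end of the baseline window

SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-12-01T08:00:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "none", "errorCode": 0},
    {"createdDateTime": "2025-12-02T07:30:00Z", "userPrincipalName": "kiosk@example.com",
     "appDisplayName": "Contoso Kiosk Display", "authenticationProtocol": "deviceCode", "errorCode": 0},
    {"createdDateTime": "2025-12-20T07:31:00Z", "userPrincipalName": "kiosk@example.com",
     "appDisplayName": "Contoso Kiosk Display", "authenticationProtocol": "deviceCode", "errorCode": 0},
    {"createdDateTime": "2025-12-21T09:14:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "errorCode": 0},
    {"createdDateTime": "2025-12-21T09:20:00Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "errorCode": 1},
]

def flag_device_code_signins(signins, expected_apps=EXPECTED_APPS, baseline_end=BASELINE_END):
    """Return successful post-baseline device-code sign-ins that need review."""
    # Timestamps share one ISO-8601 UTC format, so string comparison is chronological.
    history = {(s["userPrincipalName"], s["appDisplayName"]) for s in signins
               if s["authenticationProtocol"] == "deviceCode"
               and s["errorCode"] == 0 and s["createdDateTime"] < baseline_end}
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["createdDateTime"] < baseline_end:
            continue
        if s["errorCode"] != 0:      # constructed nonzero code = failure; no token issued
            continue
        reasons = []
        if s["appDisplayName"] not in expected_apps:
            reasons.append("client not on device-code allow-list")
        if (s["userPrincipalName"], s["appDisplayName"]) not in history:
            reasons.append("no device-code history for this user and client")
        if reasons:
            findings.append({"user": s["userPrincipalName"], "app": s["appDisplayName"],
                             "time": s["createdDateTime"], "reasons": reasons})
    return findings

def users_needing_token_revocation(findings):
    """Tokens stay valid until expiry or revocation, so list each flagged user once."""
    return sorted({f["user"] for f in findings})

if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f["time"], f["user"], f["app"], "; ".join(f["reasons"]))
```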
Signal 3: Malicious npm WhatsApp API Package
Koi Security disclosed that the npm package "lotusbail", with 56,000+ downloads, contains hidden data exfiltration and account hijacking capabilities. The package is a functional fork of the legitimate @whiskeysockets/baileys library. It captures WhatsApp authentication tokens, intercepts all messages, and links the attacker's device to the victim's account via a hardcoded pairing code. The package has been live for six months and includes 27 anti-debugging traps.
Signal 4: Denmark Attributes Water Utility Attack to Russia
Denmark's Defence Intelligence Service publicly attributed a 2024 cyberattack on Tureby Alkestrup Waterworks to pro-Russian group Z-Pentest. The attack altered water pressure, burst three pipes, and disrupted service to 500 households. DDIS also attributed November 2025 DDoS attacks on Danish election websites to NoName057(16). Both groups are assessed as instruments of Russian state hybrid operations.
Author
Daniel Michan is the founder of CybersecurityHQ, a CISO-grade intelligence platform read weekly across the Fortune 100. He analyzes identity-centric risk, machine identity failures, SaaS integration breakdowns, and emerging AI-speed threats, producing executive briefings and deep-dive research used by enterprise security leaders for decision support.