Weekly Cyber Briefing 09.12.2025

Weekly Cyber Update: 09 December 2025

GhostFrame phishing kit linked to one million stealth attacks; Microsoft closes long-abused .LNK security loophole

The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our Head of Incident Response, Oliver Burnand.


GhostFrame phishing kit linked to one million stealth attacks

A newly discovered phishing toolkit called GhostFrame has already been linked to more than one million attacks, according to cybersecurity firm Barracuda Networks. Unlike most phishing tools, GhostFrame hides its malicious activity in a seemingly harmless webpage. While the visible HTML appears legitimate, it secretly loads a phishing page inside an embedded iFrame. This stealthy design makes it far more challenging for conventional security systems to spot.

GhostFrame’s attack method is modular and adaptable: it generates a unique subdomain for each visitor, dynamically swaps phishing content, and embeds login page clones within image-streaming components to evade detection. Emails used in these campaigns impersonate business or HR messages, with subjects such as ‘Invoice Attached’ or ‘Password Reset Request’, to trick recipients into clicking malicious links.

Assured’s head of incident response reacts:

In full-page iFrame overlay attacks, an attacker creates a fake login page (e.g., for Microsoft 365 or a bank portal) and embeds an iFrame to a real login page within the fake page’s HTML. When the victim enters their username and password, they are actually entering their credentials to the real site via the iFrame.

The attacker then uses JavaScript to intercept the POST request from the user’s browser and monitor successful logins, allowing them to steal credentials. I should clarify that JavaScript on the malicious page cannot directly read what the user types into the iFrame, because this will very likely be blocked by the browser’s Same-Origin Policy. The attacks have moved beyond pure client-side tactics and now use server-side reverse proxies and overlay keyloggers, making them difficult to block with traditional email gateways.

The visible link and the iFrame both point to a real domain, so the pages appear legitimate to most email gateways. Breaking down the layers of email defence:

Security layer | Typical detection rate for advanced iFrame phishing
Secure Email Gateways (Proofpoint, Mimecast, Microsoft Defender for Office 365, etc.) | 20–50% at best for sophisticated kits
URL sandboxing / detonation | Often fails: the sandbox sees the real Microsoft/Google login page and marks it safe
Browser built-in phishing protection (Safe Browsing, SmartScreen) | Usually fails: again, the iFrame loads the real domain
Result | Most of these attacks reach the inbox and are opened


Some statistics from publicly available data over the past 18 months:

  • Proofpoint’s 2024 report: “Transparent proxy” and iFrame-based attacks bypassed most email filters in >70% of tested campaigns.
  • Microsoft Digital Defence Report 2024: Credential phishing using legitimate domains (mostly via iFrames or reverse proxies) was the #1 successful technique.
  • Large red-team engagements (2024–2025): Advanced iFrame kits routinely achieve 80–95% inbox delivery and 30–60% credential-capture rates.

Effective defence against these attacks relies upon:

  • For web developers: preventing legitimate sites from being iFramed in the first place – by setting X-Frame-Options: DENY, CSP frame-ancestors ‘none’.
  • For cybersecurity teams:
    • Implement browser-native threat detection operating directly in the browser to identify and block identity-based attacks, including sophisticated iFrame phishing techniques. If you’re interested in exploring these solutions, get in touch.
    • Implement an email security solution that uses behavioural AI to analyse the full context of emails and user interactions. Speak to us for recommendations if you would be interested in exploring these solutions.
    • Train users to check the domain in the address bar.
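As an added example (not code from the briefing or from Assured), the following Python audits the two headers recommended above for web developers and shows the header set a login page should send. It encodes the precedence current browsers apply: a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options when both are present, X-Frame-Options ALLOW-FROM was never standardised and is ignored, conflicting X-Frame-Options values are treated as DENY, and a Report-Only policy enforces nothing. Note the limit of this control: it only helps where a kit frames the genuine login page, as the reaction above describes; a kit that frames its own clone, as the GhostFrame summary describes, is unaffected, which is why the headers are one layer rather than the whole defence. The header sets at the bottom are constructed for illustration and the hostnames in them are placeholders.

```python
"""Framing-protection audit (added example; not from the briefing or Assured).

framing_policy() classifies who may embed a page in an iFrame from its response
headers, following the rules current browsers apply.  check_url() fetches a
live site's headers and runs the same check; the self-test does not call it,
so the module runs offline.
"""
from __future__ import annotations
import urllib.request


def frame_ancestors(csp: str) -> list[str] | None:
    """Source list of the CSP frame-ancestors directive, or None if it is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_policy(headers: dict[str, str]) -> str:
    """Return 'blocked', 'same-origin', 'allow-list' or 'unprotected'."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    # CSP frame-ancestors takes precedence over X-Frame-Options when both are set.
    # Content-Security-Policy-Report-Only is deliberately ignored: it only reports.
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if sources in ([], ["none"]):  # an empty source list is equivalent to 'none'
            return "blocked"
        if sources == ["self"]:
            return "same-origin"
        return "allow-list"

    # X-Frame-Options: DENY / SAMEORIGIN.  ALLOW-FROM is obsolete and ignored by
    # modern browsers, so it leaves the page frameable.  Conflicting values
    # (e.g. "DENY, SAMEORIGIN") are treated as DENY by the HTML specification.
    values = {v.strip().upper() for v in h.get("x-frame-options", "").split(",") if v.strip()}
    if len(values) > 1 or values == {"DENY"}:
        return "blocked"
    if values == {"SAMEORIGIN"}:
        return "same-origin"
    return "unprotected"


# Header set a login page should send.  Both are kept: older user agents only
# understand X-Frame-Options, current ones prefer the CSP directive.
HARDENED_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def check_url(url: str) -> str:
    """Fetch a live URL (network access required) and classify its framing policy."""
    with urllib.request.urlopen(url) as resp:
        return framing_policy(dict(resp.headers))


if __name__ == "__main__":
    # Constructed header sets; the hostnames are placeholders.
    samples = {
        "no headers at all": {},
        "XFO DENY": {"X-Frame-Options": "DENY"},
        "obsolete ALLOW-FROM": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
        "CSP overrides weaker XFO": {
            "X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        },
        "report-only does not enforce": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
        "hardened set": HARDENED_HEADERS,
    }
    for label, hdrs in samples.items():
        print(f"{label:30} -> {framing_policy(hdrs)}")
```

Run it against your own login endpoints with check_url() and treat anything other than 'blocked' (or 'same-origin', if the page is legitimately framed by the same site) as a finding; a page that returns only ALLOW-FROM or a Report-Only policy is as frameable as one with no header at all.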

Microsoft closes long-abused .LNK security loophole

Microsoft has patched a long-standing security flaw in Windows involving shortcut (.LNK) files (tracked as CVE-2025-9491). The flaw allowed malicious shortcut files to disguise harmful commands by padding them with whitespace, meaning users viewing the file’s properties would see nothing suspicious, even though hidden instructions could execute when the shortcut was opened.

This vulnerability has been abused since at least 2017 by multiple state-sponsored hacking groups and cybercrime actors in espionage, malware and data-theft campaigns worldwide. Microsoft’s November 2025 Patch Tuesday update included a silent fix: the Windows properties dialogue now shows the full command string, stripping away the attackers’ ability to conceal malicious code in .LNK files.

Assured’s head of incident response reacts:

One of the fundamental trade-offs in cybersecurity has always been between usability and security: generally, the more user-friendly a computer system is, the more complex the code required to deliver that experience is, and the larger the potential attack surface becomes.

.LNK files are Windows shortcut files, small binary files designed to simplify the process of traversing through file directories. For something in principle so simple, these files can actually end up containing a lot of information:

  • The full path to the real target (e.g., C:\Program Files\Mozilla Firefox\firefox.exe)
  • Working directory (where the program starts)
  • Command-line arguments (e.g., firefox.exe -private-window)
  • Icon location (so the shortcut can show the correct icon)
  • Hotkey (e.g., Ctrl+Alt+F)
  • Window state (normal, minimised, maximised)
  • Relative or absolute paths
  • Network paths (\\server\share\file.doc)
  • Even references to printers or control panel items

This naturally creates numerous attack vectors for threat actors to exploit. .LNK files have been known to launch malware and automatically parse and process unintended files quietly. The famous Stuxnet malware was distributed via infected .LNK files on USB drives, allowing Windows to execute the worm simply by viewing the USB drive in Explorer.

CVE-2025-9491 is a high-severity vulnerability recently discovered in Windows machines involving the handling of LNK files. It enables a User Interface (UI) Misrepresentation of Critical Information (CWE-451), allowing attackers to hide malicious command-line arguments within shortcuts. On vulnerable machines, when a user inspects a file’s properties in the Windows UI, the Target field may be padded with whitespace or non-printing characters. However, when the user clicks the shortcut, the full hidden payload still runs, leading to remote code execution in the user’s context.
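To show what the fields listed above look like on disk, and how the padding trick hides inside the arguments field, here is an added example in Python; it is not code from the briefing, from Microsoft, or from any named malware sample. It follows the public MS-SHLLINK layout: a 76-byte ShellLinkHeader, optional LinkTargetIDList and LinkInfo blocks, then the StringData fields (name, relative path, working directory, command-line arguments, icon location) in that order. build_lnk() constructs a minimal shortcut in memory, parse_lnk() reads one back, and assess() flags arguments padded with the whitespace characters that the unpatched Properties dialog would push out of view, together with the hidden-window ShowCommand value. The shortcuts and their arguments are constructed for illustration, and the threshold of four leading padding characters is an assumption, not a Microsoft or vendor figure.

```python
"""Minimal .LNK (Shell Link) parser and padding detector.

Added example, not code from the briefing, Microsoft or any malware sample.
Field layout follows the public MS-SHLLINK specification.
"""
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SW_SHOWMINNOACTIVE = 7                 # ShowCommand value that keeps the window out of sight
PADDING_CHARS = " \t\n\x0b\x0c\r"      # whitespace the old Properties dialog hid from view
PADDING_THRESHOLD = 4                  # assumption: more leading padding than this is suspicious


def build_lnk(relative_path, working_dir, arguments, show_command=1):
    """Construct a minimal .LNK with StringData only (no IDList, no LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 x FILETIME, FileSize,
    # IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3 = 76 bytes
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(s):  # CountCharacters (2 bytes) + UTF-16LE chars, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(working_dir) + string_data(arguments)


def parse_lnk(data):
    """Return the StringData fields and ShowCommand of a Shell Link blob."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    show_command = struct.unpack_from("<I", data, 60)[0]

    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize excludes its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]

    fields = {"show_command": show_command}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def assess(fields):
    """Flag arguments hidden behind leading whitespace or other control characters."""
    args = fields.get("arguments", "")
    real = args.lstrip(PADDING_CHARS)
    padding = len(args) - len(real)
    controls = sum(1 for c in args if ord(c) < 0x20 and c not in PADDING_CHARS)
    return {
        "padding_chars": padding,
        "real_arguments": real,
        "hidden_window": fields.get("show_command") == SW_SHOWMINNOACTIVE,
        "suspicious": padding > PADDING_THRESHOLD or controls > 0,
    }


if __name__ == "__main__":
    # Constructed samples; the padded argument is a placeholder, not a real command.
    benign = build_lnk(r"..\..\Program Files\Mozilla Firefox\firefox.exe",
                       r"C:\Program Files\Mozilla Firefox", "-private-window")
    padded = build_lnk(r"..\..\Windows\System32\cmd.exe", r"C:\Windows\System32",
                       " " * 400 + "/c <hidden command placeholder>", show_command=SW_SHOWMINNOACTIVE)
    for label, blob in (("benign", benign), ("padded", padded)):
        parsed = parse_lnk(blob)
        print(label, parsed["relative_path"], assess(parsed))
```

Pointed at real files (open them in binary mode and pass the bytes to parse_lnk), this gives a hunt for the technique independent of the patch: a shortcut whose arguments begin with hundreds of spaces, or that pairs padding with a minimised window, has no legitimate reason to exist. The parser stops at the StringData section, so the ExtraData blocks that follow it are ignored.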

Microsoft has since patched this vulnerability in a recent Patch Tuesday update, so no remediation is required beyond ensuring all Windows machines are up to date. You can see their handiwork by right-clicking any file on your desktop, navigating to Properties, and viewing the full file location under ‘location:’. Realistically, any modern endpoint security solution worth its salt would prevent the running of malicious code after clicking on an infected shortcut file. But these vulnerabilities are a reminder that the most sophisticated threat actors will turn over every stone and combine multiple seemingly insignificant vulnerabilities across systems to carry out their attacks.

The exploitation of this vulnerability required no real technical sophistication; it bypassed traditional signature-based AV and worked on fully patched systems before November 2025. Some concrete hardening controls to consider that would have directly mitigated or stopped this specific vulnerability, without waiting for a Microsoft patch, are:

Hardening measure | Effect on CVE-2025-9491
AppLocker / WDAC in enforce mode (block cmd.exe, powershell.exe, regsvr32.exe, rundll32.exe from %USERPROFILE% and %TEMP%) | Blocks 95%+ of observed exploit chains that drop and run from user-writable folders
Attack Surface Reduction (ASR) rules: block executable content from email client and webmail; block Office apps from creating child processes; block Win32 API calls from Office macros | Stops common delivery vectors (email, browser downloads) and common next-stage payloads
Remove “Hide extensions for known file types” (GPO) + educate on .lnk | Makes it harder to disguise .lnk files as .docx.lnk or similar
Disable or heavily restrict PowerShell v2 | Many samples still use PowerShell 2 for compatibility; removing it breaks them
Enable “Show hidden files” and “Show file extensions” via GPO | Users see the real .lnk extension instead of an innocent-looking icon
Microsoft Defender SmartScreen + MotW propagation | Adds friction and warning prompts even if the file is opened
Block execution of files with Mark-of-the-Web from network shares/USB (Device Guard) | Stops lateral movement variants
Third-party tools like 0patch or custom LNK parsers | Can block the exact UI spoofing technique even on unpatched systems

