Phishers have exploited a vulnerability in Google’s OAuth system to execute a sophisticated attack that lets them send fraudulent emails that appear to originate from Google. The method, known as a DKIM replay phishing attack, allows attackers to pass email authentication checks, presenting a fake email as a legitimate message from Google while directing recipients to a fraudulent login page. In a notable case, Nick Johnson, lead developer of the Ethereum Name Service, received a phishing email that mimicked a legitimate security alert from Google. The email passed DomainKeys Identified Mail (DKIM) authentication, making the scam difficult for users to detect. Security experts from EasyDMARC have detailed the mechanics of the attack, emphasizing that the vulnerability lies in how Google verifies messages. Similar tactics have also been employed against other platforms, such as PayPal, where attackers have used fraudulent confirmation messages to target users.
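As an added, defender-side example that is not taken from the article or from EasyDMARC’s write-up: a small Python check that looks for replay indicators on a message whose DKIM signature passes and aligns with the From: domain (the case DMARC alone will not catch). The sample headers, host names and the `.google.com` delivery-host suffix are constructed assumptions; the output is a triage signal, not proof of a replay.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not from the article): DKIM verifies and aligns with From:,
# so DMARC passes, yet the delivery path and recipient do not fit a direct delivery.
REPLAYED = """\
Delivered-To: victim@example.org
Received: from relay.third-party.example (relay.third-party.example [203.0.113.7])
 by mx.example.org with ESMTPS; Mon, 21 Apr 2025 10:00:00 +0000
Received: from mail-origin.google.com (mail-origin.google.com [198.51.100.9])
 by relay.third-party.example with ESMTPS; Mon, 21 Apr 2025 09:55:00 +0000
Authentication-Results: mx.example.org; dkim=pass header.d=accounts.google.com; spf=fail
From: Google <no-reply@accounts.google.com>
To: someone-else@example.com
"""

# Constructed sample of the same notice delivered by the signer's own hosts.
DIRECT = (REPLAYED.replace("relay.third-party.example", "mail-origin.google.com")
          .replace("spf=fail", "spf=pass").replace("someone-else@example.com", "victim@example.org"))

def org_domain(host: str) -> str:
    # DMARC relaxed-alignment simplification: last two labels, no public-suffix list.
    return ".".join(host.lower().rsplit(".", 2)[-2:])

def replay_indicators(raw: str, signer_hosts=(".google.com",)) -> list[str]:
    """Heuristic replay signals for a DKIM-aligned message; signer_hosts is an assumption."""
    msg = message_from_string(raw, policy=policy.default)
    auth = str(msg.get("Authentication-Results", ""))
    signer = re.search(r"header\.d=([\w.-]+)", auth)
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    if "dkim=pass" not in auth or not signer or org_domain(from_dom) != org_domain(signer.group(1)):
        return []  # not DKIM-aligned: DMARC rejects or quarantines this on its own
    findings = []
    # 1. The host that handed the message to our MX is not the signer's infrastructure.
    hop = re.search(r"from\s+(\S+)", str(msg.get_all("Received", [""])[0]))
    host = hop.group(1).lower() if hop else ""
    if not host.endswith(signer_hosts):
        findings.append(f"aligned DKIM signature, but delivered by third-party host {host!r}")
    # 2. The signed To: header names someone other than the actual recipient.
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    delivered = parseaddr(str(msg.get("Delivered-To", "")))[1].lower()
    if to_addr and delivered and to_addr != delivered:
        findings.append(f"To: {to_addr} differs from Delivered-To: {delivered}")
    # 3. SPF failed while DKIM passed: the DMARC pass rests on the signature alone.
    if re.search(r"spf=(soft)?fail", auth):
        findings.append("SPF failed; DMARC pass carried only by the (possibly replayed) DKIM signature")
    return findings
```

Each indicator can occur legitimately (forwarding, Bcc, mailing lists), so a hit is a reason to inspect the message and its links, not an automatic verdict.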
A recently discovered vulnerability in Gladinet’s CentreStack file-sharing platform has raised alarms within the cybersecurity community. The flaw, identified as CVE-2025-30406, allows remote code execution due to a deserialization issue linked to a hardcoded cryptographic key. Research from Huntress indicates that this vulnerability has already been exploited in at least seven known cases across various organizations. The issue, which affects both CentreStack and its on-premises counterpart, Triofox, stems from the use of default keys that were not altered during deployment, making it easier for attackers to gain control over compromised systems. Huntress discovered 120 CentreStack endpoints among its monitored systems that were vulnerable. Triofox has not yet been actively targeted. Gladinet has since advised customers to upgrade or manually change their keys to mitigate potential threats.
Microsoft has acknowledged a flaw in its Intune device management tool that inadvertently offered Windows 11 upgrades to devices that should have been blocked from receiving the update. The issue, attributed to a latent code error, was detected on April 12th, prompting Microsoft to recommend pausing updates to prevent further complications. In light of this incident, organizations are advised to manually revert any devices that were incorrectly upgraded. This is not an isolated case; a similar issue occurred in November 2024, when users unexpectedly upgraded from Windows Server 2022 to Windows Server 2025 without consent.
Why do we care?
Security awareness training needs updating. Most phishing training assumes bad grammar or unauthenticated domains. These emails are cryptographically legitimate — only context or real-time sandboxing exposes the fraud. Google’s failure to close this loophole also highlights a growing accountability issue: when major platforms get exploited, it’s your customer who pays. Providers must increasingly act as the buffer between platform security shortcomings and end-user exposure, and that buffer role is itself a risk exposure.
CentreStack is a textbook case of secure-by-default failure: using hardcoded keys is an old sin, but it still happens. What’s worse — exploitation was already underway before disclosure. Vendors like Gladinet continue to offload security responsibility to MSPs, hoping partners will catch what insecure defaults expose. The incident reinforces a key trust issue: are your vendors building secure products, or are they relying on you to compensate for design debt?
When rare edge cases add up, they define the new baseline of risk. The assumption that vendors will “get it right by default” is no longer safe — and MSPs are the last line of accountability when that trust fails.

