Microsoft enabled Israeli spy agency's mass surveillance of Palestinians' mobile calls
Cisco's registered web users disclosed in a likely Salesforce breach-related vishing attack, Google confirms customer theft in Salesforce breach-related incident, Broadcom chip flaw exposes millions of Dell laptops to attack, MSFT's Project Ire can ID malware with AI, much more


Metacurity really needs your help
Metacurity has been a labor of love for years, and I’m so grateful for your readership. Your support can help ensure I can continue delivering the carefully curated weekly long-reads and daily digests of the most critical developments in cybersecurity.
If you find value in what Metacurity offers, please consider upgrading to a paid subscription. We also provide corporate subscription options, and soon we’ll be introducing affordable sponsorship opportunities—perfect for promoting your events or products to a highly engaged audience.
To learn more, feel free to reach out at cynthia@metacurity.com.
Thank you so much for being part of the Metacurity community.
If you can't commit to a subscription, please consider donating what you can afford to help keep Metacurity free to all.
An investigation by the Guardian with the Israeli-Palestinian publication +972 Magazine and Hebrew-language outlet Local Call reveals that in 2021, Microsoft struck a deal with Israel’s military surveillance agency Unit 8200 to create a customized and segregated area within Microsoft’s Azure cloud platform that enabled the Israeli spies to build a powerful new Palestinian and Gaza mass surveillance tool.
Armed with Azure’s near-limitless storage capacity, Unit 8200 began building a powerful new mass surveillance tool: a sweeping and intrusive system that collects and stores recordings of millions of mobile phone calls made each day by Palestinians in Gaza and the West Bank.
Meeting at Microsoft’s headquarters near Seattle, a former chicken farm turned high-tech campus, the spymaster, Yossi Sariel, won the support of Microsoft chief executive Satya Nadella for a plan that would grant Unit 8200 access to a customised and segregated area within Microsoft’s Azure cloud platform.
Microsoft claims Nadella was unaware of what kind of data Unit 8200 planned to store in Azure. But a cache of leaked Microsoft documents and interviews with 11 sources from the company and Israeli military intelligence reveal how Azure has been used by Unit 8200 to store this expansive archive of everyday Palestinian communications.
According to three Unit 8200 sources, the cloud-based storage platform has facilitated the preparation of deadly airstrikes and has shaped military operations in Gaza and the West Bank.
Intelligence sources with knowledge of the project said Unit 8200’s leadership turned to Microsoft after concluding it did not have sufficient storage space or computing power on the military’s servers to bear the weight of an entire population’s phone calls.
Several intelligence officers from the unit, which is comparable to the US National Security Agency (NSA) in its surveillance capabilities, said that a mantra emerged internally that captured the project’s scale and ambition: “A million calls an hour.”
The system was built to sit on Microsoft’s servers behind enhanced layers of security developed by the company’s engineers with Unit 8200’s instructions. The leaked Microsoft files suggest that a large proportion of the unit’s sensitive data may now be sitting in the company’s data centers in the Netherlands and Ireland. (Harry Davies and Yuval Abraham / The Guardian)
Related: +972 Magazine, Local Call
Cisco disclosed that cybercriminals stole the basic profile information of users registered on Cisco.com following a voice phishing or vishing attack that targeted a company representative.
After becoming aware of the incident on July 24th, the networking equipment giant discovered that the attacker tricked an employee and gained access to a third-party cloud-based Customer Relationship Management (CRM) system used by Cisco.
This allowed the threat actor to steal the personal and user information of individuals with Cisco.com user accounts, including names, organization names, addresses, Cisco-assigned user IDs, email addresses, phone numbers, and account metadata such as creation dates.
However, the company said that the attacker didn't obtain "organizational customers' confidential or proprietary information, or any passwords or other types of sensitive information." Cisco added that the incident didn't impact its products or services, and no other Cisco CRM system instances were affected.
"Upon learning of the incident, the actor's access to that CRM system instance was immediately terminated, and Cisco commenced an investigation. Cisco has engaged with data protection authorities and notified affected users where required by law," the company said.
Although not yet confirmed, this incident is likely part of an ongoing wave of Salesforce data theft attacks using vishing and social engineering techniques that have been linked to the ShinyHunters extortion group. (Sergiu Gatlan / Bleeping Computer)
Related: Cisco, TechCrunch, Dark Reading, Entrepreneur, Ars Technica, Dataconomy, IT Web
Google confirmed that some customers’ information was stolen in a recent breach of one of its databases.
In a blog post, Google’s Threat Intelligence Group said one of its Salesforce database systems, used to store contact information and related notes for small and medium businesses, was breached by a hacking group popularly known as ShinyHunters, formally designated as UNC6040.
“The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details,” the company said. (Zack Whittaker / TechCrunch)
Related: Google
Researchers with Cisco Talos report that a flaw in the chips used to secure tens of millions of Dell laptops could have given attackers the ability to steal sensitive data as well as maintain access even after a fresh operating system install.
The previously unreported findings, validated by Dell in a June security advisory, affect more than 100 models of Dell laptops and concern Broadcom's BCM5820X chip, a component in the computer that stores passwords, biometric data, and security codes and that handles the fingerprint, smartcard, and near-field communications drivers and firmware.
The vulnerabilities are specific to the BCM5820X chip used by Dell in its ControlVault security firmware and software. The flaw affects laptop models common in the cybersecurity industry and government settings, according to Philippe Laulheret, the senior vulnerability researcher at Cisco Talos who discovered and led the analysis. (AJ Vicens / Reuters)
Related: Cisco Talos, The Record, ComputerWeekly.com, HackRead, Help Net Security, Cyber Security News

Microsoft says it has created an advanced AI system it calls Project Ire that can reverse-engineer and identify malicious software on its own, without human assistance.
The prototype system automatically dissects software files to understand how they work, what they do, and whether they’re dangerous. Human security experts typically perform this kind of deep analysis.
Long-term, Microsoft says it hopes the AI will detect new types of malware directly in computer memory, helping to stop threats faster and on a larger scale.
The system “automates what is considered the gold standard in malware classification: fully reverse engineering a software file without any clues about its origin or purpose,” the company said.
This differs from existing security tools that scan for known threats or match files to existing patterns. It comes as security defenders and hackers engage in an arms race to use emerging AI models and autonomous agents to their advantage. (Todd Bishop / GeekWire)
Related: Microsoft Research, Microsoft Security, Axios, Windows Report, Help Net Security, PCMag, Cyber Security News, WinBuzzer, r/microsoft, Security Week, WebProNews

Nvidia published a blog post reiterating that its chips did not have backdoors or kill switches and appealed to US policymakers to forgo such ideas, saying it would be a "gift" to hackers and hostile actors.
The blog post, which was published in both English and Chinese, comes a week after the Chinese government summoned the US AI chip giant to a meeting, saying it was concerned by a US proposal for advanced chips sold abroad to be equipped with tracking and positioning functions.
The White House and both houses of Congress have proposed requiring US chip firms to include location verification technology in their chips to prevent them from being diverted to countries where US export laws ban sales.
"Embedding backdoors and kill switches into chips would be a gift to hackers and hostile actors. It would undermine global digital infrastructure and fracture trust in US technology," Nvidia said. It had said last week its products have no backdoors that would allow remote access or control. (Liam Mo and Brenda Goh / Reuters)
Related: Nvidia, TipRanks, PC Gamer, VideoCardz.com, Bloomberg, TechPowerUp, Reuters, PCMag, CNBC, Anadolu Ajansı
Federal judge John Mendez struck down a California law restricting AI-generated, deepfake content during elections, among the strictest such measures in the country, notching a win for Elon Musk and his X platform, which challenged the rules.
Mendez also declined to give an opinion on the free speech arguments that were central to the plaintiffs’ case, instead citing Section 230 of the federal Communications Decency Act, which shields online platforms from liability for what third parties post on their sites. “They don’t have anything to do with these videos that the state is objecting to,” Mendez said of sites like X that host deepfakes.
Mendez also said he intended to overrule a second law, which would require labels on digitally altered campaign materials and ads, for violating the First Amendment.
The judge’s decisions deal a blow to California Gov. Gavin Newsom, who signed the laws last year in a rebuke of Musk, vowing to take action after the tech billionaire and then-Donald Trump supporter shared a doctored video of former Vice President Kamala Harris ahead of the election. (Chase DiFeliciantonio / Politico)
Related: Courthouse News Service
Nigerian national Chukwuemeka Victor Amachukwu was arrested in France and extradited to the US on charges that he earned millions from a multinational scheme to hack into tax businesses and use stolen information to file tax returns, obtain loans, and defraud investors.
He was extradited from France on Monday and appeared in a New York District Court, where he now faces hacking, wire fraud, and identity theft charges that could lead to decades-long sentences if he is convicted.
Prosecutors said that starting in 2019, Amachukwu and multiple co-conspirators based in Nigeria hacked into US tax preparation businesses in New York, Texas, and other states using phishing emails.
One incident took place in May 2021, when the men sent a phishing email to an employee of a Manhattan-based tax preparation business, infecting the company with malware.
Once inside, the men allegedly stole the tax information of the business’s customers and used it to take several fraudulent actions.
Court documents say the group stole the identifying information of thousands of people and used it to file fake tax returns at the state and federal levels. The group sought refunds of about $8.4 million and was successful in obtaining about $2.5 million.
The group also allegedly used stolen identities to file fake claims with the Small Business Administration’s Economic Injury Disaster Loan program and successfully obtained $819,000 in fraudulent payouts. (Jonathan Greig / The Record)
Related: Justice Department, Punch, Nigerian Eye, Vanguard News, Nairametrics, Databreaches.net, Prompt News
According to researchers at SecurityScorecard, within hours of June’s 12-day war between Iran and Israel erupting, Iranian state-backed hackers and proxy groups launched phishing campaigns, defaced websites, and claimed to have leaked troves of stolen data tied to the conflict.
Telegram also served as a central hub for recruitment, propaganda, and orchestration of cyberattacks, according to some 250,000 messages exchanged by 178 Iranian proxy and hacktivist groups throughout the war that were analyzed by SecurityScorecard’s STRIKE threat intelligence team.
The analysis, one of the first comprehensive overviews of the cyberwarfare aspects of the nearly two-week-long conflict, found that Iranian operations were launched to intimidate civilians, undermine Israeli morale, and amplify Iran’s wartime narrative. (David DiMolfetta / NextGov/FCW)
Related: Security Scorecard, Security Scorecard, CyberScoop

Meta said that WhatsApp has taken down 6.8 million accounts linked to scammers targeting people around the world in the first half of this year, with many tied to scam centres run by organized criminals in Southeast Asia, who often used forced labour in their operations.
Meta made the announcement as WhatsApp rolled out new anti-scam measures to alert users to potential fraudulent activity, such as a user being added to a group chat by someone not in their contacts list.
The crackdown targets an increasingly common tactic in which criminals hijack WhatsApp accounts or add users to group chats promoting fake investment schemes and other scams.
Meta said WhatsApp "proactively detected and took down accounts before scam centres were able to operationalise them."
In one case, WhatsApp worked with Meta and ChatGPT developer OpenAI to disrupt scams linked to a Cambodian criminal group that offered cash for likes on social media posts to promote a fake rent-a-scooter pyramid scheme.
It said scammers had used ChatGPT to create the instructions issued to potential victims. (Osmond Chia / BBC News)
Related: Meta, The Independent, The Tribune, UNN, TRT Global, Neowin, NewsBytes

Microsoft paid a record $17 million this year to 344 security researchers across 59 countries through its bug bounty program, up from the $16.6 million in bounty awards to 343 security researchers from 55 countries the previous year.
Between July 2024 and June 2025, the researchers submitted a total of 1,469 eligible vulnerability reports, with the highest individual bounty reaching $200,000.
These reports helped resolve more than 1,000 potential security vulnerabilities across various Microsoft products and platforms, including Azure, Microsoft 365, Dynamics 365, Power Platform, Windows, Edge, and Xbox.
"By incentivizing independent researchers to identify vulnerabilities in high-impact areas, including the rapidly evolving field of AI, we're able to stay ahead of emerging threats," Microsoft stated in its annual bounty program review.
"Through Coordinated Vulnerability Disclosure, these researchers play a critical role in reinforcing the trust that millions of users place in Microsoft technologies every day."
The company has also expanded several bounty programs this year, such as Copilot AI, Defender products, and various identity management systems.
For instance, the Copilot bounty program now includes traditional online service vulnerabilities, the Dynamics 365 and Power Platform programs introduced a new AI category, and the Windows program has added awards for remote denial-of-service attacks and local sandbox escape scenarios. (Sergiu Gatlan / Bleeping Computer)
Related: Microsoft Security

Researchers at Recorded Future found new infrastructure believed to be used by the spyware manufacturer Candiru to attack computers with its Windows spyware, known as DevilsTongue.
Their research revealed eight distinct operational clusters linked to the spyware, which is tracked as DevilsTongue. Five of them are highly likely to be active, including clusters tied to Hungary and Saudi Arabia.
The researchers also found another tied to Indonesia that appeared to be active until November 2024.
They were unable to determine if two additional clusters associated with Azerbaijan remain active, the report said. (Suzanne Smalley / The Record)
Related: Recorded Future, Recorded Future

Kidney dialysis company DaVita confirmed it notified 915,952 people of an April 2025 data breach that compromised a wide range of their personally identifiable data.
The attack disrupted internal operations at DaVita, which told Comparitech at the time that it was aware of the ransom demand and was conducting an investigation.
Ransomware gang Interlock took credit for the breach on April 25, saying it stole 1.5 TB of data from DaVita. To prove its claim, Interlock posted images of what it says are documents stolen from DaVita.
DaVita has not verified Interlock’s claim. (Paul Bischoff / Comparitech)
Related: DaVita Data Breach Notification, The Record, Tom's Guide
Canada's privacy commissioner has opened an investigation into a cyberattack on WestJet, which saw a "malicious actor" gain access to the airline's systems.
The airline said in a statement last month that a "sophisticated, criminal" third party was able to access some personal and travel-related data in June.
WestJet said the safety of its airline operations was never under threat.
A statement from the office of Privacy Commissioner of Canada Philippe Dufresne says the investigation will look into the security safeguards that WestJet had in place at the time of the breach and the adequacy of its notifications to affected individuals. (Canadian Press)
Related: CTV News, Coast Reporter, Mobile Reporter, BNN Bloomberg, CityNews Kitchener
Pandora, the global jewellery brand, confirmed that it suffered a cyber attack that allowed unauthorised access to certain customer data.
The company informed customers directly via email, explaining that the breach occurred through a third-party platform it uses, not its core internal systems.
While no financial or highly sensitive information was compromised, the breach still affected personal data, including names, phone numbers, and email addresses. Pandora reassured customers that the attack has been contained and that its security systems have since been reinforced.
The company made it clear that passwords, credit card details, and similar information were not part of the breach. Still, cybersecurity experts warn that even limited personal data can be used as a gateway for more targeted scams. (Waqas / HackRead)
Related: Bleeping Computer, Forbes, Dark Reading, The420, City AM, Cyber Insider
PBS suffered a data breach exposing the corporate contact information of its employees and those of its affiliates, with a file circulated on Discord servers allegedly containing this information.
This data was not distributed on dark web sites, hacking forums, or other mediums frequented by threat actors. Instead, it was being shared on Discord servers for fans of "PBS Kids," where young adults, teenagers, and younger kids can talk about the favorite shows they grew up watching.
"The young adults, teenagers, and kids sharing it seem to be doing it more out of a sense of novelty, rebellious curiosity, or simply to gain a bit of notoriety within their peer groups," BleepingComputer was told. "That being said, the potential for misuse is obviously there."
BleepingComputer obtained the file and can confirm it includes the corporate contact information for 3,997 PBS employees and affiliates.
Each record in the JSON file contains an employee's name, corporate email, title, timezone, department, location, job functions, hobbies, and their supervisor's name.
After BleepingComputer contacted PBS about the breach, the company confirmed that the data was stolen from an internal service used by public television employees. (Lawrence Abrams / Bleeping Computer)
A ransomware attack hit Manassas Park City Schools (MPCS) in Virginia, and school officials revealed that private data may be compromised.
Hackers gained access to the network on June 12 at the latest, according to an internal MPCS investigation, and deployed ransomware to encrypt portions of the network. Network access was terminated when it was detected on June 14.
The outside agents may have gained the full names, Social Security numbers, passport numbers, or financial account information of individuals associated with the school, according to school staff.
Individuals with a relationship to the school are encouraged to review bank account statements and monitor credit reports for suspicious activity.
In response, MPCS has implemented additional security to prevent future incidents, including hiring a service provider to monitor cybersecurity systems, reviewing system architecture, and implementing "stronger" policies. (Katie Bourque / WJLA)
Related: Manassas Park City Schools, WUSA
The financial information and academic performance of Columbia University students and alums were stolen in a recent breach.
The data includes bank account and routing numbers, student loan and scholarship disbursements, standardized test scores, grade-point averages, class schedules, home addresses, and other contact information, a Bloomberg review of 53.6 gigabytes of the stolen files shows.
Nine current and former students who began attending Columbia undergraduate and graduate programs as early as the 1990s confirmed the accuracy of their data in the files. (Cameron Fozi / Bloomberg)
Related: WebProNews
Microsoft will offer up to $5 million in bounty awards at this year's Zero Day Quest hacking contest, which the company describes as the "largest hacking event in history."
Last year's Zero Day Quest also generated significant participation from the security community, following Microsoft's offer of $4 million in rewards for vulnerabilities in cloud and AI products and platforms. After the November hacking competition concluded, Microsoft announced that it had paid $1.6 million, having received more than 600 vulnerability submissions.
For this year's competition, Redmond has increased the prize pool to $5 million, with a focus on addressing security issues in cloud computing and artificial intelligence.
Between August 4 and October 4, 2025, Microsoft will accept submissions as part of a research challenge open to all security researchers, with participants also eligible for multiplied bounty payouts for reporting critical vulnerabilities.
The contest is part of Microsoft's Secure Future Initiative (SFI), a cybersecurity engineering effort launched in November 2023, following a report from the Cyber Safety Review Board of the US Department of Homeland Security, which stated that the company's security culture was "inadequate and requires an overhaul." (Sergiu Gatlan / Bleeping Computer)
Related: Microsoft, Security Week, Security Affairs
The Australian Ministry of Defence (MoD) has recruited cybersecurity group Castlepoint Systems to prevent data leaks through its AI data control technology.
The Canberra-based firm has been tasked with strengthening the department’s data protection to avoid harmful leaks, such as the 2022 Afghan data breach that saw the details of nearly 19,000 individuals mistakenly sent outside secure channels.
Castlepoint will provide AI data labelling services to automatically identify sensitive information and apply the correct security classifications to it.
This also extends to legacy records that may contain missing or outdated labels in a process called retrospective classification. (Oscar Hornstein / UKTN)
Related: TechEU, Computer Weekly, Silicon Canals
SK Telecom, South Korea’s largest mobile carrier, reported that its second-quarter profits plummeted after a significant data security breach triggered widespread customer defections and costly compensation expenses, weighing heavily on its primary wireless business.
For the April-June period, operating profit fell 37.1 percent from a year earlier to 338.3 billion won ($244 million), missing analysts’ expectations. Net income plunged 76 percent to 83.2 billion won, while revenue dropped 1.9 percent to 4.34 trillion won, the company said in a regulatory filing. Compared to the previous quarter, operating profit and net income were down 40.4 percent and 77 percent, respectively. (Ahn Sung-mi / The Korea Herald)
Related: RTT News, TelecomLead, The Investor, TipRanks, Tripura Times, Maeil Business Newspaper, Yonhap News Agency
Former CISA director Jen Easterly is joining the advisory board at cybersecurity company Huntress, marking the first private sector role for Easterly since she left government and her first job announcement since West Point rescinded her teaching job offer last week following far-right pressure.
"It was disappointing given my association with West Point — I was a cadet there, I was a professor there for two and a half years — and I was excited about the opportunity to go back and be part of the department where I'd spent so much time," Easterly said. (Sam Sabin / Axios)
Related: Globe Newswire
SentinelOne is acquiring Prompt Security, a pioneer in securing AI in runtime, preventing AI-related data leakage, and protecting intelligent agents, in a deal valued at approximately $250 million.
SentinelOne said that by adding Prompt Security’s capabilities, it can give CISOs and IT leaders the control they need to enable safe AI adoption at scale, while unlocking a new frontier of growth and platform expansion for SentinelOne and its partners. (Sophie Shulman / CTech and Business Wire)
Related: SentinelOne, SentinelOne, Globes, Silicon Angle, Techzine, CRN, TipRanks
Best Thing of the Day: Being Conservation Conscious by Reusing Patient Records
An unnamed major private hospital in Thailand has been fined 1.2 million baht (around $37,000) after paper patient records were found being used as snack bags.
Worst Thing of the Day: How Is Ransomware Not Like Lightning?
One in three Australian organisations affected by ransomware have been hit multiple times in the last 12 months.
Bonus Worst Thing of the Day: Make Sure You Have a Cloud Backup to Your Cloud Backup
Open source developer Abdelkader Boudih, pen name Seuros, says that after 10 years of paying fees to AWS, the cloud giant just up and deleted his account and all its data with no warning, no grace period, or anything.
Closing Thought
