AI Security Weekly Mid-Week Intelligence Update

July 23, 2025

Pulse Check:

Escalating: The exploitation of a new SharePoint zero-day vulnerability is spreading across government and enterprise networks.

Trending: EU finalizes a voluntary Code of Practice that previews enforcement priorities under the AI Act.

Progress: Ransomware groups are fracturing and rebranding, creating an opportunity to harden defenses before new affiliate models stabilize.

Active Threats

Critical SharePoint Zero-Day Under Active Exploitation: Chinese-linked attackers are bypassing current mitigations and weaponizing an unpatched SharePoint flaw against hundreds of organizations. Microsoft has issued temporary guidance; a comprehensive fix is due “within days.”

Status: Spreading – patch as soon as the security update ships.

Immediate Action:

  1. Disable external access to vulnerable SharePoint instances.

  2. Enable advanced logging and hunt for anomalous w3wp.exe behaviour.

  3. Prepare emergency maintenance windows for rapid patch deployment. The Hacker News
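One way to carry out the second step (hunting for anomalous w3wp.exe behaviour) is to run process-creation telemetry through a small filter that flags the IIS worker process spawning command interpreters or encoded PowerShell. The script below is an added example and is not from the newsletter or from Microsoft's guidance; the one-event-per-line `key=value` log format, the field names, and the sample events are constructed for illustration, and the suspicious-child list is an assumption to be tuned against your own baseline (for instance, w3wp.exe launching csc.exe during ASP.NET compilation is routine and is deliberately not flagged).

```python
"""Flag anomalous w3wp.exe child processes in process-creation events.

Added example, not from the original page. Assumes telemetry has been exported
as one event per line in a constructed key=value format:
  ts=<iso8601> pid=<n> image=<path> parent=<path> cmd="<command line>"
Windows Security event 4688 and Sysmon event 1 carry the same information
under different field names; map them to these keys before feeding the parser.
"""
import re
from dataclasses import dataclass

# Interpreters and LOLBins an IIS worker process has no routine reason to spawn
# (assumed list; tune against a baseline of your own SharePoint farm).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
    "whoami.exe", "net.exe", "rundll32.exe",
}

# Command-line fragments that commonly accompany web-shell-driven execution.
SUSPICIOUS_CMD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"-enc(odedcommand)?\s",      # encoded PowerShell
    r"invoke-expression|\biex\b",  # in-memory execution
    r"downloadstring",            # remote payload fetch
)]

# key=value pairs; the value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class ProcEvent:
    ts: str
    pid: int
    image: str
    parent: str
    cmd: str


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed key=value event line into a ProcEvent."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return ProcEvent(
        ts=fields["ts"],
        pid=int(fields["pid"]),
        image=fields["image"],
        parent=fields["parent"],
        cmd=fields.get("cmd", ""),
    )


def assess(ev: ProcEvent) -> list:
    """Return the reasons an event is anomalous; empty list means benign."""
    reasons = []
    if basename(ev.parent) != "w3wp.exe":
        return reasons  # only interested in the IIS worker process as parent
    child = basename(ev.image)
    if child in SUSPICIOUS_CHILDREN:
        reasons.append(f"w3wp.exe spawned {child}")
    for pat in SUSPICIOUS_CMD_PATTERNS:
        if pat.search(ev.cmd):
            reasons.append(f"command line matches /{pat.pattern}/")
    return reasons


def hunt(lines) -> list:
    """Parse every non-empty line and return [(event, reasons)] for hits."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_line(line)
        reasons = assess(ev)
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed sample telemetry: two benign events and two that should fire.
SAMPLE_EVENTS = r"""
ts=2025-07-23T10:14:58Z pid=4098 image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe parent=C:\Windows\System32\inetsrv\w3wp.exe cmd="csc.exe /noconfig /fullpaths @App_Web.cmdline"
ts=2025-07-23T10:15:02Z pid=4120 image=C:\Windows\System32\cmd.exe parent=C:\Windows\System32\inetsrv\w3wp.exe cmd="cmd.exe /c whoami"
ts=2025-07-23T10:15:09Z pid=4133 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\System32\inetsrv\w3wp.exe cmd="powershell.exe -nop -w hidden -enc QQBCAEMA"
ts=2025-07-23T10:16:40Z pid=4201 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\explorer.exe cmd="powershell.exe -File C:\Scripts\inventory.ps1"
""".splitlines()


if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(f"{ev.ts} pid={ev.pid} {basename(ev.image)}: {'; '.join(reasons)}")
```

Point the script at an export of your 4688 or Sysmon events (mapped to the constructed keys) and review every hit against the change and deployment history for the affected server; a w3wp.exe child of cmd.exe or encoded PowerShell with no corresponding admin activity is a strong lead for the incident-response team, while csc.exe and other build-time children remain part of the normal baseline.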

Nine-Month Military Breach by “Salt Typhoon”: A Chinese APT maintained covert access to a U.S. Army National Guard network, exfiltrating identity and operational data that could accelerate future attacks on defense and critical-infrastructure partners.

Status: Contained – investigation continuing.

Immediate Action:

  1. Review privileged-account hygiene and enforce strict MFA on all VPN and internal admin portals.

  2. Validate zero-trust segmentation rules around identity stores.

  3. Initiate tabletop exercise on long-dwell adversary scenarios. FireCompass

Mid-Week Updates

AI & Policy

EU Code of Practice for General-Purpose AI Models. Brussels has published the final voluntary code, which describes transparency, copyright, and security expectations for model providers ahead of the formal enforcement of the AI Act. Early movers can shape supervisory relationships and reduce audit friction.

Security Angle: Treat the code as a de facto baseline for model risk disclosures and red team requirements. WSGR

Industry Movement

CISOs Rank AI-Driven Attacks as Top Risk. In a new CIO Dive survey, 68% of enterprise security leaders placed AI-enabled threat campaigns above vulnerability management and data loss concerns.

Implication: Budget allocations are shifting toward model-risk tooling, adversarial testing, and automated response. CIO Dive

Technology Update

Ransomware Ecosystem in Flux: Operators are folding or rebranding while rolling out AI-powered negotiation bots and victim-profiling engines. Short-lived brands make attribution more challenging, but they often operate from patchy playbooks that blue teams can disrupt.

MSP Relevance: Strengthen client incident-response retainers now; new affiliates may target less-mature environments during the transition. FireCompass

Quick Hits

  • Ransomware attacks on education rose 23% year-over-year. Review backup immutability before the start of the new term. K-12 Dive

  • China-linked hackers are targeting African IT infrastructure to stage future supply-chain operations. The Hacker News

  • CISA issued an emergency directive forcing federal agencies to apply forthcoming SharePoint patches within 48 hours of release. Directive

Upcoming Events

Date | Event | Why It Matters

July 25 | SANS Webinar – Ransomware in 2025 | Latest TTPs and DFIR lessons for blue teams.

July 29 | MITRE Webinar – Securing the AI Lifecycle | Practical controls for model integrity and data-poisoning defenses.

Aug 1 | AI Security Summit – Navigating Policy, Standards, and Threats | Road-map for complying with the EU AI Act and forthcoming U.S. rule-making.

Register links: SANS | MITRE | AI Security Summit

Mid-Week Focus

Prepare for out-of-cycle SharePoint patching over the next 72 hours. Confirm emergency communication channels, pre-approve downtime windows, and verify rollback plans. Organisations that patch by close of business Friday will eliminate the most active threat vector before the weekend.

Subscribe to AI Security Weekly for actionable intelligence every Monday, Wednesday, and Friday.

#CyberSecurity #Ransomware #CISOInsights #IncidentResponse #ThreatIntelligence