What to look out for today
1) Supplier/contractor credential leaks becoming scam fuel: reporting suggests a major government agency is still trying to contain a leak in which cloud access keys and sensitive data were posted to a public code repository. Even if you have no connection to that organisation, incidents like this regularly trigger copycat scam emails and supplier-impersonation attempts aimed at smaller firms, and any keys or passwords in a leak like this are tested against other services quickly.
2) Phishing themed around trusted platforms and learning tools: a campaign has been observed using lures related to an online learning platform to get targets to open malicious content. The wider lesson for SMEs: attackers increasingly piggyback on “normal” services staff recognise (training, HR portals, e-sign, shared docs).
3) Disruption and ‘noise’ from takedowns/seizures: authorities announced the dismantling of a criminal VPN service used by multiple ransomware groups, and separately seized a large number of servers linked to a hosting firm accused of enabling cyberattacks. These events can cause ripple effects (blocked infrastructure, changed attacker tactics) and often lead to a short-term spike in phishing and extortion emails.
Why this matters to smaller businesses
- You are in the blast radius of big incidents through scam follow-ups: “We’ve detected suspicious activity, click to re-authenticate,” “new payment details,” or “urgent security check” messages that look credible because they reference a real story.
- Trust is the new attack surface: staff are more likely to click when an email references familiar services (training platforms, shared drives, HR/payroll, IT tickets).
- Third-party dependency risk: if your website, email services, marketing tools, or apps are hosted with providers that get disrupted, you can see downtime, delays, or sudden support requests—prime conditions for social engineering.
Warning signs
- Emails claiming you must re-verify Microsoft 365/Google/HR/training accounts due to a “security incident” or “leaked credentials”.
- Messages urging you to open a document or portal and enable macros, download a “security update”, or run a “scanner”.
- Supplier emails that suddenly change tone: new bank details, “please pay to avoid service suspension”, or “we’ve moved our support portal”.
- Unexpected calls from “IT support” asking for MFA codes or to approve a sign-in.
- Staff reporting that a normal website/service they use is “down” and they’ve been offered an alternative link via email/chat.
How attackers may exploit the situation
- Incident-referencing phishing: attackers cite a real, newsworthy breach/takedown to add credibility and push urgent logins or payments.
- Credential stuffing & account takeover: if staff reuse passwords that have appeared in a leak, attackers test them against email, payroll, and finance systems, then use the compromised inbox to request invoice/bank changes in the owner's name and to reply to anyone who queries the request.
- Supplier impersonation during disruption: when hosting/services are unstable, attackers pose as the provider and direct victims to “temporary” login pages or payment routes.
What to do today
- Brief staff (10 minutes): “No one will ever ask for your MFA code. Don’t re-log in from email links. If in doubt, type the website address yourself.”
- Finance control: enforce call-back verification for any bank detail changes or urgent payment requests—even if the email appears to come from a known contact.
- Mailbox rule check: look for suspicious inbox rules and forwarding in shared finance mailboxes. The patterns routinely left behind after account takeover are auto-forwards or redirects to external addresses, rules that delete or move messages (typically into RSS Feeds, Archive or Deleted Items) when they mention invoices, payments or passwords, and rules with blank or one-character names; check mailbox-level forwarding as well, since it does not appear in the user's rules list.
- Harden sign-ins: confirm MFA is enabled for email and key SaaS; ensure recovery options are controlled (no personal emails/phone numbers without approval).
- Prepare for disruption: confirm who internally can authorise an outage comms message and how you will operate if a key SaaS/host is unavailable for a day.
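The mailbox rule check above, as an added example that is not part of the brief or its sources: a PowerShell script for Exchange Online that lists mailbox-level forwarding and inbox rules and flags the post-takeover patterns (external forwards/redirects, delete or hide-in-folder actions, rules keyed on invoice/payment/password words, blank names). It assumes the ExchangeOnlineManagement module and an account with rights to read recipients and inbox rules; the owned-domain list and mailbox names are placeholders to edit before running.

```powershell
# Added example for this brief (not from the source articles): inventory inbox
# rules and mailbox-level forwarding in Exchange Online and flag the patterns
# commonly left behind after account takeover. Assumes the ExchangeOnlineManagement
# module and an account with a role that can read recipients and inbox rules.
# The domain list and mailbox names below are placeholders; edit them before use.
#Requires -Modules ExchangeOnlineManagement
param(
    # Domains you own; any forward/redirect elsewhere is treated as external (assumption: edit this)
    [string[]]$InternalDomains = @('example.com'),
    # Restrict to named mailboxes (e.g. finance, accounts) or leave empty to scan every user/shared mailbox
    [string[]]$Mailboxes = @()
)

Connect-ExchangeOnline -ShowBanner:$false

function Test-ExternalRecipient {
    # Get-InboxRule returns recipients as strings such as '"Name" [SMTP:user@domain]';
    # pull out the domain part and compare it with the owned-domain list.
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        if ($r -match '@([A-Za-z0-9.-]+)' -and $InternalDomains -notcontains $Matches[1].ToLower()) {
            return $true
        }
    }
    return $false
}

$targets = if ($Mailboxes.Count -gt 0) {
    $Mailboxes | ForEach-Object { Get-Mailbox -Identity $_ }
} else {
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox
}

$findings = foreach ($mbx in $targets) {
    $id = $mbx.PrimarySmtpAddress.ToString()

    # 1) Mailbox-level forwarding (set with Set-Mailbox; not visible in the user's Outlook rules list)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox = $id; Rule = '(mailbox setting)'
            Reason  = "forwarding to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress); keeps a copy: $($mbx.DeliverToMailboxAndForward)"
        }
    }

    # 2) Server-side inbox rules created by the user (or by whoever held the user's session)
    foreach ($rule in Get-InboxRule -Mailbox $id) {
        if (-not $rule.Enabled) { continue }   # disabled rules take no action; review them separately
        $reasons = @()
        $out = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        if ($out -and (Test-ExternalRecipient $out)) { $reasons += "forwards/redirects externally: $($out -join '; ')" }
        if ($rule.DeleteMessage) { $reasons += 'deletes matching mail' }
        if ("$($rule.MoveToFolder)" -match 'RSS|Archive|Junk|Deleted|Conversation History') {
            $reasons += "hides mail in $($rule.MoveToFolder)"
        }
        # Conditions the invoice-fraud playbook relies on: invoices, payments, passwords, security notices
        $words = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) + @($rule.SubjectOrBodyContainsWords) |
                 Where-Object { $_ }
        if (($words -join ' ') -match 'invoice|payment|bank|wire|password|security|suspicious') {
            $reasons += "keys on finance/security words: $($words -join ', ')"
        }
        if ($rule.Name.Trim().Length -le 2) { $reasons += "blank or very short name '$($rule.Name)'" }
        if ($reasons) {
            [pscustomobject]@{ Mailbox = $id; Rule = $rule.Name; Reason = ($reasons -join '; ') }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize -Wrap
"$(@($findings).Count) finding(s) across $(@($targets).Count) mailbox(es)"

Disconnect-ExchangeOnline -Confirm:$false
```

Run it interactively (Connect-ExchangeOnline prompts for sign-in) and treat every finding as something to confirm with the mailbox owner before removing it with Remove-InboxRule or clearing forwarding with Set-Mailbox. Two caveats: Get-InboxRule only returns server-side rules, so rules Outlook marks "client-only" will not appear; and a one-off run is a snapshot, so schedule it and compare against the previous output if you want it to double as the "new forwarding rule" alert asked about in the IT-provider questions below.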
Ask your IT provider
- Are we monitoring for impossible travel, suspicious sign-ins, and new MFA enrolments on Microsoft 365/Google and other critical SaaS?
- Do we have alerts for new mailbox forwarding rules or changes to email security settings? (Microsoft 365 ships a built-in alert policy for creation of forwarding/redirect rules; ask whether it is switched on, who receives it, and whether automatic forwarding to external addresses is blocked in the outbound spam policy.)
- Can you show our current backup and restore position for Microsoft 365/Google/critical SaaS data (and the last successful restore test date)?
- If a supplier/hosting provider is disrupted, what’s our fallback plan (alternate comms channel, access to DNS/domain registrar, emergency admin contacts)?
Patch watch
CISA has added an actively exploited issue in Drupal (CVE-2026-9082) to its Known Exploited Vulnerabilities catalog, which means exploitation has been confirmed in the wild, not just predicted. If you run a Drupal-based website (including older charity/school sites) ask your web provider today to confirm whether you use Drupal and, if so, whether they have checked and addressed this risk, especially for any internet-facing contact forms, portals, or admin logins. If you manage the site yourself, the installed version is shown under Reports > Status report in the admin interface, or by running composer show drupal/core in the site directory.
One action today
Send a same-day staff note: “Don’t re-login from email links; never share MFA codes; report any ‘security incident’ emails or bank detail change requests to finance/IT for verification.”
Related Actions On Cyber resource
Actions On Cyber checklist: Supplier payment-change verification (anti-invoice fraud call-back process)
Sources
- Lawmakers Demand Answers as CISA Tries to Contain Data Leak (Krebs on Security)
- Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware (The Hacker News)
- First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups (The Hacker News)
- Netherlands seizes 800 servers of hosting firm enabling cyberattacks (BleepingComputer)
- CISA Adds One Known Exploited Vulnerability to Catalog (CISA Cybersecurity Advisories)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.