
Securing Your Summer: Stay Ahead of the Cyber Waves

By Frankie Sclafani III, Director, Cybersecurity Enablement

Estimated Reading Time: 5 minutes

Navigating the Summer Cyber Storm: Key Microsoft Changes and Threat Mitigation

As summer temperatures rise, so does the intensity of cybersecurity threats. This year, significant changes from Microsoft are reshaping the digital landscape, demanding heightened vigilance. Now is not the time for complacency; threat actors are banking on common distractions.

Here’s a breakdown of critical areas requiring your attention:

1. Windows 10 End of Life (EOL) and Windows 11 Transition

October 14, 2025, marks the End of Life for Windows 10. This crucial deadline necessitates a strategic transition to Windows 11 or a move to Windows LTSC (Long-Term Servicing Channel) for your organization. However, Windows 11 introduces new considerations:

  • Bloatware Risks: The default Windows 11 installation often includes pre-installed applications like Xbox, Games, social media tools, and streaming services. These can expand your attack surface and consume resources.
  • Golden Image Strategy: To mitigate these risks, it’s essential to refine your “golden image” strategy for Windows 11 deployments. A “clean install” approach, focusing on essential components, is highly recommended to minimize unnecessary software and adhere to new image standards.
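The following PowerShell script is an added example (not code from the Deepwatch post or from Microsoft) of the audit-then-remove step a golden image build would include: it lists the provisioned (pre-installed) Appx packages in a Windows 11 reference machine, matches them against a denylist of the kinds of apps named above (Xbox, games, streaming, social), and removes them from the image so new profiles never receive them. The package name patterns and the allowlist are constructed for illustration and should be tuned to your own image standard.

```powershell
# Added example (not from the Deepwatch post or Microsoft): audit and remove
# pre-installed Appx packages from a Windows 11 reference image.
# Run elevated on the reference machine before sysprep/capture.
# Denylist patterns are illustrative; align them with your image standard.

$DenyPatterns = @(
    'Microsoft.Xbox*',                        # Xbox apps
    'Microsoft.GamingApp',                    # Xbox (Gaming) app
    'Microsoft.MicrosoftSolitaireCollection', # games
    'Microsoft.ZuneMusic',                    # Media Player / streaming
    'Microsoft.BingNews',
    'Microsoft.BingWeather',
    'Clipchamp.Clipchamp',
    '*LinkedIn*'                              # social media
)

# Never removed even if a pattern matches (constructed, conservative allowlist).
$AllowList = @('Microsoft.WindowsStore', 'Microsoft.WindowsCalculator')

function Get-BloatCandidates {
    # Provisioned packages are the ones every new user profile receives.
    Get-AppxProvisionedPackage -Online | Where-Object {
        $name = $_.DisplayName
        ($DenyPatterns | Where-Object { $name -like $_ }) -and
        ($AllowList -notcontains $name)
    }
}

function Remove-BloatFromImage {
    param([switch]$WhatIf, [string]$LogPath = "$env:TEMP\image-debloat.csv")
    $candidates = @(Get-BloatCandidates)
    # Keep an evidence trail of what the image build removed.
    $candidates | Select-Object DisplayName, PackageName, Version |
        Export-Csv -Path $LogPath -NoTypeInformation
    foreach ($pkg in $candidates) {
        if ($WhatIf) {
            Write-Host "Would remove provisioned package: $($pkg.DisplayName)"
            continue
        }
        # Remove from the image so future profiles never get it...
        Remove-AppxProvisionedPackage -Online -PackageName $pkg.PackageName | Out-Null
        # ...and from any profile already present on the reference machine.
        Get-AppxPackage -AllUsers -Name $pkg.DisplayName -ErrorAction SilentlyContinue |
            Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue
        Write-Host "Removed: $($pkg.DisplayName)"
    }
    return $candidates.Count
}

# Audit first (-WhatIf), review the CSV, then run again without -WhatIf.
Remove-BloatFromImage -WhatIf
```

Run the audit pass first and keep the CSV with the image build record; the removal pass runs the same candidate selection, so what you reviewed is exactly what gets removed.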

2. Microsoft Edge Scareware Protection

As of 2025, Microsoft Edge has enhanced its built-in protections against scareware attacks. However, legacy browser settings might leave users vulnerable. It’s crucial to:

  • Enable AI-Powered Protections: Ensure that the “Scareware Blocker” feature, powered by machine learning, is enabled in your users’ Edge browsers. This setting significantly reduces exposure to malicious advertisements (malvertisements) and drive-by downloads.
  • Review and Update Settings: Proactively review and update browser settings across your environment to leverage these new protections effectively.

3. Windows OneDrive Account Linking and Data Loss Prevention (DLP)

The seamless linking of personal and corporate OneDrive accounts presents a significant Data Loss Prevention (DLP) challenge. This integration can inadvertently facilitate the commingling of sensitive corporate data with personal files, increasing the risk of:

  • Unauthorized Data Exfiltration: Employees unintentionally or intentionally moving sensitive company data to personal cloud storage.
  • Compliance Violations: Breaches of regulatory requirements concerning data handling and privacy.

Organizations must implement robust DLP policies and user education to manage and prevent such data leakage.

4. Windows Recall: Privacy and Data Retention Concerns

A new memory-capturing feature, Windows Recall, is set to launch this summer. This feature records user activity through snapshots, raising substantial privacy and data retention concerns. For data protection teams, it is critical to:

  • Understand and Audit: Comprehend how Recall captures and stores data.
  • Implement Disabling Mechanisms: Develop and deploy strategies to disable Recall across your environment, especially for users handling sensitive information, to protect privacy and comply with data governance policies.

5. Remote Desktop Protocol (RDP) Cached Credentials

A persistent, and often misunderstood, risk lies within Remote Desktop Protocol (RDP): the caching of credentials. Microsoft has acknowledged this as a feature, not a bug, designed for offline access. However, it creates a significant lateral movement risk post-session.

To mitigate this “bigger fish to fry,” organizations must:

  • Deploy Remote Desktop Gateway (RD Gateway) and Network Policy Server (NPS): Implement these tools to centralize and secure RDP access.
  • Enforce Multi-Factor Authentication (MFA): Utilize RD Gateway and NPS to mandate MFA for all internal systems requiring RDP access. This significantly reduces the risk of old, cached credentials being exploited for unauthorized lateral movement.
  • Consider Privileged Access Management (PAM) Solutions: For enhanced security, explore and implement PAM solutions for all remote access. PAM solutions enforce just-in-time access, session monitoring, and automated credential management, providing a robust defense against credential-based attacks.
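As an added, read-only example (not from the Deepwatch post or Microsoft), the PowerShell function below reports the host settings that determine how much the cached-credential RDP risk described above applies to a given machine: whether inbound RDP is enabled, whether Network Level Authentication is required, how many domain logons the host caches for offline use, and how many saved RDP credentials sit in the current user's Credential Manager. The registry locations are the standard Windows ones; the finding wording is an assumption of mine.

```powershell
# Added example (not from the Deepwatch post or Microsoft): read-only audit of the
# settings that govern a host's exposure to the cached-credential RDP risk.
# Run elevated in PowerShell on the host being assessed.

function Get-RdpCredentialExposure {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp   = Join-Path $ts 'WinStations\RDP-Tcp'

    # Domain logons kept for offline use (stored as REG_SZ; Windows defaults to 10 when absent).
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $cachedCount = if ($null -eq $cached) { 10 } else { [int]$cached }

    # fDenyTSConnections = 0 means inbound RDP is allowed; UserAuthentication = 1 means NLA is required.
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1

    # Saved RDP credentials in the current user's Credential Manager use targets named TERMSRV/<host>.
    $savedRdpCreds = @(cmdkey /list 2>$null | Select-String -Pattern 'TERMSRV/').Count

    $findings = @()
    if ($rdpEnabled -and -not $nla) {
        $findings += 'Inbound RDP is enabled without Network Level Authentication'
    }
    if ($rdpEnabled -and $cachedCount -gt 0) {
        $findings += "Host caches $cachedCount domain logons for offline access (the by-design behaviour the post describes)"
    }
    if ($savedRdpCreds -gt 0) {
        $findings += "$savedRdpCreds saved RDP credential(s) present in Credential Manager"
    }
    $summary = if ($findings.Count) { $findings -join '; ' } else { 'none' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RdpEnabled        = $rdpEnabled
        NlaRequired       = $nla
        CachedLogonsCount = $cachedCount
        SavedRdpCreds     = $savedRdpCreds
        Findings          = $summary
    }
}

Get-RdpCredentialExposure | Format-List
```

Run it across a fleet with Invoke-Command and export the objects to CSV; the hosts that report RDP enabled with findings are the ones to move behind RD Gateway with MFA first.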

Call to Action:

Now is the opportune moment to strengthen your cybersecurity posture. Harden your environments, refine your baseline images, and proactively prepare your users for the evolving attack surface this summer.

This cybersecurity research aims to equip our partners with the knowledge to reduce their cyber risk. Before applying any changes, always set up a test environment and adhere to all cybersecurity best practices and company Change Advisory Board (CAB) policies.

Technical Annex:

  1. Debloating Guide for Windows 11
    Third-party guide for building a clean Windows 11 installation image.
  2. Windows Edge Scareware and Chrome Settings
    To enable Edge’s Scareware Blocker via GPO, navigate to Administrative Templates > Microsoft Edge > Scareware Blocker settings and configure the “Configure Edge Scareware Blocker Protection” policy.

    Navigate to GPO Editor: Open the Group Policy Editor (gpedit.msc) on your domain controller.

    Locate Chrome Policies: Go to Computer Configuration > Administrative Templates > Google > Google Chrome.

    Disable Notifications: Find the “Notifications” policy (or similar wording) and configure it to “Disabled” or “Enabled” with “Block All”.

    Please test the GPO before making it global. Chrome is not as straightforward as Edge.
  3. Windows OneDrive && IT Policy OneDrive

    GPO: Enable the policy “Prevent users from synchronizing personal OneDrive accounts” under User Configuration > Administrative Templates > OneDrive.
  4. Microsoft Recall && Recall Policy

    Here are the steps to check whether Recall is enabled in your environment and to disable it.

    1. Settings > Privacy & Security > select Recall Snapshot

    2. Settings > in the search field type “Turn Windows features on or off” > uncheck the Recall box > restart

    3. GPO (gpedit.msc): User Configuration > Administrative Templates > Windows Components > Windows AI > double-click “Disable Saving Snapshot for Windows” > select Enabled > Apply > OK

    Path for the snapshot data: C:\Users\<NAMEofUser>\AppData\Local\Microsoft\WindowsAI\CoreAIPlatform.00\
  5. Remote Desktop Gateway and NPS && Hybrid using Entra

    Leverage the power of Active Directory with Multi-Factor Authentication to enforce high security protection of your business resources.

    For your end-users connecting to their desktops and applications, the experience is similar to what they already face as they perform a second authentication measure to connect to the desired resource:

    Launch a desktop or RemoteApp from an RDP file or through a Remote Desktop client application.

    Upon connecting to the RD Gateway for secure, remote access, receive a mobile application MFA challenge.

    Correctly authenticate and get connected to their resource!

    Reference: https://cybersecuritynews.com/windows-rdp-bug/
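The GPO settings in annex items 2, 3 and 4 each land in a registry value on the endpoint, which is the fastest thing to check when verifying rollout. The PowerShell script below is an added example (not from the Deepwatch post or Microsoft) that audits those values on one machine and also reports whether the Recall snapshot store path from item 4 exists and how large it is. The registry value names are the ones Microsoft maps each of these policies to (ScarewareBlockerProtectionEnabled, DefaultNotificationsSetting, DisablePersonalSync, DisableAIDataAnalysis); verify them against your policy reference before relying on this in production, and run it in the context of the user being checked (the OneDrive and Recall settings here are user-scope) with elevation.

```powershell
# Added example (not from the Deepwatch post or Microsoft): read-only compliance audit
# for the policies in annex items 2-4. Registry value names are the documented policy
# mappings as I know them; confirm against your own policy reference.

$Checks = @(
    @{ Name = 'Edge Scareware Blocker enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
       Value = 'ScarewareBlockerProtectionEnabled'; Expected = 1 },
    @{ Name = 'Chrome notifications blocked (2 = Block All)'
       Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
       Value = 'DefaultNotificationsSetting'; Expected = 2 },
    @{ Name = 'OneDrive personal account sync prevented'
       Path = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'
       Value = 'DisablePersonalSync'; Expected = 1 },
    @{ Name = 'Recall snapshot saving turned off'
       Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI'
       Value = 'DisableAIDataAnalysis'; Expected = 1 }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    $actual = $null
    if (Test-Path $Check.Path) {
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue).($Check.Value)
    }
    $display = if ($null -eq $actual) { '<not set>' } else { $actual }
    [pscustomobject]@{
        Check     = $Check.Name
        Actual    = $display
        Compliant = ($actual -eq $Check.Expected)
    }
}

function Get-RecallDataFootprint {
    # Snapshot store path from annex item 4, resolved for the current user.
    $store = Join-Path $env:LOCALAPPDATA 'Microsoft\WindowsAI\CoreAIPlatform.00'
    if (-not (Test-Path $store)) {
        return [pscustomobject]@{ Path = $store; Exists = $false; Files = 0; MB = 0 }
    }
    $files = @(Get-ChildItem -Path $store -Recurse -File -ErrorAction SilentlyContinue)
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{
        Path   = $store
        Exists = $true
        Files  = $files.Count
        MB     = [math]::Round(($bytes / 1MB), 1)
    }
}

$results = $Checks | ForEach-Object { Test-PolicyValue -Check $_ }
$results | Format-Table -AutoSize
Get-RecallDataFootprint | Format-List

# Non-zero exit lets Intune/ConfigMgr treat the host as non-compliant.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

The exit code makes the script usable as a detection script in Intune proactive remediation or a ConfigMgr configuration item; a non-empty snapshot store on a host whose policy shows compliant is the case worth following up, since the policy stops new snapshots but does not by itself clean up data already captured.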

Frankie Sclafani III, Director, Cybersecurity Enablement

Frank Sclafani is the Director of Cybersecurity Enablement at Deepwatch, where he links cutting-edge technology with well-informed people. He builds programs that equip Deepwatch experts and clients with a deeper understanding of the threat landscape and the knowledge to leverage industry-leading Managed Detection and Response. Frank’s extensive background includes key roles at Google Cloud, Mandiant, FireEye, CYBERCOM, and the NSA, providing him with a comprehensive perspective on cybersecurity challenges.
