Apr 20, 2025
Is Microsoft’s Copilot About to Leak Everything?

This week on The Awareness Angle... it’s one of those weeks where the stories basically write themselves. MITRE nearly lost its CVE funding, Microsoft brought back its creepy screenshot feature, and scammers are sticking fake QR codes all over the place. We’ve also got a letter from the DVLA that looked so dodgy we thought it had to be a scam – but it wasn’t. And someone got into a bank with nothing but a hi-vis and a bit of confidence.

As always, we’re not just sharing stories, we’re giving you The Awareness Angle on each one. Three bullet points to help you explain what it means, why it matters, and how to talk about it with your people.

CVE Crisis Averted - But Only Just!

Watch the discussion - https://youtu.be/2KR5WfXPGgU?t=312

For a moment last week, it looked like MITRE’s CVE programme – the backbone of how we track and prioritise vulnerabilities – was about to vanish. Funding hadn’t been renewed, and the panic spread fast across the cybersecurity world. For those not deep in the weeds, CVEs (Common Vulnerabilities and Exposures) are those numbered IDs you see when there’s a new flaw – like CVE-2024-12345. They’re what security tools use to flag risk, and what engineers use to decide what gets fixed and when.

It turns out the whole situation was a bit of a pressure play. MITRE made some noise, and CISA stepped in with 11 months of emergency funding to keep things running. But it raised bigger questions: Why was this so close to collapsing? And what would we do if it actually did?

Read more (Soft Paywall) - https://www.bleepingcomputer.com/news/security/cisa-extends-funding-to-ensure-no-lapse-in-critical-cve-services/

The Awareness Angle

  • Prioritisation Power – CVEs help teams figure out which vulnerabilities are urgent. Without them, it's harder to make informed decisions.
  • Tool Dependency – Loads of security tools rely on this data behind the scenes. If CVEs disappear, detection and patching workflows take a hit.
  • Explain the Why – Most people outside of security won’t know what a CVE is, so this is a good chance to explain why “a 9.8 score” might make you nervous.

Microsoft Recall: Back, and Still a Privacy Nightmare

Watch the discussion - https://youtu.be/2KR5WfXPGgU?t=721

Microsoft’s Recall feature is back after a short pause, but it hasn’t changed much. It screenshots your desktop every few seconds, stores the data locally, and uses AI to help you search your activity history. Sounds helpful? Maybe. But it also creates a huge pile of sensitive data just waiting to be exploited.

Critics are calling it a “goldmine for attackers.” And while Microsoft says it’s opt-in, local, and secure, researchers have already shown how easily it could be abused.

We don’t see many reasons why users would want to opt in, but we do wonder whether it will stop being optional at some point in the future.

Read more - https://www.bbc.co.uk/news/articles/cj3xjrj7v78o

Kevin Beaumont's Breakdown - https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e

The Awareness Angle

  • Local ≠ Safe – Just because data is stored locally doesn’t mean it’s secure. If malware gets access, everything’s on display.
  • Privacy Pitfall – It could capture sensitive info from messages, passwords, even disappearing chats, without others' consent.
  • Awareness Opportunity – This is a great story to help explain why we care about endpoint security, insider threats, and device access controls.

Would You Trust This Letter? The DVLA Dilemma

Watch the discussion - https://youtu.be/2KR5WfXPGgU?t=2892

DVLA Letter - Real or Fake?

A Reddit post showed a suspicious letter from the DVLA asking someone to return their driving licence due to a minor error. It looked real, but also a bit off. Polite tone, oddly personal wording, and no official online reference. Most commenters cried scam… but it turned out to be genuine.

For those outside the UK: the DVLA (Driver and Vehicle Licensing Agency) is the government body that manages driving licences and vehicle registrations. So getting a letter from them should feel official. This didn’t – and that’s what made it so confusing.

It’s a perfect example of how real comms can look suspicious – and how hard it is for people to make the right call.

Read more - https://www.reddit.com/r/drivingUK/s/LCDfnJt4cE

The Awareness Angle

  • Spotting Scams Isn’t Always Simple – Even legit messages can have red flags. That’s why we teach people to verify, not just judge.
  • Go to the Source – Encourage staff to check official websites or contact organisations directly using trusted contact details.
  • Sympathy Matters – This is a great reminder that users who report suspicious things aren’t overreacting – they’re doing the right thing.

Do you have something you would like us to talk about? Are you struggling to solve a problem, or have you had an awesome success? Reply to this email telling us your story, and we might cover it in the next episode!

Awareness Noticeboard

UK Cyber Week

UK Cyber Week is back at Olympia, bringing together thousands of cybersecurity professionals, vendors, and speakers for two days of talks, demos, and networking.

While there aren’t many awareness-specific vendors this year, it's still a good chance to see what’s happening across the wider cyber space and connect with others in the industry. Ant will be attending on Thursday – come say hi if you're there!

🗓️ 23rd - 24th April

📍 Olympia, London

🔗 https://www.ukcyberweek.co.uk/

Leeds Digital Festival - Panel Discussion

On Tuesday 29th April, Ant will be joining a panel in Leeds as part of the Leeds Digital Festival, hosted by the team at Pentest People. We’ll be discussing the cyber threats that are keeping security leaders up at night. From AI and ransomware to supply chain risks and human behaviour (yep, he’ll be covering that bit).

It’s a free evening event at The Granary, with a panel discussion, Q&A, and some good networking afterwards. If you’re in or near Leeds, come along!

🗓️ Tuesday 29th April, 5:30pm

📍 The Granary, Leeds

🔗 Register here on Eventbrite

Webinar: Engaging Leadership in Cyber Security

On Wednesday 7th May at 12:30 PM, Ant will be joining a brilliant panel for a live webinar on how to get real exec buy-in for your cyber security work. He'll be chatting with Simon Mair (former CISO at the National Bank of Kuwait) and Phil Guest from Redflags about how to win board-level support, align security with business goals, and actually show the impact of what we do. If leadership engagement is part of your world, we think you’ll find this one useful.

🗓️ Wednesday 7th May 2025, 12:30pm UK Time

📍 Location: Online

🔗 Register here

Whether you’re just getting started or have already adopted AI in your programme, we’d love to hear what tools have been working for you. What’s been effective in improving your training, engagement, or awareness efforts? Share your experiences and any tools you’re using with us at hello@riskycreative.com. We’re always looking to learn from the community and continue the conversation!

Other topics this week include…

📱 Android Auto-Reboot

https://www.androidauthority.com/android-auto-reboot-optional-3545366/

🔍 QR Code Scams

https://www.bbc.co.uk/news/articles/cq6yznmv3gzo

📮 DVLA Letter

https://www.reddit.com/r/drivingUK/s/LCDfnJt4cE

🎈 Ohio Balloon Disaster (Yes, really)

https://www.bbc.co.uk/news/articles/cn05d58jwvdo

💳 Fake Apps & In-Person Payment Scams

https://www.bbc.co.uk/news/articles/cq6yznmv3gzo

🚗 Hertz Data Breach

https://www.infosecurity-magazine.com/news/hertz-data-breach-exposes-customer/

🕵️ DOGE / NLRB Whistleblower Claim

https://www.reuters.com/technology/cybersecurity/whistleblower-org-says-doge-may-have-caused-significant-cyber-breach-us-labor-2025-04-15/

📲 Android Phones with Fake Apps

https://thehackernews.com/2025/04/chinese-android-phones-shipped-with.html?m=1

🎭 Deepfake on Social Media

https://vm.tiktok.com/ZNdFYvukA

🧑‍💻 Hacker Screen Mockup

https://vm.tiktok.com/ZNdFHqkqa/

📬 Subscribe to the Newsletter

https://riskycreative.com

The £5 Jacket That Beat £5 Million of Security

Watch the discussion - https://youtu.be/2KR5WfXPGgU?t=3933

Chris Cooper's LinkedIn Post

A LinkedIn post from Chris Cooper shared a real-world red team test at a British investment bank. After passing every technical check, the final test was physical. A tester put on a £5 high-vis vest, carried a fake ID, and walked straight past reception. No alarms, no alerts, just human instinct to “let him through.”

It’s a brilliant (and painful) reminder that people are still the most likely point of failure, especially when under pressure.

🔗 https://www.linkedin.com/posts/chriscooperuk_this-british-investment-bank-spent-5myear-activity-7315640653525241857-9DT-

The Awareness Angle

  • Humans Under Pressure Default to Easy – Social engineering works best when staff are overwhelmed or distracted.
  • Policy ≠ Practice – Real testing matters. Even strong rules can be sidestepped when the pressure’s on.
  • Visuals Have Power – A high-vis jacket and confidence can override procedures – make sure your people know that too.

Thanks for reading! If you’ve spotted something interesting in the world of cyber this week — a breach, a tool, or just something a bit weird — let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.

Anthony Davis and Luke Pettigrew write this newsletter and podcast.

The Awareness Angle Podcast and Newsletter is a Risky Creative production.