How a Business Email Compromise Attack Cost Zephyr Energy Nearly $1 Million

A sophisticated cyberattack has resulted in a significant financial blow for Zephyr Energy, a British oil and gas firm. The company confirmed that a malicious actor successfully diverted a payment of £700,000—approximately one million dollars—from one of its U.S. subsidiaries. This incident serves as a stark reminder of the persistent and costly threat posed by business email compromise schemes.

According to a filing with the London Stock Exchange, the funds were intended for a contractor but were rerouted to an account controlled by the hacker. Consequently, Zephyr is now collaborating with its banks and external consultants in an effort to recover the stolen money. The company has stated that the incident is contained and its day-to-day operations continue unaffected.

Understanding the Mechanics of a Business Email Compromise

While Zephyr did not disclose the exact method of intrusion, the attack bears all the hallmarks of a classic business email compromise. Typically, hackers first gain access to corporate email accounts or accounting systems. This access is then used to monitor communications and identify upcoming payments. At the critical moment, the attacker intervenes, subtly altering the bank account and routing numbers on an invoice or payment instruction. The result? Funds flow directly into the criminal’s account instead of the legitimate recipient’s.

This form of cybercrime is notoriously effective and lucrative. In fact, the FBI’s latest annual report on internet crime, published in April, highlighted business email compromise as a leading source of financial loss. The scale is staggering, with victim losses exceeding $3 billion in 2025 alone. For more on protecting your financial operations, see our guide on secure payment processes.

The Aftermath and Corporate Response

Following the discovery of the fraud, Zephyr Energy moved quickly to assess the damage. The company emphasized that its existing technology and payment platforms adhered to “industry standard practices.” However, in response to the breach, it has already implemented “additional layers of security.” This reactive step is common but underscores a critical point: standard practices are often insufficient against determined attackers.

Building on this, the incident raises important questions about the security protocols surrounding high-value transactions. A spokesperson for Zephyr did not respond to requests for further comment, leaving specifics about the new security measures undisclosed. This lack of transparency, while understandable, makes it harder for other organizations to learn from the event.

Why Business Email Compromise Attacks Are So Pervasive

Several factors contribute to the enduring success of BEC attacks. First, they often rely on social engineering rather than complex technical exploits, making them harder for traditional security software to catch. Second, they target the fundamental human element of business: trust in communication. An email that appears to come from a known colleague or partner requesting a urgent payment change is often acted upon without sufficient verification.

Therefore, combating this threat requires a multi-faceted approach. Technological solutions like email authentication (DMARC, SPF, DKIM) are vital, but they must be paired with rigorous procedural controls. For instance, any request to change payment details should require verification through a separate, pre-established communication channel, such as a phone call to a known number. Discover more strategies in our article on email security best practices.

Protecting Your Organization from Financial Cybercrime

So, what can businesses learn from Zephyr Energy’s experience? Proactive defense is non-negotiable. Regular security awareness training for all employees, especially those in finance and procurement, is essential. Staff must be trained to recognize the subtle signs of phishing and fraudulent requests.

In addition, companies should conduct periodic audits of their accounts payable processes. This means reviewing and tightening controls around payment authorization and vendor information management. Implementing a system where dual approvals are needed for any payment over a certain threshold or any change to vendor banking details can create a crucial barrier.

Ultimately, the Zephyr Energy case is not an isolated event but part of a global trend. As the FBI data confirms, business email compromise remains a top-tier cyber threat. By understanding the tactics, reinforcing human vigilance, and strengthening financial controls, organizations can better shield themselves from suffering a similar seven-figure loss.

Storm-1175: How a High-Tempo Cybercrime Group Exploits the Patch Gap

A financially motivated cybercrime group, identified as Storm-1175, has been conducting a relentless campaign of Medusa ransomware attacks for three years. According to a recent Microsoft report, the group’s success hinges on a simple, brutal strategy: exploiting the critical window between when a software vulnerability is disclosed and when organizations manage to patch it. This focus on the patch gap has made the Storm-1175 ransomware operation particularly damaging.

Building on this, the group’s operational speed is a key differentiator. Microsoft notes that Storm-1175 can move from initial network access to full ransomware deployment in as little as one day, though the process sometimes takes up to six. This high tempo, combined with skill in finding exposed assets, has led to significant intrusions. Consequently, sectors like healthcare, education, professional services, and finance in Australia, the UK, and the US have borne the brunt of the attacks.

The Exploit Arsenal of Storm-1175

Since 2023, the group has weaponized at least 16 different vulnerabilities. Alarmingly, this includes three zero-day flaws—vulnerabilities exploited before the vendor is even aware or has issued a fix. A prime example is CVE-2025-10035, a flaw in GoAnywhere Managed File Transfer software, which Storm-1175 exploited a full week before it was publicly disclosed. This pattern underscores their proactive threat-hunting capabilities.

In addition to zero-days, the group heavily relies on n-day exploits—those targeting recently disclosed but still unpatched vulnerabilities. Their target list reads like a who’s who of enterprise software, including Ivanti Connect Secure, ConnectWise ScreenConnect, JetBrains TeamCity, and BeyondTrust. Therefore, any delay in applying security updates creates an immediate and exploitable opportunity for this actor.

Inside the Attack Chain: From Access to Encryption

Understanding their methods is crucial for defense. After breaching a network, often through an unpatched public-facing application, Storm-1175 follows a calculated playbook. First, they establish an initial foothold by deploying a web shell or a remote access payload. Immediately after, they work to ensure persistence, typically by creating a new user account and adding it to the local administrators group.

Lateral Movement and Evasion Tactics

With a secure beachhead established, the group begins reconnaissance and lateral movement. They adeptly use living-off-the-land binaries (LOLBins) like PowerShell and PsExec, which are native to Windows environments and harder to detect. To move between systems, they often deploy Cloudflare tunnels to channel traffic over Remote Desktop Protocol (RDP).

Furthermore, they employ multiple Remote Monitoring and Management (RMM) tools for post-compromise activities. These legitimate tools are repurposed to create accounts, establish backup command-and-control channels, and deliver final payloads. In some cases, they even use the software deployment tool PDQ Deployer to silently install malicious applications across the network. To avoid detection, they have been known to modify Microsoft Defender Antivirus settings in the Windows registry to prevent it from blocking their ransomware payload.

How Organizations Can Mitigate the Threat

Given the sophisticated and rapid nature of these Storm-1175 ransomware attacks, a proactive and layered defense is non-negotiable. Microsoft’s guidance starts with fundamental visibility. Organizations must use perimeter scanning tools to fully understand their external attack surface. Any web-facing system should be isolated from the public internet behind a secure network boundary and accessed strictly through a VPN.

For systems that must remain connected, placing them behind a Web Application Firewall (WAF), reverse proxy, or a demilitarized zone (DMZ) is essential. This creates an additional buffer that can filter malicious traffic before it reaches the core asset.

Critical Security Hardening Recommendations

On the internal network, several specific actions can drastically reduce risk. First, adhere to strict credential hygiene principles and implement measures to limit lateral movement, as outlined in general ransomware defense guidance. Enabling Credential Guard helps protect sensitive credentials stored in system memory from being harvested by tools like Impacket, which Storm-1175 sometimes uses.

Another vital step is to turn on tamper protection in your endpoint security solutions. This prevents attackers from disabling security services or creating antivirus exclusions, a tactic this group employs. Additionally, audit and remove any unapproved RMM software installations. For approved RMM tools, enforce multi-factor authentication (MFA) to block unauthorized access.

Finally, ensure your extended detection and response (XDR) tools are configured to recognize and block the common techniques seen in these attacks. By understanding the tools and TTPs of groups like Storm-1175, security teams can create more effective detection rules. The race between patching and exploitation defines modern cyber defense, and against a determined adversary like Storm-1175, speed and vigilance are everything.

Anthropic Unveils Mythos: A New Frontier AI Model for Cybersecurity Defense

The landscape of artificial intelligence and cybersecurity is shifting once again. This week, Anthropic introduced a preview of its latest and most advanced AI system, dubbed Mythos. This frontier model marks a significant step in applying sophisticated AI to the critical task of protecting digital infrastructure. While not exclusively designed for security, its initial deployment is focused on a groundbreaking defensive initiative called Project Glasswing.

Project Glasswing: A Collective Defense Initiative

So, what exactly is Project Glasswing? In essence, it’s a collaborative security effort where a select group of twelve leading organizations will harness the power of the Anthropic Mythos AI model. Their mission is clear: to conduct defensive security work and secure vital software systems. This means deploying the model to scan both proprietary and open-source code for hidden weaknesses. The goal isn’t just to find bugs, but to create a more resilient software ecosystem for everyone.

Therefore, the initiative is built on a principle of shared knowledge. Partners, which include tech giants like Amazon, Apple, Microsoft, and security leaders like CrowdStrike and Palo Alto Networks, will ultimately pool their insights from using Mythos. This collective intelligence is intended to benefit the wider technology industry, raising the baseline for security practices. Access to the Mythos preview remains limited, with only 40 organizations outside the core partnership gaining entry.

The Power and Purpose of the Mythos Model

Building on this collaborative framework, the Anthropic Mythos AI model itself is a general-purpose system within the Claude family. Anthropic classifies it as a frontier model, representing their most sophisticated and high-performance offering to date. It’s engineered for complex tasks that require advanced reasoning and agentic capabilities, particularly in coding. This makes it uniquely suited for the intricate work of parsing millions of lines of code to identify subtle flaws.

In fact, the early results are striking. Anthropic reports that in just a few weeks of testing, Mythos identified thousands of previously unknown zero-day vulnerabilities, many classified as critical. Remarkably, a significant portion of these security holes had lurked undetected in codebases for ten to twenty years. This demonstrates the model’s potential to audit legacy systems that human teams might struggle to review comprehensively. For more on how AI is transforming code analysis, see our article on the future of automated code review.

From Leak to Launch: The Mythos Backstory

The path to Mythos’s official announcement was unconventional. News of the model first surfaced last month due to a data security incident reported by Fortune. A draft blog post, which referred to the model under the codename “Capybara,” was inadvertently left in an unsecured, publicly accessible data cache. The leaked document was unequivocal, calling it “by far the most powerful AI model we’ve ever developed” and noting it far exceeded the capabilities of their current public models in areas like software coding and cybersecurity.

This leak highlighted a core tension in developing such powerful technology. The same capabilities that make Mythos a potent tool for defense could, in theory, be weaponized by malicious actors to find and exploit vulnerabilities instead of fixing them. Anthropic has acknowledged engaging in discussions with federal officials regarding the model’s use, though these talks are reportedly complicated by an ongoing legal dispute with the Pentagon over supply-chain risk designations.

Navigating the Risks of Advanced AI Development

Consequently, the rollout of Mythos occurs against a backdrop of heightened scrutiny for AI labs. The accidental exposure of source code files in a recent Claude software update serves as a reminder of the operational challenges these companies face. As they push the boundaries of capability, ensuring robust internal security and responsible deployment becomes paramount. The controlled, partner-focused launch of Project Glasswing appears to be a deliberate strategy to mitigate potential misuse while maximizing defensive benefits.

Ultimately, the debut of the Anthropic Mythos AI model represents more than just a technical milestone. It signals a growing trend of applying frontier AI to systemic, real-world problems like cybersecurity. By focusing its initial power on a collaborative, defensive mission, Anthropic is attempting to set a precedent for how the most advanced AI systems can be integrated into critical infrastructure safely and effectively. The success of Project Glasswing could redefine industry standards for proactive software defense. Learn about other enterprise AI security projects shaping the market.