SentinelOne Detection Anomaly Involving Zone.Identifier Metadata

SentinelOne Alert Surge Related to :Zone.Identifier Files
Date: February 2, 2026
Prepared by: Critical Path Security

Executive Summary
On February 2, 2026, Critical Path Security observed a brief but widespread surge of SentinelOne "Malware" alerts across multiple monitored environments. These alerts were triggered almost simultaneously and referenced otherwise legitimate business documents containing the Windows :Zone.Identifier alternate data stream. Based on initial analysis, this activity does not indicate active malware infections. Instead, it appears consistent with a SentinelOne detection anomaly related to how :Zone.Identifier metadata is interpreted.

What Is :Zone.Identifier?
Zone.Identifier is a standard Windows alternate data stream (ADS) used to mark files that originate from external sources, such as:
- Web downloads
- Email attachments
- Files transferred from external systems

Alert Characteristics Observed
Threat Name Format: [filename]:Zone.Identifier
Detection Classification: Malware
Confidence Level: Malicious
Analyst Verdict: Undefined
Incident Status: Unresolved (pending vendor clarification)
Detection Window: Approximately two minutes
File Types Involved: PDF XLSX /…


Winning Against AI-Driven Attacks Takes More Than Smarter Tools

AI is changing how attacks are built, delivered, and adapted - and not in subtle ways. We're seeing more activity designed to evolve mid-attack, blend into normal behavior, and bypass defenses that rely too heavily on static rules or single data sources. That doesn't mean defenders are losing. But it does mean the old assumptions don't hold anymore. The biggest shift isn't simply that attackers are using AI. It's that defenders can't afford to rely on isolated tools and partial visibility in response.

Where Traditional Defenses Start to Break Down
Endpoint detection remains important. But endpoint signals alone rarely explain what's actually happening across an environment, especially when attacks are designed to look normal in isolation. AI-assisted threats don't announce themselves. They:
- Change behavior based on feedback
- Move laterally before triggering obvious alerts
- Exploit gaps between tools instead of breaking a single control
When each system tells only part of the story,…


Secure Your MQTT Devices with Authentication

MQTT (Message Queuing Telemetry Transport) is a lightweight messaging protocol designed to provide efficient data transmission over wireless networks, such as those found in the Internet of Things (IoT). It is commonly used for device management and monitoring, allowing for real-time communication between devices and back-end servers. MQTT is known for its low overhead and high scalability, making it an ideal choice for large-scale IoT deployments.

One of the primary concerns with MQTT is security. Without proper authentication measures in place, unauthorized devices can access sensitive data and even modify or disrupt the functionality of other devices on the network. For example, a rogue device could send forged messages to other devices, causing them to malfunction or behave unpredictably. Additionally, without authentication, attackers could gain access to the MQTT broker itself, compromising the security of all connected devices. To address these concerns, it is essential to enable authentication for MQTT…


Veeam Releases Emergency Patches for Critical RCE Vulnerabilities — Update Immediately

Veeam has released urgent security updates for its widely deployed Backup & Replication platform after identifying multiple high-severity vulnerabilities, including flaws that could allow remote code execution (RCE) under certain conditions. The issues affect Veeam Backup & Replication v13.0.1.180 and earlier v13 builds. Organizations running affected versions should apply the latest patches immediately.

What's at Risk?
The newly released update (v13.0.1.1071) addresses several vulnerabilities that, if exploited, could allow authenticated users to execute code with elevated privileges. While some of these vulnerabilities require specific roles or access levels, they remain high-risk in real-world environments where credential compromise is common. Key issues include:
- Remote code execution as the postgres user via manipulated interval or order parameters
- Remote code execution as root through maliciously crafted backup configuration files
- Arbitrary file write as root, which can be chained with other flaws for full system compromise
- Command execution via parameter injection leading to privilege…
