ZeroFox Daily Intelligence Brief - December 15, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Cyberattack Hits French Interior Ministry Email Servers
- Legitimate PayPal Emails Used in Social Engineering Attacks
- Geopolitical Focus: Casualties, Shootings, and Accidents
Cyberattack Hits French Interior Ministry Email Servers
What we know: French Interior Minister Laurent Nunez has disclosed a cyberattack targeting the ministry’s email servers. The Interior Minister added that while the threat actor accessed some files, there is no evidence of a serious compromise yet.
Context: The origin of the cyberattack is still unknown and an investigation is currently underway. The incident comes amid heightened concerns in Europe about Russia-backed hybrid attacks. Separately, Germany summoned Russia’s ambassador on December 12, 2025, over an increase in threatening hybrid activities.
Analyst note: A compromise of the French Interior Ministry’s files is likely to expose the country’s internal security details, including police activity and identities of citizens and residents. Leaked sensitive information can likely be misused for multiple agendas or further cyberattacks.
Legitimate PayPal Emails Used in Social Engineering Attacks
What we know: Scammers are abusing PayPal’s legitimate Subscriptions feature to send real PayPal emails that look like fake purchase confirmations. By reportedly manipulating the Customer Service URL field in a subscription, they embed scam text claiming an expensive device purchase and listing a fake “PayPal support” phone number.
Context: Because the emails are sent from service@paypal[.]com and pass email authentication protocols, they bypass spam filters. The scammers then forward these legitimate emails to targets via a mailing list.
Analyst note: Since threat actors are successfully abusing PayPal’s legitimate platform functionality to deliver phishing emails, they are likely to test and exploit similar automated workflows in major e-commerce and payment platforms to replicate the attack.
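Because sender authentication passes on these messages, triage has to rely on other signals. The following is an added example, not ZeroFox or PayPal code: a heuristic that flags an authenticated service@paypal.com message when the mailbox that received it is not among the addressed recipients (consistent with mailing-list forwarding) and the body carries a phone number. The sample message, the field label in its body, the `triage` function and the finding names are all constructed assumptions, as is a mail gateway that stamps an Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: an authenticated PayPal notice addressed to a list
# address and then redistributed to the mailbox that actually received it.
SAMPLE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com; spf=pass; dmarc=pass
From: "service@paypal.com" <service@paypal.com>
To: billing-list@lists.example.org
Subject: Your automatic payment is no longer active
Content-Type: text/plain; charset=utf-8

Customer service URL: You purchased a device for $1,346.99.
To cancel, call PayPal support at +1 (800) 555-0100.
"""

# Loose phone-number pattern: a digit, 8+ digits/separators, a final digit.
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")

def triage(raw: str, delivered_to: str) -> list[str]:
    """Return heuristic findings (hypothetical names) for one delivered message."""
    msg = message_from_string(raw)
    findings = []
    if parseaddr(msg.get("From", ""))[1].lower() != "service@paypal.com":
        return findings  # not the sender this check is about
    # Signal 1: the gateway recorded a DKIM pass for paypal.com, so spam
    # filtering based on sender authentication will not stop the message.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if "dkim=pass" in auth and "header.d=paypal.com" in auth:
        findings.append("authenticated-paypal-sender")
    # Signal 2: the receiving mailbox is not in To/Cc, which is what a
    # notice redistributed through a mailing list looks like.
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    addressed = {addr.lower() for _, addr in getaddresses(headers)}
    if delivered_to.lower() not in addressed:
        findings.append("recipient-not-addressed")
    # Signal 3: a phone number in the plain-text body, where the brief says
    # the fake "PayPal support" number is listed.
    body = "".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")
    if PHONE.search(body):
        findings.append("phone-number-in-body")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE, "victim@example.com"))
```

All three findings together are a reason to quarantine for review rather than a verdict; the envelope recipient passed as `delivered_to` has to come from the mail system, since it is not in the message headers.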
Geopolitical Focus: Casualties, Shootings, and Accidents
- Investigations continue into the two gunmen who carried out a terrorist attack at Bondi Beach, Australia, targeting a Jewish Hanukkah celebration, killing 15 and hospitalizing 40. Police declared the shooting a terrorist incident after rendering safe two active but “basic” explosive devices found at the scene.
- German authorities arrested five individuals suspected of planning an attack on a Christmas market on December 14, 2025, in southern Bavaria, Germany. German authorities remain on alert, especially after past attacks, including the 2024 Magdeburg and 2016 Berlin incidents.
- Authorities have arrested a suspect in connection with the Brown University shooting and have recovered two firearms from their hotel room. The attack killed two people and injured nine, forcing students into an overnight lockdown on December 14, 2025.
- On December 14, 2025, seventeen people were killed and 20 were injured when a bus carrying school children fell off a cliff in northern Colombia during a return trip from a graduation celebration.
DEEP AND DARK WEB INTELLIGENCE
700Credit data breach: A data breach at 700Credit, which carries out credit checks and identity verification services for auto dealerships across the United States, has exposed personally identifiable information (PII) of at least 5.6 million people. The leaked data includes names, addresses, dates of birth, and Social Security numbers (SSNs). Exposed individuals are likely to be targeted in phishing, social engineering, and impersonation attacks.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-43529 and CVE-2025-14174: Apple has released security patches for two WebKit vulnerabilities, one of which (CVE-2025-14174) was also patched by Google in the Chrome browser. The vulnerabilities have been disclosed as actively exploited in the wild, with reports stating they may have been exploited in highly targeted mercenary spyware attacks. Successful compromise is likely to enable threat actors to steal credentials and sensitive information and to monitor user activity on applications and browsers.
Affected products: The affected Apple products are listed in this advisory.
Tags: DIB, tlp:green