Ben Nahorney

Senior Technical Marketing Writer

Ben Nahorney is a Senior Technical Writer here at Expel. His modus operandi is to research and write about the latest activity on the threat landscape. When he’s not keeping up with the latest cyberattacks, he wonders if the latest cyberattacks are keeping up with him.

Posts by Ben Nahorney

Threat intel | 5 min read
Patch Tuesday: February 2026 (Expel’s version)

We're highlighting three critical CVEs, and we're also sharing some thoughts around the deprecation timeline of NTLM.

Threat intel | 5 min read
Patch Tuesday: January 2026 (Expel’s version)

We're highlighting five critical CVEs, and we're also recapping our vulnerability prioritization recommendations from 2025 to see how we did.

SOC | 2 min read
On the radar: Weeding out XMRig

XMRig is a cryptocurrency miner considered less malicious than other threats, but it's still worth prioritizing.

SOC | 6 min read
Stories from the SOC: The second coming of Shai Hulud

A new variant of the Shai Hulud worm has been discovered, and we're sharing effective approaches to remediate the threat.

Threat intel | 5 min read
Patch Tuesday: December 2025 (Expel’s version)

This month we're highlighting top critical vulnerabilities, including three zero-day and three critical remote code execution vulnerabilities.

SOC | 7 min read
Stories from the SOC: Mystery of the postponed proxyware install

A PowerShell alert revealed an attack chain using a download cradle and in-memory execution to install proxyware on a compromised system.

Threat intel | 3 min read
Patch Tuesday: November 2025 (Expel’s version)

This month, we're highlighting top critical vulnerabilities, including one zero-day and an update on Windows Server Update Services (WSUS).

Threat intel | 3 min read
Expel Quarterly Threat Report, Q3 2025: Threat intel recap

Here's a refresher on the threat intel we shared throughout the third quarter of 2025. Catch up on what you missed.

Threat intel | 4 min read
Expel Quarterly Threat Report, Q3 2025: Q3 by the numbers

Part I of our Quarterly Threat Report summarizes key findings and stats from Q3 of 2025. Learn what to focus on right now.

SOC | 4 min read
Stories from the SOC: The curious case of termination notices

Our new "Stories from the SOC" series shares real-world attacks we've seen and stopped. This one covers a phishing attack on a university.

Threat intel | 2 min read
Patch Tuesday: October 2025 (Expel’s version)

This month, we're highlighting top critical vulnerabilities, including six zero-day vulnerabilities, and one in Cisco IOS.

SOC | 3 min read
Stories from the SOC: When threats come from inside the house

MDR email coverage is more than just flagging spam to contain threats. Here's what happens when malicious emails come from within an org.

Threat intel | 3 min read
Patch Tuesday: September 2025 (Expel’s version)

This month, we're highlighting top critical vulnerabilities, including an SAP S/4HANA code injection vulnerability currently being exploited.

Threat intel | 4 min read
Patch Tuesday: August 2025 (Expel’s version)

The August 2025 edition of Patch Tuesday is live, and this month we're highlighting targeted SharePoint vulnerabilities.

Threat intel | 5 min read
Expel Quarterly Threat Report, Q2 2025: Threat intel recap

Here's a refresher on the threat intel we shared throughout the second quarter of 2025. Catch up on what you missed.

Rapid response | 2 min read
Update on the SharePoint ToolShell vulnerability exploitation (CVE-2025-53770)

Over the weekend, a zero-day vulnerability for SharePoint 16.0.0.0 and earlier versions was targeted. Here's what you need to know.

Threat intel | 5 min read
Expel Quarterly Threat Report, Q2 2025: Q2 by the numbers

Part I of our Quarterly Threat Report summarizes key findings and stats from Q2 of 2025. Learn what to focus on right now.

Threat intel | 3 min read
Patch Tuesday: July 2025 (Expel’s version)

The July 2025 edition of Patch Tuesday is live, and this month we're highlighting a couple of vulnerabilities in Citrix NetScaler.

Threat intel | 3 min read
Are attackers retooling?

Vulnerability exploitation as an initial access vector is up year-over-year, and attackers are shifting strategies, so what gets prioritized?

Threat intel | 3 min read
Patch Tuesday: June 2025 (Expel’s version)

The June 2025 edition of Patch Tuesday is live, and this month we're highlighting a handful of Ivanti critical vulnerabilities.

Threat intel | 4 min read
Patch Tuesday (Expel’s version): May 2025

The May 2025 edition of Patch Tuesday is live, and this month we highlighted an SAP NetWeaver vulnerability Expel has seen recently.

Threat intel | 5 min read
Expel Quarterly Threat Report, Q1 2025: Cloud infrastructure trends

Volume IV of our Q1 2025 Quarterly Threat Report summarizes key findings for cloud infrastructure. Learn what to focus on right now.

Threat intel | 3 min read
Expel Quarterly Threat Report, Q1 2025: Endpoint threats

Volume III of our Q1 2025 Quarterly Threat Report summarizes key findings for endpoint threats. Learn what to focus on right now.

Threat intel | 5 min read
Expel Quarterly Threat Report, Q1 2025: Cloud-based service trends

Volume II of our Q1 2025 Quarterly Threat Report summarizes key findings for cloud-based services. Learn what to focus on right now.

Threat intel | 4 min read
Expel Quarterly Threat Report, Q1 2025: Q1 by the numbers

Volume I of our Quarterly Threat Report summarizes key findings and stats from Q1 of 2025. Learn what to focus on right now.

Threat intel | 4 min read
Observing Atlas Lion (part two): Winning the battle, with an eye on the war

This is part two of our series on Atlas Lion, a threat group out of Morocco that targets organizations with fraudulent gift cards.

Threat intel | 4 min read
Observing Atlas Lion (part one): Why take control when you can enroll?

Cybercrime group Atlas Lion targets orgs using gift cards. Their attacks highlight the importance of secure enrollment processes for devices.

Threat intel | 5 min read
Patch Tuesday (Expel’s version): April 2025

The April 2025 edition of Patch Tuesday is live, and this month we included PHP vulnerability data Expel has seen recently.

SOC | 4 min read
Patch Tuesday (Expel’s version): March 2025

The March 2025 edition of Patch Tuesday is live, and this month we included ColdFusion vulnerability data Expel has seen recently.