No one saw this coming. Microsoft’s campaign to push Windows 10 users to upgrade to Windows 11 had been heading in just one direction. Until now. The Windows-maker has suddenly and quietly changed a critical deadline, which will surprise the 700 million PC owners yet to move to Windows 11. In January, I reported on yet another Microsoft deadline to push Windows 10 users to take the free Windows 11 upgrade. While some 240 million users don’t have a new enough PC to run the latest OS, hundreds of millions can upgrade but are currently choosing not to — albeit that number is reducing month-by-month. This deadline hit apps rather than the OS itself. “Microsoft 365 Apps will no longer be supported after October 14, 2025, on Windows 10 devices,” the company said. “To use Microsoft 365 Applications on your device, you will need to upgrade to Windows 11.” In a support document, the company confirmed “Microsoft 365 apps will no longer be supported on Windows 10 after it reaches end of support,” just as “Microsoft 365 apps are no longer supported on Windows 7, Windows 8 or Windows 8.1 now that these operating systems have reached their end of support dates.” That particular support document had not been changed at the time of writing. But as spotted by Neowin, “it looks like Microsoft has had a big change of heart. On a Tech Community blog post about Windows 10 extended security updates (ESU) it recently updated, the company has confirmed that Microsoft 365 apps will be supported for another three years till 2028. Neowin noticed this new addition while browsing.” That browsing hit on a different, newly updated support document, in which Microsoft says “to help maintain security while you transition to Windows 11, Microsoft will continue providing security updates for Microsoft 365 Apps on Windows 10 for three years after Windows 10 reaches end of support. 
These updates will be delivered through the standard update channels, ending on October 10, 2028.” Microsoft warns that “using an unsupported OS can cause performance and reliability issues when running Microsoft 365 Apps.” More interestingly, although “if the issue occurs only with Microsoft 365 Apps on Windows 10, with or without Windows 10 Extended Security Updates, and doesn’t occur on Windows 11, support will ask the customer to move to Windows 11,” Microsoft also says “if the customer is unable to move to Windows 11, support will provide troubleshooting assistance only; technical workarounds might be limited or unavailable.” That comes across as a direct shout-out to the 240 million Windows 10 users who don’t have a TPM 2.0 PC and so can’t accept the free Windows 11 upgrade today. The primary issue for those users is security, and this has now been resolved for Microsoft 365 apps. Unlike the current plan for a Windows 10 ESU, this update extension offer is free. “To help maintain security while you transition to Windows 11,” Microsoft now says it “will continue providing security updates for Microsoft 365 Apps on Windows 10 for three years after Windows 10 reaches end of support. These updates will be delivered through the standard update channels, ending on October 10, 2028.” This will come across as a soft three-year extension for those users to extend a move and to hold off buying a new PC. More critically, it also signals that Microsoft is bedding down for a prolonged period of Windows 10 users running PCs with no support. To learn more, visit OUR FORUM.

America’s Android and iPhone users are under attack from a plague of dangerous text messages driven by organized Chinese gangs. The FBI has warned that such scams are sweeping the country “state to state,” and thus far no network or phone maker has been able to stem the tide. This is not getting better, it’s getting worse — much worse. 
While undelivered packages and unpaid tolls have grabbed the headlines, it’s a different type of malicious text that has been described by the police as “the latest, fastest growing digital scam,” and which was highlighted by the FTC as a threat to Americans. We’re talking wrong number lures, which have already been sent to tens of millions of Americans, with countless more sent every day. The intent of the text is to solicit a reply, to trick the recipient into a chat. The FTC warns these “often evolve into a conversation with romantic undertones that can lead to investment and other scams.” If you haven’t been hit up by these texts yet, the chances are that you will. It might be a simple call out to a name you don’t recognize or it might tempt a reply with a lure such as “Hey Stacy, just making sure you’re still on to meet at 6pm. I’m heading there now,” to trick you into a well-meaning reply to let the sender know it’s a wrong number. Other lures might include a doctor’s appointment, a social event, a funeral, a hospital visit, a message after a long absence, anything to solicit a reply. This is pure social engineering, the itchy texting fingers we all have. The texts will usually start with a name that isn’t yours. The intent is to be clear it’s a wrong number from the start. The goal of the text often isn’t to lead into a conversation of any kind — all the attacker needs is for you to reply, to reply with anything, and they hit their target. Your phone number is included in multiple databases that are held overseas by the organized criminal gangs behind these operations. Wrong number lures are a powerful way to confirm your number is active — the text goes through — and the user is willing to reply. If you do reply, an unrelated attack will follow. Not necessarily straight away, but soon. 
And it won’t just be one further attempt; the gangs have multiple different ways to try to trick you into clicking a link, giving away your passwords, your financial information, and potentially even your identity. This is fraud on an industrial scale. McAfee warns “these messages may seem harmless, but they’re often the first step in long-game scams designed to steal personal data — or even life savings. McAfee research shows 1 in 4 Americans have received one. Best advice? Don’t engage.” The power in this approach is the message itself doesn’t seem to be a scam. As Bitdefender says, “these texts though are not so obvious from the beginning, with no red flags such as suspicious links or mentions of you winning a prize.” A new report from XConnect and Mobilesquared highlights the scale of the market when it comes to “harmful” traffic, which is defined as “SMSes that can have a direct or indirect negative impact on consumers and enterprise, including smishing, SIM farms, AIT, trashing, SIM swap, and so on.” The report suggests “harmful traffic levels peaked in 2023 and are projected to gradually decline over the remainder of the forecast period to 2029. Harmful traffic peaked at just over 18% of total traffic and will drop to around 16.5%.” That said, a reduction from 18% to 16.5% is not the game-changer most would hope for, and they’d certainly want to see better filtering of such threats by networks or devices. The other factor that plays here is the likelihood of detection and whether the fraud will hit its targeted outcome. It’s here that the acceleration of AI-fueled scams will have a devastating impact, making attacks much more efficient and effective. “Over half of telecoms service providers expect SMS to experience an increase in fraud in 2025,” says Digit News, citing these latest findings, “with less than a third expecting SMS to become a cleaner channel in this period.” That’s not a good news story. 
Fortunately this works both ways — or will when it starts to make more of a dent. Google Messages, essentially the stock texting client on Android, “now uses AI to flag conversational text patterns commonly associated with scams, so you can identify messages that seem harmless, but turn dangerous over time.” Follow this and more on OUR FORUM.

Here we go again. Google has confirmed another attack on Gmail users that combines inherent vulnerabilities in the platform with devious social engineering. The net result is a flurry of headlines and viral social media posts followed by an urgent platform update. Google’s security warning is clear. Users should stop using their passwords. This latest attack has been bubbling on X and in a number of crypto outlets given the victim was an Ethereum developer. Nick Johnson says he was “targeted by an extremely sophisticated phishing attack,” one which “exploits a vulnerability in Google’s infrastructure, and given their refusal to fix it, we’re likely to see it a lot more.” The attack started with an email from a legitimate Google address warning Johnson that it has been served with a subpoena for his Google account. “This is a valid, signed email,” Johnson says, “sent from [email address obscured]. It passes the DKIM signature check, and Gmail displays it without any warnings - it even puts it in the same conversation as other, legitimate security alerts.” This is clever, and technically the attackers have exploited a way to send a correctly titled Google email to themselves from Google, which they can then forward to others with the same legitimate DKIM check even though it’s a copy of the original. But the objective is simpler: a credential phishing page that mimics the real thing. “We’re aware of this class of targeted attack,” Google has now confirmed in a statement, “and have been rolling out protections for the past week. 
These protections will soon be fully deployed, which will shut down this avenue for abuse. In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.” That’s all that matters. Stop using your password to access your account, even if you have two-factor authentication (2FA) enabled and especially if that 2FA is SMS-based. It’s now too easy to trick you into giving up your login and password and then bypassing or stealing the SMS codes as they come into your device. There’s nothing to stop an attacker using your password and 2FA code on their own device. What does stop them is a passkey. This is linked to your own physical device and requires your device security to unlock your Google account. That means if an attacker does not have your device they can’t log in. While Google has not yet gone as far as deleting passwords completely (which is Microsoft’s stated intention), you will know not to use your password to sign in, which will stop a malicious phishing page stealing it. The cleverness in this latest attack, added to others we have seen in recent months, is easily thwarted by updating your account security. These attacks are getting ever more sophisticated, and AI will enable this level of “targeting” to be done on a massive scale. As Microsoft warns, “AI has started to lower the technical bar for fraud and cybercrime actors looking for their own productivity tools, making it easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate.” This latest Google scam, exploiting weaknesses in its core infrastructure to mask an attack, is now getting more media pick up (1,2). Unfortunately, most of this misses the point. Google has been very clear each time such stories make headlines, emphasizing two key points. 
First, that the company will never reach out proactively to users to warn them about a support or security issue or to recommend they take actions to stay safe. And second, enhancing account security per its advice will keep those accounts safe. Learn more by visiting OUR FORUM.