Microsoft Investigates Classic Outlook Bug Blocking Access to Mailboxes
Microsoft is currently investigating a major issue affecting the classic Outlook desktop client on Windows that prevents users from accessing their email accounts. Identified in late September 2025, the issue manifests as repeated errors when launching Outlook, with messages stating that the application cannot start or cannot connect to the Exchange mailbox. Microsoft has linked recent cases to authentication failures caused by an Exchange concurrency limit, which is hit when too many simultaneous login attempts are being processed. The issue is classified as under investigation, and Microsoft has confirmed that it primarily affects Microsoft 365 customers using Exchange Online. As a result, businesses that depend on classic Outlook for daily communications are facing significant disruptions, with employees unable to access their inboxes, calendars, or shared resources through the desktop application. Currently, Microsoft's only permanent resolution requires organizations to open a support case through the Microsoft 365 Admin portal, where Exchange Online engineers can apply service-level changes to mitigate the bug. In the meantime, users are advised to switch to Outlook Web Access (OWA) or Microsoft's new Outlook for Windows client, both of which remain unaffected.
Organizations should watch for signs of this issue, including persistent Outlook launch failures, repeated prompts that the Outlook window cannot be opened, and authentication errors referencing "ClientBackoffException" or "concurrency limits." IT teams should also monitor support advisories and proactively inform end users about temporary alternatives to minimize workflow disruptions. To minimize business impact, companies are encouraged to transition affected staff to OWA or the new Outlook client until Microsoft delivers a permanent fix, while maintaining close communication with Microsoft support for updates.
Malicious SoopSocks Package Abuses PyPI for Windows Backdoor Access
Researchers uncovered a malicious package named SoopSocks that was uploaded to the Python Package Index (PyPI), disguised as a tool for creating SOCKS5 proxies. On the surface, the package appeared to function normally, but hidden within it was a backdoor specifically designed for Windows systems. Over time, the authors behind SoopSocks released updates that expanded its capabilities, from a basic proxy service to a package able to install itself as a Windows service, deploy compiled executables, and even bypass User Account Control (UAC). Its design let attackers provide seemingly legitimate functionality while secretly maintaining a covert channel to compromised machines. This dual-purpose nature made it particularly dangerous, because unsuspecting developers or organizations could have installed it believing it to be a standard networking utility. The malicious behavior of SoopSocks centered on stealth and persistence. Once installed, it dropped an executable that launched PowerShell commands designed to bypass execution policies, run silently, and avoid alerting the user. It then copied itself into system directories, created a persistent Windows service, and set up scheduled tasks as a backup mechanism to ensure it would restart if interrupted. To strengthen its foothold, it automatically modified firewall rules to open network ports, giving attackers a reliable entry point into the system. The malware communicated with its operators over encrypted channels so that its traffic blended into normal network activity. Organizations should be alert for suspicious indicators such as the sudden appearance of unfamiliar Windows services, scheduled tasks, or new firewall rules opening port 1080. Signs of unusual PowerShell execution, such as "ExecutionPolicy Bypass," or unexplained encrypted outbound traffic may also indicate a compromise.
To defend against this threat, companies are advised to thoroughly validate and audit all open-source packages before deployment, restrict unnecessary package installations on production systems, and closely monitor developer endpoints. Maintaining robust endpoint protection, enforcing application whitelisting, and monitoring network activity for suspicious traffic will further reduce risk. Ultimately, vigilance in software supply chain security and strict access controls remain the best defense against threats hidden in public repositories.
New Android Trojan “Klopatra” Disguised as IPTV/VPN App
A new Android banking and remote access trojan (RAT) called Klopatra has been discovered by Cleafy researchers. It has already infected more than 3,000 devices across Europe and other regions and has the potential to expand globally. Disguised as an IPTV and VPN app named Modpro IP TV + VPN, the malware is distributed outside the official Google Play Store, tricking users into sideloading it from third-party websites. Klopatra is a highly capable tool: it can record keystrokes, monitor screens in real time, and simulate taps and gestures to steal banking credentials and cryptocurrency wallet information. One of its most concerning features is a hidden Virtual Network Computing (VNC) mode, which allows attackers to remotely control an infected device while displaying only a black or locked screen to the victim. This enables criminals to perform banking transactions in the background, draining accounts while the user is unaware. Researchers have tracked at least 40 versions of Klopatra since its discovery in March 2025, showing that its operators, believed to be a Turkish-speaking cybercrime group, are rapidly developing and improving the malware to stay ahead of defenses. Klopatra is designed to remain hidden and difficult to remove. It uses advanced evasion tactics, including commercial-grade code protection, string encryption, and anti-analysis measures, to avoid detection. It also abuses Android's Accessibility Service to obtain dangerous permissions, granting it complete control over navigation and user input. To make matters worse, it attempts to uninstall popular antivirus software on infected devices, ensuring that attackers maintain access. Indicators that a device may be compromised include unusual requests for Accessibility permissions, an unexplained "black screen" while charging or idle, missing antivirus apps, and unauthorized logins to banking or crypto accounts.
To defend against this threat, Android users should avoid downloading apps from unofficial sources, never grant Accessibility permissions unless necessary, and keep Google Play Protect enabled. Organizations should educate employees about the risks of sideloading apps, enforce mobile security controls, and monitor for suspicious logins and financial activity. Taking these steps can significantly reduce the risk of falling victim to this evolving mobile banking trojan.