Cleartext daily briefing

Cleartext – June 04, 2026

Thursday, June 4, 2026 · 9:14


Show notes

Daily cybersecurity briefing for CISOs and security leaders.

Episode Summary

Today's episode covers 9 stories across 4 topic areas, including: Srsly Risky Biz: NATO's cyber approach needs to change; CISA warns of cyberattacks targeting fuel tank monitoring systems; China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa.

Stories Covered

🌍 Geopolitical

Srsly Risky Biz: NATO's cyber approach needs to change

Risky Business News · Jun 04 · Relevance: ████████░░ 8/10

Why it matters to CISOs: The admission that US military used commercial location data to target personnel in Iran operations confirms that commercial data brokers pose direct national security risks—enterprises holding or purchasing similar data face elevated espionage and targeting risk from adversary intelligence services.

  • US military confirmed commercial location data was used to identify and target personnel involved in the Iran 'Epic Fury' operation
  • Analysis argues China is likely exploiting the same commercial data flows in peacetime for counter-espionage and intelligence gathering
  • NATO allies are re-evaluating their collective cyber posture and operational frameworks following the conference

CISA warns of cyberattacks targeting fuel tank monitoring systems

BleepingComputer · Jun 03 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A multi-agency advisory covering active attacks on internet-exposed automatic tank gauge systems across energy, agriculture, and transportation sectors requires CISOs at critical infrastructure organizations to immediately audit OT/ICS internet exposure and assess ATG system inventory.

  • CISA, FBI, NSA, and Department of Energy jointly issued the warning about active targeting of automatic tank gauge systems
  • ATG systems are widely deployed across critical infrastructure including energy, agriculture, and transportation sectors
  • The advisory highlights internet-exposed OT systems as the primary attack vector

China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa

The Hacker News · Jun 04 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A newly attributed China-linked threat group rapidly expanding operations across major European economies and South Africa signals broadening PRC espionage targeting of Western enterprise organizations, warranting updated threat intelligence briefings for multinational security teams.

  • TA4922 has expanded targeting to UK, Germany, Italy, and South Africa with a 'rapid operational tempo'
  • The group deploys ValleyRAT (Winos 4.0), Atlas RAT (AtlasCross RAT), and previously undocumented malware families
  • Researchers describe a continually evolving malware arsenal indicating well-resourced, adaptive adversary capabilities

U.S. sanctions Nobitex crypto exchange used by Iranian ransomware actors

BleepingComputer · Jun 03 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: OFAC sanctions on Iran's largest crypto exchange for facilitating ransomware payments signal continued US pressure on Iranian cyber threat actors and expand compliance obligations for any enterprise with cryptocurrency exposure or Iran-adjacent transaction monitoring requirements.

  • OFAC has sanctioned Nobitex, Iran's largest cryptocurrency exchange, for facilitating payments tied to terrorist activities and ransomware actors
  • The sanctions create new compliance obligations for financial institutions and enterprises processing cryptocurrency transactions
  • The action is part of a broader US posture linking Iranian state-tolerated ransomware groups to financial infrastructure

🔓 Data Breach

Hackers Spied on a Stock Exchange Executive's Outlook Mailbox for Five Months

The Hacker News · Jun 04 · Relevance: █████████░ 9/10

Why it matters to CISOs: A five-month undetected intrusion into a C-suite Outlook mailbox at a major global stock exchange—with exfiltration disguised as normal cloud traffic via Dropbox and OneDrive—is a direct case study in detection gap risk for executive email accounts and cloud-blended exfiltration techniques.

  • Attackers maintained persistent access to a senior executive's Outlook mailbox for at least five months without detection
  • Exfiltration was conducted in small repeated batches routed through Dropbox and OneDrive to blend with legitimate cloud activity
  • Symantec and Carbon Black Threat Hunter Team attributed the campaign to espionage, not financial crime

The worst hacks and breaches of 2026 (so far)

TechCrunch Security · Jun 03 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A midyear retrospective covering a DOGE data breach, critical energy and water system compromises, and an FBI surveillance system hack provides CISOs with essential board-level context for threat landscape briefings and benchmarking their own program posture.

  • A massive DOGE-related data breach is among the most significant incidents of the year to date
  • Critical infrastructure sectors including energy and water have been successfully compromised in 2026
  • An FBI surveillance system was hacked, raising concerns about intelligence infrastructure security

⚖️ Governance & Policy

DHS Secretary Markwayne Mullin pinpoints optimal CISA staffing levels

CyberScoop · Jun 03 · Relevance: ████████░░ 8/10

Why it matters to CISOs: CISA's staffing trajectory directly affects the agency's capacity to support critical infrastructure operators, issue advisories, and respond to incidents—CISOs reliant on CISA resources need to calibrate their dependency on federal cybersecurity support accordingly.

  • DHS Secretary Mullin told lawmakers he wants approximately 600 more CISA staff than the agency currently has
  • The proposed staffing level would still remain well below CISA personnel numbers prior to Trump's second term
  • This signals a partial restoration of CISA capacity but not a return to pre-2025 operational levels

Cyber Insurance Rates Are Dropping, but Exclusions Widen

Dark Reading · Jun 03 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Widening policy exclusions—including potential gaps for social engineering attacks like ClickFix—mean CISOs must re-examine their cyber insurance coverage assumptions and ensure risk transfer strategies account for the evolving exclusion landscape.

  • Cyber insurance premiums are declining, but insurers are simultaneously broadening policy exclusions
  • Some policies may no longer cover losses from social engineering attacks including ClickFix-style campaigns
  • CISOs face a risk of assuming coverage that no longer applies to the most prevalent attack techniques

🚨 Critical Vulnerability

Cisco warns of critical Unified CM flaw with PoC exploit code

BleepingComputer · Jun 04 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A critical Cisco Unified Communications Manager vulnerability with public PoC exploit code enabling root privilege escalation demands urgent patching prioritization, as Unified CM is pervasively deployed across enterprise voice and collaboration infrastructure.

  • Cisco has released patches for a critical-severity Unified CM vulnerability that allows attackers to achieve root privileges
  • Public proof-of-concept exploit code is already available, significantly lowering the barrier to exploitation
  • Unified CM is widely deployed as enterprise telephony and collaboration infrastructure, making the attack surface broad

Full Transcript

Alex: It's Thursday, June 4th, 2026. This is Cleartext. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: So Jordan, you want to start us off with the one that's been sitting with you since this morning?

Jordan: Yeah. Someone sat inside a stock exchange executive's Outlook mailbox for five months. Five months of reading every email, every attachment, every calendar invite. And nobody noticed. Because they were smart about it—they siphoned the data out in tiny batches through Dropbox and OneDrive, so it just looked like normal cloud traffic. Symantec and Carbon Black's Threat Hunter Team published the attribution this week. This is espionage, not a money grab. And it's exactly the kind of intrusion that should terrify every CISO listening to this show.

Alex: Five months. And this wasn't some mid-level analyst's inbox. This was a senior executive at a major global stock exchange. The kind of person whose emails contain market-moving information, regulatory correspondence, board communications. That's the crown jewels.

Jordan: Right. And the tradecraft here is what matters. They didn't exfil a giant PST file at two in the morning. They dripped it out over sanctioned cloud platforms that every enterprise already whitelists. Your DLP is looking for anomalies. This wasn't anomalous. It was designed to look exactly like someone syncing their work files to the cloud. If you're a CISO and your executive email monitoring relies on volumetric triggers or endpoint alerts alone, this is your wake-up call.

Alex: And I'll say it plainly—most organizations do not monitor C-suite mailboxes with the intensity this threat demands. There's a cultural reluctance. Executives don't want to feel surveilled. But the adversary knows that, and they exploit it. If you haven't had the conversation with your CEO about why their inbox needs the same security scrutiny as a production database, today is the day.

Jordan: Agreed. And honestly, this connects to a bigger theme we're going to hit several times today, which is the commercial data and cloud infrastructure that enterprises use every day being weaponized against them.

Alex: Perfect segue. Let's talk about the NATO story, because Risky Business broke down something this week that I think is going to reshape how a lot of security leaders think about data broker risk.

Jordan: So the US military confirmed—and this is on the record now—that commercial location data was used to identify and target personnel involved in Epic Fury, the US military operation against Iran. Let me be precise about what that means. You could buy data from a broker that tells you where specific phones are, when, and how often. And the US military used exactly that kind of data for operational targeting.

Alex: Which means every sophisticated adversary can do the same thing.

Jordan: Exactly. And the analysis from Tom Uren at Risky Business makes the point I've been making for years—China is almost certainly exploiting these same commercial data flows right now, in peacetime, for counter-intelligence and espionage. They don't need to hack anything. They can just buy it.

Alex: So for the CISO audience, here's the translation. If your enterprise is purchasing, holding, or processing commercial location data, you are holding intelligence-grade targeting information. The risk calculus on that data just changed. It's not just a privacy liability anymore. It's an espionage magnet. Your data governance framework needs to reflect that.

Jordan: And on the NATO side, allies are re-evaluating their collective cyber posture. The conference made clear that the current frameworks aren't keeping pace with how cyber operations are actually being conducted—not by adversaries, but by allies. There's a real reckoning happening about what offensive cyber means when it's built on top of commercial infrastructure.

Alex: Let's stay in the geopolitical lane because there's a cluster of stories that belong together. CISA, FBI, NSA, and the Department of Energy jointly issued a warning this week about active attacks on automatic tank gauge systems. These are the OT systems that monitor fuel and liquid storage tanks across energy, agriculture, and transportation.

Jordan: And the vector is embarrassingly simple. These systems are internet-exposed. Not theoretically. Actually. Right now. Someone can find them on Shodan in about thirty seconds. And threat actors are actively targeting them.

Alex: If you're a CISO at a critical infrastructure organization and you haven't done a comprehensive audit of your OT and ICS internet exposure in the last ninety days, this advisory is your mandate. A four-agency joint advisory is not a suggestion. It's a flare.

Jordan: The frustrating thing is we've been talking about internet-exposed OT for a decade. And yet here we are with a multi-agency advisory because the problem persists. The gap is almost never technical. It's organizational. OT teams and IT security teams still don't have unified asset inventories. You can't protect what you can't see, and in a lot of these environments, the CISO literally does not know these systems exist on the network.

Alex: Meanwhile, TA4922—a newly attributed China-linked group—has expanded phishing operations into the UK, Germany, Italy, and South Africa. The operational tempo is described as rapid, and their tooling includes ValleyRAT, Atlas RAT, and previously undocumented malware families.

Jordan: This is the PRC broadening its aperture. For years, the primary targets were US defense industrial base and Asia-Pacific. Now they're going after European enterprise organizations with purpose-built tooling that keeps evolving. If you're running a multinational security team, your threat model for European operations needs updating. TA4922 is well-resourced, adaptive, and clearly has tasking that extends beyond the usual suspects.

Alex: And rounding out the geopolitical picture, OFAC sanctioned Nobitex—Iran's largest cryptocurrency exchange—for facilitating ransomware payments and terrorist financing.

Jordan: This is the Treasury continuing to tighten the financial noose around Iranian cyber actors. For CISOs, the practical implication is compliance. If you have any cryptocurrency exposure, any Iran-adjacent transaction monitoring, the OFAC list just got longer. And the penalties for getting this wrong are severe. Make sure your compliance team has updated their screening.

Alex: Let's shift to governance, because there are two stories that I think every CISO needs to weigh together. First, DHS Secretary Mullin told Congress he wants about 600 more staff for CISA than the agency currently has.

Jordan: Which sounds like good news until you realize that even with those 600 people, CISA would still be well below its pre-2025 staffing levels. This is a partial restoration, not a comeback.

Alex: And that matters because a lot of security programs—especially in critical infrastructure—have built real dependencies on CISA's advisory services, incident response support, and vulnerability coordination. If CISA is operating at reduced capacity, you need to know that. You need to calibrate your assumptions about what federal support looks like if you get hit.

Jordan: It's not that CISA is going away. It's that the response times will be longer, the advisories might be thinner, and the hands-on support in a crisis may not materialize the way it did three years ago. Plan accordingly.

Alex: The second governance story pairs with that perfectly. Cyber insurance premiums are dropping, but exclusions are widening. Insurers are getting more aggressive about carving out coverage for social engineering attacks—including ClickFix-style campaigns, which are among the most prevalent attack techniques right now.

Jordan: So your premium goes down and your board thinks you're saving money. But the fine print now says that the attack most likely to actually hit you isn't covered. That's not a good trade.

Alex: It's a terrible trade. And I've seen this pattern before. CISOs present their cyber insurance renewal to the board, everyone's happy about the lower premium, and nobody reads the exclusion schedule. Then an incident happens, the claim gets denied, and suddenly the CISO is answering very uncomfortable questions. Read your policy. Read the exclusions. Bring your broker into a room with your threat intel team and map the exclusions against your actual risk profile. If there's a gap, you need to know before the incident, not after.

Jordan: I'd add—if your insurer is excluding social engineering, that tells you something about the loss data they're seeing. They're not excluding it because it's rare. They're excluding it because it's expensive and frequent.

Alex: Quick hit on the vulnerability front. Cisco patched a critical-severity flaw in Unified Communications Manager. Root privilege escalation, and proof-of-concept exploit code is already public.

Jordan: If you run Unified CM—and a lot of enterprises do because it's the backbone of their voice and collaboration infrastructure—patch this now. Public PoC means the exploitation timeline just collapsed. This is not a "schedule it for the next maintenance window" situation.

Alex: Agreed. Prioritize it today.

Jordan: So Alex, when I look across everything we covered—the stock exchange mailbox compromise, commercial data weaponization, OT systems exposed to the internet, expanding Chinese espionage operations—there's a theme.

Alex: There is. The common thread is that the infrastructure enterprises rely on every day—cloud platforms, commercial data, OT systems, even their voice infrastructure—is the attack surface. The adversary isn't trying to break through the wall anymore. They're living in the house.

Jordan: And the detection paradigm most organizations have deployed was built for the wall-breaking model. Perimeter alerts, volumetric anomalies, signature-based detection. That executive's mailbox was compromised for five months because the exfiltration looked like normal work. Commercial location data is being used for targeting because it's legally purchased and openly available. Tank gauge systems are being attacked because they were never supposed to be on the internet in the first place.

Alex: So the watch item for the rest of this week and into next—if you haven't done a comprehensive review of what your organization considers "normal" cloud traffic, normal data flows, normal OT exposure, you're operating on assumptions that the adversary has already mapped and is exploiting. The CISOs who are going to have a good second half of 2026 are the ones who challenge those assumptions right now.

Jordan: Well said.

Alex: That's our show for Thursday, June 4th. Show notes and links to every story we covered are at cleartext.fm. We'll be back tomorrow.

Jordan: See you then.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-06-04.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.