1-888-TSSAC-CA
January 2025 • Canadian Security Bulletin

What Canadian SMBs Need to Know This Month

Threat intelligence, patch updates, and actionable security guidance for January 2025

🚨 This Month's Top Threats

  • Ransomware surge: LockBit 4.0 targeting Canadian professional services firms (law, accounting, consulting)
  • Microsoft 365 phishing: Fake "password expiration" emails bypassing basic email filters
  • Critical Microsoft patches: 3 zero-day vulnerabilities actively exploited (patch by Jan 15)
  • Tax season scams: CRA impersonation attacks ramping up (expect to peak in February)

Active Threats in Canada

1. LockBit 4.0 Ransomware - Targeting Professional Services

Severity: CRITICAL • Ontario, BC, Alberta

The LockBit ransomware group (despite law enforcement takedowns) has released a new variant specifically targeting Canadian law firms, accounting practices, and consulting companies. Known Canadian victims in December 2024 include a Toronto law firm (ransom: $850K CAD) and a Vancouver accounting firm.

How they're getting in:

  • Phishing emails with malicious PDFs disguised as client documents
  • Exploiting unpatched, internet-facing Microsoft Exchange servers
  • Internet-exposed Remote Desktop Protocol (RDP) protected only by weak or reused passwords, with no MFA

What to do:

  ✓ Enable MFA on ALL accounts (especially VPN, RDP, and any other remote access)
  ✓ Update to the latest Microsoft Exchange patches (see section below)
  ✓ Test your backups: verify you can restore from an offline or immutable copy, since ransomware operators routinely delete or encrypt any backup they can reach
  ✓ Block executable attachments (.exe, .bat, .scr and similar) at the mail gateway, not just on the desktop
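As an added example (not part of the bulletin): the attachment block above and the external-sender warning recommended under the phishing section below, configured as Exchange Online mail flow rules. The admin account name and the extensions beyond .exe/.bat/.scr are assumptions; adjust them for your tenant.

```powershell
# Added example, not from the bulletin: Exchange Online mail flow rules that
# reject executable attachments and tag mail from outside the organization.
# Assumptions: the ExchangeOnlineManagement module is installed, and
# admin@contoso.ca is a hypothetical Exchange administrator account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.ca

# The bulletin names exe/bat/scr; the rest are common ransomware loader formats
# and are an editorial assumption. Tune the list for your business.
$BlockedExtensions = @('exe','bat','scr','cmd','com','pif','js','jse','vbs','vbe','hta','lnk','iso','img','msi','ps1')

function New-RuleIfMissing {
    # Idempotent wrapper so the script can be re-run safely.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][hashtable]$Settings)
    if (Get-TransportRule -Identity $Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$Name' already exists, skipping"
        return
    }
    New-TransportRule -Name $Name @Settings
}

# Rule 1: reject by file extension and tell the sender why, so legitimate
# senders know to share a link instead of resending the file.
New-RuleIfMissing -Name 'Block executable attachments (extension)' -Settings @{
    AttachmentExtensionMatchesWords = $BlockedExtensions
    RejectMessageReasonText         = 'Executable attachments are not accepted. Please share the file via a link instead.'
    Priority                        = 0
}

# Rule 2: inspect the content rather than the filename, so an .exe renamed to
# .pdf is still caught.
New-RuleIfMissing -Name 'Block executable attachments (content)' -Settings @{
    AttachmentHasExecutableContent = $true
    RejectMessageReasonText        = 'Executable content detected. Please share the file via a link instead.'
    Priority                       = 1
}

# Rule 3: subject tag for external mail; works in every mail client.
New-RuleIfMissing -Name 'Tag external senders' -Settings @{
    FromScope      = 'NotInOrganization'
    PrependSubject = '[EXTERNAL] '
    Priority       = 2
}

# Outlook-native external-sender callout (desktop, web and mobile Outlook).
Set-ExternalInOutlook -Enabled $true

# Review what is now in force.
Get-TransportRule | Select-Object Name, State, Priority | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Rejecting (rather than silently deleting) keeps senders informed; if you prefer quarantine, replace RejectMessageReasonText with the Quarantine action in the same hashtable.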

2. Microsoft 365 "Password Expiration" Phishing Campaign

Severity: HIGH • All provinces

Sophisticated phishing campaign using legitimate-looking Microsoft login pages. Emails claim "Your password will expire in 24 hours" and link to fake Office 365 login forms. These slip past default Exchange Online Protection filtering because the sending and landing domains are newly registered .ca domains with no reputation history yet, and the landing pages carry valid TLS certificates (a browser padlock only proves the connection is encrypted, not who owns the site).

Red flags to watch for:

  • Subject lines with urgency: "Action Required", "Expires Today"
  • Login pages asking for unusual information (phone number, security questions)
  • URLs that look similar but are not a Microsoft-owned domain such as microsoft.com or login.microsoftonline.com (e.g., microsoftonline-ca.com, whose registrable domain is microsoftonline-ca.com, not microsoftonline.com)
  • Emails sent outside business hours (2am, Sunday morning)
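An added example, not from the bulletin, for the third red flag: a short script that decides whether a link actually lands on a Microsoft-owned domain or only looks like it does. The domain allowlist, the keyword list and the sample URLs are assumptions constructed for the example.

```powershell
# Added example, not from the bulletin: classify links from a suspected phishing
# email. The allowlist is an assumption; add your own verified domains (e.g., an
# ADFS host) for your tenant.
$MicrosoftDomains  = @('microsoft.com', 'microsoftonline.com', 'live.com', 'office.com', 'office365.com', 'outlook.com')
$LookalikeKeywords = @('microsoft', 'office', 'outlook', 'o365', 'm365', 'sharepoint', 'onedrive')

function Test-MicrosoftDomain {
    # Exact or parent-domain match only: 'microsoft.com.evil.ca' must NOT pass.
    param([Parameter(Mandatory)][string]$HostName)
    foreach ($d in $MicrosoftDomains) {
        if ($HostName -eq $d -or $HostName.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Get-LinkVerdict {
    param([Parameter(Mandatory)][string]$Url)
    $raw = $Url.Trim()
    if ($raw -notmatch '^[A-Za-z][A-Za-z0-9+.-]*://') { $raw = "https://$raw" }   # bare hosts
    try { $uri = [Uri]$raw }
    catch { return [pscustomobject]@{ Url = $Url; Host = $null; Verdict = 'Unparseable' } }

    # [Uri].Host ignores everything before '@', so a brand name placed in the
    # userinfo part ('login.microsoftonline.com@evil.example') is not the host.
    $hostName = $uri.Host.ToLowerInvariant().TrimEnd('.')
    $verdict =
        if (Test-MicrosoftDomain $hostName) { 'Microsoft' }
        elseif ($LookalikeKeywords | Where-Object { $raw.ToLowerInvariant().Contains($_) }) { 'Lookalike' }
        else { 'Other' }
    [pscustomobject]@{ Url = $Url; Host = $hostName; Verdict = $verdict }
}

# Constructed sample links of the kind used in "password expiration" lures.
$Samples = @(
    'https://login.microsoftonline.com/common/oauth2/v2.0/authorize'   # genuine
    'https://microsoftonline-ca.com/login'                              # the bulletin's example
    'https://login.microsoftonline.com.verify-account.ca/'              # real brand as a subdomain of an attacker host
    'https://login.microsoftonline.com@203.0.113.5/'                    # brand in the userinfo part, real host is an IP
    'https://www.cra-arc.gc.ca/'                                        # unrelated but legitimate
)
$Samples | ForEach-Object { Get-LinkVerdict $_ } | Format-Table -AutoSize
```

The verdict for the second, third and fourth samples is Lookalike; the point of the suffix check is that a real brand name anywhere in a URL proves nothing unless the registrable domain itself is Microsoft's.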

What to do:

  ✓ Enable Defender for Office 365 (includes Safe Links protection)
  ✓ Train employees: never change a password from an emailed link; open portal.office.com (or your company sign-in page) directly instead
  ✓ Configure external sender tagging (Set-ExternalInOutlook in Exchange Online PowerShell) or a mail flow rule that prepends [EXTERNAL] to the subject
  ✓ Review Entra ID (formerly Azure AD) sign-in logs for suspicious logins: sign-ins from unexpected countries, bursts of failures followed by a success, and legacy-protocol sign-ins that bypass MFA (entra.microsoft.com → Monitoring → Sign-in logs)
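As an added example (not from the bulletin): a triage of Entra ID sign-in records for the patterns a credential-phishing campaign leaves behind. The records are constructed for the example; the allowed-country list is an assumption.

```powershell
# Added example, not from the bulletin: find sign-ins worth a second look.
# The records below are constructed. For real data, use the Microsoft.Graph.Reports module:
#   Connect-MgGraph -Scopes AuditLog.Read.All
#   $SignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge 2025-01-01T00:00:00Z" -All
# or the JSON download from Monitoring > Sign-in logs at entra.microsoft.com.
$AllowedCountries = @('CA', 'US')   # assumption: where your staff legitimately sign in from
$LegacyClients    = @('Exchange ActiveSync', 'IMAP4', 'POP3', 'SMTP', 'Authenticated SMTP', 'Other clients')

$SampleJson = @'
[
 {"userPrincipalName":"j.tremblay@contoso.ca","createdDateTime":"2025-01-09T13:02:11Z","ipAddress":"198.51.100.20","location":{"countryOrRegion":"CA"},"status":{"errorCode":0},"clientAppUsed":"Browser"},
 {"userPrincipalName":"j.tremblay@contoso.ca","createdDateTime":"2025-01-09T13:40:52Z","ipAddress":"203.0.113.77","location":{"countryOrRegion":"NG"},"status":{"errorCode":0},"clientAppUsed":"Browser"},
 {"userPrincipalName":"a.singh@contoso.ca","createdDateTime":"2025-01-09T02:10:05Z","ipAddress":"203.0.113.9","location":{"countryOrRegion":"RU"},"status":{"errorCode":50126},"clientAppUsed":"Browser"},
 {"userPrincipalName":"a.singh@contoso.ca","createdDateTime":"2025-01-09T02:10:41Z","ipAddress":"203.0.113.9","location":{"countryOrRegion":"RU"},"status":{"errorCode":50126},"clientAppUsed":"Browser"},
 {"userPrincipalName":"a.singh@contoso.ca","createdDateTime":"2025-01-09T02:11:30Z","ipAddress":"203.0.113.9","location":{"countryOrRegion":"RU"},"status":{"errorCode":0},"clientAppUsed":"Browser"},
 {"userPrincipalName":"m.roy@contoso.ca","createdDateTime":"2025-01-09T09:15:00Z","ipAddress":"198.51.100.44","location":{"countryOrRegion":"CA"},"status":{"errorCode":0},"clientAppUsed":"IMAP4"}
]
'@
$SignIns = $SampleJson | ConvertFrom-Json

function Find-SuspiciousSignIns {
    param([Parameter(Mandatory)][object[]]$Records)
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($r, $why) {
        $findings.Add([pscustomobject]@{
            User = $r.userPrincipalName; Time = $r.createdDateTime; IP = $r.ipAddress
            Country = $r.location.countryOrRegion; Reason = $why })
    }

    foreach ($r in $Records) {
        $ok = ($r.status.errorCode -eq 0)   # errorCode 0 = successful sign-in
        # Pattern 1: success from a country the business does not operate in.
        if ($ok -and $r.location.countryOrRegion -notin $AllowedCountries) { Add-Finding $r "success from $($r.location.countryOrRegion)" }
        # Pattern 2: legacy protocols cannot do MFA, so a phished password works directly.
        if ($ok -and $r.clientAppUsed -in $LegacyClients) { Add-Finding $r "legacy auth via $($r.clientAppUsed) (no MFA)" }
    }

    # Pattern 3: repeated failures then a success from the same IP within 15 minutes,
    # i.e. a phished or guessed password being tried and then used.
    foreach ($g in ($Records | Group-Object userPrincipalName)) {
        $ordered = @($g.Group | Sort-Object { [datetime]$_.createdDateTime })
        for ($i = 1; $i -lt $ordered.Count; $i++) {
            $cur = $ordered[$i]
            if ($cur.status.errorCode -ne 0) { continue }
            $t = [datetime]$cur.createdDateTime
            $failures = @($ordered[0..($i - 1)] | Where-Object {
                $_.status.errorCode -ne 0 -and $_.ipAddress -eq $cur.ipAddress -and
                ($t - [datetime]$_.createdDateTime).TotalMinutes -le 15 })
            if ($failures.Count -ge 2) { Add-Finding $cur "$($failures.Count) failures then success from same IP" }
        }
    }
    return $findings
}

Find-SuspiciousSignIns $SignIns | Sort-Object User, Time | Format-Table -AutoSize
```

On the sample data this reports j.tremblay (success from NG), a.singh (success from RU, and two failures then success from the same IP) and m.roy (IMAP4 sign-in). For a.singh the next step is to revoke sessions and reset the password; for m.roy it is to disable legacy authentication in Conditional Access.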

3. CRA (Canada Revenue Agency) Impersonation Scams

Severity: MEDIUM • Increases during tax season

As we enter tax season, scammers are impersonating the CRA via phone calls, emails, and text messages. While this is an annual occurrence, the sophistication has increased: attackers now spoof legitimate CRA phone numbers (caller ID is not proof of identity) and reference real CRA programs.

Remind your team:

  ✓ CRA never demands immediate payment by Interac e-Transfer, cryptocurrency, or gift cards
  ✓ CRA never threatens arrest or sends police
  ✓ When in doubt, hang up and call CRA directly at 1-800-959-8281 (individual enquiries)
  ✓ Report scams to the Canadian Anti-Fraud Centre: antifraudcentre-centreantifraude.ca

Critical Microsoft Patches - January 2025

Patch Tuesday: January 14, 2025

⚠️ Zero-Day Vulnerabilities (Actively Exploited)

These vulnerabilities are being actively exploited in the wild. Patch immediately.

CVE-2025-0001 - Windows Remote Code Execution

CVSS Score: 9.8 (Critical) • Products affected: Windows Server 2016-2025, Windows 10/11

Unauthenticated remote code execution in Windows SMB protocol. Attackers can execute arbitrary code without user interaction. Being used by ransomware gangs to move laterally across networks.

Action: Install KB5034763 immediately

CVE-2025-0042 - Microsoft Exchange Server Elevation of Privilege

CVSS Score: 8.8 (High) • Products affected: Exchange Server 2016/2019 (on-premises)

Allows attackers to gain admin privileges on Exchange servers. Requires authenticated access, but low-privilege users can exploit to become admins.

Action: Install the current Cumulative Update for your version (CU 14 for Exchange 2019, CU 23 for Exchange 2016), then the latest Security Update (SU); SUs only install on a supported CU

CVE-2025-0103 - Microsoft 365 Apps Spoofing

CVSS Score: 7.4 (High) • Products affected: Office 2016-2024, Microsoft 365 Apps

Allows attackers to bypass Office macro security warnings. Malicious Excel/Word documents can execute without user awareness.

Action: Update Office to version 16.0.17928 or later

How to check if you're patched:

  1. Open Settings → Windows Update
  2. Click Check for updates
  3. Install all updates marked "Security Update"
  4. Restart your computer when prompted

For admins: use Windows Server Update Services (WSUS), Microsoft Intune (formerly Endpoint Manager), or third-party patch management to deploy at scale, and confirm installation from the reporting side rather than assuming the push succeeded.
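An added example, not from the bulletin, of checking a single machine against this month's list: installed Windows updates, a pending reboot, and the Office Click-to-Run build. The KB and Office build are the ones named above; the Patch Tuesday cutoff is an assumption to adjust each month.

```powershell
# Added example, not from the bulletin: per-machine patch check.
# Defaults use the KB and Office build from the bulletin; the cutoff date is an assumption.
param(
    [string[]]$RequiredKBs     = @('KB5034763'),
    [version]$MinOfficeVersion = [version]'16.0.17928.0',
    [datetime]$PatchTuesday    = [datetime]'2025-01-14'
)

$os  = Get-CimInstance Win32_OperatingSystem
$ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
Write-Host "$($os.Caption) build $($os.BuildNumber).$ubr, last boot $($os.LastBootUpTime)"

# 1. Installed updates. Get-HotFix reads the same data as Settings > Installed updates.
#    Caveat: a later cumulative update supersedes earlier ones, so an older KB may be
#    absent even on a current machine; compare the build.UBR above with the KB's release
#    notes in that case.
$hotfixes = @(Get-HotFix)
$recent   = @($hotfixes | Where-Object { $_.InstalledOn -ge $PatchTuesday } | Sort-Object InstalledOn)
Write-Host "Updates installed since $($PatchTuesday.ToShortDateString()): $($recent.Count)"
$recent | Format-Table HotFixID, Description, InstalledOn -AutoSize

foreach ($kb in $RequiredKBs) {
    if ($hotfixes.HotFixID -contains $kb) { Write-Host "[OK] $kb installed" }
    else { Write-Warning "$kb not found: run Windows Update or deploy via WSUS/Intune" }
}

# 2. Pending reboot: a downloaded patch protects nothing until the machine restarts.
$pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
           (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
if ($pending) { Write-Warning 'Reboot pending: installed updates are not active yet' }

# 3. Microsoft 365 Apps / Office Click-to-Run build (MSI installs are not covered here).
$c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
if ($c2r) {
    $ver = [version]$c2r.VersionToReport
    if ($ver -ge $MinOfficeVersion) { Write-Host "[OK] Office $ver" }
    else { Write-Warning "Office $ver is below $MinOfficeVersion: File > Account > Update Options > Update Now" }
} else {
    Write-Host 'No Click-to-Run Office installation found'
}

# On-premises Exchange is checked separately in the Exchange Management Shell:
#   Get-ExchangeServer | Format-Table Name, AdminDisplayVersion
```

Run it in an elevated PowerShell on each machine, or push it through Intune or your RMM and collect the warnings centrally.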

3 Actions to Take This Month

1

Run a Phishing Simulation

Send a fake "password expiration" email to your team (Attack simulation training in Microsoft Defender for Office 365, KnowBe4, or a manual test). Track who clicks and, more importantly, who enters credentials on the landing page. Provide immediate training to those who do.

Time required: 30 minutes setup • Cost: Included with Microsoft Defender for Office 365 Plan 2, or $5/user/year (KnowBe4)

2

Test Your Backup Restore Process

Pick one critical file (e.g., client database, financial spreadsheet). Simulate deletion. Restore from backup. Time how long it takes. Document the process.

Time required: 1 hour • Cost: Free

⚠️ If your restore fails or takes longer than 4 hours, your backup strategy needs work.

3

Review Your Cyber Insurance Policy

Pull out your cyber insurance policy. Check the "Conditions" section. Ensure you're meeting all requirements (MFA, backups, EDR, etc.). Note your renewal date.

Time required: 15 minutes • Cost: Free

🚨 If you don't meet the policy requirements, your claim could be denied.

🍁 Canadian Compliance Corner

PIPEDA Update: OPC Issues Guidance on AI Use

The Office of the Privacy Commissioner (OPC) released new guidance on using AI tools (including ChatGPT, Microsoft Copilot) with personal information. Key takeaways:

  • You need a basis under PIPEDA (normally meaningful consent) before feeding customer personal information into AI tools
  • Employees need training on what data can and cannot be shared with AI tools
  • Data Processing Agreements (DPAs) or equivalent contractual safeguards are required with AI vendors (PIPEDA's accountability principle)
  • Consider Microsoft Copilot for Microsoft 365 (prompts and tenant data stay within your Microsoft 365 tenant boundary) rather than the consumer ChatGPT service

Read full guidance at priv.gc.ca →

By the Numbers

47
Reported ransomware attacks in Canada (Dec 2024)
$1.85M
Average ransomware recovery cost (Canadian SMBs)
99.9%
Automated account-compromise attacks blocked by MFA (Microsoft estimate; phishing kits that relay the MFA prompt in real time are the exception)

How Secure Is Your Business?

Get your free security score and see which threats you're vulnerable to.

Get Your Free Security Score →

Next bulletin: February 2025 (Tax season special edition)

Want this delivered to your inbox? Sign up for free