Salt Typhoon’s Global Campaign, NIST’s CSF 2.0 Quick-Start, and the Next Generation of Phishing

Boardroom Breakdown

Introduction
This week’s headlines expose cyber risk on all fronts. Salt Typhoon’s expansion shows nation-state campaigns are reaching deep into business and infrastructure. At the same time, NIST’s latest draft guide confirms that cyber policy and risk governance need to evolve. And attackers continue to innovate against MFA, targeting employee behavior with next-generation phishing.

1. Salt Typhoon’s Global Espionage Surge

Key Point: Chinese cyber group Salt Typhoon has infiltrated over 200 U.S. firms across 80 countries.

Attack Vector: Living-off-the-land tactics, credential misuse, and router infiltration.

Business Impact: This isn’t a single exploit—it’s a coordinated campaign. It blurs the line between national security and business risk, exposing companies to surveillance, disruption, or collateral damage.

Leadership Takeaway: Extend monitoring and response beyond core IT systems to routers and infrastructure. Verify identity and credential hygiene. Ensure your incident response plan includes coordination with government and industry peers.

2. NIST SP 1331 CSF 2.0 Quick-Start Guide

Key Point: NIST has published a draft guide to help organizations use CSF 2.0 for managing emerging risks.

Implication: Cybersecurity governance must evolve from reactive defenses to proactive, integrated risk management. Regulators are signaling higher expectations for board-level engagement.

Leadership Takeaway: Map emerging risks to CSF 2.0 functions, especially “Govern” and “Identify.” Assign risk owners at the leadership level. Consider submitting feedback on SP 1331 before the September 21 deadline to shape the standard.

3. Salty 2FA Bypasses MFA

Key Point: A new phishing service, Salty 2FA, bypasses multi-factor authentication to steal Microsoft 365 credentials.

Attack Vector: Phishing-as-a-Service platform with advanced obfuscation and redirect tricks.

Business Impact: As organizations rely heavily on MFA, this shows attackers are innovating to keep pace. Employees can be tricked into handing over credentials despite multiple protections.

Leadership Takeaway: Expand training to highlight next-gen phishing risks. Require security teams to monitor nontraditional phishing channels like OAuth redirects and AD-based attacks. Track phishing resilience metrics in executive dashboards.

Closing Thoughts
Cyber risk is both orchestrated and opportunistic. Sophisticated nation-state campaigns, evolving governance requirements, and user-targeted threats all demand board-level attention. Leadership should treat cybersecurity as a layered risk: infrastructure, regulation, and people.
