Originally reported by BleepingComputer, SentinelOne Labs, Malwarebytes Labs
TL;DR
The EU's top court adviser suggests banks must immediately refund phishing victims regardless of fault, while threat actors exploit .arpa domains and IPv6 reverse DNS to bypass email security. Research also advances on AI-powered threat intelligence extraction.
The .arpa DNS evasion technique represents a novel attack vector that could impact email security defenses across organizations, while EU regulatory changes may significantly affect incident response procedures.
Athanasios Rantos, the Advocate General of the Court of Justice of the EU (CJEU), issued a formal opinion suggesting banks must immediately refund account holders affected by unauthorized transactions, even when customers fall victim to phishing attacks. This non-binding but influential opinion could reshape liability frameworks across European financial institutions if adopted by the full court.
The opinion addresses a case where a customer lost funds after entering credentials on a fraudulent banking website. Traditional bank policies often delay or deny refunds when customers are deemed at fault for security breaches. Rantos argues that immediate refunds should be provided regardless of customer culpability, with banks able to recover funds later through separate legal proceedings.
Threat actors are leveraging the special-use .arpa domain namespace and IPv6 reverse DNS infrastructure to circumvent email security gateways and domain reputation systems. The .arpa domain, typically reserved for technical DNS infrastructure operations, enjoys reduced scrutiny from security tools due to its legitimate administrative functions.
Researchers documented campaigns where attackers register IPv6 addresses and use their corresponding reverse DNS entries in the .arpa space to host phishing infrastructure. Email security solutions often whitelist or deprioritize .arpa domains, assuming they represent legitimate network operations rather than malicious content.
This technique exploits the gap between IPv6 adoption and security tool coverage, as many organizations maintain incomplete IPv6 monitoring capabilities compared to their IPv4 defenses.
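As an added defensive illustration (not code from the original report or from the researchers it cites), the following Python flags links in a message body whose host lies under .arpa and decodes ip6.arpa / in-addr.arpa reverse names back to the address they encode, so an analyst sees the literal IPv6 host behind the name instead of a namespace the gateway treats as benign. The sample body is constructed; the ip6.arpa name in it is the reverse-pointer form of the documentation address 2001:db8::1.

```python
import ipaddress
import re

# Constructed sample message body (not from the original article); the
# ip6.arpa name is the reverse-pointer form of the documentation address 2001:db8::1.
SAMPLE_BODY = (
    "Your account needs verification. Sign in at\n"
    "https://1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa/login\n"
    "or read the notice at https://www.example.com/notice\n"
)

# Hostnames that appear as URL authorities (scheme://host/...)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def reverse_name_to_ip(name):
    """Decode an ip6.arpa or in-addr.arpa reverse name to its IP string, or None."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]  # one hex digit per label, least significant first
        if len(nibbles) != 32 or any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
            return None
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]  # four decimal octets, least significant first
        if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
            return None
        return ".".join(reversed(octets))
    return None


def find_arpa_links(body):
    """Return [(host, decoded_ip_or_None)] for every URL whose host is under .arpa.

    Reverse zones exist for address-to-name (PTR) lookups; a link to a hostname
    under .arpa is not a normal way to reach a web service, so each hit is
    surfaced for review rather than inheriting the namespace's reputation.
    """
    hits = []
    for host in URL_HOST_RE.findall(body):
        if host.lower().rstrip(".").endswith(".arpa"):
            hits.append((host, reverse_name_to_ip(host)))
    return hits


if __name__ == "__main__":
    for host, ip in find_arpa_links(SAMPLE_BODY):
        print(f"flagged .arpa link host {host} -> {ip or 'not a decodable reverse name'}")
```

The same check applies to URLs extracted from headers or attachments; the decoded address can then be matched against the organization's IPv6 monitoring, which the text notes often lags IPv4 coverage.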
SentinelOne Labs published research on using Large Language Models to transform unstructured cyber threat intelligence narratives into machine-readable knowledge graphs. The approach addresses the challenge of processing vast volumes of threat reports, blog posts, and intelligence feeds that arrive in natural language formats.
The research identifies critical trade-offs between processing speed and accuracy when deploying LLMs for operational CTI workflows. While automated extraction can process intelligence at unprecedented scale, maintaining precision for actionable defensive measures requires careful prompt engineering and validation frameworks.
The findings suggest that hybrid human-AI workflows offer the most practical approach for organizations seeking to operationalize narrative threat intelligence without sacrificing analytical rigor.
Malwarebytes Labs released their weekly security roundup covering developments from March 2-8, 2026. The digest format continues the organization's practice of consolidating threat landscape observations and security industry developments into accessible summaries for security practitioners.
Malwarebytes' Lock and Code podcast featured an interview with Matthew Guariglia examining the surveillance implications of Ring smart doorbells and similar connected devices. The discussion explores how residential security devices create expansive monitoring networks that extend beyond individual property boundaries.
The analysis addresses privacy concerns arising from the aggregation of doorbell camera data and its potential integration with law enforcement surveillance programs. These considerations become increasingly relevant as smart home adoption accelerates across residential and commercial environments.