
Urgent Database Patch, New Microsoft Controls, And AI Security Moves
Coverage: 24 Dec 2025 (UTC)
Urgent fixes from MongoDB and fresh cross-tenant controls in Teams set a prevention-first tone today, while NIST funded new AI research centers focused on manufacturing productivity and cyber resilience. Alongside these moves, researchers detailed active abuse paths and social-engineering campaigns, underscoring the need to patch quickly, harden collaboration surfaces, and scrutinize supply-chain touchpoints.
Platform controls and AI governance
Security administrators will gain centralized guardrails over external contact in Microsoft’s collaboration stack. Beginning in early January and completing by mid‑January 2026, the Tenant Allow/Block List in the Defender portal will let authorized teams block domains and addresses from messaging, calling, or sending meeting invites across clients. The feature supports up to 4,000 domains and 200 email addresses, requires enabling two settings in the Teams admin center, and will be paired with alerts about suspicious traffic, malicious URL detection, and stricter file-type handling. Availability aligns with Microsoft Defender for Office 365 Plan 1 or Plan 2 subscriptions.
On the public‑sector side, NIST awarded $20 million to two AI centers operated by nonprofit MITRE to bolster U.S. manufacturing productivity and protect critical infrastructure from cyber threats. The work aligns with national AI strategy pillars, targeting technology evaluations, market readiness, and commercialization pathways while countering adversarial use of AI. NIST said the centers complement broader initiatives, including the Center for AI Standards and Innovation and a planned $70 million AI for Resilient Manufacturing Institute.
OpenAI is reportedly developing “Skills” for ChatGPT—modular, composable components exposed as slash commands and convertible from custom GPTs. Modeled on Claude’s approach, Skills aim to encode workflows and domain knowledge and may include executable logic. The report notes potential productivity gains for complex tasks, alongside security and governance implications from portable, executable modules that widen attack surface and complicate provenance controls.
Advisories and patches under pressure
Administrators are urged to prioritize fixes for a critical remote code execution flaw, CVE‑2025‑14847, in MongoDB Server. The issue stems from improper length handling in zlib‑compressed protocol headers that can yield uninitialized heap memory and permit arbitrary code execution in unauthenticated, low‑complexity scenarios. Fixed releases include 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30; as a temporary mitigation, disabling zlib compression reduces exposure until upgrades are applied. Given broad deployment in production databases, teams should patch, restrict network exposure, and validate changes in staging before rollout.
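As an added example (not code from MongoDB or the advisory), the check below classifies a server as patched, mitigated, or exposed using the fixed releases listed above and the zlib-compression workaround; it assumes a standard mongod.conf YAML layout and that the server default compressor list still includes zlib.

```python
"""Added example: CVE-2025-14847 exposure check for a MongoDB node."""
import re

# Minimum fixed release per major.minor branch, as listed in the advisory
FIXED_RELEASES = {
    (8, 2): (8, 2, 3), (8, 0): (8, 0, 17), (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27), (5, 0): (5, 0, 32), (4, 4): (4, 4, 30),
}

# Constructed sample mongod.conf fragment with zlib removed (assumption:
# standard net.compression.compressors key)
SAMPLE_CONF = """net:
  port: 27017
  compression:
    compressors: snappy,zstd
"""

def parse_version(text):
    """Turn '8.0.16' or 'v8.0.16-rc0' into a (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version):
    """True if at or above the fixed release for this branch. Branches with
    no listed fix (e.g. 4.2) are treated as unpatched: no safe release exists."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    return fixed is not None and v >= fixed

def zlib_enabled(mongod_conf):
    """True if zlib is still an enabled wire compressor. If the key is absent
    the server default applies, which (assumption) includes zlib."""
    m = re.search(r"^\s*compressors:\s*(.+)$", mongod_conf, re.MULTILINE)
    if not m:
        return True
    return "zlib" in [c.strip() for c in m.group(1).split(",")]

def assess(version, mongod_conf):
    """'patched', 'mitigated' (unpatched but zlib off) or 'exposed'."""
    if is_patched(version):
        return "patched"
    return "exposed" if zlib_enabled(mongod_conf) else "mitigated"
```

Treat "mitigated" as a stopgap only; the brief is explicit that upgrading is the fix.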
Fortinet detailed in‑the‑wild abuse of FG‑IR‑19‑283 (CVE‑2020‑12812) where case sensitivity mismatches between FortiGate and LDAP let differently cased usernames bypass locally enforced 2FA and authenticate via an LDAP group fallback. Impacted deployments should treat systems as potentially compromised, reset credentials (including LDAP bind accounts), and harden by disabling username case sensitivity on supported versions, removing unnecessary LDAP fallbacks, and auditing policies that reference LDAP groups.
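As an added example (not Fortinet's code), the hunt below searches authentication logs for the pattern behind FG-IR-19-283: the same account succeeding under more than one spelling, with at least one of those sessions arriving through LDAP without 2FA. The log lines are constructed in a generic key=value form; real FortiGate fields would need to be mapped onto them.

```python
"""Added example: flag case-variant logins that skipped local 2FA via LDAP."""
import re
from collections import defaultdict

# Constructed sample: 'jdoe' logs in locally with 2FA, then a second
# spelling 'JDoe' succeeds through an LDAP group fallback with no 2FA.
SAMPLE_LOG = """\
2025-12-24T08:01:12Z user="jdoe" auth=local 2fa=ok result=success
2025-12-24T08:03:40Z user="JDoe" auth=ldap group="VPN-Users" 2fa=none result=success
2025-12-24T08:05:02Z user="asmith" auth=local 2fa=ok result=success
2025-12-24T08:09:55Z user="JDOE" auth=ldap group="VPN-Users" 2fa=none result=failure
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse key=value pairs from one log line; quoted values are unquoted."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def find_case_variant_bypass(log_text):
    """Group successful logins by casefolded username and return
    {normalised_user: [spellings]} for users seen under more than one
    spelling where some success came via LDAP without 2FA."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("result") != "success" or "user" not in ev:
            continue
        by_user[ev["user"].casefold()].append(ev)
    findings = {}
    for user, events in by_user.items():
        spellings = sorted({e["user"] for e in events})
        ldap_no_2fa = any(e.get("auth") == "ldap" and e.get("2fa") != "ok"
                          for e in events)
        if len(spellings) > 1 and ldap_no_2fa:
            findings[user] = spellings
    return findings
```

Accounts returned here are candidates for the credential resets and policy audit the advisory recommends, not proof of compromise on their own.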
MacSync, a macOS stealer variant, is being distributed via a notarized, code‑signed Swift app inside a DMG. The installer strips quarantine attributes, rate‑limits execution, and decodes a Go‑based payload with C2 capabilities. Apple has revoked the signing certificate, but the package’s signed and notarized state helped it bypass initial Gatekeeper checks. Defenders should block unknown installers, verify signing and notarization details, and rely on managed endpoints to detect suspicious post‑install behavior.
Threats and disruption
Attackers continue to exploit researcher curiosity and typos. Webrat is being seeded through fake GitHub proof‑of‑concept repositories with polished READMEs and password‑protected ZIPs that ultimately deliver a RAT capable of credential theft, keylogging, and webcam/microphone spying. In a separate campaign, a typosquatted domain nearly matching the legitimate MAS activation site delivered malicious PowerShell that installed Cosmali Loader and, in some cases, XWorm; the attack relied on a single‑character domain difference to hijack scripted activation steps. The episode underscores the risk of running remote scripts and the value of isolated analysis environments. See MAS coverage for indicators and operator behavior.
La Poste experienced a major DDoS that left its main website inaccessible and degraded multiple services, including mobile and digital identity, while email and storage continued to function. The disruption affected parcel tracking and counter operations during a peak period. In the consumer privacy realm, Urban VPN’s browser extension was reported to capture AI chat traffic across multiple services—even when the VPN is off—collecting prompts, responses, session metadata, and identifiers; the behavior is enabled by default and lacks a user‑facing disable switch.
Enforcement and financial fraud
The FBI seized a domain and backend server that stored credentials stolen via fraudulent ads leading to fake banking portals, tying the operation to at least 19 identified U.S. victims, $14.6 million in confirmed losses, and roughly $28 million in attempted losses. In a separate action, the SEC filed charges against crypto platforms and investment clubs alleged to have run a $14 million scheme that used WhatsApp groups and supposed AI‑generated trading signals to direct deposits into sham exchanges and STOs, followed by withdrawal denials and fee demands.
ESET reported a 62% surge in the Nomani investment fraud, with operators deploying higher‑quality AI deepfake testimonials, short‑lived ad campaigns, and platform‑native harvesting to evade detection; more than 64,000 unique URLs were blocked in 2025. In the Middle East and North Africa, Group‑IB described coordinated fake online job ads that impersonate brands and ministries, lure applicants into private messaging apps, and escalate to deposits for “tasks,” reflecting organized reuse of scripts, branding, and infrastructure across countries.