< ciso
brief />
Tag Banner

All news with #microsoft tag

836 articles · page 14 of 42

Microsoft April 2026 Patch Tuesday: 167 Flaws, 2 Zero-Days

🔒 Microsoft released its April 2026 Patch Tuesday addressing 167 vulnerabilities, including two zero-days and eight Critical flaws. The updates patch an actively exploited SharePoint Server spoofing bug (CVE-2026-32201) and a publicly disclosed Microsoft Defender elevation-of-privilege flaw (CVE-2026-33825) that can grant SYSTEM privileges. Multiple Microsoft Office RCEs exploitable via preview panes or malicious documents were fixed; administrators should prioritize installing these patches immediately.
read more →

Microsoft Fast-Tracks Reinstatement for Hardware Developers

🔐 Microsoft has introduced a temporary fast-track to reinstate accounts suspended from the Windows Hardware Program after developers reported being locked out without prior notice. The process asks affected partners to open a support case, provide a clear business justification, and resolve outstanding compliance requirements before full access is restored. Microsoft also provided guidance on correct sign-in and alternative support contacts to address workflow issues.
read more →

CISA Adds Two Exploited Microsoft Vulnerabilities to KEV

🛡️ CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2009-0238, a Microsoft Office remote code execution flaw, and CVE-2026-32201, an improper input validation vulnerability in Microsoft SharePoint Server. The additions reflect evidence of active exploitation. Under BOD 22-01 FCEB agencies must remediate cataloged CVEs by the due date; CISA urges all organizations to prioritize remediation.
read more →

CISA Adds Six Actively Exploited Flaws in Major Software

🛡️ CISA on Apr 14, 2026 added six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after observing active exploitation. The flaws affect Fortinet FortiClient EMS, Microsoft components (Exchange Server, Windows drivers, Host Process for Windows Tasks, VBA) and Adobe Acrobat Reader, and include SQL injection, deserialization, out-of-bounds read, use-after-free and insecure library loading. Federal civilian agencies must remediate by April 27, 2026.
read more →

Mailbox Rule Abuse in Microsoft 365: A Rising Threat

🔒 Security researchers report a rise in attackers abusing mailbox rules inside Microsoft 365 accounts to maintain post-compromise access, exfiltrate data and manipulate communications. The Proofpoint analysis found that roughly 10% of breached accounts in Q4 2025 had malicious rules created within seconds of takeover. Rules are often given minimal or nonsensical names and configured to delete messages or move them to low-visibility folders to evade detection. Defensive steps include disabling external auto-forwarding, enforcing MFA, monitoring OAuth and promptly removing malicious rules and revoking sessions.
read more →

Microsoft: Payroll pirate attacks target Canadian staff

🔒 Microsoft says financially motivated group Storm-2755 is stealing Canadian employees' salary payments by hijacking Microsoft 365 accounts using malicious sign-in pages and AiTM tactics that capture authentication tokens and session cookies. Attackers used malvertising and SEO poisoning to promote fake Microsoft 365 sign-in forms, allowing them to bypass legacy MFA. They create inbox rules to hide payroll messages and either social engineer HR to change direct deposit details or directly update payroll platforms such as Workday using stolen sessions.
read more →

Amazon RDS Adds Latest Microsoft SQL Server CU/GDR Patches

🔔 Amazon RDS for SQL Server now supports the latest Microsoft cumulative updates (CU) and General Distribution Release (GDR) packages for SQL Server 2016 SP3, 2017, 2019, and 2022. The GDRs remediate security issues tracked as CVE-2026-21262 and CVE-2026-26115. AWS recommends upgrading RDS instances via the Management Console, AWS SDK, or CLI to apply these fixes. See the Microsoft KBs and the Amazon RDS SQL Server User Guide for upgrade guidance.
read more →

VENOM PhaaS Phishing Targets C-Suite Microsoft Logins

🔒 Abnormal researchers disclosed a targeted phishing-as-a-service called VENOM that has been active since at least last November and focuses on stealing C-suite Microsoft credentials. The campaign uses personalized SharePoint-style emails, injected fake threads, and Unicode QR codes to move victims to mobile-based landing pages while evading scanners. VENOM hides target addresses using double Base64 in URL fragments and filters out researchers before presenting an AiTM proxy or device-code flow that captures passwords, MFA codes, and session tokens. Researchers recommend FIDO2, disabling unused device-code flows, and tighter conditional access to mitigate token abuse.
read more →

Microsoft Named Leader in Forrester Wave for Sovereign Cloud

🏆 Microsoft has been named a Leader in The Forrester Wave: Sovereign Cloud Platforms, Q2 2026, reflecting strong scores for current offering and strategy. The recognition highlights Microsoft’s platform approach that applies consistent sovereign controls across public cloud, private cloud, and partner-operated national clouds using technologies such as Azure Arc, Azure Local, and region-specific residency controls like EU Data Boundary. It underscores Microsoft’s commitment to help organizations adopt cloud and AI while maintaining control, compliance, and operational independence.
read more →

Investigating Storm-2755: Payroll pirate attacks in Canada

🔒 Microsoft Incident Response researchers detail a Storm-2755 campaign that used malvertising and SEO poisoning to phish Canadian users and capture OAuth tokens and credentials via adversary-in-the-middle (AiTM) proxying. The actor replayed tokens (notably using the Axios/1.7.9 user-agent) to hijack authenticated sessions and bypass non-phishing-resistant MFA. Compromised accounts were used to search for payroll and HR data, create hidden inbox rules, and in some cases directly modify Workday payment information, resulting in at least one confirmed payroll diversion. Microsoft urges immediate token revocation, removal of malicious inbox rules, and adoption of phishing-resistant MFA and device-based conditional access.
read more →

Microsoft Suspends Dev Accounts for Open-Source Projects

⚠️ Microsoft has suspended developer accounts used to maintain multiple high-profile open-source projects, blocking them from publishing Windows builds and security patches without prior notice or a quick reinstatement path. Affected projects include WireGuard, VeraCrypt, MemTest86, and Windscribe. Maintainers report no emails, warnings, or clear appeals process and say they can still publish Linux and macOS updates but not Windows releases. Microsoft said accounts were automatically suspended for failing mandatory verification for the Windows Hardware Program and that outreach and press attention have prompted follow-up from company representatives.
read more →

Microsoft Agent Governance Toolkit Addresses OWASP AI Risks

🛡️ Microsoft has released the open-source Agent Governance Toolkit to monitor and control AI agents during runtime as organizations move them into production. The toolkit enforces policies aligned with OWASP top risks for agentic systems, such as prompt injection, identity abuse, and tool misuse, while improving visibility across multi-step workflows. It ships as multi-language components and integrates with existing frameworks like LangChain without requiring agent rewrites. The project is in public preview under an MIT license.
read more →

Microsoft rolls out fix for broken Windows Start search

🔧 Microsoft has deployed a server-side fix after a Bing update disrupted Windows 11 23H2 Start Menu search on a small number of devices. The issue, first noted around April 6 and reportedly seen by some users for months, produced blank but clickable search results. Microsoft rolled back the problematic server-side Bing update and says reports of failures are decreasing; the company advises ensuring the device is online and that Web Search has not been disabled by Group Policy.
read more →

Storm-1175 (Medusa) Accelerates Ransomware Attacks

⚠️ Microsoft warns that Storm-1175 — an actor linked to Medusa ransomware — is rapidly exploiting internet-facing systems, often moving from initial access to data theft and encryption within 24 hours. The group has abused more than 16 vulnerabilities since 2023, including zero-days, and frequently chains exploits to establish persistence and accelerate operations. Targets include healthcare, education, professional services, and finance in Australia, the UK and the US.
read more →

Microsoft fixes Classic Outlook email delivery bug

🛠️ Microsoft implemented a server-side fix to resolve a known issue that prevented some Classic Outlook users from sending messages via Outlook.com. Affected users received non-delivery reports (NDRs) showing error codes such as 0x80070005-0x0004dc-0x000524 and a warning that messages could not be sent. The Outlook Team says the change was deployed to production on April 3, 2026. If problems persist, Microsoft recommends using the New Outlook client or Outlook on the web and provides a temporary workaround to download the Outlook Address Book for impacted accounts.
read more →

Microsoft Removes SaRA Tool from Supported Windows

🛠️ Microsoft has deprecated and removed the Support and Recovery Assistant (SaRA) command‑line utility from all in‑support Windows updates effective March 10. The company recommends administrators migrate to the Get Help command‑line tool (GetHelpCmd.exe), which offers similar diagnostic capabilities and runs on a more secure infrastructure. Get Help can be scripted and executed remotely to troubleshoot Microsoft 365 apps, Outlook, Teams, and Windows clients.
read more →

Microsoft Continues Fixes for Exchange Online Access Issues

🔧 Microsoft is investigating intermittent Exchange Online mailbox access problems that have affected users of the Outlook mobile apps and the new Outlook for Mac client for several weeks. The issue was initially tracked as EX1256020 and marked resolved on April 1, but was re‑added under EX1268771 after tenants reported ongoing impact. Microsoft says it is restarting the Notification Broker service on affected infrastructure while continuing root‑cause analysis and deploying additional mitigations to prevent recurrence.
read more →

Microsoft forces upgrade of unmanaged Windows 11 24H2

🔁 Microsoft has begun force-upgrading unmanaged devices running Windows 11 24H2 Home and Pro editions to Windows 11 25H2. The company says its machine-learning-based intelligent rollout now targets all Home and Pro 24H2 systems not managed by IT, and those devices will stop receiving fixes, time zone updates, technical support, and monthly security updates once 24H2 reaches end of support on October 13, 2026. Users can manually check for the 25H2 update in Settings > Windows Update, pause updates temporarily, or follow Microsoft's support guidance if issues occur.
read more →

AI-Enabled Attacks Transform Cyber Threat Operations

🤖 Microsoft describes a shift from AI as a tool to AI as an embedded attack surface, accelerating tempo, precision, and scale across reconnaissance, malware development, and post-compromise activity. AI-enhanced phishing campaigns now report click-through rates near 54% versus roughly 12% for traditional campaigns, a 450% increase. The blog highlights Tycoon2FA, tied to Storm-1747, as an industrialized, subscription-based phishing ecosystem that automated MFA bypass at scale. Microsoft’s Digital Crimes Unit disrupted the operation, seizing 330 domains with Europol and partners, and urges organizations to prioritize agent inventory, agentic accountability, and lifecycle-integrated intelligence and defenses.
read more →

EvilTokens Abuses Microsoft Device-Code Flow for Takeovers

⚠️ Sekoia researchers uncovered a phishing-as-a-service toolkit named EvilTokens that abuses Microsoft's device code authentication flow to capture valid access tokens by tricking victims into entering device codes on official Microsoft login pages. The kit bundles phishing lures, AI-driven automation, inbox harvesting and post-compromise modules to weaponize access. Operators distribute the service through Telegram bots and channels, and Sekoia observed activity since at least mid-February targeting countries including the US, Australia, Canada, France, India, Switzerland and the UAE.
read more →