In today’s cybersecurity news…
Microsoft to enforce MFA for Microsoft 365 admin center sign-ins
Starting in February, Microsoft will “start enforcing multi-factor authentication for all users accessing the Microsoft 365 admin center.” MFA requirements actually started one year ago, in February 2025, but as of February 9th of this year, Microsoft will block those without MFA enabled from signing in to the Microsoft 365 administrative portal. This will affect a number of admin center URLs used by IT administrators to manage Microsoft 365 accounts. The specific addresses are: portal.office.com/adminportal/home, admin.cloud.microsoft, and admin.microsoft.com.
Cisco patches ISE security vulnerability after PoC release
This is in response to a public proof-of-concept (PoC) exploit for Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). Rated as medium severity, with a CVSS score of 4.9, this vulnerability “resides in the licensing feature and could allow an authenticated, remote attacker with administrative privileges to gain access to sensitive information.” It was discovered by Bobby Gould of Trend Micro’s Zero Day Initiative. Cisco said there are no workarounds to address the flaw, nor are there any indications that it has been exploited in the wild.
Illinois state agency breaches itself
The Illinois Department of Human Services (IDHS) has revealed that it inadvertently exposed personal information belonging to more than 700,000 state residents by posting it on the open internet where it remained for as long as four years before being taken down last September. The information consisted of PII and was left on the open web “after agency officials created planning maps on a mapping website to help direct resource allocations.” The data exposed in the breach is protected health information under the Health Insurance Portability and Accountability Act (HIPAA).
Microsoft Exchange Online outage blocks access to mailboxes
This outage, which started Wednesday evening, intermittently prevents users from accessing their mailboxes via the Internet Message Access Protocol 4 (IMAP4). Microsoft says the issues were caused by “a code conflict that introduced an authentication misconfiguration.” Details on which regions and how many users were impacted were not immediately released.
Huge thanks to our sponsor, Hoxhunt

OpenAI prompt injection problems keep festering
We have covered a number of stories about the seemingly permanent problem of prompt injection in recent weeks. Now, security researchers at Radware say “they identified several vulnerabilities in OpenAI’s ChatGPT service that allow the exfiltration of personal information.” These flaws were “identified in a bug report filed on September 26, 2025,” and were reportedly fixed on December 16, but the problem seems to keep evolving. The current issue surrounds an indirect prompt injection attack called ShadowLeak that, in short, allows malicious instructions in a Gmail message, for example, to get ChatGPT to transmit a password without any intervention from the agent’s human user. The successor to ShadowLeak, dubbed ZombieAgent, has evolved to circumvent the fixes and defenses being put up. A link to a more complete description of these attacks is available in the show notes to this episode.
CISA adds two actively exploited flaws to its KEV catalog
In adding these vulnerabilities, both of which can allow for remote code execution, CISA warns that both are now being actively abused by attackers. The first, CVE-2025-37164, is a code injection flaw in HPE OneView, which is used to centrally manage servers, storage, and networking infrastructure. It has a maximum-severity CVSS score of 10.0. The other, CVE-2009-0556, is a “long-patched Microsoft PowerPoint code injection flaw” with a CVSS score of 8.8. Despite having been fixed in 2009, it has been included in the KEV catalog because unpatched or unsupported systems are still being successfully targeted.
PhaaS attackers exploit misconfigured email routing to spoof internal emails
According to a report from Microsoft, “phishing actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations’ domains and deliver phishing emails that appear, superficially, to have been sent internally.” They are using a wide variety of phishing messages tied to phishing-as-a-service (PhaaS) platforms such as Tycoon2FA. “These include messages with lures themed around voicemails, shared documents, communications from human resources departments, password resets or expirations, and others, leading to credential phishing.” The report suggests “setting strict Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocols, deploying reject and SPF hard fail (rather than soft fail) policies, and properly configuring any third-party connectors.”
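The report’s recommended settings (DMARC reject, SPF hard fail) are easy to audit from a domain’s TXT records. The checker below is an added example written for this episode, not code from Microsoft’s report; the records it inspects are constructed samples standing in for DNS lookups, and the include hostname and report address are placeholders.

```python
def _qualifier(term: str) -> str:
    # An SPF mechanism carries an optional qualifier; absent means "+" (pass).
    return term[0] if term[0] in "+-~?" else "+"

def check_spf(record: str) -> list[str]:
    """Return findings for an SPF TXT record; an empty list means hard fail is set."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    q = _qualifier(all_terms[-1])
    if q == "~":
        return ["soft fail (~all): spoofed mail is accepted and merely marked"]
    if q in "+?":
        return [f"'{q}all' lets any host send as this domain"]
    return []  # "-all": hard fail, the setting the report recommends

def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC TXT record; an empty list means a strict policy."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()  # a missing p is treated as none
    if policy != "reject":
        findings.append(f"p={policy}: mail failing DMARC is not rejected")
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"sp={tags['sp']}: subdomain mail is not rejected")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected")
    return findings

# Constructed sample records (placeholders, not a real tenant's DNS).
SPF_WEAK = "v=spf1 include:spf.example-tenant.invalid ~all"
SPF_STRICT = "v=spf1 include:spf.example-tenant.invalid -all"
DMARC_WEAK = "v=DMARC1; p=none; pct=50"
DMARC_STRICT = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for name, rec, fn in [("SPF weak", SPF_WEAK, check_spf), ("SPF strict", SPF_STRICT, check_spf),
                          ("DMARC weak", DMARC_WEAK, check_dmarc), ("DMARC strict", DMARC_STRICT, check_dmarc)]:
        print(name, "->", fn(rec) or "ok")
```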
Veeam patches a critical RCE flaw in backup and replication
The patch, one of many released by the company, addresses a vulnerability (CVE-2025-59470) with a CVSS score of 9.0 that “allows a backup or tape operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.” A Veeam Tape Operator is “a limited Veeam backup and replication user role designed to manage tape-based backup operations without full administrative privileges.” The vulnerability was discovered during internal testing.