Security

Email attacks are becoming smarter, faster, and harder to detect. In its latest security report, Microsoft revealed how phishing campaigns evolved during the first quarter of 2026 — and why traditional defenses are no longer enough.

Attackers are moving away from simple spam emails and using more advanced social engineering tactics. One of the biggest changes is the rapid growth of QR code phishing (sometimes called quishing). Instead of clicking suspicious links, users are tricked into scanning QR codes that lead to fake login pages. Microsoft reported that these attacks more than doubled during the quarter.

Another rising tactic is CAPTCHA-gated phishing, where fake verification steps make malicious websites appear trustworthy. These campaigns are designed to bypass automated security tools and create a false sense of legitimacy.

The report also highlighted the continued rise of Business Email Compromise (BEC) attacks. Rather than using malware, attackers impersonate coworkers, managers, or finance teams to request payments, payroll updates, or sensitive information.

Key lessons from the report:

  • Email threats are becoming more personalized
  • QR codes are increasingly used to bypass filters
  • Multi-factor authentication alone may not stop modern phishing
  • Passwordless sign-ins and phishing-resistant authentication are becoming essential

The main takeaway: cybersecurity today is not only about blocking malware — it’s about protecting identities and recognizing manipulation before damage is done.

Original article: Microsoft Security Blog


A single compromised account can sometimes open the door to an entire cloud environment. That’s the key lesson from Microsoft’s recent report on the threat actor known as Storm-2949.

The attackers did not rely on traditional malware. Instead, they used social engineering and legitimate cloud management tools to quietly move through Microsoft 365 and Azure environments. Once they gained access to one identity, they expanded their reach by targeting additional accounts and cloud services.

How the attack worked

The campaign started with fake support-style interactions designed to trick users into approving authentication requests. After taking control of accounts, the attackers:

  • Explored cloud directories and user permissions
  • Accessed shared files and sensitive documents
  • Targeted Azure services such as Key Vaults, storage accounts, and databases
  • Used built-in administrative features to avoid raising suspicion
  • Extracted large amounts of data from cloud systems

Why this matters

Modern attacks increasingly focus on identity instead of devices. If attackers gain access to privileged accounts, they can often move through cloud systems using normal administrative actions that appear legitimate.

Key security lessons

Organizations can reduce risk by:

  • Using phishing-resistant MFA
  • Limiting privileged access
  • Monitoring unusual cloud activity
  • Protecting secrets and credentials stored in cloud platforms
  • Applying behavior-based threat detection

The report highlights an important shift in cybersecurity: attackers are now targeting the cloud control layer itself, not just endpoints or servers.

Original article: Microsoft Security Blog


Most people think of Microsoft Teams as a tool for meetings and remote work. But in a surprising real-world case, it became an important source of digital evidence in a government investigation.

The case involved former IT workers accused of deleting a large number of government databases after losing access to their jobs. What made the story unusual was that a recorded Teams session reportedly captured conversations connected to the incident. That recording later helped investigators understand what happened and supported the legal case.

Why this matters

This situation highlights how modern workplace tools can unintentionally create detailed digital records. Platforms like Teams store:

  • Meeting recordings
  • Chat history
  • Shared files
  • User activity logs

These records can become valuable during investigations, especially in cybersecurity or insider-threat cases.

Key lessons for organizations

  • Digital trails: Collaboration apps can preserve important evidence automatically
  • Security controls: Access management after employee departures is critical
  • Compliance: Organizations should understand how communication data is stored
  • Awareness: Employees often forget how much activity is recorded
 

The story also reminds businesses that cybersecurity is not only about hackers from outside. Internal actions, mistakes, or misuse of access can create major risks as well.

Original article: Neowin Article


Zero Trust defined

Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” Every access request is fully authenticated, authorized, and encrypted before granting access. Microsegmentation and least privileged access principles are applied to minimize lateral movement. Rich intelligence and analytics are utilized to detect and respond to anomalies in real time.

Components of the Zero Trust Model


Azure AD Conditional Access is at the heart of the new identity-driven control plane.

Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to do multi-factor authentication to access it.

Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.
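
The payroll example above, written as a policy body for Microsoft Graph's `POST /identity/conditionalAccess/policies` endpoint. This is an added illustration, not taken from the original article; the display name and the three angle-bracket IDs are placeholders, and the emergency-account exclusion is an assumption about how a tenant would deploy it.

```json
{
  "displayName": "EXAMPLE - Require MFA for payroll application",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "clientAppTypes": ["all"],
    "users": {
      "includeGroups": ["<payroll-managers-group-object-id>"],
      "excludeUsers": ["<break-glass-account-object-id>"]
    },
    "applications": {
      "includeApplications": ["<payroll-application-app-id>"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}
```

Here `conditions` is the "if" half and `grantControls` is the "then" half. The report-only `state` records what the policy would have done in the sign-in logs without enforcing it, and is changed to `enabled` once those logs confirm the scope is correct.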

What is Conditional Access in Azure Active Directory?
