Microsoft 365 Security
The latest Microsoft 365 Security coverage — news, analysis, and updates from the WindowsNews.AI desk.
No Patch to Install: How the Outlook Copilot Command Injection Flaw Changes Your Security Playbook
Microsoft has disclosed a command injection vulnerability in Outlook Copilot, but this isn't a typical Patch Tuesday update. CVE-2026-55145, published on July 14, 2026, carries a CVSS base score of...
Malta Tops EU in Daily Microsoft Copilot Usage, Eurobarometer Finds: IT Admins Must Build AI Rules Now
Malta has emerged as the European Union country with the highest daily usage of Microsoft Copilot, according to a recent Eurobarometer survey, signaling that generative AI is no longer a novelty but...
Attackers Are Tricking Microsoft Users Into Adding Rogue Passkeys—Here’s the Fix
A vishing campaign that preys on Microsoft 365 users—persuading them by phone to enroll attacker-controlled passkeys—has been active since early 2025, security firm Okta warned on Wednesday. The...
User-Reported Scams Land Directly in Teams Admin Center’s Protection Reports
Microsoft has quietly turned on a security feature that many Teams admins have been waiting for: user-reported suspicious messages from Teams now appear right inside the Teams admin center’s...
July 2026 and Still No Federal Privacy Law: The Windows Data Resilience Imperative
It’s July 2026, and the United States remains the only major economy without a comprehensive national consumer privacy law. Instead, a patchwork of more than a dozen state laws—each with its own...
Stop ConsentFix Phishing: Lock Down OAuth App Consent in Microsoft Entra ID Now
A new breed of phishing attack is automating the theft of Microsoft 365 access tokens—and it works by exploiting a single, often-overlooked setting in every Entra ID tenant. Security researchers...
ARToken Panel: How a React-Based Phishing Kit Is Hijacking Microsoft 365 Sessions via Device Code Attacks
Cisco Talos has unearthed a menacing new threat actor panel dubbed ARToken, a React-based operator dashboard that streamlines the entire kill chain for compromising Microsoft 365 accounts. Tightly...
Anthropic’s Claude Tag Launches on Slack, Leaving Microsoft Teams Users with a Fragmented AI Experience
Anthropic dropped a not-so-subtle challenge to Microsoft’s enterprise dominance on June 23, 2026, when it opened the beta for Claude Tag—but only within Slack, snubbing Microsoft Teams for the...
Microsoft Retires AI-102 Exam on June 30, 2026: What It Means for Azure AI Engineers
Microsoft has set June 30, 2026, as the effective retirement date for the AI-102: Designing and Implementing an Azure AI Solution exam. Anyone currently studying for this certification or planning to...
Huntress Managed ISPM Now Generally Available, Hardening Microsoft 365 Identities for MSPs
Managed service providers (MSPs) now have a new weapon in the escalating battle against identity-based attacks targeting Microsoft 365 tenants. Huntress announced the general availability of its...
Huntress Demo: Standard M365 User Hits Global Admin in 5 Minutes 30 Seconds—No Exploit Needed
A standard Microsoft 365 user was escalated to Global Administrator in five minutes and 30 seconds during a live product launch demonstration by cybersecurity firm Huntress. The attack required no...
FBI Alert: Kali365 Phishing Kit Bypasses MFA via Device Code Phishing on Microsoft 365
The FBI issued a warning in May 2026 about a new phishing-as-a-service platform called Kali365 that hijacks Microsoft 365 accounts without a single fake login page. The platform, first spotted in...