31Wedge

Source: CQURE Academy

Author: Kate Chrzan

URL: https://cqureacademy.com/blog/65-ntlm-reflection-smb-flaw/

1. ONE SENTENCE SUMMARY: CVE-2025-33073 enables attackers to exploit legacy SMB protocols and coercion methods for full system compromise via NTLM relay.

2. MAIN POINTS:

3. SMB signing must be disabled on the target machine to allow authentication relay attacks.

4. The target must be vulnerable to coercion techniques like PetitPotam for exploitation to proceed.

5. Initial attack attempts without a DNS record fail due to inability to authenticate properly.

6. Adding a DNS record pointing to the attacker’s machine enables successful NTLM relay and SAM dump.

7. Changing the IP to the DNS record value allows the machine to relay authentication to itself.

8. LLMNR poisoning via Responder enables attacks without needing the DNS record.

9. Using impacket-ntlmrelayx with netexec and coerce_plus exploits the PrinterBug vulnerability.

10. Successful execution allows retrieval of local admin hash and local authentication.

11. Module LSA from netexec can be used to dump LSASS and gain further access.

12. The vulnerability highlights critical risks from legacy authentication protocols and misconfigurations.

13. TAKEAWAYS:

14. Disable SMB signing only if absolutely necessary, as it allows dangerous relay attacks.

15. Monitor and restrict DNS records to prevent abuse in authentication redirection.

16. Employ modern authentication mechanisms to mitigate legacy protocol exploitation.

17. Use tools like Responder and PetitPotam carefully during red team engagements or internal audits.

18. Regularly update systems and audit for coercion vulnerabilities like PrinterBug.

Source: Help Net Security

Author: Help Net Security

URL: https://www.helpnetsecurity.com/2025/07/14/microsoft-365-attack-surface/

1. ONE SENTENCE SUMMARY: Despite claiming advanced Microsoft 365 security, many organizations face frequent attacks due to misconfigurations, weak oversight, and misunderstood responsibilities.

2. MAIN POINTS:

3. 60% of organizations rate their Microsoft 365 security as strong, yet still suffer account compromise incidents.

4. Complexity from managing multiple tenants increases risk, with 78% of organizations using multi-tenant setups.

5. 49% of IT leaders incorrectly assume Microsoft backs up configurations automatically.

6. Misconfigurations and overlooked admin roles introduce serious vulnerabilities due to limited governance and visibility.

7. Organizations with 10+ tenants face 2.3x higher operational overhead compared to those with fewer tenants.

8. Only 20% of organizations have over 10 global admins, aligning with best practices.

9. 51% of organizations have over 250 Entra apps with read-write permissions, posing significant security risks.

10. 16% have no app permission oversight; most rely on manual or inadequate tools.

11. 68% of organizations face frequent Microsoft 365 access attempts by attackers.

12. Only 41% of organizations have effectively implemented MFA, despite its proven effectiveness in preventing breaches.

13. TAKEAWAYS:

14. Declaring strong security doesn’t equate to actual protection—oversight and enforcement are critical.

15. Multi-tenant architecture adds complexity, necessitating robust management and governance frameworks.

16. Many organizations neglect to back up configurations, exposing them to disaster recovery failures.

17. MFA is underutilized despite its proven ability to prevent 99.9% of account compromises.

18. Formal change control and disaster recovery plans significantly reduce misconfiguration and operational disruptions.

Source: Help Net Security

Author: Mirko Zorz

URL: https://www.helpnetsecurity.com/2025/07/09/why-cybersecurity-friction/

1. ONE SENTENCE SUMMARY: Internal cybersecurity friction, driven by complex tools, unclear processes, and cautious culture, hinders security teams more than external threats.

2. MAIN POINTS:

3. Security teams face internal friction due to tool sprawl, unclear ownership, and rigid processes.

4. Disconnected tools require analysts to switch dashboards, slowing response and increasing alert fatigue.

5. Approval-heavy workflows delay incident response, risking critical containment windows.

6. Lack of context in access requests leads to repeated clarification cycles, wasting time.

7. Ambiguities in responsibilities cause delays and confusion during handoffs between teams.

8. Caution culture discourages initiative, pushing decisions upward and reducing overall team agility.

9. Burnout and normalized inefficiencies lower morale and inhibit improvement efforts.

10. Evolving security roles now require balancing protection with enabling business growth.

11. Integration and shared data visibility can reduce both friction and risk.

12. Clear thresholds and role clarity empower faster, accountable responses without sacrificing security.

13. TAKEAWAYS:

14. Streamlining tools and processes can significantly improve security team efficiency and morale.

15. Trust frameworks and role clarity reduce the need for excessive approvals.

16. Culture change must promote speed and responsibility, not just caution.

17. Shared visibility and system-level enforcement reduce manual friction.

18. Internal delays are a silent threat that can undermine security more than external attacks.

Source: Unit 42

Author: Haizhou Wang, Ashkan Hosseini, Ashutosh Chitwadgi

URL: https://unit42.paloaltonetworks.com/lnk-malware/

1. ONE SENTENCE SUMMARY: Attackers increasingly exploit Windows LNK files, using varied techniques such as exploits, malicious file execution, and embedded scripts for malware delivery.

2. MAIN POINTS:

3. Malicious LNK samples surged from 21,098 in 2023 to 68,392 in 2024.

4. LNK files act as shortcuts to other files, applications, or folders in Windows.

5. Attackers abuse LNK flexibility, disguising malware as legitimate files to trick users.

6. Four types of LNK malware: exploit execution, malicious file execution, in-argument scripts, and overlay content execution.

7. Most malicious LNK files contain LINKTARGET_IDLIST, RELATIVE_PATH, or COMMAND_LINE_ARGUMENTS structures.

8. Common system targets abused include powershell.exe, cmd.exe, rundll32.exe, conhost.exe, and mshta.exe.

9. COMMAND_LINE_ARGUMENTS can embed malicious scripts directly within LNK files.

10. Overlay content execution techniques involve find/findstr, mshta, or PowerShell commands.

11. CVE-2010-2568 vulnerability is notably exploited using corrupted LNK binaries.

12. Users should carefully inspect LNK file properties, especially target paths, to detect malware.

13. TAKEAWAYS:

14. Windows users should be cautious and verify LNK files’ properties before execution.

15. Cybersecurity teams must understand LNK malware techniques to enhance defenses.

16. Palo Alto Networks products offer protection against various LNK-based attacks.

17. Overlay content execution techniques are increasingly used to hide malicious payloads.

18. Awareness of common system targets and malware structures significantly aids malware detection.

Source: Help Net Security

Author: Help Net Security

URL: https://www.helpnetsecurity.com/2025/07/04/ntlm-relay-attacks/

ONE SENTENCE SUMMARY: NTLM relay attacks remain prevalent, simple to execute, and effective at compromising Active Directory environments, requiring proactive mitigation strategies.

MAIN POINTS:

1. NTLM relay attacks exploit authentication exchanges without needing password cracking or weak passwords.
2. Relay attacks often combine with authentication coercion techniques like Printer Bug or PetitPotam.
3. SMB servers, LDAP/LDAPS services, and ADCS web enrollment are primary NTLM relay targets.
4. SMB relay attacks can grant attackers access to sensitive shares and enable lateral movement.
5. LDAP relay attacks exploit unenforced LDAP signing and channel binding on domain controllers.
6. ADCS web enrollment relay attacks enable attackers to impersonate victims using malicious certificates.
7. Microsoft is introducing mitigations such as enforced SMB signing and LDAP sealing starting Windows Server 2025.
8. NTLM is still widely used due to legacy software hard-coded to use it instead of Kerberos.
9. Default configurations often leave older Windows environments highly vulnerable to relay attacks.
10. Enforcing signing, channel binding, and regularly evaluating environments are critical for defense.

TAKEAWAYS:

1. NTLM relay attacks remain a significant threat, commonly used in real-world attacks.
2. Authentication coercion makes relay attacks viable anytime, not relying on victim-initiated authentication.
3. Default configurations leave many organizations vulnerable; proactive changes are necessary.
4. Upcoming Windows Server 2025 security defaults will help, but organizations shouldn’t wait to implement mitigations.
5. Regular security evaluations, SMB/LDAP signing enforcement, and channel binding are essential defensive practices.

Source: Secure by Choice

Author: Sarah Aalborg

URL: https://securebychoice.com/blog/108175-we-see-what-we-expect-and-miss-what

ONE SENTENCE SUMMARY: Forensic investigations are impacted by cognitive biases like confirmation and anchoring, requiring deliberate strategies to mitigate their influence effectively.

MAIN POINTS:

1. Forensic analysis, despite being data-driven, is heavily influenced by cognitive biases.
2. Human brains naturally create stories, filtering new data through existing assumptions.
3. Confirmation bias leads investigators to focus only on evidence supporting initial theories.
4. Anchoring bias causes undue emphasis on the first piece of evidence discovered.
5. A Guardian-cited study found forensic experts influenced by contextual biases reached differing conclusions.
6. Bias affects even highly experienced experts, often without their awareness.
7. Explicitly naming biases can help teams recognize and counteract their impact.
8. Conducting pre-mortems encourages consideration of alternative hypotheses before deep investigation.
9. Introducing fresh perspectives can reduce anchoring effects and improve investigative accuracy.
10. Tracking multiple scenarios and reflecting on assumptions enhances learning and accuracy in forensics.

TAKEAWAYS:

1. Recognize that even expert investigators are vulnerable to cognitive biases.
2. Explicitly acknowledging biases helps mitigate their negative impact.
3. Regularly question initial assumptions and entertain multiple theories.
4. Seek input from individuals not influenced by initial investigative contexts.
5. Reflecting systematically on investigative processes improves future outcomes.

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/cisco-removes-unified-cm-callManager-backdoor-root-account/

1. ONE SENTENCE SUMMARY: Cisco has patched a critical backdoor vulnerability (CVE-2025-20309) in Unified Communications Manager allowing attackers remote root access.

2. MAIN POINTS:

3. Cisco Unified CM had a critical backdoor root account vulnerability identified as CVE-2025-20309.

4. The vulnerability arises from static, default credentials used during development and testing.

5. CVE-2025-20309 affects Unified CM and SME Engineering Special releases 15.0.1.13010-1 to 15.0.1.13017-1.

6. Exploitation allows unauthenticated attackers root-level remote access to affected systems.

7. No workarounds exist; admins must upgrade or apply the CSCwp27755 security patch.

8. Cisco provided indicators of compromise to assist detection and response efforts.

9. Successful exploitation creates log entries under /var/log/active/syslog/secure accessible by admins.

10. Cisco previously experienced similar backdoor vulnerabilities in IOS XE, DNA Center, and Emergency Responder.

11. Earlier this year, Cisco patched similar issues in Smart Licensing Utility and IOS XE devices.

12. No current evidence indicates active exploitation or available proof-of-concept code online.

13. TAKEAWAYS:

14. Immediately apply the Cisco-provided security patch or upgrade to mitigate this severe vulnerability.

15. Regularly check logs at /var/log/active/syslog/secure for suspicious root user activities.

16. Stay vigilant for security advisories from Cisco regarding hardcoded credential vulnerabilities.

17. Maintain awareness that even reputable products may have hidden backdoor accounts.

18. Prioritize patch management to rapidly address high-severity vulnerabilities in critical infrastructure.

Source: Blog RSS Feed

Author: Gilad David Maayan

URL: https://www.tripwire.com/state-of-security/critical-security-risks-facing-cobol-mainframes

1. ONE SENTENCE SUMMARY: COBOL remains vital in global enterprise systems yet faces significant security risks requiring proactive measures and modern security practices.

2. MAIN POINTS:

3. COBOL is deeply embedded in critical global systems like banking, insurance, and government.

4. Legacy COBOL systems face growing cybersecurity threats due to outdated security configurations.

5. COBOL’s stability and batch processing efficiency sustain its widespread use in mainframe environments.

6. Industries relying on COBOL include finance, insurance, government, retail, manufacturing, and healthcare.

7. Dynamic SQL in COBOL applications can lead to SQL injection attacks if input isn’t sanitized.

8. Legacy communication protocols (FTP, TN3270) transmit sensitive data without encryption, increasing vulnerability.

9. Weak authentication and outdated access control methods expose COBOL systems to unauthorized access risks.

10. Privilege escalation vulnerabilities arise from poor application logic, misconfigurations, or insecure scripts.

11. COBOL applications often lack adequate input validation and error handling, risking exploitation.

12. Best practices include regular code reviews, pentesting, proactive patching, developer training, and compliance adherence.

13. TAKEAWAYS:

14. Regularly review and update legacy COBOL code to address potential vulnerabilities.

15. Employ comprehensive mainframe penetration testing to identify hidden security weaknesses.

16. Implement proactive patch management strategies to protect against known threats.

17. Provide ongoing developer training on secure coding practices specific to COBOL environments.

18. Ensure strict adherence to industry compliance standards for maintaining secure COBOL-based systems.

Source: Windows Incident Response

Author: Unknown

URL: http://windowsir.blogspot.com/2025/06/program-execution-follow-up-pt-ii.html

ONE SENTENCE SUMMARY: Validating program execution through multiple correlated data sources is crucial, rather than assuming artifacts alone indicate successful execution.

MAIN POINTS:

1. ShimCache and AmCache artifacts alone do not reliably indicate successful program execution.
2. Security Event Log (4720) confirms successful creation of user accounts beyond just command execution.
3. “net user” commands may inaccurately imply new account creation when only password is changed.
4. Application Event Log MsiInstaller records confirm actual installations via msiexec.exe.
5. Application Pop-up or Windows Error Reporting logs can show unsuccessful program launches.
6. Antivirus logs indicate if threats were successfully quarantined or if malware execution continued.
7. WMI-Activity/5861 event logs confirm successful creation of malicious WMI event consumers.
8. Parsing Objects.DATA file can verify if malicious event consumers persist in the WMI repository.
9. Correlating multiple data sources provides a system-level confirmation of actual execution outcomes.
10. Validating findings prevents incorrect decisions and ensures accurate resource allocation.

TAKEAWAYS:

1. Always validate artifact interpretations with complementary log sources.
2. Single artifacts alone rarely indicate successful execution; cross-reference multiple logs.
3. Consider transient and persistent data sources when confirming program execution.
4. Build timelines from multiple event logs to accurately validate threat actor actions.
5. Ensure your analysis is robust and data-supported, as critical decisions depend on accurate findings.

Source: BleepingComputer

Author: Lawrence Abrams

URL: https://www.bleepingcomputer.com/news/security/microsoft-365-direct-send-abused-to-send-phishing-as-internal-users/

1. ONE SENTENCE SUMMARY: A phishing campaign exploiting Microsoft 365’s Direct Send feature bypasses security measures, targeting numerous U.S. organizations to steal credentials.

2. MAIN POINTS:

3. Phishing attacks exploit Microsoft 365’s Direct Send, bypassing standard authentication and email security protocols.

4. Direct Send enables unauthenticated email delivery via a tenant’s smart host, designed for devices like printers.

5. Microsoft advises using Direct Send only if companies can properly manage and configure email servers.

6. Varonis MDDR team discovered the phishing campaign targeting over 70 U.S. organizations since May 2025.

7. Attackers primarily target financial services, manufacturing, healthcare, insurance, construction, and engineering sectors.

8. Phishing emails impersonate voicemail or fax notifications, including PDF attachments branded with company logos.

9. PDFs instruct victims to scan QR codes, redirecting them to fake Microsoft login pages for credential theft.

10. Attackers utilize PowerShell scripts sent from external IP addresses to send internal-looking emails.

11. Emails fail SPF, DKIM, DMARC checks yet pass through security as trusted internal traffic via smart host.

12. Microsoft introduced “Reject Direct Send” setting in Exchange Admin Center to mitigate these phishing attacks.

13. TAKEAWAYS:

14. Carefully evaluate if Direct Send is necessary, and if not, disable or restrict it immediately.

15. Enable “Reject Direct Send” in Exchange Online to prevent unauthorized internal-looking emails.

16. Implement strict DMARC policies (p=reject) to block unauthorized internal domain usage.

17. Train employees regularly to recognize and avoid phishing attempts, especially those involving QR codes.

18. Regularly monitor internal email traffic for signs of spoofing or abnormal behavior.

Source: BleepingComputer

Author: Bill Toulas

URL: https://www.bleepingcomputer.com/news/security/new-citrixbleed-2-netscaler-flaw-let-hackers-hijack-sessions/

1. ONE SENTENCE SUMMARY: Citrix warns of critical “CitrixBleed 2” vulnerabilities affecting NetScaler ADC and Gateway devices, potentially exposing sensitive user data.

2. MAIN POINTS:

3. Citrix disclosed vulnerabilities CVE-2025-5777 and CVE-2025-5349 affecting NetScaler ADC and Gateway devices.

4. CVE-2025-5777 is an out-of-bounds memory read allowing unauthenticated attackers memory access.

5. Vulnerable configurations include Gateway setups like VPN virtual servers, ICA Proxy, CVPN, and AAA servers.

6. Cybersecurity researcher named flaw “CitrixBleed 2” due to similarities with older CitrixBleed vulnerability.

7. Attackers exploiting CVE-2025-5777 could hijack sessions, bypass MFA, and access sensitive credentials.

8. CVE-2025-5349 involves improper access control in NetScaler Management Interface through various IPs.

9. Citrix recommends updating to safe versions: 14.1-43.56, 13.1-58.32, 13.1-NDcPP 13.1-37.235 (FIPS), and 12.1-55.328 (FIPS).

10. Admins should terminate all active ICA and PCoIP sessions after installing patches.

11. End-of-life versions ADC/Gateway 12.1 (non-FIPS) and ADC/Gateway 13.0 will not receive patches.

12. Over 56,500 publicly exposed NetScaler endpoints exist, unclear how many remain vulnerable.

13. TAKEAWAYS:

14. Immediately update NetScaler ADC and Gateway devices to mitigate “CitrixBleed 2” vulnerabilities.

15. Regularly monitor and terminate suspicious ICA and PCoIP sessions post-update.

16. Replace unsupported end-of-life versions promptly to maintain security posture.

17. Assess publicly exposed NetScaler endpoints to prioritize patching vulnerable systems.

18. Leverage automation to simplify and accelerate patch management processes.

Source: Dark Reading

Author: Fahmida Y. Rashid

URL: https://www.darkreading.com/endpoint-security/nist-outlines-real-world-zero-trust-examples

ONE SENTENCE SUMMARY: NIST’s new SP 1800-35 guidance provides practical examples and phased implementation strategies for organizations adopting end-to-end zero-trust architectures.

MAIN POINTS:

1. NIST released SP 1800-35 guidance demonstrating real-world zero-trust architectures using commercial technologies.
2. The guidance includes 19 practical example implementations developed over four years with 24 industry partners.
3. SP 1800-35 builds upon NIST SP 800-207, moving from conceptual to practical ZTA implementation advice.
4. Organizations must customize zero-trust deployments due to their unique network environments and security requirements.
5. Zero-trust architectures continuously evaluate and verify access requests, removing implicit trust in users or devices.
6. Implementing zero trust significantly reduces lateral movement and privilege escalation by malicious actors.
7. NCCoE team installed, configured, and tested each example, providing troubleshooting assistance and best practices.
8. Guidance aligns solutions with NIST Cybersecurity Framework and NIST SP 800-53 standards.
9. Organizations should incrementally adopt foundational elements like identity management and multifactor authentication.
10. Zero trust is an ongoing journey requiring continual adaptation to evolving threats, technologies, and organizational needs.

TAKEAWAYS:

1. Leverage NIST’s practical examples to start customized zero-trust deployments.
2. Begin ZTA implementation with a thorough inventory of existing organizational assets and capabilities.
3. Formulate clear access policies based on least privilege and continuous verification principles.
4. Incrementally implement ZTA components, starting with foundational security solutions.
5. Continuously monitor and evolve zero-trust architectures to address changing threats and business requirements.

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/gitlab-patches-high-severity-account-takeover-missing-auth-issues/

1. ONE SENTENCE SUMMARY: GitLab urgently released patches for critical vulnerabilities allowing account takeover, malicious CI/CD job injections, and denial-of-service attacks.

2. MAIN POINTS:

3. GitLab issued security updates for Community and Enterprise editions 18.0.2, 17.11.4, and 17.10.8.

4. CVE-2025-4278 vulnerability allows attackers to hijack accounts through HTML injection.

5. CVE-2025-5121 flaw permits malicious CI/CD job injection into future project pipelines.

6. CVE-2025-2254 addresses a cross-site scripting vulnerability affecting legitimate user sessions.

7. CVE-2025-0673 fixes a denial-of-service issue involving infinite redirect loops and memory exhaustion.

8. GitLab.com and Dedicated customers already have the security patches applied.

9. GitLab strongly urges immediate upgrades for all self-managed installations.

10. Attackers exploiting CVE-2025-5121 require authenticated access to GitLab Ultimate licensed instances.

11. Recent breaches affected Europcar Mobility Group and Pearson through compromised GitLab repositories.

12. GitLab platform serves over 30 million users, including half of Fortune 100 companies.

13. TAKEAWAYS:

14. Immediately upgrade self-managed GitLab instances to patched versions.

15. Ensure strict authentication and access controls, especially for GitLab Ultimate environments.

16. Recognize the high-value target GitLab represents due to sensitive information in repositories.

17. Regularly monitor GitLab security advisories to respond swiftly to emerging threats.

18. Automate patching processes to streamline security updates and reduce administrative overhead.

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2025/06/over-80000-microsoft-entra-id-accounts.html

ONE SENTENCE SUMMARY: Attackers exploit TeamFiltration to target Microsoft Entra ID accounts, compromising over 80,000 users via password spraying and enumeration methods.

MAIN POINTS:

1. New ATO campaign named UNK_SneakyStrike targets Microsoft Entra ID user accounts.
2. Attackers leveraged open-source framework TeamFiltration, originally for penetration testing.
3. Over 80,000 user accounts breached across numerous cloud tenants since December 2024.
4. Microsoft Teams API and AWS servers were utilized to perform attacks.
5. Primary attack methods include password spraying, user enumeration, and data exfiltration.
6. Malicious files were uploaded to victims’ Microsoft OneDrive accounts for persistent access.
7. Attack waves originated from geographically dispersed AWS servers to evade detection.
8. Top attacking regions were United States (42%), Ireland (11%), and Great Britain (8%).
9. Attacks occurred in concentrated bursts followed by quiet periods of four to five days.
10. Smaller cloud tenants experienced broad targeting, while larger tenants had selective targeting.

TAKEAWAYS:

1. Security tools intended for protection can be weaponized by attackers.
2. Organizations must monitor for abnormal login attempts and geographic patterns.
3. Regularly review and tighten user account access and permissions in cloud environments.
4. Implement proactive defenses such as multi-factor authentication to counteract password spraying.
5. Remain vigilant about publicly available security frameworks being misused by threat actors.

Source: Rapid7 Cybersecurity Blog

Author: Adam Barnett

URL: https://www.rapid7.com/blog/post/2025/06/10/patch-tuesday-june-2025/

ONE SENTENCE SUMMARY:

Microsoft’s June 2025 Patch Tuesday addresses 67 vulnerabilities, including two notable zero-days and eight critical remote code execution flaws.

MAIN POINTS:

1. Microsoft released patches for 67 vulnerabilities in June 2025 Patch Tuesday update.
2. Only one vulnerability, CVE-2025-33053 (WebDAV RCE), is actively exploited in-the-wild.
3. WebDAV vulnerability exploited by threat actor Stealth Falcon targeting Middle Eastern governments.
4. Windows WebDAV implementation has been deprecated since November 2023, reducing default exposure risk.
5. CVE-2025-33073 in Windows SMB Client is a publicly disclosed elevation of privilege vulnerability.
6. Critical RCE vulnerability CVE-2025-33071 affects Windows KDC Proxy Service with exploitation considered likely.
7. Three Office vulnerabilities (CVE-2025-47162, CVE-2025-47164, CVE-2025-47167) leverage Preview Pane for exploitation.
8. Microsoft 365 Apps for Enterprise patches for critical Office vulnerabilities not yet available.
9. Eight critical remote code execution vulnerabilities were disclosed, requiring immediate attention.
10. Two browser vulnerabilities previously published separately are not included in the June 2025 totals.

TAKEAWAYS:

1. Prioritize patching actively exploited WebDAV vulnerability CVE-2025-33053 immediately.
2. Urgently address critical Windows KDC Proxy vulnerability CVE-2025-33071 on exposed servers.
3. Monitor closely the SMB Client vulnerability CVE-2025-33073 due to public disclosure and potential exploitation.
4. Understand Office Preview Pane vulnerabilities significantly increase exploitation risk.
5. Keep aware of the delayed availability of patches for Microsoft 365 Apps for Enterprise.