This Week in Technology

By Eric Corcoran
Posted in Technology Week in Review
On April 24, 2026

Monday 4/13

Mailbox rules in O365—a post-exploitation tactic in cloud ATO (Proofpoint)

Mailbox rules are a high-risk post-exploitation tactic. Attackers abuse native mailbox rules for exfiltration, persistence, and communication manipulation. Combined with third-party services and domain spoofing, attackers can hijack threads, impersonate victims, and manipulate vendor communications, all without network-level interception.

https://www.proofpoint.com/us/blog/threat-insight/mailbox-rules-o365-post-exploitation-tactic-cloud-ato

Tuesday 4/14

CIS Safeguard 9.3: Maintain and Enforce Network-Based URL Filters

https://www.gothamtg.com/blog/cis-safeguard-93-maintain-and-enforce-network-based-url-filters

Bring your everyday business apps into the flow of work with agents in Microsoft 365 Copilot (Microsoft)

Microsoft 365 Copilot can now bring your business apps directly into the conversation, which closes the gap between AI-powered insight and real, in-app action, allowing you to visualize content and do real work right from the chat, narrowing this fragmentation. 

https://www.microsoft.com/en-us/microsoft-365/blog/2026/04/13/bring-your-everyday-business-apps-into-the-flow-of-work-with-agents-in-microsoft-365-copilot/

Replay data from object storage for long-term incident investigations (Cribl)

License costs and tool performance often prevent organizations from ingesting all their data or require them to limit data retention time in their primary SIEM or analytics platform. Security incidents are often discovered long after these retention windows expire, or require data that was never ingested in the first place, leaving teams without the full story.

https://cribl.io/blog/replay-data-from-object-storage-for-long-term-incident-investigations/

Wednesday 4/15

CISA Adds Two Known Exploited Vulnerabilities to Catalog (CISA)

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

https://www.cisa.gov/news-events/alerts/2026/04/14/cisa-adds-two-known-exploited-vulnerabilities-catalog

AI Won’t Fix Your IT Problems, But Your Data Will (ControlUp)

Many IT tools only capture detailed data when something goes wrong. That means you’re training your AI on incidents rather than on the full, continuous picture of what normal looks like. An AI that’s only ever seen broken environments has no baseline to work from.

https://www.controlup.com/resources/blog/ai-wont-fix-your-it-problems-but-your-data-will/

Thursday 4/16

Manufacturing Is the Most Targeted Sector in Ransomware. By a Wide Margin. (Halcyon)

Manufacturing absorbed more ransomware than any other sector in 2025. The attacks are getting more disruptive, and the data extortion component means encryption-based recovery planning addresses only part of the problem.

https://www.halcyon.ai/blog/manufacturing-is-the-most-targeted-sector-in-ransomware

Palo Alto Networks Completes Acquisition of Koi to Secure the Agentic Endpoint (Palo Alto Networks)

By integrating Koi's technology with Prisma AIRS, Palo Alto Networks will extend visibility and security to agentic AI on the endpoint, offering a single control plane to secure enterprise-wide AI adoption with AES. In addition, this acquisition enables Palo Alto Networks to introduce a new module for Cortex XDR to identify and remediate risks within the AI software ecosystem.

https://www.paloaltonetworks.com/company/press/2026/palo-alto-networks-completes-acquisition-of-koi-to-secure-the-agentic-endpoint

Monday 4/20

AVD Autoscale: Give Admins What They Actually Want (ControlUp)

At the end of the day, AVD power scaling should not feel like an exercise in working around the platform. It should be easy to understand, easy to change, and flexible enough to reflect how people actually work.

https://www.controlup.com/resources/blog/avd-autoscale-give-admins-what-they-actually-want/

Eliminating Enterprise Browser Complexity in the Age of Universal ZTNA (Cato Networks)

Different tools mean different policies, different inspection points, and different user experiences. Over time, gaps appear, operations slow down, and security becomes inconsistent, especially for unmanaged devices. Enterprise browsers were meant to simplify access. In practice, they introduced a new control plane with separate policies, enforcement, and operations. Instead of reducing complexity, they extend it.

https://www.catonetworks.com/blog/eliminating-enterprise-browser-complexity/

Tuesday 4/21

CIS Safeguard 9.4: Restrict Unauthorized Browser and Email Client Extensions

https://www.gothamtg.com/blog/cis-safeguard-94-restrict-unauthorized-browser-and-email-client

The Overlooked Mythos Security Risk: Why Unmanaged AI Agents Are Your Biggest Cyber Threat (Rubrik)

For the last couple of years, the industry has been focused on model safety, ensuring that our chatbots don’t hallucinate or say something inappropriate. But a safe foundation model means nothing if the deployment architecture is compromised.

https://www.rubrik.com/blog/ai/26/4/the-overlooked-mythos-security-risk-why-unmanaged-ai-agents-are-your-biggest-cyber-threat

The Microsoft Teams Security Stack: How Policies, Playbooks, and Automation Align to Secure Messaging (Abnormal AI)

Social engineering attacks don't announce themselves. They arrive looking exactly like the messages users trust most, from the right sender, at the right moment, through the right channel. Microsoft Teams has become the next frontier for exactly this kind of attack, a platform where the trust users extend to colleagues, vendors, and IT is the vulnerability.

https://abnormal.ai/blog/microsoft-teams-security-stack

Wednesday 4/22

How The Island Enterprise Browser Verifies Trusted DLLs (Island)

A single malicious or tampered DLL can execute arbitrary code within the process context, allowing attackers to bypass security boundaries, exfiltrate sensitive data, or undermine higher-level security guarantees.

https://www.island.io/blog/how-the-island-enterprise-browser-verifies-trusted-dlls

Thursday 4/23

Securing AI Application Development (Varonis)

Unlike traditional software, for AI applications, data isn’t an input; data determines how AI applications behave. As a result, the attack surface expands from protecting application logic to securing the data that teaches AI what to do.

https://www.varonis.com/blog/securing-ai-application-development

The Patch Cycle Is No Longer the Security Clock (Proofpoint)

Patching remains essential, but it is no longer sufficient as the primary control for a world where attackers can move faster than defenders can remediate. If your architecture assumes the patch arrives before the campaign, your architecture is already behind.

https://www.proofpoint.com/us/blog/ciso-perspectives/patch-cycle-no-longer-security-clock

Friday 4/24

Moving past bots vs. humans (Cloudflare)

For a website owner deciding how to handle incoming traffic, the meaningful distinction isn't necessarily bots vs. humans. It's about balancing the origin’s needs to understand the traffic it receives with the clients’ needs to preserve their privacy.

https://blog.cloudflare.com/past-bots-and-humans/

Closing the Security Gap in the Age of Agentic Coding (Wiz)

Automated remediation is powerful. But the most impactful thing any security team can do is prevent vulnerabilities from being introduced in the first place. That means moving security all the way to the left, to the moment code gets generated by the AI model.

https://www.wiz.io/blog/securing-software-age-of-agentic-coding