Daily Digest

Microsoft Patches Actively Exploited Office Zero-Day as Ransomware Groups Target Major Supply Chains

Microsoft Patches Actively Exploited Office Zero-Day as Ransomware Groups Target Major Supply Chains

January 27, 2026
8 articles (4 new, 4 updated)
24 min read

Summary

This cybersecurity brief for January 27, 2026, covers multiple critical incidents, led by an emergency out-of-band patch from Microsoft for an actively exploited zero-day (CVE-2026-21509) in Office, prompting a CISA directive. Concurrently, the RansomHub group has claimed a major attack on Apple supplier Luxshare, and the fallout from a previous breach at Under Armour sees 72 million customer records leaked. Other significant events include a critical RCE flaw patched in Zoom, active exploitation of a Fortinet SSO bypass, and the EU's proposal for a revised Cybersecurity Act to counter supply chain threats.

Filter by Category

New Articles (4)

Microsoft Scrambles to Patch Actively Exploited Office Zero-Day, CISA Issues Urgent Directive

CRITICAL

Microsoft Releases Emergency Patch for Actively Exploited Office Zero-Day (CVE-2026-21509)

Microsoft has issued an emergency out-of-band security update for a high-severity zero-day vulnerability in Microsoft Office, tracked as CVE-2026-21509. The flaw, a security feature bypass with a CVSS score of 7.8, is being actively exploited in targeted attacks, allowing threat actors to bypass OLE mitigations via specially crafted Office files. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies apply the patch by February 16, 2026. The vulnerability affects multiple versions of Office, including Office 2016, 2019, LTSC 2021, and Microsoft 365 Apps for Enterprise.

January 27, 2026
5 min read
Zero-DayMicrosoft OfficeCISA KEVSecurity Feature BypassOLE
Microsoft Scrambles to Patch Actively Exploited Office Zero-Day, CISA Issues Urgent Directive
Vulnerability
Patch Management
Cyberattack

Cyberattack Cripples Digital Services at Germany's Dresden State Art Collections

MEDIUM

Dresden State Art Collections' Digital Infrastructure Disabled by Cyberattack

Germany's Dresden State Art Collections (SKD), one of Europe's most significant museum networks, has been hit by a cyberattack that caused widespread disruption to its digital infrastructure. The attack knocked out the SKD's online ticketing system, visitor services, museum shop website, and internal communications. On-site services were severely impacted, with ticket sales reverting to cash-only. While the operational disruption is significant, the SKD has stated that there is currently no evidence that any data, including sensitive collection or visitor data, was stolen during the incident. The attack highlights the increasing vulnerability of cultural institutions to cyber threats.

January 27, 2026
4 min read
CyberattackMuseumDisruptionGermanyCultural Heritage
Cyberattack Cripples Digital Services at Germany's Dresden State Art Collections
Cyberattack
Other

Widespread Phishing Campaign Abuses Microsoft Teams Guest Invites to Target 6,000+ Users

MEDIUM

Phishing Campaign Leverages Microsoft Teams Guest Invitations to Distribute Malicious Billing Notices

A large-scale phishing campaign is abusing Microsoft Teams' guest invitation feature to target thousands of users with fake billing notices. Researchers at Check Point have observed over 12,000 phishing emails sent to more than 6,100 users, primarily in the manufacturing, technology, and education sectors in the United States. Attackers create Teams groups with finance-related names and send guest invitations to targets. The invitation email, which comes from a legitimate Microsoft address, contains obfuscated text that appears to be a billing notification, lending it an air of authenticity and increasing the likelihood that a user will click the malicious link.

January 27, 2026
4 min read
PhishingMicrosoft TeamsSocial EngineeringCloud SecurityCredential Harvesting
Widespread Phishing Campaign Abuses Microsoft Teams Guest Invites to Target 6,000+ Users
Phishing
Cloud Security

Health-ISAC Report: AI-Enabled Attacks Named Top Threat to Healthcare Sector in 2026

INFORMATIONAL

AI-Driven Attacks, Supply Chain Risks Top Concerns in Health-ISAC's 2026 Threat Report

The Health Information Sharing and Analysis Center (Health-ISAC) has released its 2026 Global Health Sector Threat Landscape report, identifying AI-enabled attacks as the number one projected concern for the year. Based on surveys of healthcare executives and security professionals, the report highlights a shift in focus towards emerging, sophisticated threats. Alongside AI, the report emphasizes the persistent dangers of major supply chain vulnerabilities and the continued high impact of ransomware. The findings, drawn from extensive data including over 1,200 targeted alerts in 2025, urge healthcare organizations to move towards a more proactive and resilient security posture.

January 27, 2026
4 min read
Threat IntelligenceHealthcareAIRansomwareSupply Chain Attack +1 more
Health-ISAC Report: AI-Enabled Attacks Named Top Threat to Healthcare Sector in 2026
Threat Intelligence
Policy and Compliance
Ransomware

Updated Articles (4)

Everest Ransomware Leaks Data of 72 Million Under Armour Customers After Failed Talks

HIGH

Everest Ransomware Group Claims Under Armour Breach, Publishes Data of 72 Million Customers on Dark Web

Update:

New developments in the Under Armour data breach, attributed to the Everest ransomware group, include the filing of a class-action lawsuit against the company in the U.S. This legal action highlights the escalating consequences for Under Armour following the exposure of 72 million customer records. Furthermore, the leaked dataset has been confirmed to include additional Personally Identifiable Information (PII) such as customer genders and dates of birth, alongside previously reported names, emails, phone numbers, locations, and purchase histories. The initial ransomware attack occurred in November 2025, leading to the data leak in January 2026 after failed ransom negotiations. The lawsuit underscores the increased legal and financial repercussions for the company and heightened risks for affected individuals.

January 22, 2026
Updated: January 27, 2026
4 min read
EverestRansomwareData BreachUnder ArmourDark Web +1 more
Everest Ransomware Leaks Data of 72 Million Under Armour Customers After Failed Talks
Ransomware
Data Breach
Threat Actor

Zoom & GitLab Race to Patch Critical Flaws, Including a 9.9 CVSS RCE Bug

CRITICAL

Zoom and GitLab Release Patches for Critical Vulnerabilities, Including Near-Perfect 9.9 CVSS RCE Flaw in Zoom Node

Update:

The new article provides crucial specifics for CVE-2026-22844, clarifying the vulnerability as a command injection exploitable by an authenticated participant within a meeting, a more precise attack vector than previously stated. Affected versions are identified as prior to 5.2.1716.0. The update also includes detailed cyber observables and detection methods, such as monitoring for unusual child processes and outbound network connections from Zoom Node routers. Zoom reports no active exploitation in the wild. This new information significantly enhances understanding of the threat and mitigation strategies.

January 22, 2026
Updated: January 27, 2026
4 min read
ZoomGitLabRCEDoSVulnerability +2 more
Zoom & GitLab Race to Patch Critical Flaws, Including a 9.9 CVSS RCE Bug
Patch Management
Vulnerability

New 'Osiris' Ransomware Borrows TTPs from Medusa and Inc Gangs, Uses Signed Driver to Kill AV

HIGH

Osiris Ransomware Emerges with Advanced TTPs, Including Custom-Signed Driver for Defense Evasion

Update:

Further analysis of the Osiris ransomware confirms its continued use of the 'Poortry' malicious kernel driver for defense evasion. New information indicates this driver is deceptively signed and designed to masquerade as a legitimate Malwarebytes component, allowing it to terminate security software processes more effectively. This specific deceptive tactic aims to bypass detection and complicate forensic analysis, reinforcing the ransomware's sophisticated evasion capabilities. The use of Rclone for data exfiltration to Wasabi cloud storage remains a core tactic.

January 23, 2026
Updated: January 27, 2026
6 min read
RansomwareBYOVDKernel DriverDefense EvasionDouble Extortion +2 more
New 'Osiris' Ransomware Borrows TTPs from Medusa and Inc Gangs, Uses Signed Driver to Kill AV
Ransomware
Malware
Threat Actor

Warning: Fully Patched FortiGate Firewalls Are Being Compromised via New SSO Bypass

CRITICAL

New Attack Path Allows Compromise of Fully Patched FortiGate Firewalls with SAML SSO Enabled

Update:

Fortinet has officially confirmed active exploitation of a critical authentication bypass vulnerability affecting its FortiCloud Single Sign-On (SSO) feature on FortiGate firewalls. This vulnerability, explicitly linked to CVE-2025-59718 and CVE-2025-59719, is being successfully exploited even on fully patched devices. Attackers are leveraging specially crafted SAML messages to gain unauthorized administrative access. Post-exploitation activities include creating persistent administrative accounts, enabling remote access VPNs, and exfiltrating sensitive device configurations, posing a severe risk of long-term network compromise.

January 25, 2026
Updated: January 27, 2026
6 min read
FortiGateFortinetSSOSAMLauthentication bypass +2 more
Warning: Fully Patched FortiGate Firewalls Are Being Compromised via New SSO Bypass
Vulnerability
Cyberattack
Patch Management

📢 Share This Publication

Help others stay informed about cybersecurity threats