Security Briefing 🔴 Critical

Microsoft Patch Tuesday: 6 Zero-Days Under Attack

8 min read
CRITICAL URGENCY

Executive Summary

This week demands immediate action. Microsoft's Patch Tuesday revealed 6 zero-day vulnerabilities already being exploited in the wild. Apple pushed an emergency patch for what they called an "extremely sophisticated" attack. Meanwhile, a new Outlook malware has already stolen 4,000+ credentials, and ransomware gangs have escalated to swatting executives' families.

⚡ Bottom line: If you haven't patched in the last 48 hours, you're already behind.

🔴
Critical

Microsoft Patch Tuesday — 6 Zero-Days Under Active Exploitation

Why You Need to Know This

Microsoft's February 2026 Patch Tuesday is one of the most severe in recent memory. Six vulnerabilities are being actively exploited right now by threat actors — meaning attackers aren't waiting for you to patch. They're already using these flaws to break into systems worldwide.

What's At Risk — Worst Case Scenario

CVE Component CVSS Worst Case Impact
CVE-2026-21391 Windows Kernel 9.8 Full system takeover — attacker gains SYSTEM privileges
CVE-2026-21402 Exchange Server 9.1 Complete email compromise — read all emails, pivot to AD
CVE-2026-21415 Windows Defender 8.8 Security bypass — malware can disable your antivirus
CVE-2026-21423 NTLM Authentication 8.5 Credential theft — attacker captures Windows passwords
CVE-2026-21438 SMB Protocol 8.4 Ransomware deployment — worm-like spreading (think WannaCry)
CVE-2026-21441 Print Spooler 7.8 Lateral movement — attackers use printers as pivot points
Real-world impact: Organizations that don't patch within 72 hours of a zero-day disclosure see a 400% increase in successful attacks.

How to Protect Yourself — Action Items

Immediate (Today)
  • Run Windows Update on ALL systems — servers, workstations, laptops
  • Prioritize internet-facing Exchange servers
  • If you can't patch immediately, disable Print Spooler service on non-print servers
This Week
  • Review SMB exposure — disable SMBv1 if still enabled
  • Audit NTLM usage and migrate to Kerberos where possible
  • Check Windows Defender is functioning
# Check if February patches are installed
Get-HotFix | Where-Object {$_.InstalledOn -gt (Get-Date).AddDays(-7)}
🍎
Urgent

Apple Emergency Patch — "Extremely Sophisticated" Attack

Why You Need to Know This

Apple rarely uses alarming language. When they describe an attack as "extremely sophisticated," pay attention. This patch addresses a zero-click exploit — meaning attackers can compromise your device without you clicking anything.

📱

iPhones & iPads

Complete device compromise. Read all messages, access photos, activate microphone/camera.

💻

Macs

Full access to filesystem, keychain passwords, ability to install persistent backdoors.

🎯

Who's Being Targeted

Journalists, executives, activists — but exploit code often leaks to criminal groups.

How to Protect Yourself — Action Items

  • Update ALL Apple devices: iOS 19.3.1, iPadOS 19.3.1, macOS 15.3.1
  • Settings → General → Software Update → Install Now
  • High-risk individuals: Enable Lockdown Mode
  • Push MDM policy requiring minimum OS version
📧
New Threat

"AgreeToSteal" — Malicious Outlook Add-In Steals 4,000+ Credentials

Why You Need to Know This

A new attack called "AgreeToSteal" is spreading through what looks like a legitimate Outlook add-in. Unlike obvious phishing, this malware lives inside Outlook itself, intercepting every email you send and receive.

Known Malicious Names

"MailAssist Pro"
"Calendar Sync Helper"
"Outlook Performance Booster"

How to Protect Yourself — Action Items

  • In Outlook: File → Options → Add-ins → Manage COM Add-ins → Go
  • Remove ANY add-in you don't recognize
  • Restrict add-in installation via Microsoft 365 Admin Center
  • If compromised: Change all passwords immediately from a clean device
💀
Escalation

SLSH Ransomware Gang Now Swatting Executives' Families

Why You Need to Know This

Ransomware gangs are no longer satisfied with just encrypting data. The SLSH group has begun swatting the families of executives who refuse to pay — making fake emergency calls that send armed police to victims' homes.

This isn't theoretical — three confirmed swatting incidents tied to SLSH in the past month, including one involving an executive's teenage children.

How to Protect Yourself — Action Items

  • Remove personal address from data broker sites (DeleteMe, Kanary)
  • Inform local police department about potential swatting risk
  • Executive protection briefings should include cyber-physical threats
  • Contact FBI immediately if targeted — do NOT engage with attackers

Run a KENSAI scan now to see if your systems are affected

🗡️ Scan Your Systems →

Your Action Checklist for This Week

Critical — Do Today
  • Patch all Windows systems (6 zero-days being exploited NOW)
  • Update all Apple devices to iOS/macOS latest
  • Audit Outlook add-ins for unauthorized installations
High — Do This Week
  • Brief executives on swatting threat
  • Audit IoT devices and update firmware
  • Review data broker removal for executive personal info
Medium — Ongoing
  • Implement add-in restrictions in Microsoft 365
  • Schedule threat hunting exercise
  • Review network segmentation

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →