Microsoft patched CVE-2026-26133 on March 11, 2026 — a cross-prompt injection vulnerability in Copilot’s email and Teams summarization that let attackers shape what your AI told you, without a single attachment or macro. The specific exploit is closed. But the attack exposed something a patch alone cannot fix: Copilot trusts the content it reads, and in a misconfigured tenant, that trust is a liability. Here is what happened, why it matters beyond the CVE, and what admins should actually do about it.
Microsoft has announced a significant change in how new Accepted Domains in Exchange Online are provisioned with MX records. Between early and late July 2026 (previously February), Microsoft will gradually switch provisioning of all A records for new Accepted Domains to the new subdomains under mx.microsoft (*.mx.microsoft). At first glance, this may look like a …
Still running with legacy join settings? Attackers love it. Learn the modern model: MAQ=0, OU-scoped delegation (not SeMachineAccountPrivilege), DC allow-list for account reuse, and a guarded Staging OU before production. Bonus: Offline Domain Join for segmented OT sites.

