Cyber Security Headlines: Microsoft blocks Entra, AI scammer legislation, ASUS patches AiCloud
Podcast: Cyber Security Headlines
Host: Steve Prentiss, CISO Series
Date: November 28, 2025
Overview
In this episode, Steve Prentiss delivers a roundup of the latest cybersecurity news, including Microsoft’s plan to block unauthorized scripts in Entra ID sign-ins, new US legislative efforts to deter AI-enabled scams, ASUS’s critical firmware patches, a Mixpanel analytics leak impacting OpenAI users, major cyber incidents at London councils and Dartmouth College, Microsoft Exchange and security key issues, and more. The episode focuses on rising threats from AI-based deception and software vulnerabilities, as well as evolving defenses and regulations.
Key Discussion Points & Insights
1. Microsoft to Block Unauthorized Scripts in Entra ID Logins
- Time: 00:15-01:16
- Microsoft will enhance Entra ID (previously Azure AD) security starting late 2026 by blocking script injection attacks via a stricter Content Security Policy (CSP).
- All browser-based sign-ins at login.microsoftonline.com will allow scripts only from trusted Microsoft domains, aiming to prevent cross-site scripting (XSS).
- External ID sign-ins are reportedly unaffected.
- Microsoft urges organizations to test early and avoid using browser extensions/tools that inject scripts.
- Insight: The move is part of Microsoft’s Secure Future initiative, anticipating risks from third-party script injections.
"Microsoft urges organizations to test their sign-in flows early and avoid browser extensions or tools that inject scripts, recommending they switch to alternatives that do not modify the Entra sign-in experience."
– Steve Prentiss, 01:00
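The mechanism behind this item is a CSP whose script-src directive names only an allow-list of first-party origins. As an added example (not Microsoft's code or its actual policy), the following Python parses a Content-Security-Policy header and reports which script URLs it would permit, which is the kind of check an organization can run while testing its sign-in flow for injected scripts. The policy string and every host name in it are constructed for illustration; the real Entra policy is not on this page.

```python
"""Content-Security-Policy script-src checker (added example, not Microsoft's code).

The policy below is CONSTRUCTED to resemble the behaviour described in the
episode (scripts allowed only from a short allow-list of first-party origins).
Its host names are assumptions, not the real Entra policy.
"""
from urllib.parse import urlsplit

# Constructed sample policy for illustration only.
SAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://login.microsoftonline.com https://*.msauth.net; "
    "object-src 'none'; base-uri 'self'"
)


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated; the first token is the directive name and
    the rest are source expressions. A repeated directive is ignored (first wins).
    """
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _host_matches(pattern_host: str, host: str) -> bool:
    """Match a host against a CSP host pattern, supporting a leading '*.' wildcard."""
    if pattern_host.startswith("*."):
        # '*.example' matches 'a.example' but not the bare 'example'.
        return host.endswith(pattern_host[1:])
    return pattern_host == host


def _source_allows(expr: str, page_origin: str, script_url: str) -> bool:
    """Decide whether one source expression permits script_url.

    Handles 'self', 'none', scheme-only sources (https:) and host sources with
    optional scheme, wildcard subdomain and port. Nonces, hashes and
    'unsafe-inline' are not modelled, which errs toward reporting "blocked".
    """
    expr_l = expr.lower()
    scr = urlsplit(script_url)
    if expr_l == "'none'":
        return False
    if expr_l == "'self'":
        page = urlsplit(page_origin)
        return (page.scheme, page.hostname, page.port) == (scr.scheme, scr.hostname, scr.port)
    if expr_l.startswith("'"):
        return False
    if expr_l.endswith(":") and "/" not in expr_l:  # scheme-source, e.g. "https:"
        return scr.scheme == expr_l[:-1]
    src = urlsplit(expr_l if "://" in expr_l else "//" + expr_l)
    if src.scheme and src.scheme != scr.scheme:
        return False
    default_port = {"https": 443, "http": 80}.get(scr.scheme)
    if src.port is not None and src.port != (scr.port or default_port):
        return False
    return _host_matches(src.hostname or "", scr.hostname or "")


def script_allowed(policy: str, page_origin: str, script_url: str) -> bool:
    """True if script-src (falling back to default-src) allows script_url."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # no applicable directive: the policy does not restrict scripts
    return any(_source_allows(s, page_origin, script_url) for s in sources)


def audit(policy: str, page_origin: str, script_urls: list[str]) -> dict[str, bool]:
    """Map each script URL to whether the policy would let it load on the page."""
    return {url: script_allowed(policy, page_origin, url) for url in script_urls}


if __name__ == "__main__":
    # Constructed script URLs: two first-party, one third-party host not on the
    # allow-list (the sort of thing an injecting extension would add), one wrong scheme.
    page = "https://login.microsoftonline.com"
    for url, ok in audit(SAMPLE_POLICY, page, [
        "https://login.microsoftonline.com/static/app.js",
        "https://cdn.msauth.net/lib.js",
        "https://third-party.example/inject.js",
        "http://login.microsoftonline.com/app.js",
    ]).items():
        print(f"{'ALLOWED' if ok else 'BLOCKED':8} {url}")
```

Running the module prints one line per constructed URL; only the two first-party origins are allowed, the unlisted third-party host and the plain-http variant are blocked. Real browsers also apply nonces, hashes and extension-specific rules that this checker deliberately leaves out.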
2. US Congress Introduces AI Scammer Deterrence Legislation
- Time: 01:17-02:22
- A bipartisan bill—the AI Fraud Deterrence Act—has been introduced to escalate criminal penalties for fraud or impersonation involving AI tools (fake audio, video, or text).
- Penalties:
  - Mail, wire, bank fraud, money laundering fines up to $2 million;
  - Maximum prison sentences from 20 to 30 years if AI tools are used;
  - Impersonation of government officials via AI: $1 million fine, up to 3 years in prison.
- Insight: Lawmakers recognize and move to preemptively address the proliferation of convincing AI-driven scams.
"Using AI-assisted tools carries a maximum prison sentence of 20–30 years."
– Steve Prentiss, 01:54
3. ASUS Patches Critical AiCloud Authentication Flaw
- Time: 02:23-03:08
- ASUS has released firmware fixes for nine security vulnerabilities in routers with AiCloud enabled; at least one is a critical authentication bypass (CVSS 9.2).
- The vulnerability is linked to Samba functionality and allows unauthorized access to specific router functions.
- Detailed CVEs are in the episode’s show notes.
- Insight: Home and small office devices with remote cloud features remain prime targets for attackers.
"The 9.2 vulnerability can be triggered by an unintended side effect of the Samba functionality, potentially leading to execution of specific functions without proper authorization."
– Steve Prentiss, 02:57
4. OpenAI Cuts Off Mixpanel After Analytics Data Leak
- Time: 03:09-03:57
- OpenAI’s former analytics provider Mixpanel suffered a breach, exposing API user details (names, emails, locations, system details, account IDs).
- OpenAI responded by removing Mixpanel, notifying impacted users, and expanding its vendor security reviews.
- Regular ChatGPT users are reportedly unaffected.
- Insight: The incident highlights ongoing third-party risk management challenges for tech companies.
"The company reports no evidence of impact beyond Mixpanel's environment and emphasizes its commitment to transparency and strong security standards."
– Steve Prentiss, 03:52
5. Cyber Issue Affects Three London Councils’ Shared IT Services
- Time: 04:55-05:32
- The Royal Borough of Kensington and Chelsea, Westminster City Council, and Hammersmith and Fulham are impacted—some of London’s wealthiest districts.
- Shared IT system has been taken down as a precaution; no attribution or data loss confirmed yet.
- Insight: Shared infrastructure increases risk exposure and complicates incident response.
6. Dartmouth College Data Breach via Oracle EBS Campaign
- Time: 05:33-06:04
- Breach affected 35,000 people’s personal data (names, SSNs, financial info) after unauthorized access via Oracle E-Business Suite from August 9–12.
- Insight: Education sector continues to be targeted by sophisticated campaigns.
7. Exchange Online Outage Disrupts Outlook Classic Users
- Time: 06:05-06:31
- Ongoing Microsoft Exchange Online outage prevents classic Outlook Desktop client users (Asia Pacific and North America) from mailbox access.
- Microsoft has yet to assess total affected users.
8. Security Keys Now Require a PIN Following Microsoft Update
- Time: 06:32-07:10
- FIDO2 security keys may now prompt for a PIN after installing Windows updates (since September 2025).
- This is an intentional change to comply with WebAuthn standards for user verification.
"After installing the Windows update of September 29, you might be required to create a PIN to sign in with a security key, even if a PIN was not required or set during your initial registration."
– Steve Prentiss quoting Microsoft, 06:55
Notable Quotes & Memorable Moments
- "Microsoft plans to strengthen Entra ID security by blocking unauthorized script injection attacks starting in late 2026."
  – Steve Prentiss, 00:16
- "A bipartisan bill is called the AI Fraud Deterrence Act...using AI assisted tools carries a maximum prison sentence of 20–30 years."
  – Steve Prentiss, 01:34/01:54
- "ASUS has released firmware to address nine security vulnerabilities, all of which have CVE numbers, with one—a critical authentication bypass—having a CVSS score of 9.2."
  – Steve Prentiss, 02:30
- "OpenAI announced that a data breach at its former analytics provider Mixpanel may have affected users of its API platform."
  – Steve Prentiss, 03:09
- "You might be required to create a PIN to sign in with a security key, even if a PIN was not required or set during your initial registration."
  – Steve Prentiss quoting Microsoft, 06:55
Key Segment Timestamps
- Microsoft Entra ID script block: 00:15–01:16
- AI scammer legislation: 01:17–02:22
- ASUS AiCloud vulnerability: 02:23–03:08
- OpenAI/Mixpanel breach: 03:09–03:57
- London council cyber issue: 04:55–05:32
- Dartmouth College breach: 05:33–06:04
- Exchange Online outage: 06:05–06:31
- Security key PIN change: 06:32–07:10
Conclusion
This episode underscores the rapidly evolving nature of the cybersecurity landscape—particularly the dual pressures of AI-driven deception and the vulnerabilities in widely used platforms and devices. With governments moving toward stricter regulation and industry leaders tightening security practices, staying informed is essential for both practitioners and end-users.
For more details, visit CISOseries.com.
