Transcript
A (0:00)
From the CISO Series, it's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Friday, November 28, 2025. I'm Steve Prentice.

Microsoft to block unauthorized scripts in Entra ID logins with 2026 CSP update

Microsoft plans to strengthen Entra ID security by blocking unauthorized script injection attacks starting in late 2026. The update, part of its Secure Future Initiative, applies a stricter content security policy to browser-based sign-ins at login.microsoftonline.com, allowing scripts only from trusted Microsoft domains. This aims to prevent cross-site scripting attacks and stop any injected or unauthorized code from running during authentication. External ID sign-ins won't be affected. Microsoft urges organizations to test their sign-in flows early and avoid browser extensions or tools that inject scripts, recommending they switch to alternatives that do not modify the Entra sign-in experience.

New legislation targets scammers that use AI to deceive

This new bipartisan bill is called the AI Fraud Deterrence Act, introduced by Representatives Ted Lieu from California and Neal Dunn from Maryland. It would increase the criminal penalties for committing fraud and impersonation with the assistance of AI tools, such as convincing fake audio, video or texts. The total potential fines incurred for mail fraud, wire fraud, bank fraud and money laundering would all be increased to between $1 and $2 million, with new language specifying that using AI-assisted tools carries a maximum prison sentence of 20 to 30 years. Meanwhile, scammers who use AI to impersonate government officials can be fined up to $1 million and spend three years in prison.

ASUS firmware patches critical AiCloud vulnerability

ASUS has released firmware to address nine security vulnerabilities, all of which have CVE numbers, with one, a critical authentication bypass, having a CVSS score of 9.2. These nine numbers are available in the show notes to this episode. They affect routers with AiCloud enabled, which is a remote access feature built into many ASUS routers to allow devices to function as personal cloud servers for remote media streaming and cloud storage. According to the company's advisory, the 9.2 vulnerability can be triggered by an unintended side effect of the Samba functionality, potentially leading to execution of specific functions without proper authorization.

OpenAI cuts off Mixpanel after analytics leak exposes API users

OpenAI announced that a data breach at its former analytics provider Mixpanel may have affected users of its API platform, though regular ChatGPT users are generally not impacted. Mixpanel discovered the breach on November 9 and shared details with OpenAI on November 25. Exposed data includes profile information such as names, email addresses, approximate locations, system details and account IDs. OpenAI has since removed Mixpanel from its systems, has begun notifying affected users, and launched broader security reviews of all vendors. The company reports no evidence of impact beyond Mixpanel's environment and emphasizes its commitment to transparency and strong security standards.

Huge thanks to our sponsor, KnowBe4. Cybersecurity isn't just a tech problem, it's a human one. That's why KnowBe4's human risk management platform allows you to measure, quantify and actually reduce human risk across your organization. With AI-powered risk scoring, automated coaching and reporting, HRM helps you surface your highest-risk users and reduce the risk of data breaches and cyber attacks proactively. Ready to move from awareness to action? Request a demo of HRM today at knowbe4.com, that is K-N-O-W-B-E-the-number-4.com.

Cyber issue hits three London councils with shared IT services

The impacted locations are the Royal Borough of Kensington and Chelsea, Westminster City Council and the Borough of Hammersmith and Fulham, which house some of London's wealthiest districts. Some of the services used by these councils share the same IT system, which has now been taken down as a precaution. Representatives say it is too early to attribute the incident to any threat actor or to confirm whether any data has been compromised.

Dartmouth College suffers breach through Oracle EBS campaign

The Ivy League school located in New Hampshire has suffered a breach that has impacted 35,000 people across multiple states as a result of a campaign involving Oracle E-Business Suite. Dartmouth officials determined that an unauthorized actor took certain files between August 9th and August 12th of this year, with the leaked data consisting of names, Social Security numbers and financial account data.

Exchange Online outage blocks access to Outlook mailboxes

If you have had trouble accessing your Outlook mail recently, you're not alone. Microsoft is looking into an Exchange Online service outage that is preventing customers from accessing their mailboxes using the classic Outlook desktop client. This outage started on Tuesday and, according to user reports on Downdetector, it also caused server connection and login issues. The outage affected users in the Asia Pacific and North America regions who were attempting to connect to their Exchange Online mailbox using the classic Outlook experience. Microsoft has not yet said how many users have been affected.

Security keys may prompt for PIN after recent updates

Also on Tuesday, Microsoft warned users that FIDO2 security keys may prompt them to enter a PIN when signing in after installing Windows updates released since the September 2025 preview update. Quote: "This is an intentional change," Microsoft says, "to comply with WebAuthn specifications, which dictate how authentication methods such as PINs, biometrics, and hardware security keys should handle user verification requests." End quote. They added, quote: "After installing the Windows update of September 29th, you might be required to create a PIN to sign in with a security key, even if a PIN was not required or set during your initial registration." End quote.

Do you use the CISO Series Cybersecurity Headlines podcast with your security team? Have you ever used a story that you heard on the show to inform your security decisions at work? We would love to hear from you. Shoot us an email at feedback@cisoseries.com and we would love to give you a shout-out on the show. I'm Steve Prentice, reporting for the CISO Series.
