Transcript
A (0:00)
From the CISO series, it's Cybersecurity Headlines.
B (0:06)
These are the Cybersecurity Headlines for Friday, January 9, 2026. I'm Steve Prentice.

Microsoft to enforce MFA for Microsoft 365 admin center sign-ins starting in February
"Microsoft will start enforcing multi-factor authentication for all users accessing the Microsoft 365 admin center," end quote. MFA requirements actually started one year ago, in February 2025, but as of February 9th of this year, Microsoft will block those without MFA enabled from signing in to the Microsoft 365 administrative portal. This will affect a number of admin center URLs used by IT administrators to manage Microsoft 365 accounts. These specific addresses are listed in the show notes to this episode.

Cisco patches ISE security vulnerability after PoC release
This is in response to a public proof-of-concept exploit in Identity Services Engine (ISE) and the ISE Passive Identity Connector (ISE-PIC), rated as medium severity with a CVSS score of 4.9. This vulnerability "resides in the licensing feature and could allow an authenticated remote attacker with administrative privileges to gain access to sensitive environment information," end quote. It was discovered by Bobby Gould of Trend Micro's Zero Day Initiative. Cisco said there are no workarounds to address this flaw, nor are there any indications that it has been exploited in the wild.

Illinois state agency breaches itself
The Illinois Department of Human Services (IDHS) has revealed that it inadvertently exposed personal information belonging to more than 700,000 state residents by posting it on the open Internet, where it remained for as long as four years before being taken down last September. The information consisted of PII and was left on the open web after agency officials created planning maps on a mapping website to help direct resource allocations. The data exposed in the breach is protected health information under the Health Insurance Portability and Accountability Act, otherwise known as HIPAA.

Microsoft Exchange Online outage blocks access to mailboxes
This outage, which started Wednesday evening, intermittently prevents users from accessing their mailboxes via the Internet Mailbox Access Protocol 4, otherwise known as IMAP4. Microsoft says the issues were caused by a code conflict that introduced an authentication misconfiguration. Details on regions and how many users were impacted were not immediately released.

Huge thanks to our sponsor, Hoxhunt. A small tip for CISOs: if you are unsure whether your security training is actually reducing phishing risk, check out what Qualcomm achieved with Hoxhunt. They took their 1,000 highest-risk users from consistent underperformers to outperforming the rest of the company, driving measurable human risk reduction and earning a CSO50 award. See the Qualcomm case at hoxhunt.com/qualcomm. That is H-O-X-H-U-N-T dot com slash Qualcomm.

OpenAI prompt injection problems keep festering
We have covered a number of stories about the seemingly permanent problem of prompt injection in recent weeks. Now security researchers at Radware say they have identified several vulnerabilities in OpenAI's ChatGPT service that allow the exfiltration of personal information. These flaws were identified in a bug report filed on September 26th of last year and were reportedly fixed on December 16th. But the problem still seems to evolve. The current issue surrounds an indirect prompt injection attack called ShadowLeak that, in short, allows malicious instructions in a Gmail message, for example, to get ChatGPT to transmit a password without any intervention from the agent's human user. The successor to ShadowLeak, dubbed ZombieAgent, has evolved to circumvent the fixes and defenses being put up. A link to a more complete description of these attacks is available in the show notes to this episode.

CISA adds two actively exploited flaws to its KEV catalog
In adding these vulnerabilities, both of which can allow for remote code execution, CISA warns that both are now being actively abused by attackers. The first is a code injection flaw in HPE OneView, which is used to centrally manage servers, storage and networking infrastructure. It has a maximum-severity CVSS score of 10.0. The other is a long-patched Microsoft PowerPoint code injection flaw with a CVSS score of 8.8. Despite having been fixed in 2009, it has been included in the KEV catalog because unpatched or unsupported systems are still being successfully targeted.

Phishing as a service: attackers exploit misconfigured email routing to spoof internal emails
According to a report from Microsoft, phishing actors are exploiting complex routing scenarios and misconfigured spoof protections to effectively spoof organizations' domains and deliver phishing emails that appear superficially to have been sent internally. They are using a wide variety of phishing messages related to phishing-as-a-service platforms such as Tycoon2FA. These include messages with lures themed around voicemails, shared documents, communications from human resources departments, password resets or expirations, and others leading to credential phishing. The report suggests setting strict Domain-based Message Authentication, Reporting and Conformance policies, deploying reject and SPF hard fail rather than soft fail policies, and properly configuring any third-party connectors.

Veeam patches a critical RCE flaw in Backup and Replication
This patch, one of many released by the company, addresses a vulnerability with a CVSS score of 9.0 that allows a backup or tape operator to perform remote code execution as the postgres user by sending a malicious interval or order parameter. A Veeam tape operator is a limited Veeam Backup and Replication user role designed to manage tape-based backup operations without full administrative privileges. The vulnerability was discovered during internal testing.

If you have some thoughts on the news from today, or about the show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentice, reporting for the CISO Series.
