Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Enumerating Users and Mailboxes in Microsoft Outlook 365 Web

During our research into Microsoft 365 security, we discovered a flaw in Outlook on the web (OWA) that exposed information about users and their mailboxes. By manipulating certain request headers against the “/owa/service.svc” endpoint, an attacker could not only confirm whether a user account existed, but also determine if that account had a mailbox associated with it.

CVE-2025-10573: Critical Unauthenticated Stored XSS in Ivanti Endpoint Manager

A newly disclosed vulnerability in Ivanti Endpoint Manager (EPM) tracked as CVE-2025-10573 allows unauthenticated attackers to inject persistent JavaScript into the EPM administrative dashboard. Assigned a CVSS score of 9.6, this vulnerability presents a critical security risk because it enables attackers to hijack administrator sessions and gain full control over managed endpoints.

Data Leakage: AI's Plumbing Problem

Sensitive information disclosure ranks on the OWASP Top 10 for LLM Applications, and for good reason. When AI-powered applications inadvertently expose private data like personally identifiable information (PII), financial records, health information, API keys, or proprietary business intelligence, the consequences cascade quickly: regulatory violations, competitive disadvantage, and shattered user trust.

PII Detection in Unstructured Text: Why Regex Fails (And What Works)

Let’s look at something many teams quietly struggle with: detecting PII inside unstructured text. It feels like it should be simple. After all, we’ve used regular expressions for years to find emails, phone numbers, and ID formats. Yet when we deploy regex in real environments (ticket systems, chat logs, CRM notes, uploaded documents, support transcripts), something becomes clear very quickly. Regex isn’t enough.

Why You Shouldn't Ignore OS Updates Even for "Small" Bugs

In cybersecurity, people often focus on the big, headline-grabbing incidents: ransomware outbreaks, nation-state intrusions, or massive supply chain compromises. But the reality is far simpler. Most breaches begin with something small: a patch that wasn’t applied, a “low-priority” update that got postponed, or a seemingly harmless system bug that attackers quietly weaponized.

AI-Native Browsers Demand AI-Native Security: Why Legacy DLP Can't Protect You

In our recent analysis of AI browser exfiltration risks, we exposed how OpenAI's Atlas and Perplexity's Comet create permanent backdoors to sensitive data through persistent memory, autonomous agents, and cross-platform sync. The challenges with AI-native browsers strongly resonated with the CISOs and security leaders we speak with on a daily basis. But the threat extends far beyond Atlas and Comet.

React2Shell and related RSC vulnerabilities threat brief: early exploitation activity and threat actor techniques

On December 3, 2025, immediately following the public disclosure of the critical, maximum-severity React2Shell vulnerability (CVE-2025-55182), the Cloudforce One Threat Intelligence team began monitoring for early signs of exploitation. Within hours, we observed scanning and active exploitation attempts, including traffic originating from infrastructure associated with Asian-nexus threat groups.

Why I'm leading Tines' internal workflow transformation

I first met Tines co-founders Eoin Hinchy and Thomas Kinsella more than a decade ago at eBay. Even then, we shared the same frustration: too much important work was slowed down by brittle processes, manual handoffs, and disconnected tools. We all believed technology should help people focus on meaningful work, not slow them down in muckwork. That idea has shaped my career ever since. I started out in security operations, using automation to make my own job easier.