Daily Digest

Phishing isn’t what it used to be. AI now powers highly personalized attacks that slip past traditional defenses like a ghost through a wall. For managed service providers (MSPs), this means the old playbook is broken. The real danger? It’s not just about stopping the breach anymore. It’s about what happens after—data loss, downtime, and scrambling to recover. If you’re an MSP still treating security and backup as separate worlds, you’re leaving the door wide open for attackers.

**What exactly happened** On May 14, 2026, BleepingComputer and Kaseya are hosting a live webinar that pulls back the curtain on modern cyberattacks. The focus is on MSPs—the frontline defenders for countless businesses—and why their current strategies are falling short. Attackers are no longer spraying generic phishing emails. They’re using AI to craft hyper-personalized messages that mimic trusted contacts, brands, and even internal tools. Traditional email security? It’s struggling to keep up. **Who is affected and how** MSPs are ground zero. They manage IT for small and mid-sized businesses, making them a high-value target. When an MSP gets hit, it’s not just one company that suffers—it’s dozens or hundreds of clients. The attack chain often starts with a clever phishing email. From there, it escalates to business email compromise, ransomware, and full-blown data loss. The worst part? Many MSPs don’t realize the damage until it’s too late. **The real-world impact and consequences** Data loss and downtime are the obvious nightmares. But the hidden cost is reputation. Clients trust MSPs to keep them safe. A single successful attack can shatter that trust, leading to lost contracts and legal fallout. Recovery is where most MSPs stumble. They treat security and backup as separate silos. Attackers exploit this gap, moving from initial access to encryption before anyone notices. Without a unified recovery plan, the aftermath is chaos. **Technical breakdown—the “how” explained simply** Here’s how it works: Attackers use AI to scrape public data—social media, company websites, email signatures—to craft phishing emails that look like they’re from a colleague or vendor. No spelling errors, no weird links. Just a clean, convincing message. Once a user clicks, the attacker gains a foothold. They then pivot through trusted infrastructure, like SaaS platforms or cloud tools, to move laterally. Traditional defenses often miss this because the traffic looks legitimate. By the time ransomware hits, the damage is done. Without SaaS backups and a business continuity plan, recovery can take weeks—if it happens at all. **What should be done—mitigation and recommendations** The webinar lays out a clear path forward. First, MSPs need to rethink email security. AI-driven phishing requires AI-driven defenses that analyze behavior, not just content. Second, security and backup must become one strategy. SaaS backups are no longer optional—they’re a critical layer of resilience. A business continuity and disaster recovery (BCDR) plan ensures that even if an attack succeeds, recovery is fast and controlled. Finally, MSPs should adopt a “assume breach” mindset. Prevention is vital, but so is having a playbook for when things go wrong. The goal isn’t just to stop attacks—it’s to survive them. **Why this matters in the bigger cybersecurity landscape** This isn’t just another webinar. It’s a wake-up call for an entire industry. Cyberattacks are evolving faster than defenses, and MSPs are in the crosshairs. The shift from “stop everything” to “stop and recover” is a fundamental change in how we think about security. For MSPs, the winners will be those who integrate prevention, detection, and recovery into a single, seamless strategy. The clock is ticking. May 14 is the day to learn how to stay ahead.

Microsoft just confirmed that its April 2026 security updates are breaking third-party backup software. If your organization relies on tools like Macrium Reflect, Acronis, or NinjaOne Backup, you might be staring at failed backups and cryptic VSS timeout errors right now. This isn't a random glitch. It's a deliberate security hardening move that blocks a vulnerable kernel driver to prevent attackers from hijacking your systems. The trade-off? Your backup images may no longer mount or restore properly. Windows 10, Windows 11, and Windows Server users are all in the crosshairs.

**What exactly happened** Microsoft's April 2026 security updates quietly added a kernel driver called psmounterex.sys to the Windows Vulnerable Driver Blocklist. This driver, used by many third-party backup applications, is now blocked from loading on patched systems. The result? Backup software that relies on it can no longer mount or manage disk images, triggering VSS timeouts and restore failures. The move wasn't arbitrary. Microsoft is closing a security gap tied to CVE-2023-43896, a high-severity buffer overflow vulnerability in the driver. Attackers could exploit it to escalate privileges or execute arbitrary code. By blocking the driver, Microsoft is prioritizing security over compatibility. **Who is affected and how** The impact spans a wide range of backup tools. Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup are all confirmed victims. Any Windows device running Windows 10, Windows 11, or Windows Server with the April updates installed is vulnerable to this issue. Users will see backup creation succeed but image-mount operations fail. Error messages like "The backup has failed because Microsoft VSS has timed out" or VSS_E_BAD_STATE are common. Event Viewer may also log Code Integrity errors with Event ID 3077, signaling that psmounterex.sys was blocked. **The real-world impact and consequences** For IT admins and backup operators, this is a nightmare scenario. You can create backups, but you can't restore from them. That defeats the entire purpose of having a backup strategy. In a disaster recovery situation, this could mean hours of downtime while you scramble for workarounds. Microsoft's advice is clear: don't uninstall the update. Doing so would leave your systems exposed to the vulnerability. Instead, they recommend updating your backup software to a version that uses a newer, non-blocked driver. But that's easier said than done, especially for legacy systems or environments with strict change control. **Technical breakdown — the "how" explained simply** The psmounterex.sys driver is a kernel-mode component used by backup apps to mount disk images as virtual drives. When Windows Code Integrity enforcement blocks it, the driver can't load. Without it, the backup software can't interact with Volume Shadow Copy Service (VSS) snapshots correctly, leading to timeouts and failures. To check if your system is affected, open Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational, and look for Event ID 3077 with Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816}. That's the smoking gun. **What should be done — mitigation and recommendations** First, confirm you're affected by checking Event Viewer for the 3077 error. Then, contact your backup software vendor for an updated version that uses a compliant driver. Microsoft explicitly warns against uninstalling the April updates, so don't go that route. If you're in a pinch, consider alternative backup methods that don't rely on psmounterex.sys, at least temporarily. For critical restores, you may need to spin up a test environment without the April update to mount images, but that's a security risk. Plan your migration carefully. **Why this matters in the bigger cybersecurity landscape** This incident highlights a growing tension between security and operational stability. Microsoft is increasingly aggressive about blocking known vulnerable drivers, even when it breaks third-party software. It's a pattern we've seen with BitLocker recovery mode bugs and out-of-band updates for Server 2025. For cybersecurity teams, this is a wake-up call. Your backup software is only as reliable as its kernel drivers. If your vendor isn't keeping pace with Microsoft's blocklist updates, you're one Patch Tuesday away from a restore failure. Test your backups after every update cycle, and demand driver compliance from your vendors. The era of "it worked before" is over.

Educational tech giant Instructure, the company behind the widely-used Canvas learning platform, just confirmed a data breach that exposed user information. The ShinyHunters extortion gang has claimed responsibility, alleging they stole data on 275 million individuals from nearly 9,000 schools worldwide. This isn't just another corporate leak. It puts students, teachers, and staff at thousands of schools and universities at risk. If you or your children use Canvas for classes, your name, email, and private messages may have been compromised. The stakes are high, and the response is just beginning.

**What exactly happened** Instructure, the U.S.-based company behind the Canvas learning management system, disclosed a cybersecurity incident on Friday. By Saturday, they confirmed that user personal information was stolen. The ShinyHunters extortion gang quickly claimed responsibility, posting the company on their data leak site. The breach exposed "certain identifying information" like names, email addresses, and student ID numbers. Private messages between users were also compromised. Instructure says passwords, birth dates, government IDs, and financial data were not affected—so far. **Who is affected and how** The impact is massive. ShinyHunters claims nearly 9,000 schools worldwide are affected, with data on 275 million individuals—students, teachers, and staff. They allege the stolen data includes private conversations, Salesforce instance details, and more. If you're a student or educator using Canvas, your personal information and private messages may be exposed. The threat actor shared data showing institutions across North America, Europe, and Asia-Pacific are involved. BleepingComputer has not independently confirmed these numbers, but the scale is staggering. **The real-world impact and consequences** For students, this means their names, emails, and private messages to teachers could be leaked. That's a serious privacy violation, especially for minors. For schools, it's a reputational nightmare and a potential legal liability. The stolen data could fuel phishing attacks, social engineering, or identity theft. Students and teachers might receive targeted scams pretending to be from their school. The private messages could be used for blackmail or harassment. The breach also undermines trust in digital education tools. **Technical breakdown** ShinyHunters claims they exploited a vulnerability in Instructure's systems to steal the data. Instructure has since patched that vulnerability, but the damage is done. The company has deployed patches, increased monitoring, and rotated application keys as a precaution. Customers must re-authorize access to Instructure's API for new application keys. This is a standard step to prevent unauthorized access using old credentials. However, the breach itself suggests the initial security gap was significant. **What should be done — mitigation and recommendations** If you're a student, teacher, or staff member at an affected institution, change your Canvas password immediately. Enable two-factor authentication if available. Be extra cautious about emails or messages asking for personal information—they could be phishing attempts. Schools should notify all users about the breach and provide guidance on monitoring accounts. They should also review their own security practices, especially around API access and third-party integrations. Instructure has promised to notify affected institutions if new information emerges. **Why this matters in the bigger cybersecurity landscape** This breach highlights a growing target: educational technology. Schools and universities hold vast amounts of sensitive data on minors and adults alike, yet their security often lags behind corporate or government systems. The involvement of ShinyHunters, a known extortion gang, shows that no sector is safe. As more learning moves online, the attack surface expands. This incident should be a wake-up call for educational institutions to prioritize cybersecurity—before the next breach hits closer to home.

Microsoft’s shiny new Administrator Protection feature was supposed to lock down Windows like never before. But security researcher had already found nine ways to break it before it even shipped. The root cause? A decade-old UAC weakness called UI Access that lets lower-privileged processes talk to higher-privileged windows. If you’re a Windows admin or IT pro, this matters because these bypasses could let attackers silently escalate privileges—and Microsoft only fixed them after the researcher went public.

**What exactly happened** Researcher found nine distinct bypasses in Microsoft’s new Administrator Protection feature. Five of them trace back to a single, long-ignored vulnerability: how Windows handles UI Access (UIAccess). This isn’t a new bug—it’s a design flaw that’s been lurking since Windows Vista introduced User Interface Privilege Isolation (UIPI). **Who is affected and how** Any Windows user running Administrator Protection is potentially exposed. The bypasses allow a low-integrity process (like a standard user app) to interact with high-integrity windows. Think of it as a locked door where the lock works fine, but the wall around it is made of cardboard. An attacker who already has limited access can use these UI interactions to silently elevate privileges. **The real-world impact and consequences** This isn’t just theoretical. These bypasses could be chained with other exploits to gain admin rights without triggering any alerts. For enterprises relying on Administrator Protection as a security boundary, the feature was essentially a false sense of security until these bugs were patched. **Technical breakdown (the “how” explained simply)** UIPI was supposed to stop low-integrity processes from sending messages to higher-integrity windows. But UI Access creates an exception—certain processes marked as “UI Access” can bypass this restriction. The researcher found that Administrator Protection didn’t properly enforce integrity checks on these UI Access processes. So a low-integrity app could still send keystrokes or mouse clicks to an admin-level window. Imagine a bank vault with a secure door, but the air vent is wide open. That’s essentially what UI Access became. **What should be done — mitigation and recommendations** Microsoft has already patched all nine bypasses in recent updates. But here’s the catch: the underlying UI Access architecture remains unchanged. Admins should: - Apply the latest Windows patches immediately - Monitor for processes requesting UI Access tokens - Consider disabling Administrator Protection if not actively needed - Test their environments for similar bypass patterns **Why this matters in the bigger cybersecurity landscape** This research exposes a fundamental tension in Windows security: features designed for accessibility (like UI Access) often become attack surfaces. Administrator Protection was Microsoft’s attempt to fix UAC’s broken trust model. But as this shows, security boundaries are only as strong as their weakest legacy component. The real lesson? Don’t assume new features fix old problems. Test them like an attacker would—because someone already is.

Microsoft just rolled out a shiny new security feature for Windows 11 called Administrator Protection—and a researcher found nine ways to break it before it even fully launched. One of those bugs could silently hand attackers full admin rights without triggering any warnings. This matters because Administrator Protection was supposed to replace the notoriously weak User Account Control (UAC) system we’ve all been clicking through for years. If you’re running Windows 11 25H2 or planning to, your admin privileges might not be as locked down as Microsoft promised.

**What Exactly Happened** A security researcher dug into Windows 11’s brand-new Administrator Protection feature while it was still in insider preview builds. They discovered nine separate vulnerabilities that could bypass the system entirely. One of the most critical flaws allowed silent elevation to full administrator privileges—no pop-ups, no consent, no clues. Microsoft has since patched all nine issues, either before the feature’s official release or through subsequent security bulletins. But here’s the kicker: as of December 1, 2025, Microsoft disabled Administrator Protection entirely due to an unrelated application compatibility issue. So the feature is currently inactive for many users. **Who Is Affected and How** Anyone running Windows 11 version 25H2 with Administrator Protection enabled is potentially affected—or was, before the feature got pulled. The vulnerability targets local users who have administrator access but rely on the new system to gate those privileges. Attackers could exploit this without any user interaction beyond running a malicious program. That means even cautious users who never click suspicious links could be compromised if they simply execute a piece of malware. **The Real-World Impact** This isn’t just a theoretical bug. Full administrator privileges give attackers complete control over a machine. They can install persistent malware, disable security tools, steal credentials, and pivot to other systems on the network. The fact that this bypass is silent makes it especially dangerous. Traditional UAC at least throws up a prompt that might alert a vigilant user. Administrator Protection was supposed to be stronger—yet these vulnerabilities made it even easier to bypass than the system it replaced. **Technical Breakdown: How the Bypass Works** The researcher didn’t reveal every detail, but the core issue involves how Administrator Protection handles token assignments and privilege escalation. The new feature uses a separate, isolated administrator token that’s supposed to be tightly controlled. The vulnerability exploited a flaw in how this token is requested and validated. By manipulating certain system calls or abusing the interaction between protected processes, an attacker could trick Windows into granting full admin rights without going through the proper elevation flow. Think of it as convincing a bouncer you’re on the VIP list by showing them a fake ID they’re programmed to accept. **What Should Be Done — Mitigation and Recommendations** Since Microsoft has disabled Administrator Protection for now, the immediate risk is lower. But when the feature returns, users should apply all available Windows updates immediately. The patches for these nine vulnerabilities are already included in recent updates. For now, stick with the old advice: never run your daily account as a full administrator. Use a standard user account for everyday tasks and only elevate when absolutely necessary. And keep UAC enabled—it’s not perfect, but it’s better than nothing. **Why This Matters in the Bigger Picture** This discovery highlights a recurring problem in cybersecurity: new features often introduce new attack surfaces. Microsoft designed Administrator Protection to solve UAC’s weaknesses, but rushed deployment and insufficient testing left gaping holes. The bigger lesson is that no security feature is a silver bullet. Even well-intentioned protections need rigorous vetting, especially when they control core system privileges. For defenders, this means staying skeptical of new features and always layering multiple security controls rather than relying on any single solution.