This update ensures that only drivers verified through Microsoft’s Windows Hardware Compatibility Program (WHCP) are allowed to run automatically. By enforcing stricter validation, Microsoft is reducing the risk of attackers using malicious drivers to gain deep, kernel-level access to systems.

This enhancement is crucial for maintaining high standards of Windows kernel driver security across all devices.

Kernel drivers operate at the core of the operating system, so any weakness in how they are signed or validated can be exploited. By removing support for legacy signing methods, Microsoft is closing a long-standing security gap.

Removal of Cross-Signed Drivers and Security Impact

The older cross-signing model allowed third-party certificate authorities to approve drivers without strict validation from Microsoft. While this approach helped with compatibility in the past, it also introduced security risks.

Attackers have historically abused this model by stealing signing keys and using them to install rootkits and other advanced malware. Even though Microsoft deprecated cross-signing in 2021, older certificates were still trusted by Windows systems until now.

With this update, that trust is fully removed. Drivers must now go through a stricter approval process that includes:

• Identity verification of the vendor
• Security and compatibility testing
• Malware scanning before certification

This significantly reduces the chances of malicious drivers being loaded into the Windows kernel.

Deployment Approach and Enterprise Considerations

To avoid disruptions, Microsoft is rolling out this change in stages. Initially, the system will monitor and evaluate driver activity before enforcing the block. This allows organizations to identify compatibility issues early.

Additionally, Microsoft will maintain an allow list for widely used legacy drivers to prevent system failures. If unsupported drivers are detected, enforcement may be delayed until the system is stable.

For enterprise environments, there is still controlled flexibility. Organizations that rely on custom kernel drivers can allow them using Application Control for Business policies. These policies must be securely signed and tied to UEFI Secure Boot, ensuring only trusted internal drivers are permitted.

Overall, this update marks a significant step toward strengthening Windows security by limiting kernel-level attack vectors and enforcing modern driver validation standards.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post Windows 11 Blocks Untrusted Kernel Drivers to Improve Security appeared first on First Hackers News.

The patches impact several Microsoft platforms, including Windows, Microsoft Office, SQL Server, Microsoft Edge, and the .NET framework. Organizations are strongly encouraged to install the updates quickly to protect their systems.

Microsoft March 2026 Patch Tuesday Vulnerability Breakdown

The March 2026 update includes vulnerabilities across different categories affecting enterprise infrastructure.

Out of the 79 vulnerabilities patched:

• 3 are rated Critical
• the remaining vulnerabilities are classified as Important or Low severity

Many of the issues fall into these major categories:

• 46 elevation of privilege vulnerabilities
• 18 remote code execution vulnerabilities
• multiple information disclosure, spoofing, and denial-of-service flaws

Elevation of privilege vulnerabilities allow attackers to gain higher permissions inside a system, while remote code execution vulnerabilities may allow attackers to run malicious code remotely.

Two Publicly Disclosed Zero-Day Vulnerabilities

Microsoft also fixed two zero-day vulnerabilities that were publicly disclosed before official patches were released.

Although these vulnerabilities are not currently known to be actively exploited, public disclosure increases the likelihood of attackers developing exploits.

The two notable vulnerabilities include:

• SQL Server Elevation of Privilege (CVE-2026-21262)
This vulnerability could allow an attacker with limited access to escalate privileges and gain administrative control over SQL Server.

• .NET Denial of Service Vulnerability
This flaw impacts the .NET framework and could allow attackers to disrupt applications and cause service outages.

Patched Vulnerabilities

Below is a sample list of some vulnerabilities addressed in the March 2026 update.

Microsoft also patched several vulnerabilities affecting Windows kernel components, Microsoft Edge, Azure tools, Visual Studio Code, and enterprise services.

Why Organizations Should Patch Quickly

Cyber attackers often analyze Patch Tuesday updates to identify newly fixed vulnerabilities. Systems that remain unpatched may become easy targets for exploitation.

Applying updates promptly helps reduce the risk of:

• unauthorized system access
• privilege escalation attacks
• remote code execution attempts
• potential data breaches

Recommended Security Actions

Organizations should take the following steps to reduce risk:

• deploy the March 2026 security updates as soon as possible
• prioritize updates for internet-facing and critical servers
• test patches in a staging environment before full deployment
• monitor SQL Server and .NET applications for unusual activity
• review Microsoft Office configurations to prevent malicious file attacks

Keeping systems fully updated remains one of the most effective ways to protect enterprise environments from evolving cyber threats.

The post Microsoft March 2026 Patch Tuesday Fixes 79 Vulnerabilities Including Two 0-Days appeared first on First Hackers News.

In this operation, attackers pretend to be internal IT support staff and convince victims to grant remote access to their computers. Once access is obtained, they deploy a stealthy malware tool called A0Backdoor to maintain long-term control of the system.

Researchers at BlueVoyant linked the activity to a threat group known as Blitz Brigantine, also tracked as Storm-1811.

How the Microsoft Teams Attack Begins

The campaign starts with a tactic designed to overwhelm the victim.

Attackers send a large number of spam emails to the target’s inbox in a short period of time. This “email bombing” creates confusion and pressure for the employee.

Soon after, the attacker contacts the victim through Microsoft Teams, pretending to be from the company’s IT help desk and offering to fix the email problem.

The victim is then guided to open Windows Quick Assist, a legitimate remote support tool built into Windows. Once the victim approves the request, the attacker gains full remote control of the device.

Malware Installation Process

After gaining access, the attackers begin installing malicious software on the system.

They download installer packages that appear to be legitimate updates for Microsoft Teams or Windows Phone Link. To make the files look trustworthy, the attackers:

• host the installers on Microsoft cloud storage accounts
• sign the files using digital certificates
• disguise them as normal software updates

When the installer runs, it places a real Microsoft application alongside a malicious file named hostfxr.dll.

When the legitimate program starts, it accidentally loads the malicious file instead. This technique is known as DLL sideloading, which allows malware to run quietly without raising suspicion.

Advanced Evasion Techniques

The malicious loader uses several tricks to avoid detection and analysis.

• checks system firmware for signs of virtual testing environments
• creates multiple junk processing threads to disrupt debugging tools
• uses time-based conditions to unlock the main payload

The malware only activates within a specific 55-hour time window, making it harder for researchers to analyze.

Another unusual trick involves an invisible space character hidden in a command line prompt. The malware requires this hidden character to generate the correct key needed to decrypt the final payload.

These techniques make the attack extremely difficult to study or reproduce.

A0Backdoor and Data Exfiltration

Once the protection checks are completed, the malware loads A0Backdoor directly into memory.

This backdoor allows attackers to collect information and maintain persistent access to the infected system.

The malware gathers details such as:

• system device information
• username and environment details
• network configuration data

This information helps attackers identify and manage compromised machines.

Using DNS Tunneling to Stay Hidden

To communicate with attacker servers without raising alarms, the malware uses a technique called DNS tunneling.

Instead of connecting directly to a suspicious command server, the malware sends requests through trusted public DNS resolvers such as 1.1.1.1 or 8.8.8.8.

These requests are disguised as normal mail exchange queries used in everyday email routing.

The attackers hide commands and stolen data inside long subdomains within the DNS requests. The public resolver forwards the request to the attacker’s server and sends the response back to the infected machine.

Because the traffic looks like regular network activity, it blends in with normal corporate operations.

The attackers also rely on older registered domains instead of new ones, helping them bypass security filters that often block recently created domains.

How Organizations Can Reduce Risk

Security experts warn that this campaign shows how attackers are shifting from traditional ransomware to more stealthy and targeted intrusion techniques.

Organizations should take several steps to reduce risk:

• train employees to verify IT support messages received through Microsoft Teams
• monitor and restrict remote access tools like Quick Assist
• block unapproved software installers from running on company systems
• watch for unusual DNS traffic patterns

Improving employee awareness and controlling remote access tools can significantly reduce the chances of these types of attacks succeeding.

Organizations should train employees to recognize signs of a Microsoft Teams attack to prevent remote access abuse.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post Hackers Use Microsoft Teams Attack Method to Gain Remote Access appeared first on First Hackers News.

What Is the Issue?

MS-Agent is a lightweight framework used to build autonomous AI agents. One of its built-in features is the Shell tool, which lets the agent run command-line instructions on the operating system.

While this makes the agent powerful, it also creates risk if commands are not properly checked before execution.

Vulnerability details:

• CVE ID: CVE-2026-2256
• Type: Command Injection / Remote Code Execution (RCE)
• Affected Software: ModelScope MS-Agent
• Vulnerable Component: Shell tool (check_safe() method)

How the Attack Works

The problem comes from how MS-Agent validates input. It uses a method called check_safe() that blocks dangerous commands using a denylist.

A denylist only blocks known bad words or patterns. Attackers can bypass this using prompt injection. They hide malicious commands inside normal-looking content such as:

• Documents the AI is asked to summarize
• Code the AI is asked to analyze
• Text that appears harmless

Because denylists can be tricked with alternate spelling, encoding, or different formats, harmful commands can pass through and get executed by the Shell tool.

What Attackers Can Do

If exploited, attackers can execute operating system commands with the same permissions as the MS-Agent process.

This may allow them to:

• Modify or delete system files
• Steal sensitive information
• Install malware or backdoors
• Use the compromised system to attack others

In severe cases, this could result in full system compromise.

Mitigation Steps

There is currently no official patch available. Organizations using MS-Agent should take immediate precautions:

• Deploy MS-Agent only in controlled environments
• Avoid processing untrusted input
• Run agents inside secure sandboxes
• Apply least-privilege access controls
• Replace denylist filtering with strict allowlist validation

Until a patch is released, isolation and strong input validation are essential.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post MS-Agent Flaw Allows Remote Hijacking of AI Agents appeared first on First Hackers News.

Instead of using obvious malware files, the attackers hide their code inside regular development tools like Visual Studio Code and Node.js. Everything looks like part of normal development work, which makes the attack harder to notice.

The issue first came to light when Node.js processes were seen making repeated outbound connections to suspicious servers over port 3000. These repeated connections raised red flags.

Security experts found that this is part of a larger campaign aimed directly at developers. The attackers use job-related themes so the repositories don’t look suspicious.

By tracking system and network activity, researchers traced the problem back to several Bitbucket repositories. Many of them followed similar naming patterns and reused the same structure and files. That confirmed they were connected to the same operation.

How the Malicious Code Gets Executed

There are three main ways the malicious code gets triggered

In some cases, the attack runs automatically when a developer opens the project in Visual Studio Code. A task is configured to execute as soon as the folder is trusted, which silently launches the hidden script.

In other cases, the attack starts when the developer runs the development server using commands like npm run dev. A file that looks harmless is actually modified to download and execute remote code.

The third method activates when the server starts. The malicious endpoint is hidden in environment variables. When the application launches, it connects to the attacker’s server, sends sensitive data, and runs remote code inside the Node.js process.

The first payload collects system details and keeps checking in with the attacker’s server using a unique ID. It can also download and run extra JavaScript directly in memory.

In the next stage, it becomes a long-running controller that connects to command-and-control servers and executes tasks using Node.js. It includes retry logic, error handling, and file upload endpoints to steal selected data while keeping the session active.

Mitigations

• Treat developer environments as a high-risk attack surface. Apply strict controls when working with unknown or untrusted repositories.
• Keep Visual Studio Code Workspace Trust and Restricted Mode enabled by default. Review files like .vscode/tasks.json and next.config.js before trusting a project.
• On Windows systems, enable Attack Surface Reduction rules in Defender for Endpoint. Turn on cloud-delivered protection and SmartScreen to block suspicious downloads.
• Monitor for unusual Node.js activity, especially repeated outbound connections to suspicious domains or C2 paths. Watch for risky code patterns such as eval or new Function in project files.
• Use Microsoft Sentinel to build hunting queries and detection rules to identify abuse of Next.js projects and developer tools early.

The post Microsoft Detects Malicious Next.js Repos Used in Live Attack Campaigns appeared first on First Hackers News.

Because of this flaw, protected email data may be processed by Copilot and surfaced inside AI chat responses, creating a risk of unintended exposure.

The issue is tracked by Microsoft under reference CW1226324 and was first identified on February 4, 2026. It affects the Copilot “Work Tab” Chat feature.

Vulnerability Details

Technical Cause and Security Impact

Microsoft’s investigation found that a defect in how Copilot processes certain mail folders is responsible for the issue.

Due to this error, emails stored in Sent Items and Drafts can be accessed by Copilot even if confidentiality sensitivity labels are applied.

Normally, sensitivity labels combined with DLP rules should block AI tools from reading or summarizing restricted emails. However, the defect prevents those protections from being properly enforced for the affected folders.

As a result, confidential information may appear in Copilot-generated summaries.

This is especially concerning for sectors such as healthcare, financial services, and government agencies, where strict email protection is tied to regulatory compliance.

The NHS has internally logged the matter as INC46740412, confirming operational impact within public sector environments.

Allowing an AI system to process labeled content despite DLP rules represents a serious breakdown in data governance controls.

Remediation Status

Microsoft began deploying a fix on February 11, 2026, and is contacting certain affected customers to confirm the resolution.

The update is still rolling out, and not all tenants may have received the fix yet.

Organizations using Microsoft 365 Copilot with email sensitivity labels enabled could be impacted until remediation is fully completed.

Recommended Actions

Administrators should monitor the Microsoft 365 Admin Center for updates related to reference CW1226324.

It is also recommended to review Copilot audit logs for unexpected access to labeled email content.

Until Microsoft confirms full deployment of the fix, organizations handling highly sensitive communications may consider temporarily limiting Copilot access to reduce exposure risk.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Microsoft 365 Copilot AI Summary Flaw Exposes Emails appeared first on First Hackers News.

Admins report being unable to sign in, facing repeated authentication failures, or encountering error pages and long loading times when trying to access the admin portal. In many cases, sessions time out before any meaningful action can be completed.

These problems are preventing teams from performing routine but critical tasks such as creating and managing user accounts, adjusting security policies, assigning licenses, and reviewing compliance settings.

Widespread Access Problems for Admins

The disruption appears to be tied to backend systems that handle identity verification and API requests for the admin portal. In simple terms, the services that confirm who an admin is and process their management actions are not responding consistently. This leads to failed logins, broken dashboard views, and incomplete administrative operations.

Because the Microsoft 365 admin center is the central control point for multiple services, the impact extends beyond just one interface.

Administrators responsible for Exchange Online, SharePoint, Microsoft Teams, and Intune are also feeling the effects. Tasks such as mailbox configuration, policy updates, device management changes, and bulk license assignments are being delayed or blocked entirely.

For many organizations, especially those with strict regulatory requirements, these delays can create additional pressure. Inability to quickly adjust access rights, apply security configurations, or complete compliance-related actions may increase risk exposure or complicate audit timelines.

Impact on Operations and Microsoft’s Response

While some experienced administrators are turning to alternatives like Microsoft Graph API calls or legacy admin portals to complete urgent work, these methods require advanced knowledge and are not practical for every team.

Smaller businesses and organizations that rely solely on the standard admin interface are finding it particularly difficult to maintain normal operations.

Microsoft has stated that its engineering teams are reviewing system telemetry and diagnostic data to determine the root cause.

Although no definitive explanation has been shared yet, early indicators suggest the issue may involve backend capacity constraints or problems within identity service integrations that support the admin experience.

In the meantime, administrators are encouraged to closely monitor official service health updates and enable alert notifications where possible. Collecting diagnostic information and documenting the impact on business operations can also help organizations track risk and prepare for any follow-up actions once full service is restored.

The post Microsoft 365 Admin Center Disruption Affects North American Users appeared first on First Hackers News.

The feature is expected to roll out in March 2026 after being delayed more than once, and it will apply only to Teams desktop apps on Windows and Mac.

How it changes daily work visibility

When an employee connects to office Wi-Fi, Teams will mark them as working from that location. If they are not connected to organizational networks, their status will reflect remote work.

Microsoft says location data won’t update after work hours and will reset at the end of the day, but the visibility this creates is what’s driving concern.

Although Microsoft describes the feature as optional, the real control lies with administrators. Once enabled at the organization level, employees may have limited ability to opt out, which shifts the feature from a convenience tool to a form of passive monitoring.

What makes this update controversial isn’t the technology itself — it’s the implication. A tool designed for collaboration can easily become a way to enforce attendance rules, monitor hybrid work, and track presence rather than productivity.

For organizations, this raises bigger questions about trust, transparency, and boundaries in modern workplaces. Without clear policies on how this data is used, who can see it, and why it exists, features like this risk damaging employee confidence instead of improving coordination.

This isn’t just a Teams update — it’s a glimpse into how workplace tech is slowly redefining the line between collaboration and surveillance.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Microsoft Teams Is Adding Wi-Fi Location Tracking — and It’s Raising Big Questions appeared first on First Hackers News.

Microsoft is investigating serious problems linked to its January 2026 security update for Windows 11 after reports of systems failing to start correctly. The update, which was meant to strengthen security, has instead left some users unable to boot their devices.

The issue is tied to update KB5074109, released for Windows 11 versions 25H2 and 24H2. Shortly after installation, affected systems began showing critical startup errors, including boot loops and black screens. In some cases, devices display an UNMOUNTABLE_BOOT_VOLUME error and never reach the login screen.

Microsoft has acknowledged the problem and confirmed receiving a limited number of reports where devices cannot complete startup. So far, the issue appears to affect physical machines only, with virtual environments remaining unaffected. For impacted users, access to the operating system is often lost entirely, requiring recovery tools to remove the update.

Even on systems that manage to boot, the update has caused widespread stability concerns. Users report random freezes, display issues, and conflicts with graphics drivers, particularly during GPU-intensive tasks. Some applications become unresponsive without triggering a crash or error message, leaving systems stuck until a forced restart.

The update has also disrupted productivity and enterprise services. Microsoft confirmed that credential prompts for certain cloud and remote desktop services were broken, temporarily preventing users from connecting. Outlook Classic users have also reported freezes and sync problems after startup.

What users should do now

• Uninstall the latest update using the Windows Recovery Environment if the system won’t boot
• Roll back KB5074109 or pause updates on unstable systems
• Delay installing the update until Microsoft releases a permanent fix

Microsoft continues to investigate the root cause of these failures. Until a comprehensive resolution is available, users and administrators are advised to approach the January update with caution, especially on production systems.

The post Windows 11 January Update Triggers Serious Boot Issues appeared first on First Hackers News.

While the issue does not enable full system takeover, it weakens safeguards designed to protect users from untrusted content, making it particularly relevant in post-compromise or insider attack scenarios.

How the Vulnerability Works

The flaw lies in how Windows Remote Assistance handles specially crafted files used to start or manage assistance sessions. In some cases, these files are processed in a way that skips normal security checks, allowing them to appear more trusted than they actually are.

As a result, protections tied to Mark of the Web (MOTW)—such as warning prompts, SmartScreen checks, and certain script or macro restrictions—may not be enforced.

This means content that originated from the internet could be opened locally without the usual defenses, increasing the risk of stealthy data access or follow-on attacks.

Exploitation requires user interaction, typically by convincing a victim to open a malicious file delivered through email, messaging platforms, or a web download.

Impact, Affected Systems, and Mitigation

• Impact: Enables attackers to bypass Mark of the Web protections, potentially allowing sensitive data access or stealthy follow-on attacks without triggering expected security warnings.
• Affected Systems: Supported versions of Windows 10, Windows 11, and Windows Server, including both client and enterprise deployments.
• Mitigation: Microsoft has addressed the issue in the January 2026 Patch Tuesday updates. Organizations should apply the updates as soon as possible. Until patching is complete, administrators are advised to restrict Windows Remote Assistance usage, enhance email and web filtering controls, and remind users to avoid opening unsolicited assistance files or attachments.

Applying the latest security updates restores proper protection checks and significantly reduces the risk of this bypass technique being exploited.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Security Bypass Issue Found in Windows Remote Assistance appeared first on First Hackers News.