Microsoft 365 Copilot Is Auto-Installing on Your Managed Windows Fleet — Starting Today

The news: Microsoft's phased rollout of automatic Microsoft 365 Copilot installation started June 8, targeting every Windows device outside the EEA that already has three or more Microsoft 365 apps installed. The staging opt-out window closed May 15; production is live now.

Why it matters: An AI assistant with access to your Microsoft 365 environment appearing on endpoints creates three immediate risks: data exfiltration through unintentional prompt disclosure, compliance exposure if regulated data flows through Copilot without visibility, and shadow-AI documentation gaps if staff use the app without IT tracking. CISOs who assumed the March pause meant they had more runway were wrong.

What to do: Open your Microsoft 365 Apps admin center or Group Policy editor today and confirm "Turn off automatic installation of Microsoft 365 Copilot" is active across your fleet, then identify which endpoints may have received the app before that block fired.

Cl0p Is Naming Names: 30+ Oracle EBS Organizations in Active Extortion Campaign

A Cl0p-affiliated threat actor has been exploiting CVE-2025-61882 (CVSS 9.8) in Oracle E-Business Suite since late 2025, and this week named 30 organizations on its extortion site: Broadcom, Humana, Bechtel, and Estée Lauder among them. The attack exfiltrates rather than encrypts, targeting financial, HR, and procurement data before demanding payment. Oracle EBS upgrade cycles in large enterprises typically run quarterly at best, and Cl0p appears to have run this operation silently for months before disclosure. If you run Oracle EBS in any capacity, including subsidiaries and recent acquisitions, confirm patch status against CVE-2025-61882 this week.

Two Procurement Intelligence Deals in 30 Days Signal the Negotiation Table Is Tilting

Vertice acquired Vendr on June 1, combining $75 billion in indirect spend data across 250,000 negotiated contracts — the second major procurement intelligence consolidation after Coupa acquired Rossum on May 12. The combined platform now runs 60 AI negotiation agents benchmarked against real-world pricing data that most enterprise renewal teams cannot match. Two deals in 30 days signal that the information asymmetry in software procurement is accelerating structurally: the sell side now knows what peers paid, while most buyers still negotiate from spreadsheets. Pull your software renewal calendar and check whether you have comparable market data before your next major negotiation.

Watch This

CISA added CVE-2022-0492, a Linux kernel cgroups privilege escalation, to its KEV catalog on June 2 with active exploitation confirmed — four years after the patch shipped. The flaw enables full container escape on Docker, Kubernetes, and LXC hosts running cgroups v1, and enterprise container infrastructure typically inherits kernel versions from base images that lag security releases by quarters, not weeks. If your orchestration layer still runs cgroups v1 hosts, this is the week to verify: a patched CVE in the release notes is not the same as a patched kernel in production.
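One way to build the list of hosts to verify, as an added example that is not part of the original newsletter: the script classifies a host's cgroup hierarchy from `/proc/mounts` and prints it next to the running kernel. The function names and the sample mount table are constructed for illustration; the script does not decide patch status, so the reported kernel still has to be compared against your distribution's advisory for CVE-2022-0492.

```shell
#!/bin/sh
# Added example: classify a host's cgroup hierarchy from /proc/mounts-format text.
# Field 3 of each line is the filesystem type: "cgroup" = v1, "cgroup2" = v2.

# Prints one of: v1, v2, hybrid (v1 controllers plus a cgroup2 mount), none.
classify_cgroup_mode() {
    awk '
        $3 == "cgroup"  { v1 = 1 }
        $3 == "cgroup2" { v2 = 1 }
        END {
            if (v1 && v2) print "hybrid"
            else if (v1)  print "v1"
            else if (v2)  print "v2"
            else          print "none"
        }'
}

# Prints the mount point of every v1 hierarchy, one per line.
list_v1_mounts() {
    awk '$3 == "cgroup" { print $2 }'
}

# Exit status 0 when any v1 hierarchy is present (v1 or hybrid), meaning the
# host belongs on the list whose running kernel gets checked against the advisory.
needs_kernel_review() {
    case "$(classify_cgroup_mode)" in
        v1|hybrid) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed sample input: a systemd "hybrid" layout (not captured from a real host).
sample_hybrid() {
    cat <<'EOF'
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/pids cgroup rw,nosuid,nodev,noexec,relatime,pids 0 0
EOF
}

# On a real host, report the running kernel (not the packaged one) and the mode.
if [ -r /proc/mounts ]; then
    printf '%s kernel=%s cgroup=%s\n' "$(uname -n)" "$(uname -r)" \
        "$(classify_cgroup_mode < /proc/mounts)"
fi
```

A hybrid host counts as exposed to v1 for this purpose, because its legacy controllers are still mounted alongside the unified hierarchy.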

This week, DoGood network members are auditing Copilot rollout exposure and pulling Oracle EBS patch status for subsidiaries and acquired entities. If you run IT or security at a $100M+ company, that is the work already on the table in your peer group.
