THE CXO BRIEF
What 5,000+ IT Leaders Are Thinking This Week
December 12, 2025
Microsoft wants 16% more. Hacktivists are hitting water systems with default passwords. And ransomware gangs figured out your EDR doesn't see the hypervisor. Happy Friday.
📰 THREE STORIES THAT MATTER
1. Microsoft 365 Prices Jump 16% in July 2026
Microsoft announced price increases across its commercial Microsoft 365 and Office 365 suites, effective July 1, 2026. E3 goes from $36 to $39 per user per month. E5 jumps from $57 to $60. Small business tiers get hit hardest — Business Basic rises 33% from $6 to $8.
To justify the hike, Microsoft is bundling Copilot Chat across Office apps, adding Defender for Office P1 to E3, and including Intune features in E3 and E5. The question isn't whether you'll pay more — it's whether the bundled features actually reduce your spend elsewhere. Source: Microsoft Blog
🔐 CISO Take: The Defender for Office P1 addition to E3 is real value if you're currently paying for it separately. Pull your current email security spend and calculate the net impact before your next renewal conversation.
💻 CIO Take: You have seven months to model this. If your EA renewal falls before July, lock in current rates. If it falls after, run the math on whether the bundled Intune features let you cut other tools.
⚙️ CTO Take: Copilot Chat is now included, but full Copilot still costs $30/user/month extra. Don't let "free AI features" distract from whether your teams would actually use them. Audit current Copilot adoption before assuming value.
📡 Network signal: 17% of accepted meetings this quarter were triggered by replacement or renewal concerns. Microsoft just gave that number room to grow.
The bottom line: Budget for 8-16% more. Model whether bundled features offset the hit.
2. CISA Warns: Pro-Russia Hacktivists Targeting US Critical Infrastructure
A 26-agency coalition led by CISA, FBI, and NSA issued a joint advisory on December 9. Four pro-Russia hacktivist groups are actively targeting US water, energy, and food/agriculture systems. The groups — Cyber Army of Russia Reborn, NoName057(16), Z-Pentest, and Sector16 — are exploiting unsecured VNC connections to access OT and ICS systems.
These aren't sophisticated attacks. They're using default passwords and internet-exposed management interfaces. But "unsophisticated" doesn't mean harmless — the advisory notes they've caused "physical damage" to systems. The DOJ also indicted a Ukrainian national linked to the campaigns. Source: CISA Advisory AA25-343A
🔐 CISO Take: If you have any OT environment, this is a "check it today" situation. Run a scan for internet-exposed VNC, RDP, and HMI interfaces. If you find any, assume they've already been probed.
💻 CIO Take: This is a governance gap, not just a security gap. Many OT systems sit outside normal IT oversight. Confirm who owns your OT asset inventory and whether it's actually current.
⚙️ CTO Take: Network segmentation between IT and OT is the control that matters here. If an attacker can pivot from a compromised endpoint to your HMI, you have an architecture problem. Validate your segmentation this week.
📡 Network signal: One network member this week: "Our AD environments are not well secured/managed, and are a potential attack vector." Default passwords aren't just a CISA warning — they're in your environment too.
The bottom line: Internet-exposed OT is being actively targeted. Find yours before they do.
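An added example, not part of the original brief or the CISA advisory: a Python check for hosts in your own asset inventory that performs only the RFB (VNC) version and security-type exchange and flags any server offering security type 1 (None, no authentication). The function names, the port 5900 default and the inventory entry are assumptions; no login is attempted.

```python
import socket
import struct

# RFB security-type codes defined in RFC 6143
SEC_NAMES = {1: "None (no authentication)", 2: "VNC Authentication"}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during RFB handshake")
        buf += chunk
    return buf

def offered_security_types(sock):
    """Run the RFB version exchange and return the security types the server offers."""
    banner = _recv_exact(sock, 12)                 # e.g. b"RFB 003.008\n"
    if not banner.startswith(b"RFB ") or banner[11:12] != b"\n":
        raise ValueError("not an RFB (VNC) service")
    major, minor = int(banner[4:7]), int(banner[8:11])
    if (major, minor) >= (3, 7):
        sock.sendall(b"RFB 003.007\n" if minor == 7 else b"RFB 003.008\n")
        count = _recv_exact(sock, 1)[0]            # 3.7+: count byte, then the list
        return list(_recv_exact(sock, count)) if count else []
    sock.sendall(b"RFB 003.003\n")
    (sec,) = struct.unpack(">I", _recv_exact(sock, 4))   # 3.3: server picks one type
    return [sec] if sec else []

def audit_host(host, port=5900, timeout=3.0):
    """Return a one-line finding for one host from your own inventory."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            types = offered_security_types(s)
    except (OSError, ValueError) as exc:
        return f"{host}:{port} not reachable as VNC ({exc.__class__.__name__})"
    if not types:
        return f"{host}:{port} VNC reachable, server refused the handshake"
    if 1 in types:
        return f"{host}:{port} EXPOSED: VNC accepts connections with no authentication"
    names = ", ".join(SEC_NAMES.get(t, f"type {t}") for t in types)
    return f"{host}:{port} VNC reachable, authentication required ({names})"

if __name__ == "__main__":
    for host in ["127.0.0.1"]:    # placeholder: replace with your own OT/HMI inventory
        print(audit_host(host))
```

Run it from outside the perimeter against your public address space to see what the internet sees; a host that answers at all still belongs behind a VPN or jump host.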
3. Ransomware Attacks on Hypervisors Surge 700%
Security firm Huntress reported that ransomware attacks targeting hypervisors jumped from 3% of incidents in H1 2025 to 25% in H2 — a 700% increase. The Akira ransomware group is the primary driver, but the tactic is spreading. Attackers are bypassing endpoint detection entirely by hitting VMware ESXi and Hyper-V directly.
The playbook is familiar: compromise credentials, pivot to the hypervisor management interface, encrypt every VM at once. In some cases, attackers are using built-in tools like OpenSSL to encrypt VM volumes without deploying custom malware. Your EDR doesn't see it because it's not running on the hypervisor. Source: Huntress
🔐 CISO Take: Hypervisors are now high-value targets that need dedicated controls. Enable MFA on all ESXi and vCenter access. Stop using domain admin accounts for hypervisor management — create dedicated local accounts instead.
💻 CIO Take: Your backup strategy just got tested. If attackers encrypt the hypervisor, can you recover? Verify your backups are immutable and isolated from Active Directory. Test a full VM restore this quarter.
⚙️ CTO Take: Enable execInstalledOnly on ESXi hosts to block unsigned code execution. Disable SSH when not in use. If your hypervisor management interface is on the same VLAN as production, fix that immediately.
📡 Network signal: VMware/Broadcom pricing is pushing leaders to evaluate alternatives. Meanwhile, that same hypervisor infrastructure just became a 700% bigger target. Cost pressure meets security exposure.
The bottom line: EDR is blind to hypervisor attacks. Lock down management access now.
🎯 THREE THINGS TO DO THIS WEEK
1. Run a scan for internet-exposed OT interfaces. VNC, RDP, HMIs — anything that shouldn't be public-facing. The CISA advisory makes this urgent.
2. Pull your M365 renewal date and current Defender/Intune spend. You need the math before Microsoft's July price hike hits.
3. Audit hypervisor management access. Who has admin credentials? Are they domain accounts? Is MFA enabled? One compromised account = every VM encrypted.
📊 FROM THE NETWORK
This week's theme: budget pressure meets security debt.
Nearly 1 in 5 accepted meetings this quarter (17%) were triggered by replacement or renewal concerns — VMware/Broadcom, Microsoft licensing, tool consolidation. But while leaders are modeling costs, the infrastructure they're trying to budget for is under attack.
"Currently our various AD environments are not well secured/managed, and are a potential attack vector — more concerned about Entra than we are about on-prem." — VP of IT and Security, Finance Company
That's the tension. The same credentials that unlock your hypervisor console are sitting in environments leaders admit aren't "well secured."
JOIN THE NETWORK
The quotes and stats above come from DoGood's network of 5,000+ IT leaders who share what they're working on, what's broken, and what they're buying.

