THE CXO BRIEF

What 5,000+ IT Leaders Are Thinking This Week

February 13, 2026

📖 4 min read

I've been tracking the Ivanti EPMM situation all week. The European Commission, the Dutch Data Protection Authority, Finland's government IT center. All breached through the MDM platform they relied on to enforce security. Meanwhile, the first malicious Outlook add-in was found in Microsoft's own store, and Apple disclosed a zero-day exploit chain discovered by Google's spyware hunters.

The thread: control planes are becoming attack planes. Your MDM, your email marketplace, your mobile OS — each one trusted by design, exploited by default.

📰 THREE STORIES THAT MATTER

1. Ivanti EPMM Zero-Days Trigger Mass Exploitation — Sleeper Webshells Found

Two critical vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281 and CVE-2026-1340, both CVSS 9.8) have gone from "limited exploitation" to a full-blown campaign. Shadowserver confirmed at least 92 compromised instances, and the exploitation traffic has come from 28,000+ distinct attacking IPs. The Dutch NCSC recommends all EPMM users assume compromise. Confirmed victims include the European Commission, the Dutch Data Protection Authority, and Finland's Valtori.

It gets worse: Defused Cyber found attackers planting dormant in-memory backdoors, "sleeper" webshells that sit in server RAM waiting for a trigger. Nothing touches disk, so file-based AV and integrity scans won't catch them, and applying the patch does not evict them. This is initial access broker tradecraft: establish a foothold now, sell the access later. Source: Cybersecurity Dive / GreyNoise

🔐 CISO Take: Assume compromise. Patching closes the entry point but leaves an in-memory implant running, so restart the application server processes (or the whole appliance) after patching. Run Ivanti's exploitation detection script, check DNS logs for callbacks to OAST services (interactsh, Burp Collaborator and similar out-of-band domains), and hunt web logs for requests to /mifs/403.jsp, including URL-encoded and path-parameter variants of it. A restart clears memory, not what the attacker did with the access: review EPMM admin accounts, newly enrolled devices and recently pushed configuration profiles as well.
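The two log hunts in that take (and in action item 1 below) are simple enough to script. The following is an added example written for this brief, not Ivanti's detection script or anything from the NCSC. It assumes an Apache/Tomcat-style combined access log and a "timestamp client qname" DNS query log; both formats and all sample lines are constructed for the demonstration, and the OAST suffix list is an assumption you should extend with whatever your own scanners and red team use. The path normalization (query string stripped, repeated URL-decoding, Tomcat ";jsessionid" path parameters removed) is there so that encoded variants of /mifs/403.jsp do not slip past a naive string match.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Indicator named in the Ivanti / NCSC guidance quoted above.
SUSPICIOUS_PATH = "/mifs/403.jsp"

# Callback domains of common out-of-band (OAST) services: interactsh defaults and
# Burp Collaborator. Assumed list; add the domains your own tooling uses.
OAST_SUFFIXES = (
    "oast.fun", "oast.me", "oast.pro", "oast.live", "oast.site", "oast.online",
    "oastify.com", "burpcollaborator.net",
)

# Assumed Apache/Tomcat "combined" access-log layout; adjust to the appliance's real format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumed DNS query-log layout: "<timestamp> <client-ip> <qname>".
DNS_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def normalize_path(raw):
    """Strip the query string, URL-decode until stable (catches double encoding),
    drop Tomcat path parameters (";jsessionid=...") and lowercase."""
    path = raw.split("?", 1)[0]
    while True:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.split(";", 1)[0].lower()


def hunt_access_log(lines):
    """Return (hits, per_ip): every request whose normalized path is /mifs/403.jsp,
    plus a Counter of requesting IPs so the noisiest sources surface first."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable line: log it in real use rather than silently dropping
        if normalize_path(m.group("path")) == SUSPICIOUS_PATH:
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "path", "status")})
    return hits, Counter(h["ip"] for h in hits)


def hunt_dns_log(lines):
    """Return query records whose name is, or falls under, a known OAST service domain."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        for suffix in OAST_SUFFIXES:
            if qname == suffix or qname.endswith("." + suffix):
                hits.append({"ts": m.group("ts"), "client": m.group("client"),
                             "qname": qname, "service": suffix})
                break
    return hits


# Constructed sample lines (not real EPMM telemetry) so the script runs offline.
SAMPLE_ACCESS = [
    '203.0.113.5 - - [10/Feb/2026:02:14:07 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5123',
    '198.51.100.77 - - [10/Feb/2026:02:14:09 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 311',
    '198.51.100.77 - - [10/Feb/2026:02:14:12 +0000] "GET /mifs/403%2Ejsp;jsessionid=ABC?cmd=id HTTP/1.1" 200 87',
    '203.0.113.5 - - [10/Feb/2026:02:15:00 +0000] "GET /mifs/c/d/android.html HTTP/1.1" 200 2048',
]
SAMPLE_DNS = [
    "2026-02-10T02:14:10Z 10.20.0.15 a1b2c3d4.oast.fun",
    "2026-02-10T02:14:11Z 10.20.0.15 time.apple.com",
    "2026-02-10T02:14:30Z 10.20.0.22 xyz.oastify.com.",
    "2026-02-10T02:16:00Z 10.20.0.15 ivanti.com",
]


def main():
    web_hits, per_ip = hunt_access_log(SAMPLE_ACCESS)
    for h in web_hits:
        print(f"[web] {h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print("[web] requests per source IP:", dict(per_ip))
    for h in hunt_dns_log(SAMPLE_DNS):
        print(f"[dns] {h['ts']} {h['client']} queried {h['qname']} ({h['service']})")


if __name__ == "__main__":
    main()
```

Run it against the appliance's exported web and DNS logs instead of the embedded samples; a request to /mifs/403.jsp from an IP that never hit the normal login page, or a DNS query from the EPMM host itself to an OAST domain, is what you are looking for. The script reports, it does not judge: an error page can also receive legitimate traffic, so every hit still needs a human look.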

💻 CIO Take: If your MDM is internet-facing, this is today's conversation with your CISO. Censys shows 3,700+ EPMM login interfaces exposed on the public internet. Ask: is ours one of them?

⚙️ CTO Take: Block AS200593 (PROSPERO) at the network edge, knowing that one ASN covers only a slice of 28,000+ source IPs. Verify your MDM management interface is segmented from production and not reachable from the internet. An MDM pushes profiles, certificates and apps to every enrolled device, so an attacker who owns EPMM owns device management for your entire fleet: that is a lateral movement platform, not one compromised server.

📡 Network signal: One in three network meetings this quarter involves a security vendor, up from one in four a year ago. Multiple members are evaluating MDR as overflow capacity for vulnerability volume they can't clear internally.

The bottom line: Patch and restart. Your MDM may already have a sleeper in memory.

2. First Malicious Outlook Add-In Found in Microsoft's Own Store

Researchers at Koi Security discovered the first known malicious Outlook add-in in the wild. An attacker hijacked the abandoned domain behind "AgreeTo," a defunct calendar add-in still listed in the Microsoft Office Add-in Store, and replaced its content with a phishing kit. Over 4,000 credentials stolen, plus credit card numbers and banking security answers.

The systemic flaw: Microsoft reviews add-in manifests once at submission but never re-verifies the content loaded from the developer's server. An Outlook add-in is a web page the client fetches from the SourceLocation URL in its manifest, so whoever controls that domain controls the code that runs with the add-in's permissions. App stores grant static trust; attackers exploit dynamic infrastructure: domains lapse, hosting changes, content rotates. The add-in retained ReadWriteItem permissions. A more sophisticated attacker could have silently read and modified every message a victim opened while the add-in was active. Source: BleepingComputer / Koi Security

🔐 CISO Take: Audit your tenant's installed Outlook add-ins this week. The Microsoft 365 Admin Center (Integrated apps) shows what you deployed centrally; add-ins users installed themselves from the Store only show up per mailbox, so enumerate those with Exchange Online PowerShell (Get-App -Mailbox) as well. Remove anything unmaintained and restrict user installation to an approved list.

💻 CIO Take: You manage which apps employees install on their laptops. Why aren't you managing which add-ins load inside their email? Add add-in governance to your M365 security review.

⚙️ CTO Take: Set up domain expiration monitoring for every third-party integration, starting with the hosts each add-in manifest loads code from. If a vendor's domain lapses or stops resolving, treat it as a security incident. Any add-in with ReadWriteItem scope you didn't approve is a credential theft vector.
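The audit in the CISO take and the domain monitoring in the CTO take can be one script. What follows is an added example written for this brief, not Microsoft's or Koi Security's code. It assumes the ExchangeOnlineManagement module, an account with Exchange admin rights, and a Windows host (Resolve-DnsName is Windows-only). It enumerates org-deployed add-ins (optionally every mailbox's user-installed ones), parses each manifest for its Permissions level and the hosts it loads code from, then flags ReadWriteItem or ReadWriteMailbox scope, hosts that no longer resolve, and registrations nearing expiry via the public rdap.org redirector. The registrable-domain guess (last two labels) is a deliberate simplification that is wrong for co.uk-style suffixes.

```powershell
# Added example: Outlook add-in audit with permission, DNS and domain-expiry checks.
# Not Microsoft's or Koi Security's code. Assumes: Install-Module ExchangeOnlineManagement,
# Exchange admin rights, Windows (for Resolve-DnsName), outbound HTTPS to rdap.org.
param(
    [switch]$IncludeUserInstalled,   # also walk every mailbox with Get-App -Mailbox (slow on big tenants)
    [int]$ExpiryWarningDays = 60
)

Connect-ExchangeOnline -ShowBanner:$false

function Get-AddinManifestInfo {
    param($App, [string]$Owner)
    $raw = $App.ManifestXml
    # Property type has varied between module versions: accept either a string or an XmlDocument.
    if ($raw -is [System.Xml.XmlDocument]) { $raw = $raw.OuterXml }
    [xml]$manifest = $raw
    # Office add-in manifests use a default namespace, so match on local-name() instead of prefixes.
    $permNode = $manifest.SelectSingleNode("//*[local-name()='Permissions']")
    $perm = if ($permNode) { $permNode.InnerText } else { 'unknown' }
    # SourceLocation is the page Outlook loads; bt:Url entries cover VersionOverrides resources.
    $urls = $manifest.SelectNodes("//*[local-name()='SourceLocation' or local-name()='Url']/@DefaultValue") |
        ForEach-Object { $_.Value }
    $hosts = @($urls | ForEach-Object { try { ([uri]$_).Host } catch { } } |
        Where-Object { $_ } | Sort-Object -Unique)
    [pscustomobject]@{
        Owner = $Owner; DisplayName = $App.DisplayName; AppId = $App.AppId
        Enabled = $App.Enabled; Provider = $App.ProviderName
        Permissions = $perm; Hosts = $hosts
    }
}

function Test-AddinHost {
    param([string]$HostName, [int]$WarnDays)
    $resolves = $true
    try { $null = Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop } catch { $resolves = $false }
    # Approximate the registrable domain as the last two labels (assumption; wrong for co.uk-style TLDs).
    $domain = ($HostName.Split('.') | Select-Object -Last 2) -join '.'
    $expires = $null
    try {
        $rdap = Invoke-RestMethod -Uri "https://rdap.org/domain/$domain" -ErrorAction Stop
        $ev = $rdap.events | Where-Object { $_.eventAction -eq 'expiration' } | Select-Object -First 1
        if ($ev) { $expires = [datetime]$ev.eventDate }
    } catch { }   # registry without RDAP, rate limit, or offline: leave Expires empty
    [pscustomobject]@{
        Host = $HostName; Resolves = $resolves; Domain = $domain; Expires = $expires
        Alert = (-not $resolves) -or ($expires -and $expires -lt (Get-Date).AddDays($WarnDays))
    }
}

# Centrally deployed add-ins first; user-installed Store add-ins only appear per mailbox.
$apps = @(Get-App -OrganizationApp | ForEach-Object { Get-AddinManifestInfo -App $_ -Owner 'organization' })
if ($IncludeUserInstalled) {
    $apps += @(Get-EXOMailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_.PrimarySmtpAddress
        Get-App -Mailbox $mbx | ForEach-Object { Get-AddinManifestInfo -App $_ -Owner $mbx }
    })
}

$report = foreach ($a in $apps) {
    $checks = @($a.Hosts | ForEach-Object { Test-AddinHost -HostName $_ -WarnDays $ExpiryWarningDays })
    [pscustomobject]@{
        Owner        = $a.Owner
        AddIn        = $a.DisplayName
        AppId        = $a.AppId
        Enabled      = $a.Enabled
        Permissions  = $a.Permissions
        HighPriv     = $a.Permissions -in 'ReadWriteItem', 'ReadWriteMailbox'
        Hosts        = ($a.Hosts -join ', ')
        DeadHosts    = (($checks | Where-Object { -not $_.Resolves }).Host -join ', ')
        SoonExpiring = (($checks | Where-Object { $_.Alert -and $_.Expires } |
                        ForEach-Object { "$($_.Domain) ($($_.Expires.ToString('yyyy-MM-dd')))" }) -join ', ')
    }
}

$report | Sort-Object HighPriv -Descending | Format-Table -AutoSize -Wrap
$report | Export-Csv -NoTypeInformation -Path .\outlook-addin-audit.csv
```

Anything with HighPriv true and a non-empty DeadHosts or SoonExpiring column is the AgreeTo pattern: privileged scope pointed at infrastructure nobody is tending. To enforce the "approved list" half of the CISO take, remove the My Custom Apps, My Marketplace Apps and My ReadWriteMailbox Apps roles from the default role assignment policy so users can only run add-ins you deployed centrally.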

📡 Network signal: One cybersecurity leader at an enterprise software company told us they have "generic accounts that are privileged" and need ways to vault them. It's the same identity exposure problem. Just inside the productivity stack.

The bottom line: Microsoft's add-in store grants trust once and never re-checks. Audit yours before someone else does.

3. Apple Discloses First Zero-Day of 2026 — Google's Spyware Hunters Found It

Apple patched CVE-2026-20700 yesterday, a memory corruption vulnerability in dyld, the dynamic link editor that loads every application on your iPhone. Apple confirmed it was "exploited in an extremely sophisticated attack against specific targeted individuals." Google's Threat Analysis Group discovered it, which typically means commercial spyware.

This wasn't a single flaw. Apple confirmed attackers chained three bugs: a WebKit flaw for initial execution, an ANGLE rendering bug for memory access, and the dyld vulnerability for arbitrary code execution. CISA added CVE-2026-20700 to the KEV catalog yesterday. Fix: update to iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3. Source: CyberScoop / Apple Security Updates

🔐 CISO Take: "Targeted individuals" means executives, board members, anyone with access to sensitive decisions. Push the iOS/macOS update to managed devices today. For BYOD, send a direct communication. Name the CVE, explain the risk.

💻 CIO Take: Can your MDM actually enforce this update? If you're running Ivanti EPMM (see Story 1), you may have a compounding problem: the tool you'd use to push the Apple patch may itself be compromised. Verify your MDM is clean first.

📡 Network signal: Three control planes hit in one week: MDM, email marketplace, mobile OS. If your patch distribution channel is part of your threat surface, your incident response model has a dependency loop it probably doesn't account for.

The bottom line: Push iOS 26.3 today — after verifying the MDM pushing it isn't compromised.

🎯 THREE THINGS TO DO THIS WEEK

  1. Patch and restart Ivanti EPMM — Patching alone doesn't clear in-memory implants. Restart application servers, run the exploitation detection script, and hunt for /mifs/403.jsp in your logs.

  2. Audit your Outlook add-ins — Open Microsoft 365 Admin Center. Enumerate every installed add-in. Remove anything abandoned. Restrict sideloading to an approved list. Time: 20 minutes.

  3. Push the Apple update to managed and BYOD devices — CVE-2026-20700 targets high-value individuals. Update to iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3. If your MDM is Ivanti, verify it's clean first.

📊 FROM THE NETWORK

This week's signal: security teams aren't just worried about vulnerability volume. They're changing how they buy.

One in three network meetings this quarter involves a security vendor, up from one in four a year ago. MDR evaluations, exposure management tools, and vulnerability triage platforms are all pulling forward into Q1.

"One pain point is that several of our network equipment vendors use outdated firmware, and when a zero-day is exposed in their software we often learn about it weeks later, leaving customer data routes at risk." — IT Director, Global Technology Company

That's the same pattern as Ivanti, in a member's own words: a vendor platform you depend on, with a disclosure lag you don't control. Written before this week's headlines. The leaders getting ahead aren't just patching faster. They're buying capacity to handle what their teams can't.

💬 YOUR TURN

How many Outlook add-ins are installed across your tenant? Reply. I'm betting most people don't know.

JOIN THE NETWORK

5,000+ senior IT leaders. Companies averaging $24B in revenue. Real buying-motion data. Not surveys, not analyst projections. The signal in this newsletter comes from operators sharing what they're actually purchasing, replacing, and escalating. If you're not inside this, you're reading about budget shifts after they happen. Every meeting is opt-in, pre-screened, and paid ($200-400). You control your calendar. Apply to Join →
