LinkedIn Carousel - #CyberWeekly Week 21

Open Mail

An Outlook Web Access zero-day turns an opened email into a hijacked mailbox. Mitigations only — no permanent patch yet.

Outlook Web Access zero-day: read becomes run

Platform: evidence uploads + smarter integrations

ECP on the Cybersec Europe main stage

Microsoft 365 password-reset turned into a back door

Belgian patch week: nginx, Cisco, Palo Alto, Portainer

CCB ships a 'First Aid' incident playbook

Easy Cyber Protection

1/6

Open mail, open inbox: Outlook Web Access zero-day actively exploited (CVE-2026-42897)

Microsoft confirmed on May 14 that CVE-2026-42897 — a cross-site-scripting flaw in Outlook Web Access on on-premises Exchange Server 2016, 2019, and…

The attack: the attacker sends a specially crafted email. When a user opens it in Outlook Web Access in their browser, arbitrary JavaScript runs in the victim's authenticated session — read mailbox, change rules, exfiltrate, pivot
Affected: on-premises Exchange Server 2016, 2019, and the new Subscription Edition. Exchange Online (the Microsoft-hosted version) is NOT affected — only your own server
Mitigation today: if Exchange Emergency Mitigation Service is enabled, Microsoft has already pushed the automatic mitigation. If not, enable it now. Apply the May guidance update. Verify mitigation status — do not assume it is on

Centre for Cybersecurity Belgium advisory → https://ccb.belgium.be/advisories/warning-cross-site-scripting-microsoft-exchange-server-can-be-exploited-perform-spoofing

2/6

Platform Spotlight: evidence uploads ship end-to-end, integrations get bounded and tier-aware

Five things shipped that change how an MSP runs an engagement: a long-asked-for upload, a smarter integration data lifecycle, sharper endpoint cards,…

Evidence file upload, end-to-end (finally): evidence-artifact modal + wiki accepts: file placeholder both accept real uploads. Files persist as artifacts, ship in the .ecpbundle.zip auditor bundle, show a download link. Asked for by a partner May 18 — shipped same week
Integration retention: keep what matters, never touch what the auditor saw. Per (client, integration) we keep 1 snapshot per day for 7 days, 1 per week for 12 weeks, 1 per month for 12 months, and 1 per year forever. Anything already inside a .ecpbundle.zip is immune from rotation forever — the auditor keeps seeing exactly what was handed over. Sync cadence is your call: leave it on the daily auto-pull, dial it down, or switch to manual "Sync now" only
Endpoint-protection cards get smarter: a "View devices" shortcut on each connected card opens the synced inventory; "Covers N CyberFundamentals controls" rows are clickable + tier-gated (rows for tiers you have not activated grey out)

Try the live demo → https://easycyberprotection.com/demo

3/6

Easy Cyber Protection on the Cybersec Europe 2026 main stage — pitched, jury deliberating

On Tuesday May 20 at Brussels Expo, Easy Cyber Protection's pitch for the Cybersec Europe 2026 "Best Cybersecurity Innovation Europe" jury award was delivered…

Five minutes, one jury, one slide: the pitch distilled to "NIS2 audit-readiness, built the way managed service providers deliver IT" — graph-based controls (every control, entity and piece of evidence linked so auditors can ask graph questions), white-label CyberFundamentals guidance built in (so partners deliver compliance to clients under their own brand without prior expertise), and a local-first wiki + event-sourced architecture (every change digitally signed, end-to-end integrity)
The Belgian angle: CyberFundamentals is a Belgian framework, NIS2 transposition is led nationally by the Centre for Cybersecurity Belgium, and the audit-readiness gap is felt every week by Belgian SMBs. A Belgian-made product on the European innovation shortlist for a problem first felt at home
Whatever happens at 12:15: the pitch is delivered, the slide is out in the world. If the result lands after this issue ships, an extra edition follows. Otherwise the outcome will be in next week's issue

Cybersec Europe 2026 → https://www.cyberseceurope.com/

4/6

The Microsoft 365 self-service-password-reset campaign — the back door is the front door

Researchers flagged on May 19 an active campaign abusing Microsoft 365 / Entra ID self-service password reset and administrative tooling to take over mailboxes without ever phishing the user. Where the Outlook Web…

The technique: the attacker hits the public password-reset endpoint, satisfies whatever authenticators the tenant accepts (security questions, single text-message code, weak fallback), and resets the target's password. Then logs in. If there is no conditional-access policy enforcing multi-factor authentication on every sign-in, the session is theirs
Why it works: self-service password reset is a productivity feature most tenants enabled in 2020-2022 and never tightened. The default authentication mix is more permissive than IT remembers. Text-message fallback alone is enough to lose an account
What to check this week: in Entra ID admin centre → Password Reset → Authentication methods, drop text messages and security questions as a sole factor. Require two strong methods. Add a conditional-access policy requiring phishing-resistant multi-factor authentication on every sign-in (not just on risky ones). Audit the password-reset log for resets you do not recognise

Entra ID admin centre → https://entra.microsoft.com/

5/6

Belgian patch week: a critical advisory every working day

Between May 18 and May 20 the Centre for Cybersecurity Belgium published seven critical advisories on enterprise software that a lot of Belgian SMBs and their managed service providers sit downstream of. The cluster is…

May 18 wave: Microsoft Exchange Server Outlook Web Access cross-site scripting (covered above), nginx multiple vulnerabilities → remote code execution + rate-limit bypass (active exploitation observed), Palo Alto PAN-OS authentication bypass / remote code execution / denial of service, Cisco Catalyst SD-WAN authentication bypass granting administrative access
May 20 wave: Portainer critical → full host takeover (the container-management plane many managed service providers run for clients), multi-version PostgreSQL fixes and PostgreSQL 14 end-of-life announcement, PgBouncer integer overflow
Parallel reports (same week, not from the Centre for Cybersecurity Belgium): SonicWall Generation 6 SSL virtual-private-network multi-factor-authentication bypass via credential brute-forcing followed by ransomware-tool deployment — anyone with a Generation 6 SonicWall edge box should patch and rotate now

Centre for Cybersecurity Belgium advisories → https://ccb.belgium.be/advisories

6/6

CCB ships a 'First Aid' incident playbook — what every NIS2-scope org needs in place before the call

On Sunday May 18, the Centre for Cybersecurity Belgium published "First Aid in the event of a cyber incident" (EN / NL / FR / DE). It is a concise operational checklist of what an organisation must have ready before an…

Before the call: 24/7 monitoring (in-house or external), endpoint protection everywhere, centralised logging retained at least 90 days, multi-factor authentication for everyone (admins and remote workers first), network segmentation, immutable backups with tested restores, an alternative communication channel independent of corporate email, break-glass admin accounts, and an offline paper-based playbook with contacts and procedures
First 24 hours: activate the incident-response plan, switch to the alternative comms channel (Signal / Threema / SMS — assume corporate mail is compromised), preserve evidence, contain (do not power off — disconnect), notify the Centre for Cybersecurity Belgium and where applicable the Data Protection Authority within the NIS2 24-hour early-warning window, start the incident log
By 72 hours: NIS2 incident notification with severity + scope + initial assessment, customer / partner / supplier comms, vendor coordination, evidence preservation continued
One month later: final report to the Centre for Cybersecurity Belgium with root cause + actions taken, lessons-learned session, controls hardened

CCB First Aid brochure → https://ccb.belgium.be/news/first-aid-event-cyber-incident