Microsoft is set to enhance security for its Entra ID platform by blocking unauthorized script injections during user logins, with the update scheduled for late 2026. This initiative, part of the company’s Secure Future Initiative, will implement a stricter Content Security Policy for sign-ins at login.microsoftonline.com, permitting scripts solely from trusted Microsoft domains. The move aims to mitigate risks associated with cross-site scripting (XSS) attacks and prevent unauthorized code from executing during the authentication process. Importantly, this update will not affect external identity sign-ins. Microsoft has advised organizations to proactively test their sign-in flows and refrain from using browser extensions that inject scripts, recommending alternatives that do not alter the Entra login experience.
In parallel, a bipartisan legislative effort known as the AI Fraud Deterrence Act has been introduced by Representatives Ted Lieu (D-Calif.) and Neal Dunn (R-Md.). This bill seeks to impose harsher criminal penalties for fraudulent activities facilitated by artificial intelligence tools, such as convincing fake audio, video, or text communications. Under the proposed legislation, the fines for mail, wire, and bank fraud, as well as for money laundering, could reach between $1 million and $2 million. Moreover, utilizing AI in fraudulent impersonations of government officials may incur a maximum fine of $1 million and a prison sentence of up to three years. The lawmakers emphasized the need for stringent measures as AI technology increasingly aids scammers.
ASUS has responded to cybersecurity threats by rolling out firmware updates that address nine vulnerabilities within its AiCloud feature, which allows routers to function as personal cloud servers. Notably, one critical vulnerability, assigned a CVSS score of 9.2, pertains to an authentication bypass that can be triggered inadvertently through Samba functionality. This discovery raises concerns about the potential for unauthorized access to sensitive functions. The company’s advisory underscores the importance of updating affected devices to mitigate security risks.
In another notable development, OpenAI has severed ties with Mixpanel following a data breach that compromised the personal information of API users, affecting approximately 35,000 individuals. Mixpanel reported the breach to OpenAI on November 25, with the exposed data including names, email addresses, locations, system details, and account IDs. While regular ChatGPT users were not impacted, OpenAI has initiated a comprehensive security review of all its vendors and is actively notifying those affected. The company has stated that there is no evidence indicating that the breach extends beyond Mixpanel’s environment, reaffirming its commitment to transparency and robust security measures.
Three London councils (Royal Borough of Kensington and Chelsea, Westminster City Council, and the Borough of Hammersmith and Fulham) have been affected by an incident involving their shared IT services. Although details are still emerging, the councils have shut down certain IT systems as a precaution. It is currently premature to attribute the incident to a specific threat actor or to confirm data compromise.
Dartmouth College has also experienced a significant data breach linked to a campaign involving Oracle E-Business Suite, impacting over 35,000 individuals across multiple states. The breach reportedly occurred between August 9 and August 12, with unauthorized access resulting in the theft of sensitive information, including Social Security numbers and financial account data. College officials have commenced an investigation to assess the full extent of the breach.
Meanwhile, Microsoft is investigating a service outage affecting its Exchange Online platform, which has been blocking user access to Outlook mailboxes. Reports indicate that the outage began on Tuesday and has primarily impacted users in the Asia Pacific and North America regions attempting to connect via the classic Outlook desktop client. Microsoft has yet to disclose the number of users affected, but the disruption has caused server connection and login issues for many.
Further complicating matters for Windows users, Microsoft has issued a warning regarding recent changes affecting FIDO2 security keys. After installing updates released since the September 2025 preview update, users may be prompted to enter a PIN when signing in. This adjustment is in accordance with WebAuthn specifications, which dictate the handling of user verification requests for various authentication methods. Users are advised that they might need to create a PIN, even if it was not previously required during their initial device registration.
As the cybersecurity landscape evolves, organizations are reminded of the importance of staying vigilant against emerging threats and ensuring robust security protocols are in place.