#CyberWeekly
Open mail, open inbox: Outlook Web Access zero-day actively exploited (CVE-2026-42897)
Microsoft confirmed on May 14 that CVE-2026-42897 — a cross-site-scripting flaw in Outlook Web Access on on-premises Exchange Server 2016, 2019, and Subscription Edition — is under active exploitation. The US Cybersecurity and Infrastructure Security Agency added it to its Known Exploited Vulnerabilities catalogue on May 15. The Centre for Cybersecurity Belgium issued its national advisory on May 18. As of this issue there is no permanent patch — Microsoft has released automatic mitigations and interim guidance only.
- The attack: the attacker sends a specially crafted email. When a user opens it in Outlook Web Access in their browser, arbitrary JavaScript runs in the victim's authenticated session — read mailbox, change rules, exfiltrate, pivot
- Affected: on-premises Exchange Server 2016, 2019, and the new Subscription Edition. Exchange Online (the Microsoft-hosted version) is NOT affected — only your own server
- Mitigation today: if Exchange Emergency Mitigation Service is enabled, Microsoft has already pushed the automatic mitigation. If not, enable it now. Apply the May guidance update. Verify mitigation status — do not assume it is on
- SMB angle: Belgian SMBs still running on-premises Exchange (typically a 2019 box in a hybrid setup with Microsoft 365) are exactly the affected population. Fully on Exchange Online — relax
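A verification pass for the "do not assume it is on" step, as an added example that is not from the original article or from Microsoft. It runs in the Exchange Management Shell (Windows PowerShell 5.1) on an on-premises Exchange 2016/2019/SE server; the cmdlets, property names, service name and endpoint are the documented Exchange Emergency Mitigation Service ones, while the warnings and what counts as a bad state are this example's assumptions.

```powershell
# Added example, not the article's or Microsoft's code. Run in the Exchange Management Shell.
# Cmdlets, properties (Mitigations*), the MSExchangeMitigation service and the
# officeclient.microsoft.com endpoint are the documented EEMS ones; the checks are assumptions.

# 1. Org-wide switch. If this is $false, EEMS is off for every server regardless of server settings.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "EEMS is disabled at organisation level. Enable with: Set-OrganizationConfig -MitigationsEnabled `$true"
}

# 2. Per-server view: MitigationsEnabled is the server opt-in, MitigationsApplied lists the
#    mitigation IDs EEMS has applied, MitigationsBlocked lists IDs an admin explicitly blocked.
$servers = Get-ExchangeServer | Where-Object { "$($_.ServerRole)" -notlike '*Edge*' }
$servers | Format-Table Name, AdminDisplayVersion, MitigationsEnabled, MitigationsApplied, MitigationsBlocked -AutoSize

foreach ($srv in $servers) {
    # 3. The service that fetches and applies mitigations has to be present and running.
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        Write-Warning "$($srv.Name): MSExchangeMitigation is not running (or not installed: CU predates EEMS)."
    }
    # 4. A server that opted out, or one with nothing applied while a live mitigation is out,
    #    has not received the mitigation: investigate rather than assume.
    if (-not $srv.MitigationsEnabled) {
        Write-Warning "$($srv.Name): MitigationsEnabled is false. Fix: Set-ExchangeServer -Identity $($srv.Name) -MitigationsEnabled `$true"
    }
    if (-not $srv.MitigationsApplied) {
        Write-Warning "$($srv.Name): no mitigations applied. Check %ExchangeInstallPath%Logging\MitigationService and step 5."
    }
}

# 5. EEMS pulls mitigation definitions from officeclient.microsoft.com over TCP 443. A firewall that
#    blocks this leaves every server unprotected while the service still reports 'Running'.
Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 | Select-Object ComputerName, TcpTestSucceeded
```

Run it on every server, not just one: the org-wide flag is shared, but MitigationsEnabled, the service state and outbound reachability are per server, and a single box that opted out years ago is the one that stays exposed.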
The cleanest answer remains the slow one: get off on-premises Exchange. In the meantime, the audit-readiness baseline already asks for the controls that contain the blast radius — multi-factor authentication, conditional access, alerting on suspicious Outlook Web Access sessions. See our email security guide.
Platform Spotlight: evidence uploads ship end-to-end, integrations get bounded and tier-aware
Five things shipped that change how an MSP runs an engagement: a long-asked-for upload, a smarter integration data lifecycle, sharper endpoint cards, friendlier CSV imports, and a hardened Checkpoint adapter.
- Evidence file upload, end-to-end (finally): evidence-artifact modal + wiki `accepts: file` placeholder both accept real uploads. Files persist as artifacts, ship in the `.ecpbundle.zip` auditor bundle, show a download link. Asked for by a partner May 18 — shipped same week
- Integration retention: keep what matters, never touch what the auditor saw. Per (client, integration) we keep 1 snapshot per day for 7 days, 1 per week for 12 weeks, 1 per month for 12 months, and 1 per year forever. Anything already inside a `.ecpbundle.zip` is immune from rotation forever; the auditor keeps seeing exactly what was handed over. Sync cadence is your call: leave it on the daily auto-pull, dial it down, or switch to manual "Sync now" only
- Endpoint-protection cards get smarter: a "View devices" shortcut on each connected card opens the synced inventory; "Covers N CyberFundamentals controls" rows are clickable + tier-gated (rows for tiers you have not activated grey out)
- CSV import per-column roles: tag each column Name / ID / Data / Skip. Multiple Name columns become a composite display; multiple ID columns a composite deduplication key. Asset-tag-driven inventories (unstable names, stable serials) finally round-trip cleanly
- Checkpoint adapter rewritten against the official specification: two wrong fixes from guessing, then we read the OpenAPI specification. Result: paginated device list, both required authentication tokens on every data call, actionable error on stray-newline API-key descriptions. Live-verified end-to-end against a real Checkpoint tenant
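The integration-retention item above describes a grandfather-father-son schedule with one extra rule (anything inside an exported bundle is never rotated). What follows is an added reference implementation of that schedule, written for this issue; it is not Easy Cyber Protection's code. The snapshot objects, the bundle "manifest", the clock and the function names are constructed for the example. It goes one step beyond the description by failing closed when the manifest cannot be read.

```powershell
# Added example, not Easy Cyber Protection's code: reference implementation of the retention
# schedule (1/day x 7 days, 1/week x 12 weeks, 1/month x 12 months, 1/year forever) where every
# snapshot referenced by an exported .ecpbundle.zip is pinned permanently. All data is constructed.

function Select-SnapshotsToKeep {
    param(
        [Parameter(Mandatory)] [object[]] $Snapshots,   # objects with .Id and .Taken (UTC [datetime])
        [Parameter(Mandatory)] [datetime] $Now,
        [string[]] $Pinned = @()                        # IDs referenced by any exported bundle
    )
    $keep = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($id in $Pinned) { [void]$keep.Add($id) }   # bundled snapshots are never rotated

    $cal = [System.Globalization.CultureInfo]::InvariantCulture.Calendar
    # Each tier keeps the newest snapshot per calendar bucket inside its window. Buckets are calendar
    # periods rather than "N days ago", so a snapshot never changes bucket between runs.
    $tiers = @(
        @{ Since = $Now.AddDays(-7);      Key = { param($d) $d.ToString('yyyy-MM-dd') } },
        @{ Since = $Now.AddDays(-7 * 12); Key = { param($d) '{0}-W{1:d2}' -f $d.Year, $cal.GetWeekOfYear($d, 'FirstFourDayWeek', 'Monday') } },
        @{ Since = $Now.AddMonths(-12);   Key = { param($d) $d.ToString('yyyy-MM') } },
        @{ Since = [datetime]::MinValue;  Key = { param($d) $d.ToString('yyyy') } }
    )
    foreach ($tier in $tiers) {
        $Snapshots |
            Where-Object { $_.Taken -ge $tier.Since -and $_.Taken -le $Now } |
            Group-Object -Property { & $tier.Key $_.Taken } |
            ForEach-Object {
                $newest = $_.Group | Sort-Object Taken -Descending | Select-Object -First 1
                [void]$keep.Add($newest.Id)
            }
    }
    return @($keep)
}

function Invoke-SnapshotRotation {
    param(
        [Parameter(Mandatory)] [object[]] $Snapshots,
        [Parameter(Mandatory)] [datetime] $Now,
        [string[]] $Pinned
    )
    # Fail closed: the delete list is "everything not kept", so a manifest that could not be read
    # ($null, as opposed to a genuinely empty list) must abort rather than quietly delete evidence.
    if ($null -eq $Pinned) { throw 'Bundle manifest unreadable; refusing to rotate.' }
    $keep = Select-SnapshotsToKeep -Snapshots $Snapshots -Now $Now -Pinned $Pinned
    $Snapshots | Where-Object { $_.Id -notin $keep }     # these are the snapshots to delete
}

# --- Constructed scenario: one (client, integration) synced daily for 400 days ------------------
$now = [datetime]::new(2026, 5, 22, 6, 0, 0, [System.DateTimeKind]::Utc)
$snapshots = 0..399 | ForEach-Object {
    [pscustomobject]@{ Id = 'snap-{0:d4}' -f $_; Taken = $now.AddDays(-$_) }
}
$bundleManifest = @{ Snapshots = @('snap-0200') }   # constructed: a bundle exported 200 days ago

$delete = @(Invoke-SnapshotRotation -Snapshots $snapshots -Now $now -Pinned $bundleManifest.Snapshots)
$kept   = @($snapshots | Where-Object { $_.Id -notin $delete.Id })
'{0} snapshots, {1} kept, {2} rotated out' -f $snapshots.Count, $kept.Count, $delete.Count
$kept | Sort-Object Taken -Descending | Select-Object Id, Taken | Format-Table -AutoSize
'snap-0200' -in $kept.Id   # True: not a daily, weekly or monthly representative, kept only by the bundle pin
```

The design point is the last line: retention and evidence integrity are separate rules, and the evidence rule wins. Keying buckets by calendar period rather than by age also means two runs an hour apart select the same survivors, which is what makes the rotation auditable.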
The throughline: the audit deliverable an MSP exports today (.ecpbundle.zip) is treated as permanent — nothing rotates it away. Everything else trims itself. See audit-preparation for how this fits the engagement.
Easy Cyber Protection on the Cybersec Europe 2026 main stage — pitched, jury deliberating
On Wednesday May 20 at Brussels Expo, Easy Cyber Protection's pitch for the Cybersec Europe 2026 "Best Cybersecurity Innovation Europe" jury award was delivered on the main stage. The award ceremony is on Thursday May 21 at 12:15; depending on when you read this, the result may already be in. The shortlist itself is independent jury validation that a managed-service-provider-first compliance engine is a category worth recognising.
- Five minutes, one jury, one slide: the pitch distilled to "NIS2 audit-readiness, built the way managed service providers deliver IT" — graph-based controls (every control, entity and piece of evidence linked so auditors can ask graph questions), white-label CyberFundamentals guidance built in (so partners deliver compliance to clients under their own brand without prior expertise), and a local-first wiki + event-sourced architecture (every change digitally signed, end-to-end integrity)
- The Belgian angle: CyberFundamentals is a Belgian framework, NIS2 transposition is led nationally by the Centre for Cybersecurity Belgium, and the audit-readiness gap is felt every week by Belgian SMBs. A Belgian-made product on the European innovation shortlist for a problem first felt at home
- Whatever happens at 12:15: the pitch is delivered, the slide is out in the world. If the result lands after this issue ships, an extra edition follows. Otherwise the outcome will be in next week's issue
If you were on the show floor on May 20-21 and we did not run into each other — let's fix that. Reach out via /contact.
The Microsoft 365 self-service-password-reset campaign — the back door is the front door
Researchers flagged on May 19 an active campaign abusing Microsoft 365 / Entra ID self-service password reset and administrative tooling to take over mailboxes without ever phishing the user. Where the Outlook Web Access bug requires a victim to open an email, this one requires only a tenant where self-service password reset is loose.
- The technique: the attacker hits the public password-reset endpoint, satisfies whatever authenticators the tenant accepts (security questions, single text-message code, weak fallback), and resets the target's password. Then logs in. If there is no conditional-access policy enforcing multi-factor authentication on every sign-in, the session is theirs
- Why it works: self-service password reset is a productivity feature most tenants enabled in 2020-2022 and never tightened. The default authentication mix is more permissive than IT remembers. Text-message fallback alone is enough to lose an account
- What to check this week: in Entra ID admin centre → Password Reset → Authentication methods, drop text messages and security questions as a sole factor. Require two strong methods. Add a conditional-access policy requiring phishing-resistant multi-factor authentication on every sign-in (not just on risky ones). Audit the password-reset log for resets you do not recognise
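The three checks above, as an added tenant-audit script that is not from the original article or from Microsoft. It uses the Microsoft Graph PowerShell SDK; the cmdlet names and property paths are the SDK's, while the audit-log activity string, the built-in "Phishing-resistant MFA" strength ID and the 14-day window are assumptions to confirm in your own tenant (Get-MgPolicyAuthenticationStrengthPolicy lists the strength IDs). The SSPR-specific settings (number of methods required, security questions) are still portal-only and are not covered by the script.

```powershell
# Added example, not the article's or Microsoft's code. Requires the Microsoft.Graph modules.
# Assumptions marked inline; everything else is the SDK's documented surface.
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All'

# 1. Tenant-wide authentication methods. SMS/voice enabled here means they are available as reset
#    factors; the "number of methods required" and security-question settings are checked in the
#    portal (Entra ID > Password reset > Authentication methods), not via Graph.
$methods = (Get-MgPolicyAuthenticationMethodPolicy).AuthenticationMethodConfigurations
$methods | Select-Object Id, State | Format-Table -AutoSize
$weak = $methods | Where-Object { $_.Id -in 'Sms', 'Voice' -and $_.State -eq 'enabled' }
if ($weak) { Write-Warning ('Weak methods enabled tenant-wide: ' + ($weak.Id -join ', ')) }

# 2. An enabled Conditional Access policy for all users and all apps that grants only with the
#    built-in "Phishing-resistant MFA" strength. Report-only policies show a different State and
#    are deliberately not counted.
$phishingResistantId = '00000000-0000-0000-0000-000000000004'   # built-in strength ID (assumption: verify)
$policies = Get-MgIdentityConditionalAccessPolicy -All
$covering = $policies | Where-Object {
    $_.State -eq 'enabled' -and
    'All' -in $_.Conditions.Users.IncludeUsers -and
    'All' -in $_.Conditions.Applications.IncludeApplications -and
    $_.GrantControls.AuthenticationStrength.Id -eq $phishingResistantId
}
if (-not $covering) {
    Write-Warning 'No enabled all-users/all-apps policy requires phishing-resistant MFA on every sign-in.'
} else {
    'Covered by: ' + ($covering.DisplayName -join ', ')
}

# 3. Self-service resets in the last 14 days: every row is a reset to confirm with the user.
#    Activity string is an assumption; compare with what your tenant logs for a known test reset.
$since = (Get-Date).ToUniversalTime().AddDays(-14).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Reset password (self-service)' and activityDateTime ge $since" |
    ForEach-Object {
        [pscustomobject]@{
            When    = $_.ActivityDateTime
            Target  = ($_.TargetResources | Select-Object -First 1).UserPrincipalName
            Result  = $_.Result
            Service = $_.LoggedByService
        }
    } | Sort-Object When -Descending | Format-Table -AutoSize
```

Step 2 is the one that closes the hole described above: a reset that succeeds through a weak factor still ends in a sign-in, and a phishing-resistant requirement at sign-in is what stops the attacker from using the password they just set. Run step 3 before and after tightening the methods, since a reset in the log whose target does not recognise it is the earliest signal this campaign leaves.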
Tenant security is the unsexy back-office work auditors and underwriters now both ask about — see our multi-factor authentication basics and password guides for the user-facing version of the same control set.
Belgian patch week: a critical advisory every working day
Between May 18 and May 20 the Centre for Cybersecurity Belgium published seven critical advisories on enterprise software that a lot of Belgian SMBs and their managed service providers sit downstream of. The cluster is unusual; the headline is: patch fast, then schedule the rest.
- May 18 wave: Microsoft Exchange Server Outlook Web Access cross-site scripting (covered above), nginx multiple vulnerabilities → remote code execution + rate-limit bypass (active exploitation observed), Palo Alto PAN-OS authentication bypass / remote code execution / denial of service, Cisco Catalyst SD-WAN authentication bypass granting administrative access
- May 20 wave: Portainer critical → full host takeover (the container-management plane many managed service providers run for clients), multi-version PostgreSQL fixes and PostgreSQL 14 end-of-life announcement, PgBouncer integer overflow
- Parallel reports (same week, not from the Centre for Cybersecurity Belgium): SonicWall Generation 6 SSL virtual-private-network multi-factor-authentication bypass via credential brute-forcing followed by ransomware-tool deployment — anyone with a Generation 6 SonicWall edge box should patch and rotate now
Nothing here is a one-off. Patch management is the discipline that turns this rhythm into a calendar instead of a fire drill — see our patch-management guide.
CCB ships a 'First Aid' incident playbook — what every NIS2-scope org needs in place before the call
On Monday May 18, the Centre for Cybersecurity Belgium published "First Aid in the event of a cyber incident" (EN / NL / FR / DE). It is a concise operational checklist of what an organisation must have ready before an incident, what to do in the first 24 hours, what to do by 72 hours, and what the one-month follow-up looks like. It maps almost one-to-one onto the NIS2 notification obligations and what an auditor expects to see.
- Before the call: 24/7 monitoring (in-house or external), endpoint protection everywhere, centralised logging retained at least 90 days, multi-factor authentication for everyone (admins and remote workers first), network segmentation, immutable backups with tested restores, an alternative communication channel independent of corporate email, break-glass admin accounts, and an offline paper-based playbook with contacts and procedures
- First 24 hours: activate the incident-response plan, switch to the alternative comms channel (Signal / Threema / SMS; assume corporate mail is compromised), preserve evidence, contain (do not power off; disconnect from the network), send the NIS2 24-hour early warning to the Centre for Cybersecurity Belgium (a personal-data breach is additionally notified to the Data Protection Authority on the GDPR's separate 72-hour clock), start the incident log
- By 72 hours: NIS2 incident notification with severity + scope + initial assessment, customer / partner / supplier comms, vendor coordination, evidence preservation continued
- One month later: final report to the Centre for Cybersecurity Belgium with root cause + actions taken, lessons-learned session, controls hardened
- MSP angle: the two items most often assembled mid-crisis, and which should be set up today for every ESSENTIAL-tier client, are a confirmed alternative communication channel and a written Centre for Cybersecurity Belgium notification contact. We are folding both into the Incident Response procedure template this week
The brochure aligns explicitly with the CyberFundamentals framework and Safeonweb@work — the same controls audit-readiness already asks for, now repackaged as a one-shot operational doc you can hand to a client. See audit preparation for how it folds into the engagement.