What to look out for today
- Microsoft 365/Teams disruption: incidents affecting access to files in Teams/Office for the web, plus problems setting up MFA / viewing sign-in history (My Sign-Ins).
- WordPress sites being actively compromised: a malware campaign affecting large numbers of WordPress sites, and active exploitation against a popular mapping plugin to create admin accounts.
- Developer software supply-chain attacks: malicious npm packages posing as legitimate tools and packages (including developer tooling themes) to steal credentials/secrets and spread further.
- Password manager account lockouts: reports of brute-force login attempts causing Dashlane users to be locked out.
Why this matters to smaller businesses
- Business disruption: if your team can’t open files or collaborate in Teams/Office, work stops and staff may fall back to riskier channels (personal email, WhatsApp, unapproved file shares).
- Increased scam risk during outages: attackers often piggyback on widely reported service issues with “support” calls and phishing emails.
- Your website is a front door: WordPress compromise can lead to customer malware exposure, SEO damage, data theft, and payment diversion if forms or redirects are tampered with.
- Suppliers and developer tooling can be a weak link: even if you’re not a software company, your IT provider, web agency, or in-house developer might be affected—leading to stolen credentials and wider compromise.
Warning signs
- Staff report Teams/Office files won’t open, repeated sign-in prompts, or inability to complete MFA setup.
- Sudden new WordPress admin users you don’t recognise, password reset emails you didn’t request, or unexpected plugin/theme changes.
- Website behaviour changes: unexpected pop-ups, redirects, new pages you didn’t publish, or unusual outbound traffic flagged by hosting.
- Developers/IT notice new npm packages added recently, odd post-install behaviours, unexpected prompts, or missing tokens/keys.
- Users receive password manager security alerts, “new device” login attempts, or get locked out unexpectedly.
How attackers may exploit the situation
- Outage-themed phishing: emails/texts/calls claiming to be Microsoft/your IT support asking for credentials, MFA codes, or to “re-authorise” access.
- Account takeover via stolen secrets: supply-chain malware on developer or IT machines can harvest passwords, API keys and session tokens, then pivot into Microsoft 365, hosting, payment services, or backups.
- Website takeover to monetise trust: attackers can create WordPress admin accounts, inject skimmers, alter bank details on invoices/pages, or redirect customers to fake “payment” pages.
- Credential stuffing / brute-force: attackers repeatedly try passwords against services like password managers; even when blocked, lockouts cause disruption and may trigger unsafe workarounds.
What to do today
- Send a 2-line staff note: “If you see Microsoft 365/Teams issues, don’t accept ‘support’ help via unsolicited calls/emails. Don’t share passwords or MFA codes. Report anything suspicious.”
- Agree a safe workaround for file sharing: specify approved channels only (e.g., SharePoint/OneDrive when available; if not, an agreed temporary secure method) and forbid personal email/file-sharing.
- WordPress quick checks: verify your admin user list, review recent admin creations, and confirm your web agency/host is monitoring for unauthorised changes.
- Developer/agency hygiene: ask anyone who deploys your website/apps to review recently added packages and ensure secrets/tokens are rotated if suspicious activity is suspected.
- Password manager safety: if users are locked out or see login attempts, ensure they use a unique master password and confirm MFA is enabled; log an incident with your IT provider rather than “trying random resets”.
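For the developer/agency hygiene check above, an added example (not taken from the sources behind this brief) of reviewing what changed between two versions of a project's package-lock.json. It flags new or changed packages that run install scripts, resolve from outside the public npm registry, or lack an integrity hash; the lockfile contents, package names and allow-list are constructed for illustration.

```javascript
// Works on parsed lockfiles (lockfileVersion 2/3, npm 7+), e.g. JSON.parse of
// the package-lock.json from the last known-good release and from today.
const REGISTRY = "https://registry.npmjs.org/";

// Package name from a lockfile key such as "node_modules/a/node_modules/@scope/b".
function packageName(path) {
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Flag entries that are new or changed since `previous`.
// `allowedInstallScripts` is this example's allow-list of reviewed packages.
function reviewLockfile(current, previous, allowedInstallScripts = []) {
  const before = (previous && previous.packages) || {};
  const findings = [];
  for (const [path, entry] of Object.entries(current.packages || {})) {
    if (path === "" || entry.link || entry.inBundle) continue; // root, workspace links, bundled deps
    const old = before[path];
    if (old && old.version === entry.version && old.integrity === entry.integrity) continue;
    const name = packageName(path);
    const reasons = [old ? "changed" : "new-package"];
    // hasInstallScript marks a preinstall/install/postinstall script that runs on `npm install`.
    if (entry.hasInstallScript && !allowedInstallScripts.includes(name)) reasons.push("install-script");
    if (!String(entry.resolved || "").startsWith(REGISTRY)) reasons.push("off-registry");
    if (!entry.integrity) reasons.push("no-integrity");
    findings.push({ name, version: entry.version, reasons });
  }
  return findings;
}

// Constructed sample data: every name, version, URL and hash below is made up.
const samplePrevious = { lockfileVersion: 3, packages: {
  "": { name: "shop-site", version: "1.0.0" },
  "node_modules/left-helper": { version: "2.1.0", resolved: REGISTRY + "left-helper/-/left-helper-2.1.0.tgz", integrity: "sha512-CONSTRUCTED-A" },
  "node_modules/native-build": { version: "4.0.1", resolved: REGISTRY + "native-build/-/native-build-4.0.1.tgz", integrity: "sha512-CONSTRUCTED-B", hasInstallScript: true },
} };
const sampleCurrent = { lockfileVersion: 3, packages: {
  "": { name: "shop-site", version: "1.0.0" },
  "node_modules/left-helper": { version: "2.1.0", resolved: REGISTRY + "left-helper/-/left-helper-2.1.0.tgz", integrity: "sha512-CONSTRUCTED-A" },
  "node_modules/native-build": { version: "4.0.2", resolved: REGISTRY + "native-build/-/native-build-4.0.2.tgz", integrity: "sha512-CONSTRUCTED-C", hasInstallScript: true },
  "node_modules/theme-pack": { version: "0.0.3", resolved: "https://example.invalid/theme-pack-0.0.3.tgz", hasInstallScript: true },
} };

for (const f of reviewLockfile(sampleCurrent, samplePrevious, ["native-build"])) {
  console.log(`${f.name}@${f.version}: ${f.reasons.join(", ")}`);
}
```

Anything reported with more than a "changed" or "new-package" reason is worth a human look before the next deploy.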
Ask your IT provider
- Are we seeing Microsoft 365 service advisories affecting our tenant, and what’s our approved business continuity process for collaboration and file sharing?
- Do we have conditional access / risky sign-in monitoring in place, and are alerts being watched today given the MFA/My Sign-Ins issues?
- For our website: who reviews new WordPress admin accounts and plugin changes, and what is our restore plan if the site is compromised?
- Do our developers/agency follow a dependency approval process (e.g., package allow-lists, code review, build isolation) to reduce npm supply-chain risk?
- Are we prepared for password manager lockouts (break-glass accounts, documented recovery steps) without staff storing passwords in documents?
Patch watch
There are reports of active exploitation against a WordPress plugin used for maps and warnings about exploitation of a recently patched Windows Netlogon issue. If you run WordPress or manage Windows servers, treat this as a prompt to confirm your maintenance is current and that exposed systems are not left behind—focus on your real-world exposure (public-facing sites and remote access paths) rather than rushing ad-hoc changes.
One action today
Send a short internal alert today: “Microsoft/Teams issues are being reported—do not trust unsolicited ‘support’ messages or calls, and never share passwords or MFA codes; report anything unusual immediately.”
Related Actions On Cyber resource
Actions On Cyber checklist: ‘Outage & disruption cyber safety (how to keep working without creating new risk)’
Sources
- Microsoft fixes outage affecting MFA setup, MySignIn service (BleepingComputer)
- Microsoft investigates Office Apps, Teams file access issues (BleepingComputer)
- WordPress malware campaign hides payloads in Steam profiles (BleepingComputer)
- Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts (The Hacker News)
- Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm (The Hacker News)
- OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack (The Hacker News)
- Dashlane password manager users locked out by brute force attacks (BleepingComputer)
- Critical Windows Netlogon RCE flaw now exploited in attacks (BleepingComputer)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.