What to look out for today
- Exchange Online mail delays/failures: some organisations may see delayed or failed email delivery (sending/receiving), which can disrupt invoicing, approvals and customer comms.
- Fake “update” and “click to fix” prompts on websites: large-scale campaigns are using compromised sites to push convincing on-screen instructions designed to trick users into installing malware.
- Password-manager follow-on risk: Dashlane reported a brute-force attack where encrypted vaults for fewer than 20 personal-plan users were downloaded. Expect opportunistic phishing pretending to be “Dashlane security alerts”.
- Supplier/developer supply-chain noise: Red Hat’s npm namespace was compromised, aimed at stealing developer credentials. This is most relevant if you build software or use third parties who do.
Why this matters to smaller businesses
SMEs rely heavily on cloud email, browser-based work and a small number of key accounts (Microsoft 365, password managers, accounting, payroll). When email is unreliable, attackers often exploit the confusion with “urgent invoice” and “reconfirm your login” scams. Meanwhile, fake-update pop-ups can turn a normal web browse into a malware incident that disrupts the whole business.
Warning signs
- Staff report “email is broken”, missing messages, or unusual delays — especially around invoices, purchase orders or payroll changes.
- Websites showing sudden prompts like “your browser is outdated”, “security verification required”, or “click to fix” messages that don’t look like your normal update process.
- Unexpected “Dashlane account locked / 2FA failed / vault downloaded” emails, especially with links to log in.
- Multiple failed sign-in notifications or MFA prompts that users didn’t initiate (any service, not just Dashlane).
How attackers may exploit the situation
- Business email disruption scams: during genuine service issues, criminals send convincing messages via alternative channels (SMS/WhatsApp/personal email) claiming that bank details have changed or offering a “payment workaround”.
- Malware via fake updates: compromised sites can show realistic “update/install” instructions to persuade users to run something they shouldn’t.
- Account takeover attempts: incidents involving password managers can trigger copycat phishing that tries to harvest your master password or MFA codes.
- Developer credential theft: if a supplier’s developer accounts are compromised, attackers may pivot into customer environments or software build pipelines.
What to do today
- Tell staff: no one should install browser “updates” from a pop-up on a random website. Updates should only be done via approved methods (managed updates/official app stores/IT-approved process).
- Strengthen payment-change controls: if email is delayed/unreliable, require bank detail changes and urgent payment requests to be verified with a known phone number (not one in the email).
- Protect your key accounts: ensure MFA is enabled for Microsoft 365 and your password manager; review sign-in alerts and remove any unfamiliar devices/sessions.
- Prepare for Exchange disruption: agree a simple internal workaround (e.g., calls/Teams for approvals) and avoid ad-hoc use of personal email for business data.
Ask your IT provider
- Can you confirm whether our tenant is impacted by the Exchange Online mail-flow issue and what monitoring/alerts we have for it?
- Do we have controls to block common “fake update” execution patterns (web filtering, application allow-listing, endpoint protection policies)?
- How quickly can you isolate a device if a user clicks a fake update and malware is suspected?
- Do we have conditional access / sign-in risk rules for Microsoft 365 (impossible travel, unusual locations, repeated failures)?
- If we use a password manager, do we regularly review account security events and enforce MFA for all users?
- If we build software: do we have visibility of third-party dependencies and controls to detect suspicious package changes in build pipelines?
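For the last question above, here is an added example (not part of this brief and not a Red Hat or npm tool) of the kind of check an IT provider or developer could run in a build pipeline: it compares two package-lock.json snapshots and flags changes to packages under one supplier scope. The scope "@example-vendor", the package names and the integrity values are constructed placeholders.

```python
import json
from typing import Dict, List
from urllib.parse import urlparse

# Constructed package-lock.json (lockfileVersion 3) snapshots. "@example-vendor" is a
# placeholder scope, not a real publisher; integrity values are shortened fakes.
BEFORE = json.loads("""{"lockfileVersion": 3, "packages": {
 "node_modules/@example-vendor/core": {"version": "1.4.2", "integrity": "sha512-AAAA",
   "resolved": "https://registry.npmjs.org/@example-vendor/core/-/core-1.4.2.tgz"},
 "node_modules/@example-vendor/cli": {"version": "2.0.0", "integrity": "sha512-BBBB",
   "resolved": "https://registry.npmjs.org/@example-vendor/cli/-/cli-2.0.0.tgz"},
 "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-CCCC",
   "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"}}}""")
AFTER = json.loads("""{"lockfileVersion": 3, "packages": {
 "node_modules/@example-vendor/core": {"version": "1.4.2", "integrity": "sha512-ZZZZ",
   "resolved": "https://registry.npmjs.org/@example-vendor/core/-/core-1.4.2.tgz"},
 "node_modules/@example-vendor/cli": {"version": "2.0.1", "integrity": "sha512-DDDD",
   "hasInstallScript": true,
   "resolved": "https://registry.npmjs.org/@example-vendor/cli/-/cli-2.0.1.tgz"},
 "node_modules/@example-vendor/telemetry": {"version": "0.1.0", "integrity": "sha512-EEEE",
   "resolved": "https://mirror.invalid/@example-vendor/telemetry/-/telemetry-0.1.0.tgz"},
 "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-CCCC",
   "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"}}}""")


def diff_lockfiles(before: dict, after: dict, scope: str) -> List[Dict[str, str]]:
    """Flag changes to packages under `scope` between two lockfile snapshots."""
    key = f"node_modules/{scope}/"
    old = {p: m for p, m in before["packages"].items() if key in p}
    new = {p: m for p, m in after["packages"].items() if key in p}
    findings: List[Dict[str, str]] = []

    def flag(pkg: str, severity: str, reason: str) -> None:
        findings.append({"package": pkg, "severity": severity, "reason": reason})

    for pkg in sorted(set(old) | set(new)):
        o, n = old.get(pkg), new.get(pkg)
        if n is None:  # removal is worth a look but not suspicious by itself
            continue
        if urlparse(n["resolved"]).netloc != "registry.npmjs.org":
            flag(pkg, "high", "tarball not served from registry.npmjs.org")
        if o is None:  # a dependency that appeared without a matching code change
            flag(pkg, "medium", "new dependency in scope")
        elif o["version"] == n["version"] and o["integrity"] != n["integrity"]:
            flag(pkg, "high", "integrity changed for the same version (tarball replaced)")
        elif o["version"] != n["version"]:
            flag(pkg, "medium", f"version changed {o['version']} -> {n['version']}")
        if n.get("hasInstallScript") and not (o or {}).get("hasInstallScript"):
            flag(pkg, "high", "install script added")
    return findings
```

Any "high" finding is a reason to hold the build and ask the supplier to confirm the release before it reaches production.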
Patch watch
CISA has flagged active exploitation of an Oracle WebLogic Server issue (CVE-2024-21182). Many SMEs won’t run WebLogic directly, but it’s worth asking your IT provider (and any hosted app suppliers) to confirm whether any business-critical systems depend on WebLogic and that they have an active patch/mitigation plan.
One action today
Send a same-day staff note: “Do not install ‘updates’ from website pop-ups; report them to IT immediately,” and remind everyone that bank detail changes must be verified by phone using an existing contact number.
Related Actions On Cyber resource
Actions On Cyber checklist: “Payment change & invoice fraud call-back process (printable approval steps)”
Sources
- Microsoft Exchange Online outage causes email delays, failures (BleepingComputer)
- Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks (BleepingComputer)
- Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded (The Hacker News)
- Red Hat npm packages compromised to steal developer credentials (BleepingComputer)
- CISA Adds One Known Exploited Vulnerability to Catalog (CISA Cybersecurity Advisories)
- CISA flags two-year-old Oracle flaw as actively exploited in attacks (BleepingComputer)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.