In partnership with

~7 MIN READ
Fact Microsoft's July 2026 Patch Tuesday fixed a record 570 vulnerabilities, including two zero-days already under active attack. The company credits its new AI-powered vulnerability discovery system with finding more bugs than any single Windows update in history. (BleepingComputer, July 2026)
The Signal
 
570 patches in one Patch Tuesday is either great news (Microsoft's AI found the bugs before attackers did) or terrifying news (there were 570 bugs to find). This week also proved AI lowers the bar for building ransomware just as fast as it lowers the bar for finding vulnerabilities, and that even professional criminals have a code of conduct they're embarrassed to break.

AI just proved it cuts both ways in the same week: it's helping Microsoft find bugs at record speed, and it's helping mediocre criminals build ransomware they couldn't code themselves. The tools got better. The skill floor didn't rise with them.

PS: Was this forwarded to you? Subscribe free at exzeccyber.com/subscribe

In this edition
  📌 Big Cyber News
  🚨 Can't Miss
  🤖 AI in Cyber
  🕵️ Threat Intel
  🛠️ Tools & Tactics
  🧪 Strange Cyber
📌 Big Cyber News
 
PATCH TUESDAY
🩹 Microsoft's AI Found So Many Bugs It Broke Its Own Patch Record
Intro
Microsoft shipped fixes for 570 vulnerabilities this Patch Tuesday, the largest release in company history. That's either great news or terrifying, depending on what you believe found them first.
What Happened
The July 14 update patched 59 Critical flaws and three zero-days: two under active attack (Active Directory Federation Services, SharePoint Server) and one public (a BitLocker bypass). Microsoft credits a new AI-powered discovery system for the record volume.
Why It Matters
More bugs found by defenders means fewer sold to attackers first, but IT teams now triage more disclosed flaws per month on a patch window that keeps shrinking.
The Other Side
A record patch count could just as easily mean Windows had more bugs than anyone realized, and AI is only now catching up.
 
👉 Takeaway
Patch the two actively exploited zero-days first. "AI found it" doesn't mean "AI fixed it before anyone noticed."
TL;DR: Microsoft's AI bug hunter found 570 flaws in one release, three already being exploited.
Further reading: BleepingComputer
🚨 Can't Miss
 
 
BREACH
AssuranceAmerica disclosed a breach affecting nearly 7 million customers after attackers compromised employee credentials, the largest known exposure of driver's license data this year. Stolen data includes names, contact details, license numbers, and policy information, everything needed to open a fraudulent account in your name.
Held AssuranceAmerica auto insurance? Assume your license number is for sale, and freeze your credit now.
 
CYBERCRIME
Callum Dare never made the hoax calls that sent armed police to a UCLA bomb threat, a fake hostage situation in Cardiff, and a Canadian programmer's door. He ran the Doxbin channel where the calls got planned, then cut the footage into recruitment videos for the next round. A UK court gave the 26-year-old two years and three months; PayPal records traced it back to him.
Swatting now carries real prison time, even for organizers who never dial a phone.
 
BREACH
KDDI runs the email backend for five Japanese internet providers, and a third-party software bug let attackers into all of it at once. It caught and blocked the intrusion but is warning that emails and passwords across all five providers may be exposed.
Use STNet, JCOM, Chubu, NIFTY, or BIGLOBE? Rotate your password now.

See the whole platform. No guided tour.

Skip the sales call. Walk through Gladly's interface yourself — the AI suggestions, the unified customer view, the full conversation thread. 15 minutes, no installation, no commitment.

🤖 AI in Cyber
 
 
AI-ASSISTED MALWARE
Researchers uncovered Avalon, a ransomware framework that harvests credentials, disables backups, and encrypts files using Windows' own tools, delivered through fake legal-document phishing. What stood out was evidence the framework was AI-built, letting attackers skip years of Windows internals expertise that used to be a real barrier.
The skill required to build ransomware just dropped again. Budget for more attackers, not smarter ones.
 
AI-ASSISTED MALWARE
An intruder deployed a PowerShell script to map a company's Active Directory, and Huntress researchers who caught it found an unedited AI placeholder hostname still baked in: Server1.HR.local. The script was clearly prompted into existence, not hand-coded: over-engineered, oddly formatted, titled "100% Working AD Information Gathering Script, FULLY FIXED." It still worked well enough to harvest the data and exit within 30 minutes.
AI is closing the attacker skill gap faster than most detection rules have adjusted.
🕵️ Threat Intel
 
 
NATION-STATE
A cluster tied to Iran's Ministry of Intelligence, tracked as Cavern Manticore, is using a new C2 framework called Cavern to breach Israeli IT providers and government agencies. It compiles into three different formats, forcing researchers to use three separate toolsets just to read the same malware. Attackers get in through trusted update channels like SysAid, then use compromised IT providers as a stepping stone to their real targets.
IT providers with access to multiple client networks are the target now, not just the path in.
 
THREAT ACTOR
A group called Helix skips malware entirely: they call employees pretending to be a manager, talk them into approving a new authenticator app, then walk into SharePoint and download everything worth stealing. Researchers see technical overlap with defunct extortion crews ShinyHunters and BlackFile, though no confirmed link. Once in, it's pay up or watch your files get published.
Turn off device code authentication if you don't need it. "IT needs you to approve this" is a red flag now.
🛠️ Tools & Tactics
 
 
Practical play
CISA, the NSA, and the FBI issued a joint advisory warning that Russia's FSB Center 16 is scanning for poorly configured routers, the kind most organizations forgot about the day they were installed. It flags three fixable gaps: SNMP v1/v2 instead of encrypted v3, reused or default device passwords, and exposed Cisco Smart Install services. None of it requires budget, just someone checking. This week: audit edge devices for default credentials and legacy SNMP, and disable Smart Install if unused.
Audit edge devices for default credentials and legacy SNMP this week. It's free, and it's what Russia's FSB is actively scanning for.

Dictate code. Wispr tags the files.

Speak your PR description, bug reproduction, or Cursor prompt. Wispr Flow auto-tags file names, preserves variable names, and formats everything for immediate paste into GitHub, Jira, or your editor.

No re-typing. No context gaps. No mangled syntax. Works natively inside Cursor, Warp, and every IDE at the system level.

4x faster than typing. 89% of messages sent with zero edits. Used by engineering teams at OpenAI, Vercel, and Clay.

🧪 Strange Cyber
 
Strange but real
⚽ Egyptian Hacktivists Broke Into Argentina's Football Federation Over a World Cup Loss
Intro
A World Cup elimination is rough. For some fans, apparently it's rough enough to justify breaking into a national football federation's entire IT stack.
What Happened
A group calling itself All Egyptian Cyber Warriors compromised the Argentine Football Association after Egypt was eliminated by Argentina in a contested Round of 16 match. The attackers got "profound administrative control": database panels, training HQ portals, media systems, competition management tools, all of it, then blasted mass emails from AFA's own domains accusing Argentina of stealing the win.
Why It Matters
Security firm Hudson Rock traced the access back to an infostealer infection on a developer's device from September 2025, ten months before the match. Whoever had those credentials either sat on them for months or went looking the moment Egypt lost.
The Other Side
A grudge match over VAR calls is a strange motive, but the mechanism is depressingly ordinary: one infected laptop, one set of stale credentials, one organization that never rotated them.
 
👉 Takeaway
An infostealer infection doesn't expire when nobody's watching. Rotate credentials after any known compromise, not just after the threat feels current.
TL;DR: Egyptian hacktivists broke into Argentina's football federation to protest a World Cup loss, using year-old stolen credentials nobody had rotated.
Further reading: The Register

David Joerg, Chess.com's AI/ML product manager, ran 30+ projects through Viktor in six weeks, from an AI phone-agent system to logistics and research, then onboarded six family members. Get Started for Free.

Keep Reading