08 May 2026

Daily Int Brief: Treat HR, conduct and compliance emails as high-risk phishing lures

Relevance rating: Act Now

Executive Summary

The strongest current topic for UK small organisations is phishing that looks like normal internal business admin: HR, conduct, compliance, policy or document-review messages. Microsoft reported a recent campaign that used polished code-of-conduct themed emails and multi-step sign-in flows to steal access tokens, meaning ordinary multi-factor authentication may not always be enough if users are tricked into signing in through a fake journey. This matters because the UK Cyber Security Breaches Survey 2025/2026 says phishing remains the most common and most disruptive attack type for businesses and charities. Small organisations should act now by tightening email and account controls, giving staff a simple rule for urgent HR/compliance emails, and asking IT providers to review Microsoft 365 or Google Workspace sign-in protections.

Situation

Attackers are increasingly using believable, business-like messages rather than obvious scams. Recent reporting from Microsoft describes phishing emails that pretended to be internal conduct or compliance notifications, used professional-looking templates, created urgency, and led users through staged pages before asking them to sign in. For a small business, charity, club or community organisation, the risk is not just one stolen password. A compromised mailbox can be used to read sensitive messages, reset passwords, send invoice fraud emails, impersonate trustees or directors, and target suppliers, members or donors. The UK government's latest breaches survey reinforces why this deserves attention: phishing is still the most common breach or attack type reported by businesses and charities, and is most often named as the most disruptive.

Who should care

  • Owners, trustees, directors and committee members who approve payments or handle sensitive information.
  • Any organisation using Microsoft 365, Google Workspace, webmail, online banking, accounting platforms, CRM systems or cloud file storage.
  • Charities, clubs and community groups where volunteers or part-time staff use personal devices or shared mailboxes.
  • Organisations without a dedicated cyber security team that rely on an external IT provider or a technically confident volunteer.
  • Anyone who receives HR, compliance, disciplinary, policy, document-signing or urgent internal-review emails.

Why it matters

Modern phishing is designed to feel routine, urgent and legitimate. The email may appear to come from a business process rather than a stranger. If an attacker takes over one account, they may use it to send believable messages from a real mailbox, change payment details, access shared files, or monitor conversations before committing fraud. The practical lesson is simple: do not rely only on staff spotting bad spelling or strange-looking emails. Combine staff awareness with technical controls such as stronger MFA, sign-in risk alerts, blocking legacy authentication, email security settings, and fast reporting of suspicious messages.

Top 5 Known Exploited Vulnerabilities

These are the latest known exploited vulnerabilities from the CISA KEV catalogue at the time this brief was generated. Small organisations do not need the technical exploit detail. The practical action is to ask whether affected products are used and whether vendor mitigations or updates have been applied.

CVE: CVE-2026-42208
Vendor / Product: BerriAI LiteLLM
Plain-English risk: If your organisation or supplier uses LiteLLM as an AI gateway, a flaw in the software could allow attackers to access or change data handled by that service, including sensitive configuration or keys.
Question to ask IT provider: Do we run BerriAI LiteLLM anywhere, including in test AI projects, developer systems or supplier-managed services, and has it been updated or otherwise mitigated in line with the vendor guidance?

CVE: CVE-2026-6973
Vendor / Product: Ivanti Endpoint Manager Mobile (EPMM)
Plain-English risk: Ivanti EPMM is used to manage mobile devices. If exposed and vulnerable, compromise could affect the systems used to control business phones and tablets.
Question to ask IT provider: Do we use Ivanti Endpoint Manager Mobile, is it internet-facing, and have all vendor mitigations or updates for CVE-2026-6973 been applied and checked?

CVE: CVE-2026-0300
Vendor / Product: Palo Alto Networks PAN-OS
Plain-English risk: PAN-OS runs Palo Alto firewalls. A vulnerable firewall service can create serious risk because it sits at the edge of the network and may protect many other systems.
Question to ask IT provider: Do we use Palo Alto Networks PAN-OS, is the User-ID Authentication Portal enabled or reachable from untrusted networks, and have access restrictions or the vendor workaround been applied until a full fix is installed?

CVE: CVE-2026-31431
Vendor / Product: Linux Kernel
Plain-English risk: Linux is used in many servers, websites, appliances and cloud systems. A kernel vulnerability may allow a successful attacker to increase their access or affect system reliability.
Question to ask IT provider: Which of our servers, hosting platforms, appliances or cloud services run Linux, and have kernel updates or vendor mitigations for CVE-2026-31431 been applied?

CVE: CVE-2026-41940
Vendor / Product: WebPros cPanel & WHM and WP2 (WordPress Squared)
Plain-English risk: cPanel and WHM are commonly used to manage websites and hosting. A missing-authentication issue could put hosted websites, email or administration functions at risk if the affected service is exposed.
Question to ask IT provider: Do our website, hosting, email or WordPress management services use cPanel, WHM or WP2, and has the provider confirmed this vulnerability is patched or mitigated?

Actions On

  1. Today: Tell staff and volunteers to treat unexpected HR, conduct, compliance, policy, invoice-change and document-signing emails as high-risk, especially if they create urgency or ask for a sign-in.
  2. Today: Agree a second-channel check for sensitive requests. For example, if an email asks someone to review a disciplinary, HR, payment or account-change document, verify it using a known phone number or a separate trusted channel.
  3. Today: Forward suspicious emails to report@phishing.gov.uk and report suspicious texts to 7726. If someone clicked or signed in, tell your IT provider immediately rather than waiting to see what happens.
  4. This week: Ask your IT provider to review Microsoft 365 or Google Workspace sign-in logs for unusual locations, new inbox rules, unexpected forwarding, new MFA methods, or unfamiliar devices.
  5. This week: Move important accounts away from weaker MFA where possible. Ask about passkeys, security keys, number matching, conditional access, device compliance and disabling legacy authentication.
  6. This week: Make sure shared mailboxes, finance accounts, trustee/director accounts and website admin accounts have strong unique passwords, MFA and named owners.
  7. This month: Run a short phishing drill or tabletop discussion using a realistic HR or document-review scenario. Focus on what people should do, not on blaming anyone who clicks.
  8. Ongoing: Keep a simple list of critical suppliers and systems, including email, website hosting, accounting, payroll, CRM, payment systems, managed IT and cloud storage, so vulnerability alerts can be checked quickly.
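The sign-in log review in step 4, and the after-action questions about inbox rules, forwarding and MFA changes, can be turned into a repeatable check that an IT provider or technically confident volunteer runs against an audit export. The Python script below is an added example, not part of this brief and not Microsoft or Google tooling; it runs over a small constructed set of audit events whose field names are this example's own assumptions rather than either vendor's schema, flags the signs the brief lists (sign-ins from unexpected countries or unfamiliar devices, inbox rules that hide mail, forwarding to an outside address, newly registered MFA methods), and escalates any of the latter three to "high" when they follow a suspicious sign-in within 24 hours, which is the pattern that most often precedes invoice fraud from a taken-over mailbox.

```python
"""Review constructed audit events for the account-takeover signs listed in the brief:
sign-ins from unexpected locations or devices, inbox rules that hide mail,
external forwarding and newly added MFA methods. Added example; not vendor code."""
from datetime import datetime, timedelta

# Constructed sample export. Field names are this example's own assumptions,
# loosely modelled on a Microsoft 365 unified audit log, not a vendor schema.
SAMPLE_EVENTS = [
    {"time": "2026-05-07T08:02:00Z", "user": "finance@example.org", "op": "SignIn",
     "country": "GB", "device": "laptop-01", "result": "Success"},
    {"time": "2026-05-07T11:40:00Z", "user": "finance@example.org", "op": "SignIn",
     "country": "NL", "device": "unknown-device", "result": "Success"},
    {"time": "2026-05-07T11:43:00Z", "user": "finance@example.org", "op": "New-InboxRule",
     "rule_name": ".", "actions": {"MoveToFolder": "RSS Feeds", "DeleteMessage": False},
     "conditions": {"SubjectContainsWords": ["invoice", "payment"]}},
    {"time": "2026-05-07T11:45:00Z", "user": "finance@example.org", "op": "Set-Mailbox",
     "forwarding_smtp_address": "collector@example.net"},
    {"time": "2026-05-07T11:50:00Z", "user": "finance@example.org",
     "op": "UserRegisteredSecurityInfo", "method": "Authenticator app"},
    {"time": "2026-05-07T09:15:00Z", "user": "chair@example.org", "op": "SignIn",
     "country": "GB", "device": "laptop-07", "result": "Success"},
    {"time": "2026-05-07T09:20:00Z", "user": "chair@example.org", "op": "New-InboxRule",
     "rule_name": "Newsletters", "actions": {"MoveToFolder": "Newsletters", "DeleteMessage": False},
     "conditions": {"FromAddressContainsWords": ["newsletter"]}},
]

# Baseline the organisation maintains (assumed values for this example).
EXPECTED_COUNTRIES = {"GB"}
KNOWN_DEVICES = {"finance@example.org": {"laptop-01"}, "chair@example.org": {"laptop-07"}}
ORG_DOMAIN = "example.org"
# Folders rules are often pointed at so the victim never sees replies or warnings.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive"}
LOOKBACK = timedelta(hours=24)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def review_events(events, expected_countries=EXPECTED_COUNTRIES,
                  known_devices=KNOWN_DEVICES, org_domain=ORG_DOMAIN):
    """Return findings as dicts {user, time, severity, reason}, in time order."""
    findings = []
    risky_signins = {}  # user -> datetimes of suspicious successful sign-ins

    def recent_risky(user, when):
        return any(when - LOOKBACK <= t <= when for t in risky_signins.get(user, []))

    def add(user, when, severity, reason):
        findings.append({"user": user, "time": when.isoformat(),
                         "severity": severity, "reason": reason})

    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort as text
        user, op, when = ev["user"], ev["op"], _parse(ev["time"])
        if op == "SignIn" and ev.get("result") == "Success":
            reasons = []
            if ev.get("country") not in expected_countries:
                reasons.append(f"sign-in from unexpected country {ev.get('country')}")
            if ev.get("device") not in known_devices.get(user, set()):
                reasons.append(f"unfamiliar device {ev.get('device')}")
            if reasons:
                risky_signins.setdefault(user, []).append(when)
                add(user, when, "medium", "; ".join(reasons))
        elif op == "New-InboxRule":
            actions = ev.get("actions", {})
            folder = (actions.get("MoveToFolder") or "").lower()
            hides = bool(actions.get("DeleteMessage")) or folder in HIDING_FOLDERS
            leaks = bool(actions.get("ForwardTo") or actions.get("RedirectTo"))
            if hides or leaks:
                sev = "high" if recent_risky(user, when) else "medium"
                what = "forwards mail" if leaks else f"hides mail (folder {folder!r})"
                add(user, when, sev, f"inbox rule {ev.get('rule_name')!r} {what}")
        elif op == "Set-Mailbox" and ev.get("forwarding_smtp_address"):
            addr = ev["forwarding_smtp_address"].lower()
            if not addr.endswith("@" + org_domain):
                add(user, when, "high", f"mailbox forwarding set to external address {addr}")
        elif op == "UserRegisteredSecurityInfo":
            sev = "high" if recent_risky(user, when) else "medium"
            add(user, when, sev, f"new MFA method registered: {ev.get('method')}")
    return findings


def users_needing_session_revocation(findings):
    """Accounts with a high finding: revoke sessions, reset the password,
    remove the rogue rule, forwarding or MFA method, then tell the owner."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    results = review_events(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['time']} {f['severity']:6} {f['user']}: {f['reason']}")
    print("Revoke sessions for:", users_needing_session_revocation(results))
```

On the constructed sample the finance account produces one medium finding (the foreign sign-in from an unknown device) followed by three high ones (the hiding rule, the external forward and the new MFA method), while the chair's ordinary newsletter rule is correctly ignored. The escalation rule is the useful part: a single new inbox rule is common and usually benign, but one created minutes after an unfamiliar sign-in is the signature the brief is warning about, and the response is to revoke sessions first rather than only resetting the password.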

Question to ask your IT provider

Can you confirm whether our email and cloud accounts are protected against modern phishing, including token theft, with strong MFA, conditional access or equivalent controls, alerting for suspicious sign-ins, blocked legacy authentication, and monitoring for mailbox forwarding rules or new MFA methods?

After-action review

  • If a suspicious email arrived, who received it first and how quickly was it reported?
  • Did anyone click, open an attachment, approve an MFA prompt, scan a QR code or enter a password?
  • Was there a clear, non-blaming route for staff and volunteers to report the message?
  • Did the organisation verify the request through a known phone number or trusted channel before acting?
  • Were any inbox rules, forwarding settings, payment details, password resets or MFA settings changed?
  • Did the IT provider check sign-in logs and revoke active sessions where appropriate?
  • What one control would have reduced the risk most: stronger MFA, staff guidance, email filtering, payment verification, or faster reporting?

Sources