CPU Squad

The one Outlook rule you need to set to save yourself from awkward conversations.

It's called "delay delivery." You set it once in classic Outlook, and from that point on every email you send sits in your Outbox for a specific time (that you set) before it leaves.

If you spot a typo, realize you sent the wrong attachment, or wrote something in frustration you wish you hadn't, you have can a standard 2-minute delay to give you enough time to stop it.

Just delete the email from your Outbox before the timer runs out.

To set it up in classic Outlook:

1. Go to File > Manage Rules & Alerts

2. Click "New Rule" and pick "Apply rule on messages I send"

3. Skip past the conditions so it applies to every email

4. Check "defer delivery by a number of minutes" and set it to 2

5. Save the rule

This is better than Outlook's built-in "Recall" feature, because it works every single time.

Pay attention to this fake “Microsoft” scam.

If an email asks you to enter a verification code on Microsoft's login page, don't enter the code.

That request is the giveaway for a phishing technique called device code phishing, which has hit over 340 organizations across the US, Canada, and Europe since February.

What makes this attack dangerous is that it bypasses Multi-Factor Authentication entirely, even strong MFA.

The attacker is tricking you into authorizing their device into your Microsoft 365 tenant.

You get an email about a shared SharePoint document, a payroll bonus PDF, or a meeting invitation from someone who looks legitimate.

The link sends you to login.microsoftonline.com, which is the real Microsoft login page.

The page asks you to type in a short verification code that was included in the email. You enter it and move on with your day.

But what you did was approve the attacker's device into your Microsoft 365 environment.

They now have a valid access token tied to your account.

They can read your email, download your files, and set up mailbox forwarding rules without ever needing your password again.

A turnkey phishing kit called EvilTokens started selling on Telegram in February 2026, which means even low-skill attackers can run these campaigns at scale.

To shut this attack down inside your business:

▶️ Block device code authentication flow in Entra ID for users who don't need it.

This protocol was designed for devices with limited input, which most office staff don't use. Open Conditional Access and create a policy that blocks device code flow by default.

▶️ Train your team. Microsoft will never email you a verification code to enter on its login page.

If a user gets an email instructing them to enter a code into login.microsoftonline.com, the email is phishing, no matter how legitimate the sender looks.

▶️ Use phishing-resistant MFA where possible, like FIDO2 hardware keys or Windows Hello for Business.

Authenticator app prompts are better than nothing, but they don't protect against this specific technique.

If you don't know how to do these things, let us know and we’ll help you out.

If a website ever tells you to press Windows Key + R, close the tab.

That single instruction is the giveaway for a fast-growing scam called ClickFix, which has been behind a wave of infostealer infections all year.

An infostealer is malware that scrapes every saved password, browser cookie, session token, and stored credit card...

You click a Google result that takes you to a hacked website.

A fake CAPTCHA pops up and tells you to press Windows Key + R, then Ctrl + V, then Enter to verify you're human.

The second you hit Enter, you've installed malware on your own machine.

This attack slips past most security tools because you run the command yourself.

No file was downloaded, so antivirus has nothing to scan.

The browser shows no warning.

From the operating system's perspective, you typed a command into a Windows utility, the same as any admin doing real work.

A few things you can do this week:

▶️ Tell your team that if any website prompts the user to press Win+R or paste something into the Run box, they should close the tab and report it.

▶️ Restrict PowerShell for non-IT staff using AppLocker or Windows Defender Application Control. Most office employees have no work reason to run PowerShell scripts.

▶️ Make sure your endpoint protection is doing behavioral monitoring and not just signature scanning. Microsoft Defender for Endpoint and most modern EDR tools have detection rules specifically for this attack chain.

There's no shame in falling for a fake CAPTCHA. They're designed to look real. But once your team knows the keystroke trick, this scam stops working on them.

If your “backup” is OneDrive or Google Drive… you don’t have a backup.

You have your primary storage. And that’s the problem 💀.

Quick reality check:
🗄️ OneDrive / Google Drive = where your team works
🗃️ Backup = a separate, protected copy somewhere else

Same place = not a backup.

Think of it like this:
You don’t keep the spare key on the same keychain as the one you use everyday, If both are in the same place… they’re both gone.

What actually happens in ransomware:

1. Device gets infected
2. Files get encrypted
3. Sync kicks in ☁️
4. Clean files get overwritten

Now everything is compromised 😱.

Why this happens:
Cloud drives are built to sync fast ⚡ not to protect your data.
They’re doing their job… just not the job you think.

👀 What a real backup looks like:
👉 Separate location.
👉 Locked down 🔒.
👉 Not accessible from a compromised account.
👉 A clean restore point when things go sideways.

Most businesses don’t realize this until it’s too late.
Don’t learn it that way.

Granting AI agents access to your data comes with severe risks.

You should ONLY connect these automated systems to your live data if you have strict security boundaries.

Here are just a few of the permission controls you MUST implement:

✅ Restrict all AI agents to "read-only" access within your network.
✅ Deny the automated system any permission to authorize payments or move funds.
✅ Block the AI's ability to delete or permanently alter original files.
✅ Audit the API permissions of any third-party AI tool before connecting it.

That’s just the bare minimum.

You must define limitations and rules for every single process that AI touches.

If you want a full AI Acceptable Use Policy template to implement in your business, comment below with “AI” and we’ll send it to you.

Text messages 𝗔𝗥𝗘 𝗡𝗢𝗧 the most secure method for two-factor authentication.

Using SMS relies on telecommunications security, not IT security. Attackers can call a mobile carrier, impersonate a user, and transfer the phone number to a new SIM card.

They then trigger a password reset and intercept the SMS code, bypassing the password entirely.

Transition your accounts to better secured alternatives. Use an Authenticator App or a physical hardware security key.

Have you audited how your employees receive their authentication codes?

Your phone broadcasts the names of your saved Wi-Fi networks wherever you travel.

Mobile devices and laptops constantly search for previously connected networks.

Attackers deploy portable hardware that mimics common network names, such as generic hotel or coffee shop Wi-Fi.

If your device is configured to automatically connect to known network names, it will join the malicious network without requiring your approval. The attacker then intercepts the data transmitted from your device.

Disable the "Auto-Join" or "Auto-Connect" feature for all networks on your company devices. Require your employees to manually select networks when working remotely.

We have all been in a webinar or Zoom call where the presenter shows a slide with a great quote or a long URL.

You scramble to write it down or take a screenshot before they change the slide and usually miss half of it.

If you use Microsoft PowerToys, you don't have to type anything.

Use the "Text Extractor" tool to draw a quick box around the text on the shared screen. It reads the pixels, converts them into real text, and copies it to your clipboard.

You can paste the notes directly into your own document without missing a beat of the presentation. It's one of those tiny tools that feels like magic every time you use it.

Bigger AI models are not always better.

Almost everyone talks about Claude Opus 4.5, Gemini 3, ChatGPT-5. However, "Large Language Models" (LLMs) are often slow, expensive, and trained on the public internet.

More businesses are moving toward 𝗦𝗺𝗮𝗹𝗹 𝗟𝗮𝗻𝗴𝘂𝗮𝗴𝗲 𝗠𝗼𝗱𝗲𝗹𝘀 (𝗦𝗟𝗠𝘀).

SLMs are designed to run locally on your own hardware or private cloud. They are trained specifically on your industry data.

Your data remains on your infrastructure.

They run locally without server latency.

They are not trained on the entire internet, so they are less likely to generate irrelevant information.

There are still people in 2026 who save their passwords in a browser.

It's super convenient (one click), but it's also a very bad idea from a cybersecurity perspective.

If you leave your laptop unlocked to grab a coffee, anyone walking past can open your browser settings and view your saved passwords in plain text.

If they get into your email, they can reset the passwords for every other account you own.

If a malicious script infects your computer, it can instantly scan your browser files and extract every username and password stored there.

It's just not worth the risk when you can use a dedicated Password Manager for a few bucks a month.

You'll get an extra step in your login process, but your credentials will be much safer behind a master key or biometrics, even when your computer is unlocked.