163 Microsoft patches. Two BigLaw firms extorted. Minnesota's National Guard got called in. Your MSP's tools are now weapons. Let's talk about it.
Microsoft dropped 163 patches in a single day. Jones Day got shook down for $13 million. Minnesota called in the National Guard for a county ransomware attack. And the tools your MSP uses to keep you safe? Microsoft just named them as weapons in a 24-hour kill chain. Let’s get into it.
01 // THE_PATCH_TUESDAY_YOU_CANT_POSTPONE
April 14 gave us the second-largest Patch Tuesday on record. 163 vulnerabilities patched in one day. Two of them matter way more than the rest if you’re running a small business.
First one is CVE-2026-32201, a SharePoint Server spoofing bug. CISA slapped it straight into their Known Exploited Vulnerabilities list the same day with a federal patch deadline of April 28. Attackers were already scanning for exposed SharePoint boxes between April 1 and April 11. On-prem SharePoint isn’t common in dental or medical offices, but it shows up constantly in law firms and municipal document systems. If you have it, patch it this week.
Second one is the nasty one. CVE-2026-33825, nicknamed “BlueHammer,” is a privilege escalation bug in Microsoft Defender. Yeah, Defender. The thing that’s supposed to be protecting you. Someone published working exploit code on GitHub on April 2, twelve days before Microsoft had a fix ready. It lets a regular user on a fully-patched Windows 10, 11, or Server machine jump straight to SYSTEM-level access by abusing how Defender updates its virus signatures.
// CRITICAL
The fix ships as Defender Antimalware Platform version 4.18.26050.3011 through Windows Update. Verify it actually got applied. Two related proofs of concept (“RedSun” and “UnDefend”) are still unpatched as of Friday.
Adobe also dropped an emergency fix for CVE-2026-34621, an Acrobat and Reader remote-code-execution flaw that’s been exploited in the wild since late 2025 using malicious PDFs. Push Reader to version 26.001.21411 on every endpoint this week. Legal, medical, and municipal offices live in PDFs. This is the exact attack designed for you.
Chrome closed its fourth zero-day of the year. Fortinet patched 11 vulnerabilities. The week was a patch buffet. Eat it all.
02 // YOUR_MSPS_TOOLS_ARE_NOW_WEAPONS
Microsoft formally named a threat actor called Storm-1175 this week. They deploy Medusa ransomware. Here’s the part that should make every SMB owner pay attention: they compress the entire attack from initial foothold to full encryption into as little as 24 hours.
Here’s the weapon list Microsoft published: ScreenConnect, SimpleHelp, TeamCity, CrushFTP, SmarterMail, GoAnywhere, BeyondTrust, and Microsoft Exchange. If any of those names sound familiar, it’s because those are the tools your MSP uses to manage your environment. Remote monitoring. File transfer. Email hosting. The plumbing of every small business IT stack.
Healthcare, education, professional services, and finance in the US, UK, and Australia are getting hit the hardest. The question isn’t whether your MSP is being targeted. They are. The question is whether their management tools are exposed to the open internet with an old patch level.
// THREE_QUESTIONS_FOR_YOUR_MSP
1) Which RMM and file-transfer tools do you run on our behalf?
2) What version are they on?
3) Is the management interface reachable from the public internet?
If the answer to #3 is yes without IP allow-listing or SSO with MFA, you are the 24-hour kill chain’s natural target. Full stop.
03 // BIGLAW_GOT_SHAKEN_DOWN
Jones Day has 2,400 attorneys. Orrick, Herrington & Sutcliffe does $1.5 billion in revenue. Both had data leaked this week by a crew called Silent Ransom Group (also known as Luna Moth and UNC3753). Jones Day got a $13 million ransom demand. Orrick had its negotiation chat logs and file tree posted publicly after talks collapsed in February.
Silent Ransom Group doesn’t deploy malware. No ransomware binary. No exploit. No CVE. They phish a staff member or make a voice call pretending to be IT.
They get email and document-management access, quietly exfiltrate client files, and then threaten to leak them. The attack runs on the exact leverage that makes lawyers nervous: attorney-client confidentiality.
Halcyon tracked over 200 ransomware incidents against law firms between 2025 and early 2026. INC Ransom alone has hit 20 firms in 2026. BakerHostetler’s latest incident response report pegs law firm ransom demands between $500,000 and $21 million, with average payouts near $450,000.
For a small or mid-sized firm, the attack pattern is identical to what hit Jones Day. Phone call, phishing email, compromised account, quiet data theft, extortion. The controls that break this chain are boring and proven:
// WHAT_ACTUALLY_STOPS_THIS
Phishing-resistant MFA on Microsoft 365 (hardware key or passkey, not text message). Conditional access policies that flag impossible-travel sign-ins. DLP rules on SharePoint and OneDrive. A written protocol for when someone calls asking to change a wire transfer or reset a password.
04 // MUNICIPALITIES_HAD_A_ROUGH_WEEK
Two Minnesota jurisdictions and a Michigan school district spent the week in ransomware recovery. Spring Lake Park Schools north of Minneapolis detected an intruder early Sunday April 12, shut down every system, and cancelled classes Monday and Tuesday for 6,200 students. South Lyon Community Schools near Detroit cancelled two days of classes for 8,000 students for the same reason.
The heavy one is Winona County, Minnesota. Hit for the second time in three months. Real estate records, vital statistics, the DMV, all offline. Governor Tim Walz signed only the second executive order ever authorizing the Minnesota National Guard’s Cyber Protection Team to help a local government recover. That’s how bad it got.
Foster City, California is still a cautionary tale. Three-plus weeks after their March 19 attack, most municipal systems are still down. State of emergency still active. 34,000 residents doing business with their town government on paper.
The pattern is the same every time. Recovery takes three to six weeks even without paying. Backups get tested for the first time during the crisis. Permits, billing, and property transactions stall out. Dispatch and 911 scrape by on analog fallbacks. The towns that recover fastest are the ones that tested their backups before the attack, had an incident response retainer already on paper, and had a Cyber Protection Team phone number saved in advance.
05 // HEALTHCARE_SAAS_AND_THE_OKLAHOMA_SLEEPER
Signature Healthcare in Massachusetts got hit April 6. They run Brockton Hospital (216 beds) plus 15 outpatient sites serving about 70,000 patients a year. Ambulances got diverted. Chemotherapy infusions at the Greene Cancer Center got cancelled. The Anubis group is demanding payment for 2TB of allegedly stolen patient data within seven days. The hospital is still in downtime procedures as of press time.
On the SaaS side, two big ones. McGraw Hill confirmed April 14 that attackers exploited a Salesforce misconfiguration and leaked over 100GB of data tied to 13.5 million email addresses. Vercel (the hosting platform behind a huge chunk of small business Next.js sites) confirmed a breach April 19 as attackers offered source code, deployment access, and API keys for sale.
The pattern there: misconfigured SaaS is now the soft underbelly of SMB stacks. Anyone running a website, CRM, or ticketing system on Salesforce, Zendesk, or similar platforms should audit sharing rules, community pages, and API tokens this week.
// HIGH
The quietly terrifying breach of the week: the Oklahoma Tax Commission failed to detect an 18-month intrusion into their taxpayer portal. July 2024 to December 2025. W-2 and 1099 files accessed the whole time. If you run any self-service portal without continuous monitoring, that’s a preview of what your own state AG filing could look like two years from now.
06 // IRAN_RUSSIA_NORTH_KOREA
Iran: A pro-Iran group called “Ababil of Minab” claimed responsibility this week for a March intrusion into LA Metro. They posted screenshots on Telegram to prove it. Bus and rail service weren’t affected, but station monitors and TAP card systems got disrupted. A week before, CISA issued joint advisory AA26-097A warning that Iranian-affiliated actors tied to the IRGC are actively hunting internet-exposed Rockwell PLCs in US water, energy, and government facilities. If you run any building automation, ICS, or operational technology (that includes racing venues with large-scale HVAC, lighting, scoring systems), you are in scope.
Russia: Good news for once. The DOJ, FBI, and NSA took down an APT28/Fancy Bear botnet that had hijacked 18,000 SOHO routers across 120 countries. They’re publicly asking every small business to do four things: reboot your router, install current firmware, replace any router past end-of-support, and disable remote management. This is the most universally actionable thing in this entire issue. Every business has a router. A lot of them are EOL or still running the default manufacturer password.
North Korea: The Ethereum Foundation published identities of 100 suspected DPRK IT worker operatives embedded across 53 Web3 projects. Same playbook that’s been hitting US businesses since 2024. Fake identities, fake LinkedIn profiles, remote engineering jobs. Sanctions-evading revenue for the regime, option to pivot to sabotage or theft later. If you’re hiring remote technical contractors through Upwork, Toptal, or Fiverr, live video interviews and hardware shipment address verification are not optional anymore.
07 // THE_QUIET_NIST_PROBLEM
On April 17, NIST quietly announced they’ll stop enriching most CVEs in the National Vulnerability Database. Why? Vulnerability submissions jumped 263% and they can’t keep up. CVEs that don’t meet their new criteria will still get listed, but they won’t have severity scores, affected-product mappings, or the metadata that basically every vulnerability scanner depends on.
If you’re a small practice or municipality whose managed scanner pulls its priority list from NVD, coverage gaps start now.
Workaround: make CISA’s Known Exploited Vulnerabilities catalog your new primary list. It’s maintained independently, it only contains flaws confirmed exploited in the wild, and it’s the single best patch-priority list available right now. The April 13 and April 16 additions are the best use of 15 minutes you’ll spend this month.
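Here is one way to turn that workaround into a repeatable 15-minute task, as an added example that is not from this issue or from CISA. It parses the KEV catalog JSON, keeps only the entries added on the dates named above, and ranks them by federal due date. The feed URL and field names are CISA's published ones; the embedded sample is constructed for offline use, and the placeholder CVE ids in it are not real.

```powershell
# Added example: filter CISA's KEV catalog down to the entries added on the
# dates this issue calls out, then sort by due date so the shortest fuse is on top.
# Assumptions: KEV feed URL and JSON field names as published by CISA.

$KevUrl = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json'

function Get-KevPriorities {
    param(
        [Parameter(Mandatory)][string]$Json,   # raw KEV catalog JSON text
        [string[]]$AddedOn,                     # dateAdded values to keep (yyyy-MM-dd)
        [string[]]$Vendors                      # optional vendorProject filter
    )
    $catalog = $Json | ConvertFrom-Json
    $today   = (Get-Date).Date
    $catalog.vulnerabilities |
        Where-Object { $AddedOn -contains $_.dateAdded } |
        Where-Object { -not $Vendors -or ($Vendors -contains $_.vendorProject) } |
        ForEach-Object {
            [pscustomobject]@{
                CVE        = $_.cveID
                Product    = "$($_.vendorProject) $($_.product)"
                Added      = $_.dateAdded
                Due        = $_.dueDate
                DaysLeft   = ([datetime]$_.dueDate - $today).Days   # negative = overdue
                Ransomware = $_.knownRansomwareCampaignUse
            }
        } | Sort-Object Due
}

# Constructed sample in the KEV schema. CVE-2026-32201 and its dates are the ones
# in this issue; the two "XXXXX" entries are placeholders, not real CVEs.
$Sample = @'
{"vulnerabilities":[
 {"cveID":"CVE-2026-32201","vendorProject":"Microsoft","product":"SharePoint Server",
  "dateAdded":"2026-04-14","dueDate":"2026-04-28","knownRansomwareCampaignUse":"Unknown"},
 {"cveID":"CVE-2026-XXXXX","vendorProject":"ExampleVendor","product":"Placeholder",
  "dateAdded":"2026-04-16","dueDate":"2026-05-07","knownRansomwareCampaignUse":"Known"},
 {"cveID":"CVE-2025-XXXXX","vendorProject":"ExampleVendor","product":"OldEntry",
  "dateAdded":"2025-01-01","dueDate":"2025-01-22","knownRansomwareCampaignUse":"Unknown"}
]}
'@

# Offline run against the sample. For the live catalog, replace $Sample with:
#   (Invoke-WebRequest -Uri $KevUrl -UseBasicParsing).Content
Get-KevPriorities -Json $Sample -AddedOn '2026-04-13','2026-04-14','2026-04-16' |
    Format-Table -AutoSize
```

Pass `-Vendors 'Microsoft','Adobe','Fortinet'` to narrow the live feed to the vendors in this issue.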
▶ DO_THIS_BY_MONDAY
Confirm Windows April 2026 Patch Tuesday deployed everywhere and verify Microsoft Defender is at version 4.18.26050.3011 or higher. That alone closes BlueHammer.
Push Adobe Reader to 26.001.21411 and Chrome to 146.0.7680.177 or higher on every endpoint.
Call your MSP. Ask if their ScreenConnect, SimpleHelp, or BeyondTrust is internet-exposed, what version they’re on, and whether phishing-resistant MFA is enforced on admin accounts.
Reboot every router and firewall. Update firmware. Disable remote management. Identify anything past end-of-support and plan to replace it before summer.
Audit Salesforce, Zendesk, and any SaaS portal sharing rules. The McGraw Hill leak was a misconfiguration most SMBs have never reviewed since initial setup.
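For the first two checklist items, here is a version check you can run on each Windows endpoint, as an added example that is not from this issue. It reads the Defender platform version from `Get-MpComputerStatus` and the Reader and Chrome versions from their executables, then compares each against the minimums named above. The install paths for Reader and Chrome are the default locations and are an assumption; adjust them for your deployment.

```powershell
# Added example: verify the three endpoint patch levels from the checklist.
# Assumptions: run elevated on Windows 10/11/Server with the Defender module
# available; Reader/Chrome paths below are defaults and may differ on your build.

$Minimums = [ordered]@{
    'Defender platform' = [version]'4.18.26050.3011'   # closes BlueHammer (CVE-2026-33825)
    'Adobe Reader'      = [version]'26.001.21411'      # CVE-2026-34621 fix
    'Google Chrome'     = [version]'146.0.7680.177'    # fourth zero-day of the year
}

function Get-ExeVersion {
    # Return the product version of the first candidate path that exists, else $null.
    param([string[]]$Candidates)
    foreach ($p in $Candidates) {
        if (Test-Path $p) { return [version](Get-Item $p).VersionInfo.ProductVersion }
    }
    return $null
}

function Get-PatchStatus {
    # Collect installed versions and report OK / PATCH NEEDED / NOT INSTALLED per item.
    $installed = @{}
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $installed['Defender platform'] = if ($mp) { [version]$mp.AMProductVersion } else { $null }
    $installed['Adobe Reader'] = Get-ExeVersion @(
        "$env:ProgramFiles\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
        "${env:ProgramFiles(x86)}\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
    )
    $installed['Google Chrome'] = Get-ExeVersion @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"
    )

    foreach ($name in $Minimums.Keys) {
        $have  = $installed[$name]
        $state = if ($null -eq $have)                { 'NOT INSTALLED' }
                 elseif ($have -ge $Minimums[$name]) { 'OK' }
                 else                                { 'PATCH NEEDED' }
        [pscustomobject]@{
            Component = $name
            Installed = $have
            Minimum   = $Minimums[$name]
            Status    = $state
        }
    }
}

Get-PatchStatus | Format-Table -AutoSize
```

Any row that reads PATCH NEEDED on a host your MSP reports as fully patched is the conversation to have on Monday.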
// THE_BOTTOM_LINE
The thread running through all seven stories is the same: attackers are using your vendors’ access to reach you. Microsoft. Adobe. Your MSP. Your SaaS platforms. Your open-source supply chain. Your router manufacturer. The defenders who look competent six months from now are the ones who treated every third-party relationship this week as a live attack surface that needs active verification, not a contract clause requiring blind trust.
Most of the towns in this issue will recover without paying the ransom. But recovery still means three to six weeks of degraded services, cancelled school, and manual paperwork. The organizations that shaved that timeline to days had three things in place before the attack: tested backups, an incident response retainer already signed, and a Cyber Protection Team number saved in a phone. Those three items cost less than a single unplanned downtime week.
The checklist above isn’t a reaction to this week’s news. It’s the same checklist that would’ve shortened Foster City’s three-week outage, kept Jones Day’s $13 million demand from being credible, and kept Oklahoma’s portal from bleeding W-2 data for 18 months. Do the work now or do it later under duress. Those are the two options.
Stay fortified.
Austin Eatman
Co-Founder // CyberFortify Solutions
FORTIFIED_WEEKLY
This briefing was Issue #004.