The Weekly
Brief

On 25 June, Microsoft Threat Intelligence went public with a phishing campaign that's been targeting hotels and hospitality businesses across Europe and Asia since April. The emails arrive from "Booking Manager (via Calendly)" and reference believable front-desk problems — guest complaints, room enquiries, even health inspections — to get staff to open an attached "photo" ZIP.

The clever, nasty part is how it reaches the inbox at all. By routing the message through Calendly's own verified servers, the attackers borrow Calendly's good reputation so the email sails through standard security filters — a trick Microsoft has named "authentication laundering." Open the ZIP and a hidden chain installs a Node.js implant that quietly adds itself to Microsoft Defender's exclusion list and phones home for remote control.

At its Build conference on 2 June, Microsoft unveiled Scout, the first of a new category it's calling "Autopilots" — agents that run continuously with their own digital identity, acting on your behalf across Microsoft 365 rather than waiting to be asked. Where today's Copilot answers a question, Scout is pitched to watch your email, calendar, Teams and files and get on with tasks in the background.

It's early days, and worth keeping in perspective: Scout is currently a private preview, expected to reach Microsoft 365 E5 and Business Premium customers later in 2026, with broader availability in 2027. But the direction is unmistakable — the next wave of AI doesn't just draft, it does, and it needs its own login to do so.

The National Cyber Security Centre handled 1,164 cyber incidents in the first quarter of 2026, and for the first time since 2021/22 it logged three "highly significant" incidents — serious enough to threaten essential services or organisations of national importance. Phishing and credential harvesting remained the single most-reported problem, with 437 cases.

The financial sting got sharper too: direct losses reached NZ$5.6 million for the quarter, up 76% on the previous three months — even though fewer incidents needed specialist help. The NCSC's COO Mike Jagusch was blunt about the cause, saying basics like "multi-factor authentication, managing who has full access to the network, and protection of the network edges" could have helped defend against these incidents.

Off the back of the new Cyber Security Strategy 2026–2030, the government is signalling a tougher regime. On the table: a new penalty regime under the Privacy Act to fix long-standing gaps in enforcement, and mandatory cyber-security obligations for operators in seven critical sectors — telecommunications, energy, finance, health, transport, water and defence.

The consequences are pointed. Under the proposals, company directors could face personal liability — up to NZ$100,000 for serious breaches of the standards and NZ$500,000 for critical ones — and a proposed new offence would target anyone who knowingly views or shares personal information they know was illegally obtained. It's a clear shift from guidance toward genuine accountability.