All issues
Tech & Security Intelligence Issue 007 · 6 Jul 2026

The Weekly
Brief

Tax-refund scams spike as refund season peaks, a SharePoint hole worth patching today, and the reason multi-factor authentication is no longer the finish line.

Paul, Director of Node-Red
Curated by Paul
Editor · Node-Red

4 stories · 6 min read

In this issue

01 Scam Alert

Tax-refund scams jump 44% — the IRD impersonation wave hits its peak

Netsafe is warning New Zealanders to stay alert after reports of tax-refund scams rose 44% in May over April, as scammers exploit the May–July window when many people are expecting a refund. The lures arrive by email, text or phone call, claiming you're owed a refund and just need to "confirm your banking details" to receive it — or, in a nastier variant, that you owe money and must pay immediately to avoid Police action.

"Scammers may contact you by email, text message or phone call claiming you're entitled to a tax refund and need to provide your banking details to receive it," said Netsafe's Alex Yi. The trap is that a fake refund often isn't noticed until the real one never turns up — by which point the details have already been misused.

02 Patch Now

Patch now: a SharePoint Server flaw is being actively exploited

On 1 July, the US cyber agency CISA added a Microsoft SharePoint Server flaw — CVE-2026-45659, a high-severity (CVSS 8.8) remote-code-execution bug — to its Known Exploited Vulnerabilities catalogue, citing evidence it's being exploited in the wild. It affects the on-premises editions: SharePoint Server Subscription Edition, 2019, and Enterprise Server 2016. Microsoft shipped a fix in late May.

The uncomfortable detail is how low the bar is: an attacker needs only "Site Member" permissions — a fairly ordinary level of access — to run arbitrary code on the server. CISA ordered US federal agencies to patch within days; the advice for everyone else is the same, just apply Microsoft's update as soon as you can. Note this is on-prem SharePoint only — SharePoint Online in Microsoft 365 is not affected.

03 Business IT

Microsoft 365 just changed — more built-in email security, and a higher bill

From 1 July, Microsoft has folded extra security into its business plans. The enhanced email protection of Defender for Office 365 Plan 1 — better detection of phishing, malware and malicious links — is now built into Office 365 E3 and Microsoft 365 E3. And URL checks, which warn users before they open a known-bad website from an email or Office app, are being added to Business Basic, Business Standard and Office 365 E1.

The catch: it comes with a global price rise on Microsoft 365 subscriptions, also effective 1 July (with local-market adjustments). So most businesses get genuinely useful protection they used to pay extra for — bundled into a slightly dearer subscription.

04 Cyber Threat

Why "we've got MFA" isn't the safety net it used to be

Security researchers at Malwarebytes report that infostealer malware has become the go-to payload for attackers — quietly overtaking old-style credential phishing as the main way into accounts. Instead of tricking someone into typing a password, an infostealer silently harvests saved passwords, browser data and session cookies straight off an infected device.

Those stolen session cookies are the sting in the tail: they let an attacker reuse an already-authenticated session, so they can walk past multi-factor authentication without ever needing the password or a code. It's a domestic problem too — in December 2025 New Zealand's NCSC contacted around 26,000 New Zealanders whose devices were infected with one such stealer, Lumma. A single home-laptop infection can hand over a staffer's work logins.

Tip of the week

Stop letting your browser save passwords — use a real password manager

As story 04 shows, the passwords your browser "helpfully" remembers are exactly what infostealer malware scoops up first. Turn off the browser's built-in password saving, and move your logins into a dedicated password manager instead — the good ones encrypt everything behind one master password, generate strong unique passwords for every site, and don't leave credentials sitting in a browser profile that malware can lift in seconds. It takes an afternoon to set up and instantly shrinks how much an attacker gains from one infected device. If you'd like a hand rolling a password manager out across your team, that's exactly the kind of thing we set up for clients.

Node-Red

Want all of this handled for you?

We keep an eye on the threats, the updates and the fine print so you don't have to. Book a free, no-obligation IT checkup.

Book your free IT checkup