Thursday, January 22 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 2026-01-10 16:47 to 2026-01-12 16:47 (UTC)

Snapshot Summary

Sector / Section               | Headline Highlights                  | Count
-------------------------------|--------------------------------------|------
DFIR & Incident Response       | M365 access reviews for leaks        | 1
Cyber Investigations           | Black Axe fraud network arrests      | 1
Major Cyber Incidents          | Endesa customer data breach          | 1
Exploits & Threat Intelligence | APT28 credential-harvesting campaign | 1
Law Enforcement                | Black Axe takedown in Spain          | 1
Policy                         |                                      | 0
Standards & Compliance         |                                      | 0
Consumer App Data Leaks        | Instagram leak claims disputed       | 1

Digital Forensics & Incident Response

Prevent cloud data leaks with Microsoft 365 access reviews — A new walkthrough highlights how Microsoft 365 oversharing can persist through stale guest accounts, lingering sharing links, and Teams channel files, and recommends structured access reviews to revoke outdated permissions (12-01-2026) [AMER]. For DFIR teams, this is a practical containment-and-hardening playbook: it reduces blast radius before an incident, improves the audit trail available for post-incident scoping, and makes eDiscovery and chain-of-custody work easier by enforcing clearer content ownership and a fixed review cadence (Source: BleepingComputer, 12-01-2026).
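The review logic the walkthrough describes can be scripted against tenant exports. The block below is an added example, not code from the BleepingComputer article or from Microsoft: it assumes two CSV exports have already been pulled (guest accounts from Entra ID, sharing links from SharePoint/OneDrive, which is also where Teams channel files live), and the column names, thresholds and sample rows are constructed for illustration.

```python
"""Access-review triage over constructed Microsoft 365 exports.

Added example, not the article's code. Column names, thresholds and every
row below are assumptions made for illustration; map them to the fields of
the exports your tenant actually produces.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 1, 12, tzinfo=timezone.utc)   # review date, fixed for reproducibility
GUEST_STALE_DAYS = 90                               # guests silent this long are revoked
LINK_MAX_AGE_DAYS = 30                              # anonymous links older than this are expired

# Constructed guest export (assumed columns).
GUESTS_CSV = """\
userPrincipalName,createdDateTime,lastSignInDateTime,externalUserState
bob_partner.example#EXT#@contoso.onmicrosoft.com,2024-03-02T09:00:00Z,2025-08-01T10:15:00Z,Accepted
eve_vendor.example#EXT#@contoso.onmicrosoft.com,2025-11-20T08:00:00Z,2026-01-10T17:30:00Z,Accepted
old_invite.example#EXT#@contoso.onmicrosoft.com,2024-01-15T08:00:00Z,,PendingAcceptance
"""

# Constructed sharing-link export (assumed columns); Teams channel files appear here too.
LINKS_CSV = """\
siteUrl,itemPath,linkScope,createdDateTime,expirationDateTime,createdBy
https://contoso.sharepoint.com/sites/finance,/Shared Documents/Q4-forecast.xlsx,Anonymous,2025-10-01T12:00:00Z,,alice@contoso.com
https://contoso.sharepoint.com/sites/finance,/Shared Documents/holiday-rota.docx,Organization,2025-12-28T12:00:00Z,,alice@contoso.com
https://contoso.sharepoint.com/sites/eng,/Shared Documents/design.pdf,Anonymous,2026-01-05T12:00:00Z,2026-01-20T00:00:00Z,carol@contoso.com
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp from the export; empty cell -> None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_guests(csv_text, now=NOW, stale_days=GUEST_STALE_DAYS):
    """Return (UPN, reason) for guests whose access should be revoked."""
    findings = []
    cutoff = timedelta(days=stale_days)
    for row in csv.DictReader(io.StringIO(csv_text)):
        created = parse_ts(row["createdDateTime"])
        last = parse_ts(row["lastSignInDateTime"])
        if row["externalUserState"] != "Accepted":
            # An invitation nobody accepted in the window is dead weight; a fresh
            # invitation is left alone rather than flagged for "no sign-in".
            if now - created > cutoff:
                findings.append((row["userPrincipalName"], "invitation never accepted"))
            continue
        if last is None or now - last > cutoff:
            findings.append((row["userPrincipalName"], "no sign-in in %d days" % stale_days))
    return findings


def risky_links(csv_text, now=NOW, max_age_days=LINK_MAX_AGE_DAYS):
    """Return (item, reason) for anonymous links that should be expired."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["linkScope"] != "Anonymous":
            continue  # organisation/specific-people links are reviewed separately
        created = parse_ts(row["createdDateTime"])
        expires = parse_ts(row["expirationDateTime"])
        if expires is None:
            findings.append((row["itemPath"], "anonymous link with no expiry"))
        elif now - created > timedelta(days=max_age_days):
            findings.append((row["itemPath"], "anonymous link older than %d days" % max_age_days))
    return findings


if __name__ == "__main__":
    for upn, why in stale_guests(GUESTS_CSV):
        print("REVOKE GUEST", upn, "-", why)
    for item, why in risky_links(LINKS_CSV):
        print("EXPIRE LINK ", item, "-", why)
```

The two functions only produce the revocation list; the actual revoke and link-expiry actions are left to whatever tooling the tenant uses, so the script's output doubles as the review record that post-incident scoping can later be checked against.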

Cyber Investigations

Europol Arrests 34 Black Axe Members in Spain Over €5.9M Fraud and Organized Crime — Reporting on a Europol-backed action in Spain says investigators arrested 34 suspected “Black Axe” members tied to international fraud, money laundering, and organized-crime facilitation (10-01-2026) [EMEA]. For cyber investigators, the case underscores how BEC-style proceeds, mule networks, and cross-border identity abuse intersect—making financial tracing, device seizure triage, and rapid legal assistance workflows as critical as malware analysis in dismantling end-to-end fraud chains (Source: The Hacker News, 10-01-2026).

Major Cyber Incidents

Spanish energy giant Endesa discloses data breach affecting customers — Endesa and its Energía XXI operator disclosed unauthorized access to a commercial platform, warning that customer contract data such as identity details and IBANs may have been exposed while passwords were not (12-01-2026) [EMEA]. For DFIR and IR leaders, the stated response actions—account containment, log preservation for analysis, regulator notification, and heightened monitoring—map cleanly to evidence-driven scoping and can be used as a benchmark for incident communications that balance customer risk (phishing/impersonation) with operational continuity (Source: BleepingComputer, 12-01-2026).

Exploits & Threat Intelligence

Russia’s APT28 Targeting Energy Research, Defense Collaboration Entities — A report summarized by SecurityWeek says APT28 is running credential-harvesting operations using spoofed OWA, Google, and VPN portals, leaning on free hosting, tunneling, and link-shortening services to capture logins and redirect victims to legitimate sites (12-01-2026) [EMEA/APAC]. For defenders, the tradecraft is actionable: hunt for lookalike auth pages, unusual webhook-style exfil endpoints, and tunneling service indicators, then prioritize MFA resilience, conditional access, and forensic collection of browser artifacts and referral chains to reconstruct initial access paths (Source: SecurityWeek, 12-01-2026).
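A hunting query for the tradecraft above can be run over ordinary proxy logs. The block below is an added example and not code from the SecurityWeek report or the article: the log format, the user names and every host name are constructed, and the tunnelling, free-hosting and link-shortener suffix lists are illustrative examples of the service categories the report names, not indicators attributed to this campaign.

```python
"""Hunt proxy logs for lookalike sign-in pages that capture a POST and bounce
the victim to the genuine site.

Added example, not the report's or the magazine's code. The log layout, the
indicator lists and all hosts below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Illustrative indicator lists (assumption: tune to your environment).
TUNNEL_SUFFIXES = (".trycloudflare.com", ".ngrok-free.app", ".loca.lt")
FREE_HOST_SUFFIXES = (".000webhostapp.com", ".netlify.app", ".web.app")
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}
AUTH_KEYWORDS = ("owa", "outlook", "login", "signin", "vpn", "sslvpn", "accounts")
# Hosts where a sign-in page is expected; auth keywords anywhere else are suspect.
LEGIT_AUTH_HOSTS = {"login.microsoftonline.com", "outlook.office.com",
                    "accounts.google.com", "vpn.corp.example"}

# Constructed proxy log: ts<TAB>user<TAB>method<TAB>url<TAB>status<TAB>referer
PROXY_LOG = """\
2026-01-12T08:01:10Z\tjdoe\tGET\thttps://bit.ly/3xyzabc\t301\t-
2026-01-12T08:01:11Z\tjdoe\tGET\thttps://owa-mail-update.trycloudflare.com/owa/auth/logon.aspx\t200\thttps://bit.ly/3xyzabc
2026-01-12T08:01:45Z\tjdoe\tPOST\thttps://owa-mail-update.trycloudflare.com/owa/auth.owa\t302\thttps://owa-mail-update.trycloudflare.com/owa/auth/logon.aspx
2026-01-12T08:01:46Z\tjdoe\tGET\thttps://outlook.office.com/owa/\t200\t-
2026-01-12T08:05:00Z\tasmith\tGET\thttps://login.microsoftonline.com/common/oauth2/authorize\t200\t-
2026-01-12T08:06:00Z\tasmith\tPOST\thttps://login.microsoftonline.com/common/login\t302\thttps://login.microsoftonline.com/common/oauth2/authorize
2026-01-12T08:07:00Z\tasmith\tGET\thttps://outlook.office.com/mail/\t200\t-
2026-01-12T09:00:00Z\tbchen\tGET\thttps://sslvpn-portal.netlify.app/remote/login\t200\thttps://mail.google.com/
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp and host."""
    ts, user, method, url, status, referer = line.split("\t")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "method": method, "url": url, "host": urlsplit(url).hostname or "",
            "status": int(status), "referer": referer}


def host_reasons(host, url):
    """Indicator matches for one request; an empty list means nothing odd."""
    reasons = []
    if host.endswith(TUNNEL_SUFFIXES):
        reasons.append("tunnelling service host")
    if host.endswith(FREE_HOST_SUFFIXES):
        reasons.append("free hosting host")
    if host not in LEGIT_AUTH_HOSTS and any(k in url.lower() for k in AUTH_KEYWORDS):
        reasons.append("auth-portal keywords on non-allowlisted host")
    return reasons


def hunt(log_text, window=timedelta(seconds=120)):
    """Return one finding per suspicious request, enriched with the referral chain."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_user[event["user"]].append(event)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, event in enumerate(events):
            reasons = host_reasons(event["host"], event["url"])
            if not reasons:
                continue
            if (urlsplit(event["referer"]).hostname or "") in SHORTENER_HOSTS:
                reasons.append("arrived via link shortener")
            # Capture-then-redirect: a POST to the suspect host answered with a 3xx,
            # followed within the window by a GET to a legitimate sign-in/webmail host.
            if event["method"] == "POST" and 300 <= event["status"] < 400:
                for nxt in events[i + 1:]:
                    if nxt["ts"] - event["ts"] > window:
                        break
                    if nxt["host"] in LEGIT_AUTH_HOSTS:
                        reasons.append("POST then redirect to %s" % nxt["host"])
                        break
            findings.append({"user": user, "ts": event["ts"], "host": event["host"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(PROXY_LOG):
        print(f["ts"].isoformat(), f["user"], f["host"], "; ".join(f["reasons"]))
```

The referral chain (shortener, lookalike page, POST, bounce to the real site) is what the browser-artifact collection the paragraph recommends should corroborate; a finding with the "POST then redirect" reason is the strongest signal that credentials were actually submitted, and the user's session should be treated as compromised until the identity logs say otherwise.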

Law Enforcement

Europol Arrests 34 Black Axe Members in Spain Over €5.9M Fraud and Organized Crime — Law enforcement action in Spain, supported by Europol per reporting, resulted in 34 arrests tied to the Black Axe network and alleged multimillion-euro fraud and laundering activity (10-01-2026) [EMEA]. For cybercrime responders, this is a reminder to preserve and surface high-quality digital evidence (devices, comms, wallet trails, mule onboarding artifacts) early, because successful prosecutions in fraud ecosystems often hinge on attribution and money movement documentation as much as on the original intrusion vector (Source: The Hacker News, 10-01-2026).

Policy

Standards & Compliance

Consumer App Data Leaks

Instagram denies breach amid claims of 17 million account data leak — Meta said it fixed a bug that let outsiders trigger mass password reset emails and stated there was no Instagram system breach, as a dataset claiming ~17 million account profiles circulated on forums with disputed provenance (11-01-2026) [AMER]. For incident responders, this is a case study in separating “resurfaced data” from new compromise: validate with independent breach signals, watch for credential-stuffing and targeted phishing spikes, and capture user reports, email headers, and forum artifacts to support defensible impact assessments and user guidance (Source: BleepingComputer, 11-01-2026).
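Two of the checks the paragraph calls for can be made mechanical: whether the circulating dataset has the shape of scraped public profiles or of a database export, and whether failed-login telemetry shows a stuffing spike concentrated on the accounts it lists. The block below is an added example, not Meta's or the article's code; the dump rows, the auth log, the public-field list and the thresholds are constructed assumptions for illustration.

```python
"""Triage for a claimed leak: resurfaced/scraped data or new compromise, and
is it being weaponised against our users?

Added example, not code from the article or from Meta. Every row, the
public-profile field list and the thresholds below are assumptions.
"""
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Fields the platform already exposes on a public profile (assumption: adjust per service).
PUBLIC_PROFILE_FIELDS = {"username", "full_name", "bio", "follower_count", "is_verified"}

# Constructed sample of the circulating dataset.
DUMP_ROWS = [
    {"username": "alice_k", "full_name": "Alice K", "follower_count": "120", "is_verified": "false"},
    {"username": "bob_m", "full_name": "Bob M", "follower_count": "5400", "is_verified": "false"},
    {"username": "carol_z", "full_name": "Carol Z", "follower_count": "80", "is_verified": "true"},
]

# Constructed auth log: ts user src_ip result (a quiet morning, then a burst at 13:00).
AUTH_LOG = """\
2026-01-11T09:05:00Z alice_k 203.0.113.10 FAIL
2026-01-11T09:40:00Z dave_q 203.0.113.11 FAIL
2026-01-11T10:12:00Z erin_w 198.51.100.5 FAIL
2026-01-11T11:30:00Z frank_t 198.51.100.9 FAIL
2026-01-11T12:15:00Z dave_q 203.0.113.11 FAIL
2026-01-11T13:00:01Z alice_k 192.0.2.7 FAIL
2026-01-11T13:00:02Z bob_m 192.0.2.7 FAIL
2026-01-11T13:00:03Z carol_z 192.0.2.7 FAIL
2026-01-11T13:00:04Z alice_k 192.0.2.8 FAIL
2026-01-11T13:00:05Z bob_m 192.0.2.8 FAIL
2026-01-11T13:00:06Z carol_z 192.0.2.8 FAIL
2026-01-11T13:00:07Z alice_k 192.0.2.9 FAIL
2026-01-11T13:00:08Z bob_m 192.0.2.9 FAIL
2026-01-11T13:00:09Z carol_z 192.0.2.9 SUCCESS
2026-01-11T13:20:00Z frank_t 198.51.100.9 FAIL
"""


def classify_dump(rows):
    """'scrape-shaped' when every column is public profile data; otherwise name the extras."""
    columns = set().union(*(r.keys() for r in rows))
    non_public = sorted(columns - PUBLIC_PROFILE_FIELDS)
    if non_public:
        return "contains-non-public-fields", non_public
    return "scrape-shaped", []


def stuffing_spikes(log_text, dump_users, spike_factor=3.0, min_dump_share=0.5):
    """Flag hours whose failed logins exceed spike_factor x the median of earlier
    hours and fall mostly on accounts named in the dump."""
    hourly = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(minute=0, second=0)
        hourly[hour].append((user, ip, result))
    hours = sorted(hourly)
    findings = []
    for idx, hour in enumerate(hours):
        fails = [(u, ip) for u, ip, r in hourly[hour] if r == "FAIL"]
        prior = [sum(1 for _, _, r in hourly[h] if r == "FAIL") for h in hours[:idx]]
        if not prior:
            continue  # no baseline yet
        baseline = statistics.median(prior)
        if len(fails) < spike_factor * max(baseline, 1):
            continue
        dump_share = sum(1 for u, _ in fails if u in dump_users) / len(fails)
        if dump_share < min_dump_share:
            continue  # a spike, but not aimed at the leaked list
        top_ip, top_ip_count = Counter(ip for _, ip in fails).most_common(1)[0]
        findings.append({
            "hour": hour, "failures": len(fails), "baseline": baseline,
            "dump_share": round(dump_share, 2), "top_ip": top_ip, "top_ip_count": top_ip_count,
            # Successes on listed accounts are the ones to force a password reset on.
            "successes_on_dump_users": sum(1 for u, _, r in hourly[hour]
                                           if r == "SUCCESS" and u in dump_users),
        })
    return findings


if __name__ == "__main__":
    print(classify_dump(DUMP_ROWS))
    for f in stuffing_spikes(AUTH_LOG, {r["username"] for r in DUMP_ROWS}):
        print(f)
```

A scrape-shaped dump plus a stuffing spike is the usual "resurfaced data, real harm" combination: the platform's systems need not have been breached for the listed users to be at risk, which is exactly the distinction the impact assessment and user guidance have to draw.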

Editorial Perspective

This cycle reinforces a core DFIR reality: most “new” exposure risk still comes from fundamentals—overshared cloud content, weak identity protections, and slow permission hygiene—rather than exotic zero-days.

At the same time, APT-aligned credential harvesting continues to professionalize through cheap infrastructure (tunnels, free hosting, short links), pushing defenders to treat web telemetry and identity signals as first-class forensic evidence.

Finally, the Black Axe arrests highlight how cyber-enabled fraud is dismantled through cross-border coordination and financial attribution, making disciplined logging, evidence preservation, and repeatable investigative playbooks indispensable across both enterprise and law enforcement contexts.

Tags

DFIR, incident response, data breach, credential harvesting, APT28, phishing, Microsoft 365, access governance, fraud investigations, Europol, money laundering, consumer data leak
