Friday, January 30, 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 2026-01-24 12:00 to 2026-01-26 12:00 (UTC)

Snapshot Summary

Sector / Section                Headline Highlights                                                  Count
DFIR & Incident Response        OOB patch triage; boot-failure forensics                             2
Cyber Investigations            Scam-center repatriations; evidence handoffs                         2
Major Cyber Incidents           DynoWiper in EU; retail leak pressure                                2
Exploits & Threat Intelligence  FortiCloud SSO abuse; vCenter KEV adds                               2
Law Enforcement                 none this window                                                     0
Policy                          NHS supplier assurance; AU smart-device rules; KR breach scrutiny    3
Standards & Compliance          none this window                                                     0
Consumer App Data Leaks         Retail emails exposed; education accounts accessed                   2

Digital Forensics & Incident Response

Microsoft releases emergency OOB update to fix Outlook freezes — Microsoft issued an out-of-band Windows update to address widespread Outlook and app-freeze reports tied to January cumulative updates, with affected users reporting hangs during routine email workflows [AMER]. For DFIR teams, confirming and documenting the precise KB state helps separate true compromise indicators from patch regressions, preserves accurate timelines for ticket surges, and supports safer triage on machines where repeated force-restarts could overwrite volatile artefacts. (Source: BleepingComputer, 25-01-2026).

Microsoft investigates Windows 11 boot failures after January updates — Microsoft said some Windows 11 devices may fail to boot after January security updates, with users reporting “UNMOUNTABLE_BOOT_VOLUME” and recovery loops following installation [AMER]. This matters to responders because availability incidents can become evidence-loss events: teams should image disks before repeated repair attempts, record update/driver baselines, and coordinate rollback steps to minimize artefact destruction while keeping systems recoverable for later root-cause analysis. (Source: BleepingComputer, 25-01-2026).
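Both items above reduce to the same first step: pin down which updates landed when, and whether the freezes or boot failures began only after them. The script below is an added example, not code from the article or from Microsoft. It assumes the analyst has already exported System-log records to JSON (for instance with Get-WinEvent piped to ConvertTo-Json; the load_events path is the analyst's own choice), works on constructed sample records, and uses KB0000001 and KB0000002 as placeholder KB numbers standing in for the January cumulative update and the out-of-band fix. The provider names and event IDs it keys on (WindowsUpdateClient 19/20, Kernel-Power 41, WER-SystemErrorReporting 1001) are the real Windows ones.

```python
"""Update/instability timeline for Windows hosts hit by the January update
problems.  Added example, not code from the article or from Microsoft.

Input records mirror the shape of
  Get-WinEvent -LogName System | Select TimeCreated,Id,ProviderName,Message | ConvertTo-Json
SAMPLE_EVENTS is constructed, and KB0000001 / KB0000002 are placeholder KB
numbers standing in for the January cumulative update and the out-of-band fix.
"""
from __future__ import annotations

import json
import re
from datetime import datetime

# Real Windows event sources (provider, ID) this triage relies on.
UPDATE_PROVIDER = "Microsoft-Windows-WindowsUpdateClient"  # ID 19 = installed, 20 = install failed
INSTABILITY = {
    ("Microsoft-Windows-Kernel-Power", 41),                 # reboot without a clean shutdown
    ("Microsoft-Windows-WER-SystemErrorReporting", 1001),   # bugcheck recorded after restart
}
KB_RE = re.compile(r"\bKB\d{6,8}\b")

SAMPLE_EVENTS = [  # constructed records, deliberately out of order; the code sorts them
    {"TimeCreated": "2026-01-25T18:05:00Z", "Id": 19, "ProviderName": UPDATE_PROVIDER,
     "Message": "Installation Successful: Windows successfully installed the following update: "
                "2026-01 Out-of-band Update for Windows 11 (KB0000002)"},
    {"TimeCreated": "2026-01-19T14:02:33Z", "Id": 1001,
     "ProviderName": "Microsoft-Windows-WER-SystemErrorReporting",
     "Message": "The computer has rebooted from a bugcheck. The bugcheck was: 0x000000ed"},
    {"TimeCreated": "2026-01-16T09:40:11Z", "Id": 41, "ProviderName": "Microsoft-Windows-Kernel-Power",
     "Message": "The system has rebooted without cleanly shutting down first."},
    {"TimeCreated": "2026-01-14T03:12:00Z", "Id": 19, "ProviderName": UPDATE_PROVIDER,
     "Message": "Installation Successful: Windows successfully installed the following update: "
                "2026-01 Cumulative Update for Windows 11 (KB0000001)"},
    {"TimeCreated": "2026-01-10T07:00:00Z", "Id": 4624, "ProviderName": "Microsoft-Windows-Security-Auditing",
     "Message": "An account was successfully logged on."},  # unrelated noise, ignored
]


def parse_time(value: str) -> datetime:
    """ISO-8601 timestamp with a trailing Z, as ConvertTo-Json emits for UTC times."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_events(path: str) -> list[dict]:
    """Read a JSON export of event records (the export path is the analyst's choice)."""
    with open(path, encoding="utf-8-sig") as fh:  # PowerShell writes a BOM by default
        return json.load(fh)


def kb_installs(events: list[dict]) -> dict[str, tuple[datetime, str]]:
    """KB -> (time, status): first successful install if any, else first failed attempt."""
    installs: dict[str, tuple[datetime, str]] = {}
    for ev in sorted(events, key=lambda e: parse_time(e["TimeCreated"])):
        if ev["ProviderName"] != UPDATE_PROVIDER or ev["Id"] not in (19, 20):
            continue
        status = "installed" if ev["Id"] == 19 else "failed"
        for kb in KB_RE.findall(ev["Message"]):
            if kb not in installs or (installs[kb][1] == "failed" and status == "installed"):
                installs[kb] = (parse_time(ev["TimeCreated"]), status)
    return installs


def _installed_at(installs: dict, kb: str):
    hit = installs.get(kb)
    return hit[0] if hit and hit[1] == "installed" else None


def triage(events: list[dict], cumulative_kb: str, oob_kb: str) -> dict:
    """Document KB state and place every instability event before/after the CU and the OOB fix."""
    installs = kb_installs(events)
    cu_time = _installed_at(installs, cumulative_kb)
    oob_time = _installed_at(installs, oob_kb)
    crashes = sorted(parse_time(e["TimeCreated"]) for e in events
                     if (e["ProviderName"], e["Id"]) in INSTABILITY)
    before = after = after_oob = 0
    if cu_time is None:
        verdict = "cu-not-installed"            # cannot be a regression of a CU that is absent
    else:
        before = sum(t < cu_time for t in crashes)
        after_oob = sum(oob_time is not None and t >= oob_time for t in crashes)
        after = len(crashes) - before - after_oob
        if before:
            verdict = "predates-cu"             # trouble started before the patch: look elsewhere
        elif after_oob:
            verdict = "persists-after-oob"      # vendor fix is on and the host still falls over
        elif after:
            verdict = "regression-consistent"   # timing fits the known regression; not proof of cause
        else:
            verdict = "no-instability"
    return {
        "kb_state": {kb: status for kb, (_, status) in installs.items()},
        "cu_installed_at": cu_time.isoformat() if cu_time else None,
        "oob_installed_at": oob_time.isoformat() if oob_time else None,
        "first_instability": crashes[0].isoformat() if crashes else None,
        "instability_before_cu": before,
        "instability_after_cu": after,
        "instability_after_oob": after_oob,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS, "KB0000001", "KB0000002"), indent=2))
```

Run it before any repair loop: the kb_state block is the record to attach to the ticket, and the verdict only says how the timing lines up. "regression-consistent" means the instability fits the known regression, not that nothing else happened; "predates-cu" or "persists-after-oob" is the cue to image the disk first and treat the host as a proper investigation rather than a patch casualty.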

Cyber Investigations

South Korea police detain scam suspects repatriated from Cambodia — South Korean police detained 55 suspects from a group repatriated from Cambodia as part of a large online-fraud investigation, with authorities assessing charges and detention for additional returnees [APAC]. For investigators, the case highlights the operational importance of rapid evidence handoffs—device imaging, account attribution, and money-flow tracing—so cross-border preservation requests capture chat logs, SIM records, and exchange data before suspects can launder proceeds or wipe cloud accounts. (Source: Reuters, 26-01-2026).

South Korea repatriates suspects in $33 million online scam probe — South Korea repatriated 73 suspects from Cambodia linked to alleged scam-center operations that police say targeted hundreds of victims and included AI-enabled impersonation elements in some lures [APAC]. The DFIR and investigations value is in collection strategy: preserve synthetic-media samples, actor accounts, and call/VoIP metadata alongside financial trails, then align victimology with platform telemetry to map infrastructure reuse and improve attribution across scam “franchises.” (Source: Reuters, 23-01-2026).

Major Cyber Incidents

ESET links Sandworm to attempted power-sector attack using DynoWiper — ESET reported that Sandworm was behind a late-2025 attempted attack on Polish power-sector targets and analyzed a wiper it named DynoWiper used in the operation [EMEA]. For incident handlers, destructive tooling changes the playbook: prioritize staging and privilege pathways, collect OT-safe artefacts without disrupting operations, and treat “failed” attacks as reconnaissance for future campaigns that may reappear with tuned payloads and improved access. (Source: ESET Research, 23-01-2026).

Nike probes potential incident after extortion group threatens data leak — Nike said it is investigating claims by the WorldLeaks group that company data was stolen, with extortion pressure reportedly centered on publishing alleged files rather than pure ransomware encryption [AMER]. For DFIR leaders, the practical takeaway is disciplined validation: preserve logs and DLP telemetry early, evaluate third-party access and token exposure, and prepare breach communications and legal workflows to handle proof-of-compromise demands without disclosing investigative details that could aid attackers. (Source: SecurityWeek, 24-01-2026).

Exploits & Threat Intelligence

Fortinet confirms active FortiCloud SSO-related abuse impacting FortiGate admins — Fortinet warned of active abuse tied to FortiCloud SSO behavior that can enable attacker persistence and configuration export in certain scenarios, even where admins believe systems are already “patched” [GLOBAL]. This matters because firewall configuration theft accelerates follow-on compromise: defenders should audit new admin accounts, review SSO and config-export events, rotate exposed secrets, and validate that remote management and cloud-login settings match current vendor hardening guidance. (Source: The Hacker News, 23-01-2026).
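To turn the checks above into something repeatable, here is an added Python example (not code from the article or from Fortinet) that walks FortiGate event-log lines looking for admin logins that arrived through cloud SSO, additions or edits under system.admin, and configuration backup/export events, and then chains a sensitive action back to an SSO login by the same administrator inside a 30-minute window. The log lines are constructed; the logid values, the exact logdesc wording and the "sso"/"forticloud" and "backup"/"export" markers are assumptions to confirm against the FortiOS version in use before relying on them.

```python
"""Review FortiGate event logs for the three things the advisory tells admins to
check: admin logins arriving through cloud SSO, additions/edits under
system.admin, and configuration backups/exports, chained per administrator.
Added example, not code from the article or from Fortinet.

Lines follow FortiGate's key=value event-log layout.  SAMPLE_LOG is constructed;
the logid values, the exact logdesc wording and the SSO/export markers are
assumptions to confirm against the FortiOS version in use.
"""
from __future__ import annotations

import re
from collections import Counter
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')        # key=value or key="quoted value"
SSO_RE = re.compile(r"\bsso\b|forticloud", re.IGNORECASE)    # assumption: how a cloud-SSO login is labelled
EXPORT_RE = re.compile(r"backup|export", re.IGNORECASE)      # assumption: wording of config backup/export
CHAIN_WINDOW = timedelta(minutes=30)                         # SSO login -> sensitive action inside this gap

SAMPLE_LOG = [  # constructed; addresses are RFC 5737 test ranges
    'date=2026-01-24 time=08:02:11 logid="0100032001" type="event" subtype="system" level="information" '
    'vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" '
    'srcip=10.0.0.5 action="login" status="success" profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2026-01-24 time=23:41:07 logid="0100032001" type="event" subtype="system" level="information" '
    'vd="root" logdesc="Admin login successful" user="admin" ui="FortiCloud SSO(203.0.113.7)" method="sso" '
    'srcip=203.0.113.7 action="login" status="success" profile="super_admin" '
    'msg="Administrator admin logged in successfully from FortiCloud SSO(203.0.113.7)"',
    'date=2026-01-24 time=23:43:52 logid="0100044547" type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object attribute configured" user="admin" ui="FortiCloud SSO(203.0.113.7)" '
    'action="Add" cfgtid=1180 cfgpath="system.admin" cfgobj="svc_monitor" '
    'cfgattr="accprofile[super_admin]" msg="Add system.admin svc_monitor"',
    'date=2026-01-24 time=23:45:18 logid="0100032104" type="event" subtype="system" level="information" '
    'vd="root" logdesc="Configuration backup" user="admin" ui="FortiCloud SSO(203.0.113.7)" '
    'action="backup" status="success" msg="Configuration backup by admin via FortiCloud SSO(203.0.113.7)"',
    'date=2026-01-25 time=02:10:40 logid="0100032002" type="event" subtype="system" level="alert" '
    'vd="root" logdesc="Admin login failed" user="admin" ui="https(198.51.100.9)" method="https" '
    'srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid" '
    'msg="Administrator admin login failed from https(198.51.100.9) due to invalid password"',
    'date=2026-01-25 time=09:00:00 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.0.0.8 dstip=198.51.100.1 action="accept"',
]


def parse_line(line: str) -> dict:
    """Split a FortiGate key=value line into a dict; _ts carries the parsed date+time."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if "date" in rec and "time" in rec:
        rec["_ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec


def _text(rec: dict, *fields: str) -> str:
    return " ".join(rec.get(f, "") for f in fields)


def classify(rec: dict) -> str | None:
    """Name the review category a record belongs to, or None if it is not of interest."""
    if rec.get("type") != "event":
        return None
    if rec.get("cfgpath") == "system.admin" and rec.get("action") in ("Add", "Edit"):
        return "admin-account-change"
    if rec.get("action") == "login" and rec.get("status") == "success":
        return "sso-admin-login" if SSO_RE.search(_text(rec, "ui", "method", "logdesc", "msg")) else None
    if EXPORT_RE.search(_text(rec, "logdesc", "action", "msg")):
        return "config-export"
    return None


def review(lines: list[str]) -> list[dict]:
    """Classify lines in time order and chain sensitive actions to a recent SSO login by the same user."""
    records = sorted((r for r in map(parse_line, lines) if "_ts" in r), key=lambda r: r["_ts"])
    findings: list[dict] = []
    last_sso: dict[str, datetime] = {}
    for rec in records:
        cat = classify(rec)
        if cat is None:
            continue
        user = rec.get("user", "")
        base = {"user": user, "ui": rec.get("ui"), "time": rec["_ts"].isoformat(), "object": rec.get("cfgobj")}
        findings.append({"category": cat, **base})
        if cat == "sso-admin-login":
            last_sso[user] = rec["_ts"]
        elif user in last_sso and rec["_ts"] - last_sso[user] <= CHAIN_WINDOW:
            findings.append({"category": f"sso-then-{cat}", **base})  # the chain the advisory warns about
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f)
    print(summarize(review(SAMPLE_LOG)))
```

Feed it the event-log export from the FortiGate or the SIEM rather than trusting the GUI's admin list: an "sso-then-admin-account-change" or "sso-then-config-export" finding is the pairing to pull first, and any cfgobj it names that nobody recognises should be treated as attacker persistence until shown otherwise, with the exported configuration's embedded secrets rotated on that assumption.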

CISA adds VMware vCenter CVE-2024-37079 to KEV amid exploitation reports — CISA added VMware vCenter Server CVE-2024-37079 to the Known Exploited Vulnerabilities catalog, signaling confirmed exploitation activity and driving faster federal remediation expectations [AMER]. For defenders, vCenter is a blast-radius multiplier: prioritize patch validation, hunt for suspicious admin actions and plugin changes, and assume that a compromised management plane can pivot rapidly into hypervisors, identity services, and backups unless segmentation and privileged monitoring are in place. (Source: The Hacker News, 24-01-2026).

Law Enforcement

Policy

NHS suppliers required to prove cyber security compliance — UK health-sector reporting says NHS England and DHSC are moving to require suppliers to evidence cyber controls under the Cyber Security Supply Chain Charter as part of stronger assurance [EMEA]. For cyber and DFIR teams at vendors, this raises the bar on “audit-ready IR”: maintain current control evidence, logging/MFA baselines, incident notification workflows, and tabletop records so supply-chain scrutiny does not slow response during outages or create contractual exposure after incidents. (Source: Digital Health, 26-01-2026).

Australia’s smart-device cybersecurity rules begin 4 March 2026 — An industry briefing summarizes Australia’s Cyber Security (Security Standards for Smart Devices) Rules 2025, noting mandatory requirements such as unique passwords, support-period disclosure, and vulnerability reporting from 4 March 2026 [APAC]. This matters because compliance becomes operational: product teams should align inventories to support lifecycles, formalize disclosure and patch channels, and ensure telemetry and update pipelines can satisfy regulator expectations while giving responders reliable artefacts for post-incident analysis. (Source: Nemko, 23-01-2026).

South Korea says Coupang data-breach probe is not a trade issue — South Korea’s trade envoy told the U.S. Trade Representative that the investigation following a mass customer data breach disclosure involving Coupang is a domestic legal matter, amid scrutiny of the U.S.-listed firm [APAC]. For incident leadership, the lesson is governance under pressure: preserve defensible timelines and evidence holds, coordinate regulator-facing narratives early, and expect breach response to intersect with market, legal, and diplomatic stakeholders as public interest escalates. (Source: Reuters, 24-01-2026).

Standards & Compliance

Consumer App Data Leaks

Under Armour investigates breach claims affecting customer emails — Under Armour said it is investigating breach claims involving customer email addresses and related profile data; reporting points to a large dataset, but broader exposure has not been confirmed [AMER]. This matters because leaked emails supercharge phishing and credential-stuffing: defenders should raise alerting for brand-impersonation campaigns, harden account-recovery paths, and monitor support channels for social-engineering attempts that use the exposed profile attributes to pass identity checks. (Source: AP News, 23-01-2026).

OVIC opens investigation into cyber incident at Victoria’s Department of Education — Victoria’s privacy regulator said it commenced an investigation into a Department of Education cyber incident involving unauthorized access to student details such as names, emails, school identifiers, year levels, and encrypted passwords [APAC]. For cyber teams, the key is identity containment at scale: enforce resets and token revocation, watch for reuse across education platforms, and prepare long-tail monitoring for student-targeted scams and account-takeover attempts that may emerge months after initial access. (Source: OVIC, 22-01-2026).

Editorial Perspective

This cycle shows how patching friction can quickly become an incident-response problem, where outages, boot failures, and emergency fixes raise the risk of evidence loss if recovery steps aren’t controlled and documented.

Threat actors are still prioritizing high-leverage control points—SSO paths, firewall management, and vCenter—because configuration access and management-plane compromise can translate into rapid lateral movement and long-lived persistence.

Meanwhile, APAC scam-center investigations and emerging supplier and smart-device policy measures reinforce a single operational theme: strong inventories, preservation discipline, and audit-ready narratives are becoming as important as technical containment.

Tags

DFIR, incident response, Windows updates, out-of-band patch, boot failure, FortiGate, FortiCloud SSO, VMware vCenter, KEV, Sandworm, DynoWiper, supply chain assurance
