Threat Brief | Two Threats Every Small Business Should Know About This Week
Story 1: BitLocker just got bypassed with a USB drive and a reboot.
Microsoft disclosed CVE-2026-45585, dubbed YellowKey, a zero-day that lets an attacker with physical access bypass BitLocker full-disk encryption without the encryption key, in a matter of minutes. The attack stages specially crafted files on a USB drive, reboots the device into the Windows Recovery Environment (WinRE), and spawns a shell with unrestricted access to the protected volume. No patch is available yet. Windows 11 and Windows Server 2025 are both affected.
"We have BitLocker" is no longer a complete answer. The vulnerable configuration is TPM-only mode, which is what most organizations run because it is the default: the TPM releases the volume key automatically during boot, with no secret from the user, so whoever can boot the machine gets the volume unlocked for them. A stolen laptop from a car, an unattended machine at a trade show, a device left at the front desk: all of them are open books until Microsoft ships a fix.
What to do now: Require a BitLocker startup PIN (TPM + PIN) on any device that leaves the office. The setting is the "Require additional authentication at startup" policy, a five-minute change, with one caveat: the policy only governs how new volumes are encrypted. A volume already encrypted in TPM-only mode keeps its TPM protector until you replace it with a TPM + PIN protector, and you should back up the recovery password before you do, because a forgotten PIN is otherwise unrecoverable.
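The change above, as an added example that is not part of the original brief: the script sets the local "Require additional authentication at startup" policy so that TPM-only is no longer allowed, then upgrades the OS volume from a TPM protector to a TPM + PIN protector. It assumes the OS volume is C:, that policy is applied through the local FVE registry values rather than a domain GPO or Intune profile (on a managed fleet, set the same values there), and that it runs in an elevated PowerShell session on the endpoint. The registry value names, the Get-BitLockerVolume and Add-BitLockerKeyProtector cmdlets, and the rule that a TPM + PIN protector replaces the existing TPM protector on a volume are standard Windows behaviour, not anything from the page.

```powershell
# Added example (not from the original brief). Run elevated on the endpoint.
# Assumption: OS volume is C: and policy is set locally under the FVE key.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null

# "Require additional authentication at startup". Each sub-option takes
# 0 = do not allow, 1 = require, 2 = allow. TPM-only is set to "do not allow".
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 0 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord   # TPM only: blocked
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord   # TPM + PIN: required
Set-ItemProperty -Path $fve -Name UseTPMKey          -Value 0 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Value 0 -Type DWord
# "Configure minimum PIN length for startup": raise it from the default of 6.
Set-ItemProperty -Path $fve -Name MinimumPIN         -Value 8 -Type DWord

# Policy alone does not touch an already-encrypted volume, so inspect its protectors.
$vol   = Get-BitLockerVolume -MountPoint 'C:'
$types = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { $_.ToString() })

if ($types -contains 'TpmPin') {
    Write-Host 'C: already requires a startup PIN. Nothing to do.'
}
elseif ($types -contains 'Tpm') {
    # Show the recovery password protector ID so it can be confirmed as backed up
    # (in AD/Entra or your escrow) before the PIN becomes mandatory at boot.
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { Write-Host "Recovery password protector: $($_.KeyProtectorId)" }

    # The PIN must be a SecureString; Read-Host keeps it out of the console history.
    $pin = Read-Host -Prompt 'New startup PIN (8+ digits)' -AsSecureString

    # Adding a TPM+PIN protector replaces the TPM-only protector on the volume,
    # so after this the TPM will not unseal the key without the PIN.
    Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin | Out-Null
    Write-Host 'TPM + PIN protector added. The PIN is required from the next cold boot.'
}
else {
    Write-Warning "C: has protectors [$($types -join ', ')]; no TPM protector to upgrade."
}
```

The audit branch is the part worth keeping around: run the Get-BitLockerVolume check across the fleet (via your RMM or a scheduled task) and treat any laptop whose protectors list contains Tpm but not TpmPin as still exposed, regardless of what the policy object says.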
Story 2: One compromised login. Everything connected to it — gone.
ShinyHunters breached Instructure's Canvas platform twice in ten days in May 2026, exfiltrating roughly 3.6 terabytes of data belonging to an estimated 275 million users across nearly 9,000 institutions. Instructure paid a $10 million ransom and received confirmation that the data had been destroyed; four days later, every Canvas login page displayed a ransom note.
The method matters more than the victim count. The pattern across ShinyHunters-linked incidents is consistent: compromise an account, establish persistence by registering their own MFA method on it, pivot across SSO-connected applications, and steal data. The initial access is a phone call, someone impersonating IT support, and once the account is theirs they own everything that account touches.
For small businesses, that's Microsoft 365, QuickBooks, your CRM, your file storage. One call to the wrong employee on a Friday afternoon is all it takes.
What to do now: Enable phishing-resistant MFA (FIDO2 hardware keys or passkeys) on your most critical accounts, starting with anyone who holds an admin role. Train your team to verify any IT support call by hanging up and calling back on a known number before changing credentials, approving an MFA prompt, or registering a new authenticator. And watch the audit log for the persistence step: a new MFA method registered from an address the user has never signed in from is the earliest signal you will get.
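The detection described above, as an added example that is not from the brief or from any vendor: it runs over a handful of constructed Entra ID sign-in and audit records and flags security-info changes (MFA registrations, deletions, default-method changes) that were initiated from an IP address the user had not signed in from during the preceding baseline window. The record field names follow the Microsoft Graph signIns and directoryAudits shapes (createdDateTime, activityDisplayName, initiatedBy.user), and the activity strings are the ones Entra emits for security-info changes; both are assumptions of this example, and the sample data is invented.

```powershell
# Added example (not from the original brief). Detection over constructed sample records;
# field names mirror the Graph signIns / directoryAudits shape (an assumption here).

function Find-SuspiciousMfaChange {
    param(
        [object[]]$SignIns,        # userPrincipalName, ipAddress, createdDateTime
        [object[]]$AuditEvents,    # activityDisplayName, activityDateTime, initiatedBy.user
        [int]$BaselineDays = 30
    )
    $watch = @('User registered security info',
               'User deleted security info',
               'User changed default security info')

    foreach ($e in ($AuditEvents | Where-Object { $watch -contains $_.activityDisplayName })) {
        $when = [datetime]$e.activityDateTime
        $upn  = $e.initiatedBy.user.userPrincipalName
        $ip   = $e.initiatedBy.user.ipAddress

        # Baseline: every IP this user signed in from in the window before the change.
        $known = @($SignIns |
            Where-Object {
                $_.userPrincipalName -eq $upn -and
                [datetime]$_.createdDateTime -lt $when -and
                [datetime]$_.createdDateTime -gt $when.AddDays(-$BaselineDays)
            } |
            Select-Object -ExpandProperty ipAddress -Unique)

        # A change from an address outside the baseline is the "persistence" step
        # in the pattern above; a deletion is flagged regardless of origin.
        $offBaseline = $known -notcontains $ip
        $isDeletion  = $e.activityDisplayName -eq 'User deleted security info'
        if ($offBaseline -or $isDeletion) {
            [pscustomobject]@{
                User     = $upn
                When     = $when.ToString('u')
                Change   = $e.activityDisplayName
                From     = $ip
                KnownIPs = ($known -join ', ')
                Reason   = if ($offBaseline) { 'new source IP' } else { 'method removed' }
            }
        }
    }
}

# --- Constructed sample data: two users, one of them vished on a Friday afternoon ---
$signIns = @(
    [pscustomobject]@{ userPrincipalName='kim@example.com'; ipAddress='203.0.113.8';   createdDateTime='2026-05-04T09:01:00Z' }
    [pscustomobject]@{ userPrincipalName='kim@example.com'; ipAddress='203.0.113.8';   createdDateTime='2026-05-07T08:55:00Z' }
    [pscustomobject]@{ userPrincipalName='kim@example.com'; ipAddress='198.51.100.77'; createdDateTime='2026-05-08T15:41:00Z' }  # attacker, after the call
    [pscustomobject]@{ userPrincipalName='lee@example.com'; ipAddress='203.0.113.8';   createdDateTime='2026-05-08T10:10:00Z' }
)
$audit = @(
    [pscustomobject]@{ activityDisplayName='User registered security info'; activityDateTime='2026-05-08T15:44:00Z'
                       initiatedBy=@{ user=@{ userPrincipalName='kim@example.com'; ipAddress='198.51.100.77' } } }
    [pscustomobject]@{ activityDisplayName='User registered security info'; activityDateTime='2026-05-08T10:12:00Z'
                       initiatedBy=@{ user=@{ userPrincipalName='lee@example.com'; ipAddress='203.0.113.8' } } }
)

Find-SuspiciousMfaChange -SignIns $signIns -AuditEvents $audit | Format-Table -AutoSize
# Only kim's registration is reported: it came from 198.51.100.77, which is absent
# from her 30-day baseline of 203.0.113.8. lee registered from a known address.
```

Against a real tenant the two arrays come from Get-MgAuditLogSignIn and Get-MgAuditLogDirectoryAudit in the Microsoft Graph PowerShell module, filtered to the same window. The IP baseline is a heuristic, not proof: an attacker on a residential proxy in the user's own city still produces a new address, which is why the rule fires on "new", not "far away", and why a hit should trigger a callback to the user on a known number rather than an automatic block.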
netMethods helps Southern California businesses lock down endpoints, harden cloud accounts, and build security habits that hold. See our cybersecurity services →