ISSUE 13 | When Approved Doesn’t Mean Safe
Security Conscience: Enterprise Cyber Weekly
Issue #13 • Week of March 25, 2026
Security Tip of the Week 🔐
Treat Certifications as Starting Points, Not Endpoints

The scene that stays with me from the ProPublica investigation is the authorization letter itself. FedRAMP had spent nearly five years trying to get basic documentation from Microsoft. Its own reviewers described what they couldn’t verify as “unknown unknowns.” And the decision to authorize came not because the questions were resolved, but because so many federal agencies were already using the product that rejection was politically untenable.

“Too embedded to reject” is a posture most enterprise security teams will recognize. The legacy platform that hasn’t been audited in three years because the migration is too complex. The SaaS tool with broad data access that no one revisited after initial onboarding. The vendor relationship that predates the current CISO by two leadership transitions. Authorization outlasts verification. The gap accumulates.

This week is full of that gap. Attackers aren’t breaking through new defenses. They’re stepping through the ones we stopped checking.

Federal Experts Called Microsoft’s Cloud a “Pile of Shit.” Then Approved It.

TLDR
ProPublica revealed that FedRAMP authorized Microsoft’s Government Community Cloud High in December 2024, five years after beginning a review that never produced the basic security documentation reviewers requested. The program approved the product not because its questions were answered but because the technology had already spread so far through federal agencies that rejection was deemed politically untenable.

Why It Matters to Enterprises
The FedRAMP label functions as a proxy for security due diligence in most enterprise cloud purchasing decisions, and for many organizations it is the only layer of vendor validation they perform. This investigation shows that proxy was broken for GCC High. FedRAMP’s own reviewers couldn’t obtain basic data flow documentation for five years; independent assessors privately admitted they couldn’t properly evaluate the product; and the authorization was ultimately driven by political and commercial pressure, not technical resolution. Every organization using Microsoft government cloud products has been operating under security assumptions that the federal government’s own experts couldn’t verify, and likely still can’t.

What to Do This Week
Voice Phishing Now 11% of Intrusions as Email Phishing Falls to 6%
Source: https://cyberscoop.com/social-engineering-surge-intrusion-vector-mandiant-m-trends/

What Happened
Voice-based phishing jumped to 11% of all intrusions in 2025, per Mandiant’s M-Trends report, while email phishing fell to just 6%, down from 22% in 2022 and 14% in 2024. Attackers are calling IT help desks under false pretenses, impersonating employees to request password resets or MFA bypass approvals. Scattered Spider and similar groups have built entire breach campaigns around this tactic, achieving full enterprise compromise through a single convincing phone call.

Why It Matters
Your MFA configuration, your help desk verification procedures, and your account recovery workflows are all active attack surfaces now, not just your inbox filters. You can’t filter, quarantine, or sandbox a phone call, which is exactly why voice phishing exploits human judgment more effectively than any email campaign. Exploited vulnerabilities still lead at 32%, but voice phishing is where the most targeted campaigns are landing, specifically because organizations have over-invested in email security and under-invested in identity verification at the service desk. If your help desk can bypass MFA on a verbal request, that bypass is an attack vector.

Interlock Ransomware Enters Enterprise Networks Through Cisco Firewall Zero-Day
Source: https://fortiguard.fortinet.com/outbreak-alert/interlock-ransomware

What Happened
An active Interlock ransomware campaign is exploiting CVE-2026-20131, a critical vulnerability in Cisco Secure Firewall Management Center enabling unauthenticated remote code execution, with Amazon threat intelligence identifying exploitation that had been underway for over a month before public disclosure. From the compromised firewall management console, attackers deploy a multi-stage chain of fileless implants, custom malware, and remote access tooling. The campaign prioritizes stealth and extensive reconnaissance before ransomware deployment, with double extortion as the objective.

Why It Matters
Firewall management platforms carry disproportionate trust inside enterprise networks. An attacker with access to Cisco FMC doesn’t just have a foothold in one host; they have visibility into your entire network security policy, the ability to modify access controls, and a trusted path through your infrastructure. This campaign repeats a pattern from several recent issues: the perimeter security platform is now the target, not just the barrier, and it typically receives less scrutiny than the assets it protects. The question isn’t only whether you’ve patched this CVE but whether your firewall management interfaces should be internet-accessible at all.

Quick Hits

North Korean Hackers Weaponizing VS Code Workspace Configs to Deploy Malware
North Korean threat actors are embedding auto-executing malware in VS Code project configs, targeting developers with a stealer and RAT that fires every time the workspace is opened. Microsoft shipped a mitigation in January that disables automatic tasks by default, but only in VS Code version 1.109 or newer, so confirm your teams are running it.
https://thehackernews.com/2026/03/north-korean-hackers-abuse-vs-code-auto.html

Stolen Premium AI Accounts Are Now a Market Commodity
Underground forums are selling stolen premium AI platform credentials in bulk, advertising lower prices and fewer content restrictions. The risk isn’t just the subscription cost; your employees’ active AI sessions may contain enterprise context, conversations, and data that outlasts the account.
https://www.bleepingcomputer.com/news/security/paid-ai-accounts-are-now-a-hot-underground-commodity/

FCC Bans New Foreign-Made Routers Over National Security Concerns
The FCC added all foreign-manufactured routers to its national security banned list, halting new model sales in the U.S. No immediate impact on existing devices, but Volt, Flax, and Salt Typhoon all used foreign consumer-grade routers as enterprise entry points; if you don’t have visibility into where that hardware lives in your environment, this is a reasonable week to look.
https://www.bleepingcomputer.com/news/security/fcc-bans-new-routers-made-outside-the-usa-over-security-risks/

Wrapping it up
The reflex after a week like this is to build another checklist. Patch the vulnerability. Tighten the help desk policy. Verify the software versions. Those are all reasonable things to do. But they don’t address the structural pattern underneath: trust accumulates in organizations faster than verification does.

There’s a reason for this. Every new vendor, platform, and certification starts with a review. That review generates confidence. The confidence travels forward in time. The review doesn’t. Five years later, the original assessment is still being cited, even if the system has grown, changed, or never delivered what reviewers originally asked for. “We vetted that in 2020” is doing a lot of work in a lot of organizations right now.

The question worth carrying into next week isn’t how to fix any single control. It’s how often your organization actually verifies what it has approved. Certification is a moment in time. Security is not. Most of the risk you’re carrying right now isn’t in the things you’re worried about. It’s in the things that were signed off and never revisited.

📬 Worth Sharing?
If this week’s edition made you think differently about something, consider forwarding it to a colleague who’d appreciate a no-hype take on enterprise security. We’re building this one reader at a time.
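Returning to the VS Code Quick Hit above: a defender-side check, added here as an example and not code from the newsletter or from Microsoft, that walks a tree of source checkouts for .vscode/tasks.json files containing tasks set to run on folder open (VS Code's `runOptions.runOn: "folderOpen"` trigger) and reports what each would execute. The sample tasks.json and the ./.vscode/setup.js path in it are constructed for the demo.

```python
# Added example (not newsletter or Microsoft code): flag VS Code workspace tasks that
# run automatically on folder open, i.e. runOptions.runOn == "folderOpen" in tasks.json.
import json
import re
from pathlib import Path

AUTO_RUN = "folderOpen"  # VS Code's trigger for running a task when the folder opens

def strip_jsonc(text: str) -> str:
    """tasks.json is JSON-with-comments: drop comments and trailing commas first."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)      # /* block */ comments
    text = re.sub(r"(?m)^[ \t]*//.*$", "", text)            # full-line // comments
    return re.sub(r",(\s*[}\]])", r"\1", text)              # trailing commas

def find_auto_tasks(tasks_json: str) -> list[dict]:
    """Return every task that fires on folder open, with the command it would run."""
    hits = []
    for task in json.loads(strip_jsonc(tasks_json)).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != AUTO_RUN:
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        hits.append({"label": task.get("label", "<unnamed>"), "type": task.get("type", ""),
                     "command": " ".join(p for p in parts if p)})
    return hits

def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Walk a directory of checkouts and collect auto-run tasks per tasks.json found."""
    findings = {}
    for cfg in root.rglob(".vscode/tasks.json"):
        try:
            hits = find_auto_tasks(cfg.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:  # unreadable/malformed: report, don't skip
            hits = [{"label": "<parse error>", "type": "", "command": str(exc)}]
        if hits:
            findings[str(cfg)] = hits
    return findings

# Constructed sample: a benign build task plus one that auto-runs a script from the repo.
SAMPLE_TASKS_JSON = """{
  // comments and trailing commas are accepted by VS Code, so the parser must cope
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "make" },
    { "label": "setup", "type": "shell",
      "command": "node", "args": ["./.vscode/setup.js"],
      "runOptions": { "runOn": "folderOpen" },
    },
  ]
}"""
```

Run it against a workspace root with scan_tree(Path("/path/to/checkouts")); each finding names the task and the command line VS Code would run on open, which is what to review before opening the folder with automatic tasks enabled.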
