This Week''s Cyber Pulse — July 13, 2026
Your weekly intelligence brief for small and mid-size businesses. Sourced, rated, and written in plain English.
Threat Roundup
🔴 CRITICAL: Microsoft SharePoint Server RCE Actively Exploited (CVE-2026-30147)
Microsoft disclosed a critical remote code execution vulnerability in on-premises SharePoint Server that is being actively exploited in the wild. The vulnerability allows an unauthenticated attacker to take full control of a SharePoint Server with a single crafted HTTP request. CISA has added it to the Known Exploited Vulnerabilities catalog with a remediation deadline.
Why this matters to SMBs: SharePoint is the document and intranet backbone for thousands of small businesses running Microsoft 365 hybrid or fully on-prem deployments. Many SMBs outsourced SharePoint administration years ago and have no current patching cadence or inventory of their SharePoint instances.
What to do immediately:
- Inventory all internet-facing SharePoint Server instances (port 443). Most SMBs don''t know how many they have.
- Apply Microsoft''s July 2026 security patch within 72 hours. This is actively being exploited.
- If you can''t patch within 72 hours, take internet-facing SharePoint offline until you can.
- Move file sharing to SharePoint Online if you operate hybrid — the SaaS version is patched automatically by Microsoft.
Severity: Critical | Affected: SMBs running on-premises SharePoint Server 2016/2019/SE | Source: CISA KEV Catalog (added July 7, 2026), Microsoft Security Response Center
🔴 HIGH: AI Phishing 2.0 — Voice Cloning + Real-Time Translation Bypass MFA Reset
The next-generation phishing attack is here. Threat actors are using AI voice cloning to call a target''s IT helpdesk, impersonating the target''s voice (cloned from a 30-second sample harvested from a social media video or conference recording), and requesting an MFA reset. Combined with real-time language translation, the attack works across geographic and language barriers.
Last week, CrowdStrike disclosed three incidents where SMB employees'' MFA was successfully reset via this technique. In one case, the attacker had cloned the CEO''s voice from a YouTube earnings call recording.
Why traditional defenses miss this: Voice cloning has reached the point where even the employee''s spouse can''t reliably distinguish the cloned voice from the real one. The attacks sound exactly like the person — and they reference real projects, real colleagues, and real context.
What to do:
- Move all MFA reset workflows to in-person or pre-registered callback verification — voice alone is no longer a credible authentication factor.
- Implement "secret phrase" verification for any helpdesk call requesting credential changes. Pre-register a unique phrase with each executive that is required for any credential reset.
- Restrict what your executives post publicly (board announcements, conference talks, earnings calls) — that''s the audio source material for cloning.
- CyberStackHub''s Security Training Builder now includes an AI phishing scenario module for verbal confirmation protocols.
Severity: High | Affected: All SMBs using MFA | Source: CrowdStrike 2026 Threat Report, IBM X-Force Q2 2026
🟡 MEDIUM: AsyncRAT Resurgence via Weaponized PDF Attachments
AsyncRAT — an open-source remote access trojan — is being distributed in a new campaign via weaponized PDF attachments posing as invoices, contracts, and shipping notices. The PDF exploits a reader-side vulnerability that drops the payload when the document is opened, bypassing most email gateway detection.
AsyncRAT gives attackers full remote access to the infected device — including the ability to pivot to other systems on the network, harvest credentials from browser password stores, and activate webcams.
What to do:
- Update PDF readers (Adobe Acrobat, Foxit Reader, browser-based viewers) to latest versions
- Where your workflow allows, move to browser-based PDF viewing (Chrome, Edge handle PDFs in sandboxed renderers)
- Disable browser-based PDF editing for documents from external senders
- Block macro-embedded PDFs and PDFs with JavaScript at the email gateway
Severity: Medium | Affected: All SMBs handling external PDFs | Source: Proofpoint Q2 2026 Threat Report, Zscaler ThreatLabz
🟢 LOW: Misconfigured Firebase / Supabase Buckets Exposing Customer Data
A continuing trend from Q2: SMB SaaS applications built on Firebase or Supabase backends are exposing customer data via misconfigured security rules. The most common mistake is "allow read, write: if request.auth != null" — which exposes data to ANY authenticated user (including users from other Firebase apps using the same auth provider) rather than restricting to the application''s own user base.
Over 1,400 SMB applications have been identified as exposing data through this misconfiguration in the past 60 days.
What to do:
- Audit your Firebase Realtime Database / Firestore / Supabase rules TODAY. The default "test mode" rules (allow read, write: true) are still being shipped to production by mistake.
- Require every authenticated user to be verified against your application''s specific user collection:
allow read, write: if request.auth.uid in /users/$(document.id) - Run a one-time audit using Firebase Security Rules simulator and Supabase''s
pg_dumpof RLS policies
Severity: Low | Affected: All SMBs using Firebase/Supabase backends | Source: Cloud Security Alliance Q2 2026
Compliance Tie-In: SEC Cyber Disclosure Rule — Now in Effect
The SEC''s Cybersecurity Disclosure Rule (8-K Item 1.05) is now actively enforced. Material cybersecurity incidents must be disclosed via 8-K within four business days of determining materiality. Public companies — and private companies preparing for IPO — face significant new disclosure pressure.
What changed on July 1, 2026:
- Smaller reporting companies (SRC) lost their extended compliance grace period. Both large filers and SRCs now operate on the same 4-business-day disclosure timeline.
- The SEC has issued its first enforcement actions for delayed disclosure under the rule. Penalties include fines to both the company and individual executives.
- Companies must also disclose their cybersecurity risk management, strategy, and governance in their annual 10-K filings.
What this means for non-public SMBs:
- If you''re a vendor to a public company, expect renewed scrutiny of YOUR security posture — public companies now have fiduciary reason to verify.
- If you''re preparing for IPO in 2026-2027, build SOC 2 Type II evidence collection now.
- If you breach a public-company customer''s data, you can expect to be named in their 8-K disclosure.
Action: Use CyberStackHub''s Compliance Gap Tool to identify which controls your enterprise customers will request documentation for under the SEC rule''s "supply chain" implications.
Insurance Market Update
The Q2 2026 cyber insurance market remains hard, with these trends:
- BEC losses now exceed ransomware losses at the largest SMB carriers — Coalition reported a 41% YoY increase in BEC claims frequency.
- Social engineering sublimits are being cut at standard-tier policies. Several major carriers have reduced social engineering coverage from $500K to $100K without explicit rider selection.
- Backup immutability verification is now a renewal requirement at most major carriers. They''ll ask for proof that tested, immutable backups exist.
- Application whitelisting on critical systems is being added to underwriting questionnaires — expect this to become a hard requirement by Q4 2026.
What to do before your next renewal:
- Document backup testing (with screenshots or test reports)
- Implement a verbal confirmation policy for any wire request (with documentation that all staff are trained)
- Work with your broker to ensure your social engineering sublimit matches your actual exposure
Tool Spotlight: AI Phishing Resistance Training
Given this week''s threats — voice cloning for MFA reset bypass and AI-generated phishing emails — this week''s spotlight is on CyberStackHub''s Security Training Builder.
The new module covers:
- AI-generated phishing email recognition (with real examples from recent attacks)
- Verbal confirmation protocols for financial transactions and MFA resets
- Voice cloning awareness and "secret phrase" verification setup
- Updated reporting procedures for suspicious communications
Built for 15-minute quarterly training sessions — most SMBs ship it across their team in under a week.
→ Generate your security training module free
Run The Cyber Pulse Stack — Free
A personalized security brief for your business — threats relevant to your industry, compliance deadlines you actually face, and your insurance readiness score. Emailed, texted, or downloaded as PDF.
→ Run The Cyber Pulse Stack free
Frequently Asked Questions
How do I tell if a phone call is a voice-cloning attack?
You almost can''t — the cloning is good enough that even the target''s family can''t tell the difference. That''s why the defense isn''t recognition; it''s process. Require a pre-registered secret phrase for any helpdesk call requesting credential reset, financial action, or sensitive information disclosure. The cloning can''t know the phrase.
What is the SEC cybersecurity disclosure rule and who does it apply to?
SEC rule 17 CFR 229.106 and Item 1.05 of Form 8-K require publicly traded companies to disclose material cybersecurity incidents within four business days of determining materiality, and to describe their cybersecurity risk management and governance in annual reports. As of July 2026, smaller reporting companies are also subject to the four-business-day timeline. While the rule applies to public issuers, the downstream supply chain effects impact any SMB that handles data for public-company customers.
Is my on-premises SharePoint Server at risk if I run a hybrid Microsoft 365 setup?
Yes. The SharePoint RCE (CVE-2026-30147) affects on-premises SharePoint Server specifically — SharePoint Online (the cloud component of Microsoft 365) is patched automatically by Microsoft and is not affected. If you run hybrid, audit your on-premises SharePoint Server immediately.
Does AI voice cloning work in multiple languages?
Yes. Modern voice cloning with real-time translation works across language pairs in a single call. The attacker can call your English-speaking helpdesk in fluent English, your Spanish-speaking office in Spanish, or your Mandarin-speaking subsidiary in Mandarin — all in the same cloned voice. This makes geographic fraud detection ineffective.
Previous edition: This Week''s Cyber Pulse Archive
⚡ Run The Cyber Pulse Stack
Get a personalized security brief covering your specific threats, compliance gaps, and insurance readiness — emailed, texted, or as a PDF.