🔥 TL;DR
An actively exploited Office zero-day (CVE-2026-21509) requires immediate patching across Office 2016 through M365 Apps. MFA is now fully enforced for all M365 admin center sign-ins — no exceptions, no grace period. Microsoft published its NTLM deprecation timeline, starting the clock for legacy environments. And Copilot is simultaneously expanding everywhere AND being scaled back in Windows apps — Microsoft is recalibrating where AI belongs.
🔴 What You Need to Know
Four critical items that require your attention right now.
1. Office Zero-Day Under Active Exploitation (CVE-2026-21509)
Microsoft pushed emergency out-of-band patches for a high-severity vulnerability affecting Office 2016, 2019, LTSC 2021/2024, and M365 Apps for Enterprise. Attackers are bypassing OLE mitigations via crafted Office files. CISA added this to the Known Exploited Vulnerabilities catalog on January 26.
What to do: Service-side updates are deployed for Office 2021+. Restart all Office applications immediately to apply. For Office 2016/2019, deploy the out-of-band patch via your update management tool today. Don't wait for Patch Tuesday.
2. MFA Enforcement Is Live — No More Grace Period
As of February 2026, MFA is fully mandatory for all Microsoft 365 admin center sign-ins. The gradual rollout phase is over. Any admin account without MFA configured will be blocked.
What to do: Audit all admin accounts immediately. Confirm MFA is enrolled. Verify your emergency access accounts have MFA configured or are explicitly excluded via Conditional Access (and documented).
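One way to run that audit, as an added example rather than anything from Microsoft or this newsletter: classify each admin from Entra's authentication-method registration report. The function name, the -DocumentedExclusion parameter, and the sample accounts are assumptions made for illustration.

```powershell
# Classify admin accounts by MFA readiness from Entra registration-detail records.
# Get-AdminMfaGap and -DocumentedExclusion are hypothetical names for this example.
function Get-AdminMfaGap {
    param(
        [Parameter(Mandatory)][object[]]$RegistrationDetail,
        [string[]]$DocumentedExclusion = @()   # emergency access UPNs excluded via Conditional Access
    )
    foreach ($u in $RegistrationDetail) {
        if (-not $u.IsAdmin) { continue }      # only admin accounts are in scope
        $excluded = $DocumentedExclusion -contains $u.UserPrincipalName   # case-insensitive match
        $status = if ($u.IsMfaCapable) {
            'OK'
        } elseif ($excluded) {
            'Excluded: confirm the Conditional Access exclusion is documented'
        } elseif ($u.IsMfaRegistered) {
            'Registered, but method not allowed by tenant policy'
        } else {
            'No MFA: sign-in will be blocked'
        }
        [pscustomobject]@{ Account = $u.UserPrincipalName; Status = $status }
    }
}

# Constructed sample records, shaped like the userRegistrationDetails report.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'ga1@example.com';        IsAdmin = $true;  IsMfaRegistered = $true;  IsMfaCapable = $true }
    [pscustomobject]@{ UserPrincipalName = 'helpdesk2@example.com';  IsAdmin = $true;  IsMfaRegistered = $false; IsMfaCapable = $false }
    [pscustomobject]@{ UserPrincipalName = 'breakglass@example.com'; IsAdmin = $true;  IsMfaRegistered = $false; IsMfaCapable = $false }
    [pscustomobject]@{ UserPrincipalName = 'user9@example.com';      IsAdmin = $false; IsMfaRegistered = $false; IsMfaCapable = $false }
)

# Show only the accounts that need attention.
Get-AdminMfaGap -RegistrationDetail $sample -DocumentedExclusion 'breakglass@example.com' |
    Where-Object Status -ne 'OK'

# Live data (Microsoft.Graph.Reports module, AuditLog.Read.All scope):
#   $live = Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isAdmin eq true" -All
#   Get-AdminMfaGap -RegistrationDetail $live -DocumentedExclusion 'breakglass@example.com'
```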
3. NTLM Deprecation Timeline Is Official
Microsoft published a structured timeline (January 29) for disabling NTLM authentication across Windows. If your network falls back to NTLM when Kerberos fails, you need to start planning now. This is a long-term breaking change for legacy environments.
What to do: Enable NTLM audit logging now. Identify all NTLM-dependent services. Begin planning migration to Kerberos or certificate-based auth. This isn't urgent today — but it will be, and the orgs that start now will have a smooth transition.
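To build the inventory of NTLM-dependent services, the added example below (not from Microsoft or this newsletter) tallies NTLM logons by protocol version, account, and source host. It assumes Security event 4624 as the data source, which records the authentication package for each logon; the function name and sample events are constructed for illustration.

```powershell
# Summarise NTLM logons from Security 4624 events: who still uses NTLM, from where,
# and which protocol version. Get-NtlmLogonSummary is a hypothetical name.
function Get-NtlmLogonSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)   # one <Event> XML string per event

    $rows = foreach ($raw in $EventXml) {
        $evt = [xml]$raw
        # Flatten the <Data Name="..."> elements into a name/value lookup.
        $data = @{}
        foreach ($d in $evt.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['AuthenticationPackageName'] -ne 'NTLM') { continue }   # skip Kerberos logons
        [pscustomobject]@{
            Version = $data['LmPackageName']     # "NTLM V1" or "NTLM V2"
            Account = $data['TargetUserName']
            Source  = $data['WorkstationName']
        }
    }

    # One output row per (version, account, source host), busiest first.
    $rows | Group-Object Version, Account, Source | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Logons  = $_.Count
            Version = $first.Version
            Account = $first.Account
            Source  = $first.Source
        }
    } | Sort-Object Logons -Descending
}

# Constructed sample events, trimmed to the four fields the function reads.
$tpl = '<Event><EventData><Data Name="TargetUserName">{0}</Data><Data Name="WorkstationName">{1}</Data><Data Name="AuthenticationPackageName">{2}</Data><Data Name="LmPackageName">{3}</Data></EventData></Event>'
$sample = @(
    $tpl -f 'svc-scan', 'PRINT01', 'NTLM', 'NTLM V1'
    $tpl -f 'svc-scan', 'PRINT01', 'NTLM', 'NTLM V1'
    $tpl -f 'jdoe', 'WS-114', 'NTLM', 'NTLM V2'
    $tpl -f 'asmith', 'WS-201', 'Kerberos', '-'
)
Get-NtlmLogonSummary -EventXml $sample

# Live data from the local Security log:
#   $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ForEach-Object { $_.ToXml() }
#   Get-NtlmLogonSummary -EventXml $xml
```

Rows showing "NTLM V1" are the ones to schedule first, since those clients or services are on the oldest protocol version.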
4. Entra ID: "Revoke MFA Sessions" Is Being Replaced
Microsoft is removing the granular "Revoke multifactor authentication sessions" option in Entra ID this month. It's being replaced with "Revoke sessions," which invalidates all active user sessions regardless of MFA method.
What to do: Update your incident response runbooks and helpdesk documentation. The new behavior is broader — revoking sessions will now sign users out of everything, not just MFA-specific sessions.
🟡 New & Rolling Out
Major features and changes hitting tenants now or in the coming weeks.
Teams Gets 5 Major AI Upgrades
February is a big month for Teams. Rolling out now:
- Intelligent Recap — AI meeting summaries with speaker attribution, key decisions, and auto-generated action items
- Real-time translation across 40 languages (95%+ accuracy)
- AI Workflow Templates in the Workflows app (Copilot-powered, rolling out through mid-Feb)
- Interactive Meeting Agents and smarter SharePoint sharing
- External contacts reachable by email — even without Teams accounts
Who gets it: M365 E3/E5 tenants. Some features require Copilot licenses.
When: Rolling out now through mid-February.
Copilot: Expanding AND Pulling Back (Simultaneously)
The contradiction is the story:
- Expanding: Windows 11 26H2 Dev Channel preview dropped with Copilot integrated into File Explorer (side pane), Taskbar Search, Notification Center, and a redesigned Run dialog. All optional. Coming later in 2026.
- Pulling back: Internal pushback is real. Microsoft may remove Copilot branding from Notepad and Paint. Recall may be renamed or reworked. Windows president Pavan Davuluri: "You will see us focus on addressing pain points."
- By the numbers: Copilot active users up 10X YoY, daily conversations per user doubled, consumer daily users up 3X.
The read: Microsoft is betting big on Copilot where it adds value (Teams, File Explorer, enterprise workflows) and retreating where it feels forced (Notepad, Paint). Smart recalibration.
🔗 PCMag | WindowsLatest
February M365 Admin Changes — The Full Rundown
4 retirements, 12 new features, 5 enhancements, 6 functionality changes:
- Planner: Legacy comments, Whiteboard tab, Loop components, Viva Goals integration, and iCal feed — all retiring
- Designer bot + banners retiring from Teams (Feb 27)
- New Graph APIs for Copilot agent/app management
- Teams External Collaboration simplified to 3 modes: Open, Controlled, Custom
- Loop workspaces expanding to E1/E3/E5/F1/F3 licenses
- SharePoint Content Security Policy now in report-only mode
- UTCM Preview — Unified Tenant Configuration Management (think DSC for M365)
- Purview DLP absorbing endpoint-sensitive data alerting from Defender portal
Cross-Device Resume Expanding
Windows 11 February patch adds Cross-Device Resume for Word, Excel, PowerPoint, Spotify, and browser sessions. Works with Samsung, Vivo, Xiaomi, Honor, and Oppo phones via the Copilot app.
🔗 ZDNet
🟢 Quick Hits
Authenticator Security Hardening
Microsoft Authenticator is getting jailbreak (iOS) and root (Android) detection for Entra credentials — a security hardening play for device trust.
Office 365 for IT Pros — February Update
The February eBook update (#128) covers Copilot deployment/maintenance and the UTCM preview. Essential reading for admins managing Copilot at scale.
Microsoft Partner Program Updates
New Copilot licenses, security benefits, and AI marketing resources are being added to the Microsoft Partner Program for the February cycle.
Investor Signal: Thiel Moves to MSFT
Peter Thiel sold NVIDIA shares and moved into MSFT, citing Azure AI and Copilot monetization as the investment thesis. Smart money is watching the enterprise AI bet.
💡 Admin Action Items
Your checklist for this week:
That's the Pulse for this week. An actively exploited zero-day, mandatory MFA, and the beginning of the NTLM sunset — February isn't messing around.
If this was useful, forward it to your team. The best security posture is a well-informed one.
Stay sharp. 🔥
— Fireside Cloud Solutions