KarbonIT, Canberra (2026)

05/06/2026

If a website ever tells you to press Windows Key + R, close the tab immediately. That’s the biggest red flag of the growing “ClickFix” scam behind a surge of infostealer malware attacks this year.

Infostealers are designed to grab saved passwords, browser cookies, session tokens, and even stored credit card details. The scam usually starts with a Google result leading to a hacked site. A fake CAPTCHA appears, telling you to press Win + R, Ctrl + V, then Enter to “verify” you’re human.

The moment you press Enter, you run malware yourself. Because no file is downloaded, many antivirus tools never detect it. To Windows, it simply looks like a user manually entered a command.

What you can do right now:
• Train staff to close any website asking them to open the Run box or paste commands.
• Restrict PowerShell access for non-IT users with AppLocker or Windows Defender Application Control.
• Use endpoint protection with behavioral monitoring, not just signature scanning. Modern EDR tools like Microsoft Defender for Endpoint can detect this attack chain.

Fake CAPTCHAs are designed to look convincing, so anyone can fall for them. But once people know the Win+R trick, the scam loses its power.

25/05/2026

If you run a business, an employee can easily email your client list to their personal account, whether by accident or on purpose.

Most companies just trust their staff not to do this.

But you need a technical rule that stops sensitive data from leaving your network in the first place.

If you use Microsoft 365, you can use a tool called Microsoft Purview to set up Data Loss Prevention rules.

When you turn this on, the system scans every outgoing email, Teams messages, SharePoint/OneDrive files, endpoint devices, browser activity, and Microsoft 365 Copilot prompts before processing.

If it detects sensitive information like Social Security numbers, credit card details, or specific internal company tags, it physically blocks the email.

You do not have to monitor employees manually.

20/05/2026

Software companies are changing their terms of service to train their AI on your internal company data.

If you use tools like HubSpot, Salesforce, QuickBooks, or Asana, you need to run a privacy audit this week.

The idea that your data will be leaked to the public is a bit overstated. Most of these platforms anonymize the information…

However, they are still feeding your real business data into their external AI models.

Getting them to stop is not always a simple toggle switch in your account settings.

Many of these platforms force you to submit a formal support ticket or email request to opt out.

And even when you do, it does not retroactively remove the historical data they already grabbed.

To protect your information, prioritize enterprise software plans that include a strict "Do Not Train" clause in the contract.

You can also use automated privacy tools to enforce these rules across your entire software stack instead of doing it manually.

15/05/2026

If you or your employees use large or multiple monitors, you are probably wasting time organizing your screen.

Every day, people spend an annoying amount of time dragging, resizing, and overlapping windows just to get their email, web browser, and company chat visible at the same time.

The default Windows snapping feature is okay, but it only splits your screen into basic halves or quarters.

There is a much better way to handle this.

You can download a free, official Microsoft app called PowerToys.

Inside PowerToys, there is a specific tool called FancyZones.

It lets you draw a custom, invisible grid on your monitors. You can make the zones any exact size or shape you want.

Once your grid is set up, you just hold the Shift key and drag a program into one of your zones. It instantly snaps to the exact position you created.

You can build a layout with your calendar tucked in a small corner, your main work software dead center, and your chat app on the far right.

Give it a try if you need an extra boost in productivity 😉

10/05/2026

Subdomains can be a cybersecurity risk.

If you use subdomains, you might be accidentally giving hackers permission to use your exact website address.

Think about the temporary marketing campaigns, event pages, or third-party software portals you set up in the past.

Usually, companies create a custom web link for these projects, like promo.yourcompany.com

To make it work, that custom link is connected to an external hosting service.

When the project ends, you probably cancel the external hosting subscription to save money.

But the connection rule in your website settings is almost never deleted.
This creates a massive blind spot.

Attackers constantly scan the internet for these abandoned connections.

When they find one, they go to that exact hosting company and register the account name you used to have.

Because your website is still pointing there, the attacker instantly takes control of your official custom link.

They can now send phishing emails to your clients or host scam pages that look completely real.

Your clients will trust the link because it literally uses your actual company name.

If you haven’t done this yet, you need to audit your website DNS records as soon as possible.

Delete any custom links pointing to software or services your business no longer uses.

05/05/2026

Don’t treat Microsoft OneDrive or Google Drive as a guaranteed backup.

Many people assume that if their network gets hit by ransomware, they can just log into their cloud account and restore an older version of their files.

The problem is that modern ransomware can sync encrypted files to your cloud account, overwriting clean versions and potentially targeting version history or recycle bin contents before you even realize you have been attacked.

When malicious software reaches a synced laptop, the damage does not stay on that single device.

Because your cloud drive is designed to sync changes instantly, the system automatically uploads those locked, encrypted files straight into your company cloud.

It directly overwrites your clean data.

Cloud storage connects your data, without isolating it.

To have a higher level of security, you need a separate backup system that is completely offline or locked down.

You need an isolated copy of your files that a compromised network account cannot reach, alter, or delete.

25/04/2026

You waste time receiving, configuring, and shipping laptops to remote employees.

When hiring remote staff, the traditional IT process requires shipping new hardware to a central office, manually installing software, configuring security settings, and shipping the device a second time to the employee.

These delays onboarding and doubles shipping costs.

Microsoft 365 Business Premium includes Windows Autopilot.

You purchase hardware from a vendor and instruct them to ship it directly to the new employee.

When the employee powers on the device, connects to Wi-Fi, and enters their company email address, Autopilot automatically connects to your Microsoft tenant.

It applies your specific security policies, installs required applications, and configures the desktop environment automatically.

The device is fully configured for business use without an IT administrator ever physically touching the hardware.

If you need help doing this for your business, comment below with “configure”.

20/04/2026

Granting AI agents access to your data comes with severe risks.

You should ONLY connect these automated systems to your live data if you have strict security boundaries.

Here are just a few of the permission controls you MUST implement:

✅ Restrict all AI agents to "read-only" access within your network.
✅ Deny the automated system any permission to authorize payments or move funds.
✅ Block the AI's ability to delete or permanently alter original files.
✅ Audit the API permissions of any third-party AI tool before connecting it.

That’s just the bare minimum.

You must define limitations and rules for every single process that AI touches.

If you want a full AI Acceptable Use Policy template to implement in your business, comment below with “AI” and we’ll send it to you.

15/04/2026

You can open questionable files and test unverified software without risking your local operating system.

Employees occasionally need to open unverified email attachments or unfamiliar software tools. Executing these directly on a workstation risks malware infection.

Windows 11 Professional includes a built-in feature called Windows Sandbox. It generates a temporary, isolated desktop environment.

You can open files and install software within this isolated environment. If a file contains malware, it cannot access your primary hard drive or the broader company network.

Closing the Windows Sandbox window permanently deletes the temporary operating system and all associated files.

Search for "Turn Windows features on or off" in your taskbar to enable Windows Sandbox.

10/04/2026

Text messages are not the most secure method for two-factor authentication.

Using SMS relies on telecommunications security, not IT security. Attackers can call a mobile carrier, impersonate a user, and transfer the phone number to a new SIM card.

They then trigger a password reset and intercept the SMS code, bypassing the password entirely.

Transition your accounts to better secured alternatives. Use an Authenticator App or a physical hardware security key.

Have you audited how your employees receive their authentication codes?

KarbonIT

05/06/2026

25/05/2026

20/05/2026

15/05/2026

10/05/2026

05/05/2026

25/04/2026

20/04/2026

15/04/2026

10/04/2026

Address

Website

Alerts

Contact The Business

Shortcuts

Share

Category