A critical zero-day XSS vulnerability in Exchange Server’s Outlook Web Access component is under active exploitation with no patch available as of May 2026. Separately, Microsoft 365 environments are being targeted by MURKY PANDA via ORB network infrastructure to abuse trusted cloud relationships and evade IP-based detection. Both exposures require immediate defensive action independent of patching.