February IT news and research roundup

A new world record in DDoS attacks. For now.

In somewhat alarming news, Cloudflare claims to have stopped a record distributed denial-of-service (DDoS) burst in Q4 2025: the Aisuru/Kimwolf botnet hit 31.4 Tbps in a campaign it nicknamed ‘The Night Before Christmas'.

Described by Cloudflare as "a new world record," over 94% of the attacks delivered between one and five billion packets of unwanted traffic per second, with 58% of those lasting between one and two minutes.

Cloudflare also reports DDoS volume rose 31% quarter over quarter and 58% year over year, with telecom and IT services hit hardest. The takeaway? Build plans for short, extreme surges and test your provider’s reaction time.

^{Read more: 'An unprecedented bombardment': Cloudflare claims a new world record for a 31.4 Tbps DDoS botnet attack it recorded late last year ↗}

Shadow AI means staff using unapproved, often free AI tools for work. A recent BlackFog survey found 86% of employees use AI at least weekly, and 58% use tools that haven’t been approved by IT. Some also share sensitive content: 33% shared research or datasets, 27% shared employee data, and 23% shared finance or sales information.

And people are accepting the risk. Sixty-three percent say using AI without approval is fine, and 60% say it’s worth it to hit deadlines. Even 57% of managers support it. If nothing else, this shows the urgent need for approved AI tools, alongside clear rules and visibility.  

^{Read more: Is 'Shadow AI' a threat to your business? Report claims workers are increasingly more willing to cut corners and take risks | TechRadar ↗}

Microsoft Office Zero-Day: Patch now, mitigate if you can’t

Microsoft has pushed out an emergency fix for a Microsoft Office security hole (CVE-2026-21509) that attackers are already using. This means a malicious Word or Excel file can potentially slip past protections and lead to things like malware, stolen credentials, or broader access into your environment.

In practice, Office 2016 and 2019 often need a manual update, while Microsoft 365 and Office 2021 users may just need to restart Office apps to pull in the patch. If you can’t patch right away, Microsoft also outlines a registry-based workaround to reduce risk in the meantime. Get on it.

^{Read more: Worrying Microsoft Office security flaw patched - update now or risk hackers accessing your files ↗}

The European Commission wants to tighten Europe’s cybersecurity rules by updating the EU Cybersecurity Act and simplifying parts of the NIS2 Directive. The plan aims to speed up and streamline cybersecurity certification, and it would also let countries “de-risk” telecom networks by excluding suppliers seen as high risk for national security.

For IT teams, this points to tougher expectations around supply chain security and proof of compliance. For leaders, it signals more scrutiny on vendor choices, especially in critical infrastructure.  

^{Read more: The EU wants to overhaul cybersecurity to shut out 'high-risk' foreign entities ↗}

This month saw a lot of coverage around Moltbook, a social network created for AI agents. Resembling Reddit, the platform is primarily a space for locally hosted AI agents to interact with each other, discuss consciousness, and even start a religion. Humans are only allowed to observe, in some discomfort.

While entertaining, Moltbook is not really about imminent AI consciousness; as many commentators have pointed out, it’s impossible to determine the level of human engagement. But Moltbook has quickly illustrated the many, many cybersecurity risks presented by AI agents, with unprecedented access to user data, being allowed to congregate online.

How to balance the convenience of automation with least privilege? That’s the question for our times.  

^{Read more: A Social Media Network Exclusively For AI Agents: Is This The Next Privacy Issue? ↗}