It’s uncommon for Microsoft to deviate from its well-managed Patch Tuesday schedule, but January 2026 is already looking different. So far, three out-of-band updates have emerged from Redmond, disrupting the usual rhythm — and with good reason.
The standout concern is CVE-2026-21509, a Microsoft Office vulnerability already being actively exploited. When Microsoft steps outside its established routine, it’s clear the situation is pressing. Out-of-band patches indicate urgency: attackers are working faster than the standard patch cycle, and Microsoft simply cannot afford to wait for the next scheduled release. For anyone responsible for managing Office deployments, swift action is essential — this is not the time for delays.
In responding to this wave of updates, prioritise rapid, but cautious action. Accelerate testing and deployment, ensuring critical systems receive the patch promptly, but do not overlook proper validation. End users should be notified, as unexpected updates can disrupt work and prompt questions. It’s also sensible to review where Office macros are still enabled across the environment; reconsider whether those permissions remain necessary.
Organisations managing sensitive data or operating in high-profile sectors should treat these updates with particular gravity. Attackers commonly capitalise on the delay between an out-of-band patch becoming available and organisations rolling it out — every hour genuinely counts.
These unscheduled releases highlight how quickly the threat landscape is evolving, with Microsoft adapting in step. Stay vigilant, maintain your patching routines, and remember to be cautious with anything received by email — even if it appears to come from within the IT team.
Original Story: https://blog.talosintelligence.com/microsoft-oob-update-january-2026/
