If you have been following the cybersecurity news this week, you may have seen a story that on the surface looks like an unusually personal corporate dispute. An anonymous researcher who claims Microsoft “left me homeless with nothing” has now released his third wave of Windows zero-day exploits in six weeks, each timed deliberately to drop right after Microsoft’s monthly Patch Tuesday. The latest release includes a BitLocker encryption bypass and a Windows privilege escalation flaw, both with public proof-of-concept code that other attackers can pick up and use immediately.
It looks like a story about one giant tech company and one angry insider. It is not. It is one of the clearest, most public examples in recent memory of a category of risk every small business owner needs to understand: the insider threat. And the same dynamics that are playing out between this researcher and Microsoft can – and do – play out at much smaller scales in businesses across the Research Triangle every single day.
What’s Happening, in Plain English
A security researcher operating under the aliases “Chaotic Eclipse” and “Nightmare-Eclipse” has been publicly releasing technical exploit code for previously unknown Microsoft Windows vulnerabilities. The Register and other outlets have reported that the researcher is rumored to be a former Microsoft employee, and his own statements make clear there was a previous relationship that ended badly. In his own words, posted on his blog: “I never wanted to reopen a blog and a new GitHub account to drop code, but someone violated our agreement and left me homeless with nothing. They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.”
Whatever the underlying dispute, the consequences for everyone running Windows are concrete and immediate.
- Wave 1 (April 2, 2026): The researcher released two Defender exploits codenamed “RedSun” and “UnDefend.” Both were unpatched at the time of release. According to security firm Huntress, the proof-of-concept code was picked up and used in real-world attacks within days. RedSun appears to have been silently patched by Microsoft, but no advisory was ever published.
- Wave 2 (April 15, 2026): A second Defender exploit called “BlueHammer” (CVE-2026-33825) was released. Microsoft patched it in April’s Patch Tuesday, but only after the public exploit had circulated.
- Wave 3 (May 13, 2026, just yesterday): Two new zero-days dropped, “YellowKey” and “GreenPlasma.” YellowKey is the headline-grabber: a BitLocker encryption bypass that lets an attacker with physical access to a Windows 11 or Windows Server 2022/2025 machine completely unlock the encrypted drive using a specially crafted USB drive. The researcher claims the underlying flaw looks like an intentional backdoor. Independent researchers including Will Dormann (on Mastodon) and Kevin Beaumont have confirmed the exploit works. GreenPlasma is a separate privilege escalation flaw that lets a regular user gain SYSTEM-level access on a Windows machine.
- And a fourth wave is promised. The researcher has publicly stated there will be a “big surprise” timed to next month’s June 2026 Patch Tuesday.
This is being reported across The Register, The Hacker News, Cybernews, BleepingComputer, SecurityWeek, Tom’s Hardware, and most other major cybersecurity outlets, with confirmation from independent researchers and verified proof-of-concept code on GitHub.
The Insider Threat That Most Small Businesses Never Think About
When small business owners think about cybersecurity, they almost always picture an external threat. A Russian hacker. A phishing email. A ransomware group. A foreign criminal organization. Someone they have never met, who lives somewhere far away, who has somehow stumbled onto the business’s systems.
What they rarely picture, but what should be on every owner’s radar, is the person who used to work for them, used to contract with them, used to manage their IT, or used to have administrator access to a system – and who is no longer happy with how the relationship ended.
The Chaotic Eclipse situation is the giant, public version of this exact scenario. Someone with deep knowledge of how Microsoft’s products work, who claims their relationship with the company ended unfairly, is now using that knowledge to cause damage on a global scale. The damage is real. Real Microsoft customers are being affected by real exploits already being used by other attackers in real-world attacks.
Scale that down to a 20-person business in Cary, a 30-person practice in Raleigh, or a small manufacturer in Smithfield. The mechanics are the same, even if the surface area is smaller.
What Insider Risk Actually Looks Like for a Small Business
Across small business engagements we have walked into over the years, the pattern is depressingly consistent. Here are the kinds of situations that create insider risk without anyone realizing it:
- The IT contractor who managed your network for five years, then had a falling-out about an invoice. Did anyone change the administrator passwords after he left? Was his remote access actually revoked? Are his email addresses still authorized for password resets on your business accounts? In most small businesses we walk into, the answer to all of those is “we never thought about it.”
- The bookkeeper or accountant who used your accounting software for years and had full admin rights. When the relationship ended, did anyone audit which third-party tools she still had authorized? Did anyone change the passwords or remove her access from QuickBooks Online, the payroll system, the bank reconciliation tool?
- The employee who left on bad terms two years ago. Is his Microsoft 365 account fully deactivated, or just marked “inactive”? Are his app passwords gone? Can he still log into the shared HR drive because nobody removed him from the access list? Did anyone check?
- The former business partner who has the master password to your e-commerce platform, your hosting account, or your domain registrar. Are those credentials still the same as they were two years ago? Most owners we ask cannot remember the last time they changed them.
- The “free” web developer who set up your website for a friend years ago and is still listed as the technical contact. What can he see? What can he change? Does he still have access to your hosting control panel, your DNS records, your email routing?
- The employee who is still currently there but is unhappy. This is the hardest category, because they have legitimate access. But access combined with motivation can become a problem – quietly downloading customer lists, copying financial data, or laying groundwork before they leave.
None of these scenarios require a sophisticated attacker. None of them require nation-state capabilities. None of them involve exotic malware. They simply require someone who was once trusted, and whose access was never properly revoked when the trust ended.
Why This Is So Often Missed
There are three reasons insider risk is the cybersecurity problem most small businesses are quietly worst at.
First, the people we trust are the people we trust. When you hire an IT contractor, give an employee administrator access, or onboard a new bookkeeper, you give them what they need to do their job. That includes access to systems, credentials, contact information, and often direct relationships with your vendors. None of that gets unwound automatically. When the relationship ends – especially if it ends in a way that makes everyone uncomfortable – the conversation about access tends to be the last thing anyone wants to bring up.
Second, the offboarding process is almost never written down. When a person leaves, what should happen? Most small businesses do not have a checklist. They handle it ad hoc. They remember to deactivate the email account. They forget about the third-party SaaS tools that authenticate through that email. They forget about the cloud backup admin account. They forget about the remote desktop credentials. They forget about the shared passwords for the vendor portals. Six months later, the former contractor still has access to half of what they used to have access to – and nobody is the wiser.
Third, there is no monitoring to catch it. Even if a former insider does eventually use their lingering access to do something inappropriate, most small businesses have no way of knowing. There is no audit trail being reviewed. There is no alert on unusual logins. The accounting software does not flag “this user has not logged in for six months and just logged in from a new IP.” The cloud backup does not warn that “your former IT contractor’s account just downloaded a year’s worth of data.”
The Chaotic Eclipse situation is, in part, what an insider threat looks like with the volume turned up. Microsoft has insider threat programs, security operations centers, and a giant army of people specifically tasked with monitoring for this kind of risk – and even with all of that, the public disclosure of unpatched exploits has been damaging. For a small business with none of that infrastructure, the risk per dollar of insider knowledge is dramatically higher.
What Small Businesses Should Actually Do
The good news is that insider risk is one of the most addressable categories of cybersecurity risk a small business has. None of these steps require enterprise budgets. All of them require somebody whose job it is to actually do them.
- Build a real offboarding checklist. Every system the person had access to should be on it. Email account. Workstation login. Microsoft 365 or Google Workspace. Any SaaS tools (accounting, CRM, project management, payroll). Remote access tools. Cloud backup. Hosting and domain accounts. Bank and credit card portals. Mobile device management. Physical key cards and keys. Each one gets a checkbox. Each checkbox gets done within 24 hours of the relationship ending.
- Inventory who has admin access to everything. Most small businesses have never made this list. Make it. Be ruthless. Every administrator account on every system, every “owner” or “primary contact” on every vendor portal, every person listed as a billing contact, every shared password. Then ask: does this person still need this access?
- Audit and rotate shared credentials. Anywhere your business uses a shared password for a service (and most small businesses do this for at least some services), that password gets changed periodically and especially when anyone with access leaves. A password manager makes this dramatically easier.
- Enable monitoring and alerting. Microsoft 365 and Google Workspace both have built-in alerts for unusual login activity, mass downloads, suspicious file sharing, and admin actions taken from new locations. Most small businesses have these disabled or have never configured them. Turning them on is free.
- Review third-party app authorizations. Every cloud service has a list of “connected apps” or “OAuth tokens” that have been granted permission to access your data. These do not get revoked automatically when an employee leaves. Audit them regularly.
- Use separate accounts for admin work. The owner’s everyday email account should not have global admin rights to the Microsoft 365 tenant. A separate, named admin account that is used only when admin work is needed, and that has stricter security on it, dramatically limits the damage if any single account gets compromised.
- Document what each former employee or contractor had access to. If you have ever fired anyone, parted ways with a contractor, or had a vendor relationship end – even years ago – take an hour to write down what they had access to at the time. Then verify each of those accesses is now gone. You will be surprised by what is still active.
The Monitoring Piece Is the One Most Owners Underestimate
Of everything in that list, the one that most owners undervalue is active monitoring. The reasoning is simple: even if you do the offboarding perfectly, even if you rotate every password, even if you audit every system – you might still miss something. People are imperfect. Checklists get rushed. Systems get forgotten. The whole point of monitoring is that it catches what you missed.
Active monitoring of accounts, logins, file access, admin actions, and outbound data movement is what would let you notice that your former bookkeeper’s account just logged in for the first time in eight months, or that a service account is suddenly downloading customer records at 2 a.m. on a Sunday. Without monitoring, those events happen invisibly. With monitoring, they trigger an alert, and you have a chance to respond.
This is one of the most cost-effective things a small business can put in place, and one of the most overlooked.
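As an added illustration (not code from the original post or from Pendergrass Consulting), here is a small Python detector for the two signals this section describes, a dormant account that suddenly signs in and an off-hours bulk download, run over constructed sample audit events; the event format, thresholds, addresses and account names are assumptions made for the example.

```python
"""Added example: flag dormant-account sign-ins and off-hours bulk downloads.

The events below are constructed for illustration; they are not real tenant
logs. Each event is (ISO timestamp, user, action, source IP, record count).
"""
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_DAYS = 90            # assumed: idle this long, then a login is suspicious
BULK_DOWNLOAD_THRESHOLD = 500  # assumed: records per event that count as "bulk"
BUSINESS_HOURS = range(8, 18)  # assumed: 8 a.m. to 6 p.m., Monday to Friday

SAMPLE_EVENTS = [  # constructed sample data
    ("2025-08-03T09:12:00", "bookkeeper@example.com", "login", "203.0.113.10", 0),
    ("2025-08-10T14:05:00", "bookkeeper@example.com", "login", "203.0.113.10", 0),
    ("2026-04-10T22:41:00", "bookkeeper@example.com", "login", "198.51.100.7", 0),
    ("2026-04-12T02:17:00", "svc-backup@example.com", "download", "203.0.113.22", 1200),  # Sunday, 2 a.m.
    ("2026-04-13T10:00:00", "owner@example.com", "download", "203.0.113.10", 40),
]


def parse(events):
    """Turn the raw tuples into (datetime, user, action, ip, count) rows."""
    return [(datetime.fromisoformat(ts), u, a, ip, n) for ts, u, a, ip, n in events]


def detect(events, dormant_days=DORMANT_DAYS, bulk_threshold=BULK_DOWNLOAD_THRESHOLD):
    """Return a list of (alert_type, user, detail) tuples, in event order."""
    alerts = []
    last_seen = {}                 # user -> time of that user's previous event
    known_ips = defaultdict(set)   # user -> source IPs seen for that user so far
    for ts, user, action, ip, count in sorted(parse(events)):
        if action == "login":
            prev = last_seen.get(user)
            # A first-ever event has no history, so only a gap after prior activity fires.
            if prev is not None and ts - prev > timedelta(days=dormant_days):
                detail = f"{(ts - prev).days} days idle"
                if ip not in known_ips[user]:
                    detail += ", new IP"
                alerts.append(("dormant_account_login", user, detail))
        elif action == "download" and count >= bulk_threshold:
            off_hours = ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS
            if off_hours:
                alerts.append(("off_hours_bulk_download", user, f"{count} records at {ts.isoformat()}"))
        last_seen[user] = ts
        known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

Real tenants expose the same fields through the Microsoft 365 unified audit log or Google Workspace login and drive audit reports; the point is that both signals need only a last-seen time and a record count per account.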
How Pendergrass Consulting Helps
Insider risk – whether from a current employee, a former employee, a former contractor, or any other previously trusted relationship – is exactly the kind of problem that does not get solved by buying another security product. It gets solved by having someone whose job it is to think about who has access to what, and then to put real controls and real monitoring around it.
Our managed cybersecurity service for small businesses across the Research Triangle covers exactly this gap:
- Account and access audits – we identify every account, in every system, that exists in your business environment. Active users, dormant users, former employees, former contractors, service accounts. We map out who has access to what.
- Offboarding playbook development – we build the actual checklist your business needs and help you implement it consistently when someone leaves.
- Active monitoring and alerting – on logins, admin actions, file access, data movement, and the unusual activity patterns that indicate an account is being misused.
- Third-party app and integration audit – we review the connected apps and OAuth tokens that have been granted access to your business data and clean up what should not be there.
- Privileged access management – making sure administrator privileges are limited to people and accounts that genuinely need them, and that admin work happens through dedicated, well-protected accounts.
- Comprehensive environment and configuration review – the full top-to-bottom look at what is running in your business and how it is set up, including the insider risk dimension we have been talking about throughout this post.
- Security awareness training for employees – because the same training that helps people recognize phishing also helps them recognize when something feels off about a former colleague suddenly asking for access.
If you have ever ended a relationship with an employee, a contractor, or a vendor and not done a formal access review afterward, that conversation is overdue. If you cannot tell us right now who has administrator access to your Microsoft 365 tenant, your accounting software, and your domain registrar – that conversation is overdue. If nobody is watching your business systems for unusual activity, that conversation is overdue.
The Chaotic Eclipse story is a reminder that insider threats are not rare, are not theoretical, and are not just a problem for giant tech companies. They are a category of risk every business has, and the lower the level of monitoring and controls, the worse the exposure. We can fix that.
Pendergrass Consulting
Phone: 252-432-3325
Email: Sales@PendergrassConsulting.com
110 S. Massey St., Suite 201, Selma, NC 27576
Pendergrass Consulting is a full-service IT firm based in Selma, NC, serving small businesses across the Research Triangle, Raleigh, Cary, Wake County, Johnston County, and nationally for web, hosting, email, cloud backup, cybersecurity, and digital marketing services.