News Sponsored by HUAWEI Pura80 series:

 Cybercriminals are sharpening their tactics and businesses are firmly in the crosshairs as 75% of phishing campaigns now originate from compromised internal or trusted business partner accounts, making them far harder to detect. 

Cisco Talos’ Q2 2025 report reveals a notable shift in attacker objectives and methods. Although phishing activity declined by 40% compared to Q1, it remained the leading initial access method for threat actors, with most campaigns focused on credential theft. Attackers increasingly relied on compromised internal or trusted business partner email accounts to deliver convincing messages that bypass security measures and gain victims’ trust.

This quarter, 75% of observed phishing attacks originated from compromised internal or trusted business partner email accounts. Many users were tricked into entering their credentials and MFA tokens on sophisticated fake login pages, enabling attackers to steal valuable information for use in further attacks or for sale on underground markets.

 “Cybercriminals are increasingly exploiting trust, whether through compromised partner accounts, misconfigured security tools, or outdated systems,” explained Fady Younes, Managing Director for Cybersecurity at Cisco Middle East, Africa, Türkiye, Romania and CIS.

‘’The latest Talos findings underscore that credentials remain a prime target, and organizations must not only enable multi-factor authentication but also continuously validate and monitor its effectiveness. Building cyber resilience requires a proactive approach where people, processes, and technologies work together to minimize risk and strengthen defences against evolving threats,” he added.

New ransomware observations

Ransomware was responsible for 50% of all incidents in Q2. Talos IR observed Qilin and Medusa ransomware for the first time, while also responding to previously seen Chaos ransomware.

In its first encounter with Qilin ransomware, Talos documented previously unseen tools and tactics. The Qilin attack began with stolen credentials, followed by lateral movement using remote access tools. Attackers employed a unique encryptor and new exfiltration techniques, including CyberDuck for data theft and Backblaze for command and control. They established persistence by creating automated processes to restart the ransomware after reboots and logins, resulting in extensive system damage and requiring a full rebuild and organization-wide password resets.

Talos’ analysis further suggests that the Qilin group may be expanding its affiliate network or accelerating its operations.

A concerning trend is the use of the outdated PowerShell v1.0 scripting language in a third of ransomware attacks, taking advantage of its lack of security features such as script logging and antivirus integration. Cisco Talos advises organizations to mandate PowerShell 5.0 or higher to mitigate these risks. 

Over 40% of the second quarter’s incidents involved MFA issues, such as misconfiguration, absence, or bypass. Cisco Talos recommends enabling and closely monitoring MFA to prevent misuse and strengthen organizational security.Perhaps the biggest surprise from the findings was that the the education sector emerged as the most targeted industry globally in Q2 2025, a significant change from the previous quarter. But they weren't the only ones to be besieged  - high levels of ransomware activity were also observed in manufacturing, construction, and public administration.