Cisco Talos’ Q2 2025 report reveals a notable shift in attacker objectives and methods. Although phishing activity declined by 40 per cent compared to Q1, it remained the leading initial access method for threat actors, with most campaigns focused on credential theft. Attackers increasingly relied on compromised internal or trusted business partner email accounts to deliver convincing messages that bypass security measures and gain victims’ trust.
This quarter, 75 per cent of observed phishing attacks originated from compromised internal or trusted business partner email accounts. Many users were tricked into entering their credentials and MFA tokens on sophisticated fake login pages, enabling attackers to steal valuable information for use in further attacks or for sale on underground markets.
New ransomware observations
Ransomware was responsible for 50 per cent of all incidents in Q2. Talos IR observed Qilin and Medusa ransomware for the first time, while also responding to previously seen Chaos ransomware.
In its first encounter with Qilin ransomware, Talos documented previously unseen tools and tactics. The Qilin attack began with stolen credentials, followed by lateral movement using remote access tools. Attackers employed a unique encryptor and new exfiltration techniques, including CyberDuck for data theft and Backblaze for command and control. They established persistence by creating automated processes to restart the ransomware after reboots and logins, resulting in extensive system damage and requiring a full rebuild and organisation-wide password resets.
Talos’ analysis further suggests that the Qilin group may be expanding its affiliate network or accelerating its operations.
Attacks using old scripting language
A concerning trend is the use of the outdated PowerShell v1.0 scripting language in a third of ransomware attacks, taking advantage of its lack of security features such as script logging and antivirus integration. Cisco Talos advises organisations to mandate PowerShell 5.0 or higher to mitigate these risks.
Education sector most targeted
The education sector emerged as the most targeted industry globally in Q2 2025, a significant change from the previous quarter. High levels of ransomware activity were also observed in manufacturing, construction, and public administration.
Multi-factor authentication: enable and monitor
Over 40 per cent of the second quarter’s incidents involved MFA issues, such as misconfiguration, absence, or bypass. Cisco Talos recommends enabling and closely monitoring MFA to prevent misuse and strengthen organisational security.
Fady Younes, Managing Director for Cybersecurity at Cisco Middle East, Africa, Türkiye, Romania and CIS, stated, “Cybercriminals are increasingly exploiting trust, whether through compromised partner accounts, misconfigured security tools, or outdated systems. The latest Talos findings underscore that credentials remain a prime target, and organisations must not only enable multi-factor authentication but also continuously validate and monitor its effectiveness. Building cyber resilience requires a proactive approach where people, processes, and technologies work together to minimise risk and strengthen defences against evolving threats.”
Discussion about this post