Monthly Threat Report December 2025

Security Lessons from November’s Incidents

Written by Security Lab / 11.12.2025

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data and industry events from the month of November 2025.

Executive Summary

  • Attackers increasingly abuse legitimate cloud and SaaS infrastructure to deliver malicious content, undermining reputation-based defenses and user trust assumptions.
  • Vendor overdependence emerged as a key operational risk in November, highlighted by a high-impact Cloudflare outage that caused widespread downstream disruption without any security compromise.
  • Long-exploited vulnerabilities continue to pose real risk, as demonstrated by Microsoft’s late patching of CVE-2025-9491 after a long period of active abuse.
  • CISA’s expanding Known Exploited Vulnerabilities (KEV) catalog reinforces the need to prioritize vulnerabilities based on exploitation status, not on severity scores alone.
  • Patch latency remains one of the most consistent and preventable contributors to successful compromise.
  • Organizations are improving recovery capabilities, but operational resilience and third-party dependency risk require increasing attention.

A Word on the Annual Hornetsecurity 2026 Cybersecurity Report

Hornetsecurity’s Cybersecurity Report 2026 provides a comprehensive, data-driven view of how the threat landscape evolved throughout 2025 and why organizations should prepare for another year of acceleration rather than stabilization. Based on analysis of more than 72 billion emails processed by the Hornetsecurity Security Lab, the report confirms that attackers are moving faster, automating more aggressively, and exploiting trust at scale. Malware-laden emails surged by over 130% year-over-year, while scams and phishing followed close behind, underscoring that email remains the most reliable and profitable entry point for attackers across industries.

One of the report’s most significant findings is the resurgence of ransomware, with 24% of organizations reporting an incident in 2025, reversing several years of decline. While immutable backups and improved recovery planning have successfully reduced ransom payments, attackers have adapted accordingly, shifting focus toward credential theft, endpoint compromise, and data integrity attacks rather than simple encryption. At the same time, the rapid and often uncontrolled adoption of AI tools across enterprises is expanding the attack surface in ways many security teams are struggling to govern. CISOs surveyed for the report overwhelmingly cite AI-driven phishing, deepfake impersonation, and identity abuse as top concerns heading into 2026.

Despite these trends, the report offers cautious optimism. Organizations are demonstrably improving their ability to recover, with widespread adoption of immutable backups, disaster recovery planning, and phishing-resistant MFA beginning to emerge as baseline expectations rather than aspirational goals. However, the central message is clear: resilience will define successful security strategies moving forward. To fully explore the data, insights, and Security Lab predictions shaping the year ahead, we strongly recommend reviewing the full 2026 Cybersecurity Report by Hornetsecurity, which provides essential context and guidance for navigating the evolving Microsoft 365 threat landscape.

Threat Overview

Abuse of Legitimate Cloud Infrastructure in Email Attacks

One attack technique highlighted in the Cybersecurity Report 2026 (and one that continues to gain traction) is the abuse of legitimate cloud and hosting infrastructure to deliver malicious email campaigns. Rather than relying on obviously malicious servers or throwaway domains, threat actors increasingly host phishing pages, payloads, and redirectors on reputable platforms such as cloud storage providers, SaaS services, and well-known hosting companies. This tactic allows malicious emails to blend in with legitimate business traffic, dramatically improving deliverability and reducing the effectiveness of reputation-based filtering. To an end user, links resolve to “trusted” domains, and to a mail gateway, they often look indistinguishable from normal cloud-generated traffic.

What makes this technique particularly effective is its durability. Legitimate infrastructure is harder to block without causing collateral damage, and takedowns often lag behind active campaigns. In practice, this means organizations may be exposed to repeated waves of phishing or credential-harvesting attempts hosted on infrastructure they already rely on for day-to-day business operations. As defenders harden against obvious indicators of compromise, attackers are responding by borrowing the trust of reputable infrastructure rather than trying to evade detection outright. The takeaway is clear: defenses must move beyond static allowlists and focus more heavily on behavioral analysis, contextual link inspection, and user awareness, because when attackers operate inside the boundaries of trusted infrastructure, traditional trust assumptions begin to work against us rather than for us.
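To make the contrast between reputation-only filtering and contextual link inspection concrete, here is an added example (not code from Hornetsecurity or from the report) that pulls the links out of an HTML mail body and applies three context checks that still fire when the host itself is reputable: the link points at a host that serves user-uploaded content, the URL shown in the anchor text differs from the real href, or an "open/review/sign in" lure is hosted somewhere other than the sender's own domain. All hostnames, the allowlist and the sample message are constructed placeholders, and the registrable-domain helper is deliberately crude (a real implementation would use the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical hostnames (assumptions, not a vetted list) of reputable providers whose
# paths serve content uploaded by arbitrary tenants or users. A good reputation for the
# domain says nothing about the safety of one object hosted under it.
USER_CONTENT_HOSTS = {
    "storage.example-cloud.test",
    "share.example-saas.test",
    "sites.example-hosting.test",
}
# The kind of static allowlist a reputation-only filter would consult.
STATIC_ALLOWLIST = {"example-cloud.test", "example-saas.test", "example-hosting.test"}
ACTION_WORDS = re.compile(r"\b(view|open|download|sign in|review|verify)\b", re.I)
URL_IN_TEXT = re.compile(r'https?://([^/\s<>"]+)', re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain guess (last two labels); use the Public Suffix List in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def reputation_only_verdict(href):
    """What a static allowlist alone would say about the link."""
    host = urlparse(href).hostname or ""
    return "allow" if registrable(host) in STATIC_ALLOWLIST else "unknown"


def inspect_link(href, anchor_text, sender_domain):
    """Contextual checks that still fire when the host itself is reputable."""
    url = urlparse(href)
    host = (url.hostname or "").lower()
    reasons = []
    if url.scheme not in ("http", "https"):
        reasons.append("non-http scheme")
    if host in USER_CONTENT_HOSTS:
        reasons.append("user-uploaded content on a shared cloud host")
    shown = URL_IN_TEXT.search(anchor_text)
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append("displayed URL domain differs from href domain")
    if registrable(host) != registrable(sender_domain) and ACTION_WORDS.search(anchor_text):
        reasons.append("action lure hosted off the sender's domain")
    return reasons


def inspect_email(html_body, sender_domain):
    """Map each link to (reputation-only verdict, contextual reasons to scrutinise it)."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    return {href: (reputation_only_verdict(href), inspect_link(href, text, sender_domain))
            for href, text in parser.links}


# Constructed sample message; every domain here is a placeholder.
SAMPLE_EMAIL = """
<p>Hi, please <a href="https://storage.example-cloud.test/u/9f1/Invoice_Q4.html">review the invoice</a>.</p>
<p>Portal: <a href="https://share.example-saas.test/s/abc123">https://portal.partner-corp.test/login</a></p>
<p>Regards, <a href="https://www.partner-corp.test/about">partner-corp.test</a></p>
"""

if __name__ == "__main__":
    for href, (verdict, reasons) in inspect_email(SAMPLE_EMAIL, "partner-corp.test").items():
        print(f"{verdict:8} {href}\n         {reasons or 'no contextual findings'}")
```

Run against the sample, the allowlist waves the first two links through while the contextual checks flag both of them; the only link with no findings is the one on the sender's own domain. The point is not that the checks are conclusive, but that they key on the relationship between sender, anchor text and destination rather than on the destination's reputation.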

Major Incidents and Industry Events

Vendor Overdependence: Lessons from the Cloudflare Outage

In November, a significant service disruption at Cloudflare triggered widespread availability issues across the internet, affecting websites, APIs, and SaaS platforms that depend on the provider for DNS resolution, content delivery, and perimeter protection. Thankfully, the incident was not the result of a cyberattack. However, its impact was immediate and highly visible. For many organizations, Cloudflare has evolved from a performance optimization or security layer into a foundational dependency, meaning disruption at the provider level translated directly into customer-facing outages, even where internal systems remained healthy.

What was most eye-opening about this incident was how quickly an upstream failure propagated across largely unrelated organizations. Reliance on a single external service for multiple critical functions like routing, filtering, TLS termination, and traffic acceleration creates cascading failure conditions that are difficult to mitigate in real time. In effect, architectural “convenience” has quietly replaced architectural diversity. This consolidation simplifies operations and improves performance under normal conditions, but it also reduces an organization’s ability to degrade gracefully when a provider experiences issues. Availability, in these cases, becomes a shared risk rather than an outcome an internal team manages and (hopefully) controls.

Why it Matters

  • Third-party availability failures can have business impact equivalent to security incidents, even in the absence of compromise.
  • Concentration risk increases when multiple critical functions are delegated to a single vendor.
  • Business continuity planning should explicitly account for upstream provider outages, not just internal failures.
  • True resilience depends on understanding where external dependencies have become single points of failure.
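The dependency review this section calls for (and the "review dependency and concentration risk" recommendation later on the page) starts with an inventory of which vendor delivers which foundational function and whether a genuinely independent fallback exists. The following is an added example, not Hornetsecurity code, of turning such an inventory into a concentration report: it computes the functions lost outright if a given vendor is unavailable, flags vendors carrying several functions, and calls out "fallbacks" that sit at the same vendor as the primary and therefore fail together. The vendor names and inventory rows are constructed placeholders.

```python
from collections import defaultdict

# Constructed inventory: (function, primary provider, fallback provider or None).
# Functions follow the ones named in the text: DNS, CDN, perimeter filtering,
# TLS termination, identity. Vendor names are placeholders.
INVENTORY = [
    ("authoritative DNS", "EdgeVendorA", None),
    ("CDN",               "EdgeVendorA", None),
    ("WAF / perimeter",   "EdgeVendorA", None),
    ("TLS termination",   "EdgeVendorA", "EdgeVendorA"),  # "backup" sits at the same vendor
    ("identity / SSO",    "IdPVendorB",  "IdPVendorD"),
    ("email filtering",   "MailVendorC", None),
]


def has_independent_fallback(primary, fallback):
    """A fallback only counts if it is a different provider from the primary."""
    return fallback is not None and fallback != primary


def blast_radius_if_down(inventory, vendor):
    """Functions that are lost outright when `vendor` is unavailable."""
    return sorted(fn for fn, primary, fallback in inventory
                  if primary == vendor and not has_independent_fallback(primary, fallback))


def concentration_report(inventory, threshold=2):
    """Per-vendor view: how many foundational functions each carries and which have no real fallback."""
    by_vendor = defaultdict(list)
    for fn, primary, _ in inventory:
        by_vendor[primary].append(fn)
    report = {}
    for vendor, fns in by_vendor.items():
        report[vendor] = {
            "functions": fns,
            "concentrated": len(fns) >= threshold,
            "single_points_of_failure": blast_radius_if_down(inventory, vendor),
            "same_vendor_fallbacks": [fn for fn, p, f in inventory if p == vendor and f == vendor],
        }
    return report


def worst_vendor(inventory):
    """Vendor whose outage removes the most functions, i.e. the dependency to review first."""
    vendors = {primary for _, primary, _ in inventory}
    return max(vendors, key=lambda v: (len(blast_radius_if_down(inventory, v)), v))


if __name__ == "__main__":
    for vendor, row in concentration_report(INVENTORY).items():
        flag = "CONCENTRATED" if row["concentrated"] else "ok"
        print(f"{vendor:12} {flag:12} lost on outage: {row['single_points_of_failure']}")
    print("review first:", worst_vendor(INVENTORY))
```

In the constructed inventory, EdgeVendorA carries four functions and none of them survives its outage, which is exactly the pattern the Cloudflare disruption exposed; the identity provider, by contrast, has a second, independent vendor behind it and drops nothing. The same structure works for any vendor and function set, which is why the inventory is data rather than hard-coded into the checks.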

Microsoft Patches Long-Exploited Windows Shortcut Vulnerability (CVE-2025-9491)

In November, Microsoft quietly issued a patch for CVE-2025-9491, a remote code execution vulnerability in the way Windows handles shortcut (.LNK) files. Security researchers noted that the flaw had been actively exploited for years, with evidence linking it to both financially motivated threat actors and state-aligned groups.

The vulnerability allowed attackers to trigger malicious code execution when victims interacted with specially crafted shortcut files, which attackers often delivered via removable media, phishing attachments, or compressed archives. While exploitation typically required user interaction, the technique proved reliable enough to persist in attacker toolkits for an extended period.

What makes this patch particularly notable is not the technical complexity of the bug, but its longevity. Despite repeated observations of abuse in the wild, the vulnerability remained exploitable for years, becoming a quietly dependable attack avenue.

Why it Matters

  • Older vulnerabilities can remain operationally useful long after discovery.
  • Shortcut-based execution continues to bypass user suspicion more effectively than traditional executables.
  • Patch latency remains a systemic issue for many Windows environments.
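Because shortcut files arrive as attachments and on removable media, a defender's first question is usually "what does this .LNK actually launch?", which the Explorer Properties dialog does not always make obvious. The following added example (not Hornetsecurity code, and not a description of how CVE-2025-9491 itself works) parses the public MS-SHLLINK format far enough to recover the target, arguments and icon, then applies generic lure heuristics: an interpreter as the target, an implausibly long argument string, arguments that are mostly whitespace padding, and an interpreter shortcut wearing another program's icon. The interpreter list and thresholds are assumptions to tune per environment, and the two sample shortcuts are constructed in code (the "lure" one only runs an echo) so the block is self-contained.

```python
import struct

# MS-SHLLINK ShellLinkHeader constants (public format; layout from the open specification).
SHLINK_HEADER_SIZE = 0x4C
SHLINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))
# Heuristic values chosen for this example (assumptions; tune per environment).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "conhost.exe"}
MAX_PLAUSIBLE_ARGS = 260


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link; IDList and LinkInfo are skipped via their size fields."""
    if len(data) < SHLINK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != SHLINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = SHLINK_HEADER_SIZE
    if flags & HAS_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
        pos += count * width
    return fields


def triage_lnk(fields: dict) -> list:
    """Reasons a shortcut deserves analyst attention; each is a heuristic, none is proof on its own."""
    target = (fields.get("relative_path") or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = fields.get("arguments") or ""
    icon = (fields.get("icon_location") or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    findings = []
    if target in INTERPRETERS:
        findings.append(f"target is a command/script interpreter ({target})")
    if len(args) > MAX_PLAUSIBLE_ARGS:
        findings.append(f"arguments unusually long ({len(args)} chars)")
    padding = sum(ch in " \t\r\n\x0b\x0c" for ch in args)
    if padding > 32 and padding > len(args) // 2:
        findings.append("arguments are mostly whitespace padding (content hidden from casual inspection)")
    if target in INTERPRETERS and icon and icon != target:
        findings.append(f"interpreter shortcut borrows another program's icon ({icon})")
    return findings


def build_lnk(relative_path, arguments="", icon_location="", working_dir=""):
    """Constructed test fixture: a minimal Unicode Shell Link carrying only StringData."""
    flags = IS_UNICODE | HAS_RELPATH | HAS_ARGS | (HAS_WORKDIR if working_dir else 0) | (HAS_ICON if icon_location else 0)
    # header: size, CLSID, flags, attributes, 3 timestamps, file size, icon index, SW_SHOWNORMAL, hotkey, reserved x3
    header = struct.pack("<I16sIIQQQIIIHHII", SHLINK_HEADER_SIZE, SHLINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def s(text):  # CountCharacters followed by UTF-16LE characters, no terminator
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = s(relative_path) + (s(working_dir) if working_dir else b"") + s(arguments) + (s(icon_location) if icon_location else b"")
    return header + body + b"\x00\x00\x00\x00"  # ExtraData TerminalBlock


# Constructed samples: a plain application shortcut and a lure-style one whose payload is a harmless echo.
BENIGN_LNK = build_lnk("..\\..\\Program Files\\Editor\\editor.exe", "", "..\\..\\Program Files\\Editor\\editor.exe")
LURE_LNK = build_lnk("..\\..\\Windows\\System32\\cmd.exe", " " * 400 + "/c echo constructed sample",
                     "..\\..\\Program Files\\Viewer\\viewer.exe")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("lure", LURE_LNK)):
        print(label, triage_lnk(parse_lnk(blob)) or ["no findings"])
```

The parser deliberately stops after the StringData section; the LinkTargetIDList and LinkInfo structures carry the absolute target as well, and a production tool should parse them too, since a shortcut can omit the relative path entirely. Run as a mail-gateway or endpoint pre-filter, the heuristics give an analyst the launch command up front instead of relying on the user to notice it.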

CISA Expands Known Exploited Vulnerabilities Catalog

Midway through November, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another entry to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation of the affected software in real-world attacks.

Placement on the KEV list carries a higher operational weight than a typical vulnerability disclosure. It signals that exploitation is neither theoretical nor limited to proof-of-concept code: attackers are already using it, often at scale. While federal agencies are legally bound to remediate KEV-listed vulnerabilities within mandated timelines, many private organizations continue to lag in tracking and responding to these updates.

Why it Matters

  • KEV listings represent confirmed, operational attack paths—not hypothetical risk.
  • Organizations that do not track KEV updates risk reacting weeks or months too late.
  • Vulnerability management programs must prioritize exploitation status, not just CVSS scores.
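To show what "prioritize exploitation status, not just CVSS scores" looks like in a vulnerability-management workflow, here is an added example (not Hornetsecurity code) that indexes a KEV feed by CVE id and re-ranks scanner findings so that KEV-listed issues come first (ransomware-linked entries ahead of the rest, then by CISA due date), with CVSS deciding order only among the remainder. The feed excerpt follows the field names of CISA's published JSON catalog, but every CVE id, vendor, date and asset in it is a constructed placeholder, not a real catalog entry; the "today" date is likewise fixed so the run is reproducible.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE ids, vendors and dates are placeholders, not real catalog entries.
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities", "catalogVersion": "constructed",
    "dateReleased": "2025-11-20T00:00:00.0000Z", "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2099-10001", "vendorProject": "ExampleVendor", "product": "ExampleGateway",
         "vulnerabilityName": "ExampleGateway Command Injection", "dateAdded": "2025-11-12",
         "shortDescription": "placeholder", "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2025-12-03", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-2099-10002", "vendorProject": "ExampleVendor", "product": "ExampleWiki",
         "vulnerabilityName": "ExampleWiki Authentication Bypass", "dateAdded": "2025-11-12",
         "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2025-12-03", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed scanner output: (cve, cvss base score, asset, internet exposed).
FINDINGS = [
    ("CVE-2099-10003", 9.8, "build-server-01", False),  # critical score, not in KEV
    ("CVE-2099-10001", 7.2, "vpn-gw-01", True),         # KEV, ransomware use
    ("CVE-2099-10002", 5.4, "intranet-wiki", False),    # KEV, medium score
    ("CVE-2099-10004", 4.3, "hr-portal", True),
]


def load_kev(feed_text):
    """Index the catalog by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def cvss_only_order(findings):
    """The ordering a severity-score-only program would produce."""
    return [cve for cve, _, _, _ in sorted(findings, key=lambda f: -f[1])]


def prioritize(findings, kev, today):
    """Exploitation status first: KEV entries (ransomware-linked first, then by due date),
    then everything else by CVSS; internet exposure breaks ties."""
    rows = []
    for cve, cvss, asset, exposed in findings:
        entry = kev.get(cve)
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        row = {
            "cve": cve, "asset": asset, "cvss": cvss, "in_kev": entry is not None,
            "ransomware": entry is not None and entry.get("knownRansomwareCampaignUse") == "Known",
            "due": due, "overdue": due is not None and due < today,
            "required_action": entry["requiredAction"] if entry else None,
        }
        row["_key"] = (not row["in_kev"], not row["ransomware"],
                       (due - today).days if due else 10**6, -cvss, not exposed)
        rows.append(row)
    rows.sort(key=lambda r: r["_key"])
    for r in rows:
        del r["_key"]
    return rows


def prioritize_from_feed(findings, feed_text, today_iso):
    """Convenience wrapper: feed JSON text plus an ISO date in, ordered rows out."""
    return prioritize(findings, load_kev(feed_text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    print("CVSS only:", cvss_only_order(FINDINGS))
    for r in prioritize_from_feed(FINDINGS, KEV_FEED, "2025-12-10"):  # constructed "now"
        tag = "not in KEV"
        if r["in_kev"]:
            tag = "KEV" + (" ransomware" if r["ransomware"] else "") + (" OVERDUE" if r["overdue"] else "")
        print(f"{r['cve']} cvss={r['cvss']} {r['asset']:16} {tag}")
```

With the constructed data, a CVSS-only program would start with the 9.8 on the build server; the exploitation-aware ordering puts the two KEV entries ahead of it even though their scores are 7.2 and 5.4, and marks both as past their due date. Feeding the real catalog into `load_kev` is a matter of downloading the JSON; the ranking logic does not change.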

Predictions for the Coming Months

  • Abuse of trusted infrastructure will continue to accelerate. As defenders improve detection of obviously malicious domains and infrastructure, attackers will increasingly rely on legitimate platforms to deliver phishing and credential-harvesting campaigns.
  • Patch latency will remain a dominant risk factor. The continued exploitation of long-known vulnerabilities, such as CVE-2025-9491, drives home that attackers do not need zero-days to succeed.
  • Operational resilience will receive increased scrutiny. High-visibility outages, like the Cloudflare disruption, will prompt more organizations to reassess third-party dependency risk—not just from a security standpoint, but from an availability perspective.

Monthly Recommendations

  • Review dependency and concentration risk across critical vendors. Identify where single providers deliver multiple foundational services (DNS, CDN, security, identity) and assess whether adequate failover or contingency planning exists.
  • Harden defenses against trusted-link abuse. Move beyond static allowlists and domain reputation alone. Implement behavioral analysis, time-of-click inspection, and user training focused specifically on phishing attempts that leverage legitimate infrastructure.
  • Align patching priorities with real-world exploitation. Incorporate CISA’s Known Exploited Vulnerabilities catalog into vulnerability management workflows to ensure actively abused flaws are prioritized for remediation.
  • Reinforce identity protection controls. Prioritize phishing-resistant MFA, tighten OAuth consent policies, and monitor for anomalous sign-in behavior that indicates token misuse or session replay attacks.
  • Test resilience, not just prevention. Validate backup integrity, rehearse recovery workflows, and ensure disaster recovery plans account for both security incidents and upstream service disruptions.

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 125,000 customers.
