Monthly Threat Report August 2025

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on industry events from the month of July 2025.

Executive Summary

• Hornetsecurity research highlights how computer vision techniques can outsmart modern phishing tricks like Quishing, ZeroFont, and logo spoofing, paving the way for hybrid defenses against visually deceptive attacks.
• Salt Typhoon APT maintains access to U.S. National Guard systems for nearly a year, highlighting serious gaps in perimeter detection and segmentation.
• SharePoint zero-day actively exploited in the wild, allowing unauthenticated access to internal collaboration portals.
• Secret Blizzard uses ISP-level adversary-in-the-middle attacks to target embassies, setting a chilling precedent for nation-state surveillance tactics.
• Scattered Spider targets VMware ESXi hypervisors in ransomware attacks against U.S. critical infrastructure, bypassing endpoint security entirely.
• Emerging RaaS group claims 17 global victims across healthcare, automotive, and BPO sectors, signaling increased threat actor maturity and affiliate expansion.

Threat Overview

Computer Vision in Phishing Detection: From Quishing to Hybrid Approaches

This month we’re highlighting a three-part research series from Hornetsecurity’s Security Lab that dives deep into how computer vision can be weaponized for defense rather than offense. Attackers have long used visual tricks to sneak past traditional filters. Think QR code phishing (“Quishing”), blocky HTML tables rendering fake logos, or the infamous ZeroFont technique where hidden text slips by unseen. These methods are designed to fool automated scanners, but they still “look” suspicious to human eyes. Enter computer vision: technology that allows us to analyze emails and webpages like a person would, spotting malicious visuals that content-only analysis misses.

The second part of the series explores the technical nuts and bolts of detecting duplicate and near-duplicate images in phishing and spam campaigns. Since attackers rarely send pixel-perfect copies, defenders can’t just rely on cryptographic hashes. Instead, perceptual hashing and color histograms are used to flag emails that look nearly identical to known threats, even if colors are shifted or spacing tweaked. This creates a scoring system rather than a simple yes/no verdict, allowing analysts to tune sensitivity and cut down on false positives.

Part three goes further, introducing advanced detection techniques like SIFT, ORB, and OCR. These approaches allow security systems to identify subtle logo manipulations, embedded text changes, and other “small but deadly” alterations meant to evade weaker filters. While these methods come with higher computational costs, they provide the high-accuracy detection necessary for high-stakes scenarios where a missed phishing email could mean a breached enterprise account. OCR in particular shines against image-based scams, extracting text from graphics and catching the all-too-common “survey reward” or “bank verification” cons.

The conclusion? Hybrid systems win. By combining lightweight methods (hashes, histograms) with heavyweight techniques (object recognition, OCR, hybrid scoring), this approach balances efficiency with robustness. Attackers may keep innovating with obfuscation, but multi-layered vision-based pipelines make it far harder for malicious visuals to sneak by unnoticed. Expect computer vision to become a bigger part of the defensive toolkit in the coming years, especially as phishing and spam campaigns lean even harder on visual deception.

Major Incidents and Industry Events

Salt Typhoon Breaches National Guard in Long-Dwell Espionage Campaign

In a cyber-espionage move straight out of a spy thriller, the Chinese state-sponsored group Salt Typhoon infiltrated a U.S. Army National Guard network and stayed hidden for nine months—from March through December 2024—harvesting network configuration files, administrator credentials, and even personal data on service members that could pave the way for future attacks against government networks. This wasn’t a quick smash-and-grab—it was stealth at its finest.

According to a DHS memo obtained via NBC, Salt Typhoon didn’t just steal data—they exfiltrated detailed network topology maps, inter-state network diagrams, and cross-territory traffic info spanning every other U.S. state and at least four territories. In other words, they effectively drew the blueprints for how to break into other state-level networks with surgical precision.

This attack fits Salt Typhoon’s broader playbook: deep-prep infiltration of U.S. infrastructure leading to high-impact espionage. The group has a track record of hitting telecom giants like AT&T, Verizon, and Viasat, exploiting unpatched Cisco devices and deploying custom malware such as JumblePath and GhostSpider.

Why it Matters

• Nine months of undetected access in a National Guard network is an absolute red flag—it’s not just data theft, it’s strategic pre-positioning for future disruption.
• The breadth of stolen network intelligence could enable Salt Typhoon to trigger cascading compromises across state cybersecurity agencies and fusion centers.
• This is a wake-up call that “good enough” patching and segmentation isn’t good enough anymore.

SharePoint Zero-Day (CVE-2025-53770) Actively Exploited

Microsoft SharePoint (the old on-prem version) is back in the zero-day spotlight. This time it’s CVE-2025-53770, a remote code execution vulnerability in on-prem SharePoint Server that has been under active exploitation since early July, according to reports from Microsoft and corroborated by CISA.

Attackers are leveraging the flaw to gain access to internal portals and perform unauthorized actions, all without needing valid credentials. According to The Hacker News, exploitation started at least 10 days before Microsoft issued the patch, putting hundreds of enterprise environments at risk.

Exploitation is occurring both opportunistically and via targeted campaigns. What’s worse, many orgs running SharePoint Server haven’t patched in years. Some are running unsupported versions, making mitigation more painful.

Why it Matters

• No authentication + broad access = disaster. Once inside, threat actors can impersonate users, exfiltrate data, or pivot internally.
• SharePoint remains deeply embedded in enterprise workflows. This zero-day proves how legacy collab tools still pose major risk.
• Patching is non-trivial for many orgs still running 2016/2019 versions. Delays mean ongoing exposure.

Secret Blizzard Executes ISP-Level AitM Espionage on Moscow Embassies

In a move that reads like a stealthy rewrite of “trust no one,” Russian-linked APT Secret Blizzard hijacked ISP-level traffic to target foreign embassy staff in Moscow. When affected devices ping Microsoft’s connectivity check (think standard captive portal behavior), they’re redirected to install what looks like a “Kaspersky update”, which is actually the ApolloShadow malware. Once installed, it disables browser encryption and injects trusted root certificates, giving the attackers a line-by-line view of every web transaction. This isn’t simple malware. It’s surveillance baked into the network fabric, ongoing since at least 2024.

Why it Matters

• This attack bypasses endpoints entirely. It is rooted in telecom-level control, not phishing or email.
• SSL/TLS gets neutered, making even encrypted traffic open for grabs once ApolloShadow is installed.
• Diplomats using local ISPs in surveillance-heavy jurisdictions are now walking targets.

Scattered Spider Weaponizes VMware ESXi in U.S. Critical Infrastructure Attacks

The Scattered Spider threat group (the gift that keeps on giving out ransomware) made headlines again in July, this time with an upgraded campaign targeting VMware ESXi environments at U.S. critical infrastructure orgs.

Per Hacker News, the group has been leveraging impersonation, stolen credentials, social engineering…etc to drop ransomware directly onto hypervisors. This is a trend the industry has seen building since early 2024. Victims include organizations in transportation and retail, and the group is deploying custom payloads designed to encrypt entire virtual environments in one go.

This is high-impact extortion in that attackers are taking down VMs at scale without ever touching a user’s endpoint. And it’s all made possible by outdated access policies and weak MFA enforcement.

Why it Matters

• The campaign skips endpoints and impacts entire data centers. Virtual machine ransomware is highly effective sadly.
• ESXi attacks are hard to detect until it’s too late. No traditional AV, no EDR coverage inside the hypervisor.
• Enterprises often don’t segment vSphere consoles or enforce proper hardening, especially in OT/retail ops.

Emerging RaaS Actor “GLOBAL GROUP” Targets Diverse Sectors with AI-Powered Operability

A newly emerged ransomware-as-a-service group, GLOBAL GROUP, has quickly made headlines after claiming 17 victims across multiple regions and industries, including healthcare, automotive repair, oil-and-gas equipment fabrication, industrial engineering, and BPO services. First spotted in early June 2025, the group is believed to be a rebrand of BlackLock and Mamona, operated by the actor known as “$$$.” GLOBAL GROUP victims span Australia, Brazil, Europe, and the U.S., signaling a broad geographic footprint.

What sets GLOBAL GROUP apart is its professionalized affiliate model. Affiliates receive an 85% share of ransom revenue, making the program highly competitive compared to other RaaS crews. The platform also includes a dedicated affiliate panel with the ability to generate payloads for Windows, VMware ESXi, NAS, and BSD environments. Beyond tooling, the group is also leveraging an AI-powered chatbot to handle ransom negotiations, even supporting multiple languages to expand its effectiveness in global campaigns.

Why it Matters

• Industrialized ransomware. The combination of affiliate tooling, global reach, and AI-driven negotiations underscores how sophisticated RaaS operations have become.
• High-value targets across sectors. From healthcare to industrial engineering, GLOBAL GROUP is going after victims with both critical services and high likelihood of paying.
• Aggressive affiliate incentives. An 85% payout structure will likely attract more affiliates, accelerating the group’s growth and impact.

Predictions for the Coming Months 

• Hypervisor-targeted ransomware campaigns will increase, especially against sectors with high virtualization density and weak segmentation.
• AitM malware delivery at ISP or regional telco levels will become more common, especially in geopolitical hotspots and during diplomatic flare-ups.
• Enterprise software platforms like SharePoint and Confluence will see more pre-auth zero-days, as attackers pivot back toward business-critical legacy services.

Monthly Recommendations

• Protect common entry points like email communications – Use trusted, next-gen email security solutions, if you’re not already.
• Enforce hard separation of management planes — isolate vSphere, SharePoint, and identity services from general-purpose access; restrict exposure via VPN only.
• Re-audit critical web-facing infrastructure — including SharePoint, VPNs, and remote management interfaces, ensuring patch compliance and credential hygiene.
• Invest in behavioral anomaly detection at the network layer — especially for lateral movement, token abuse, and insider-like command execution patterns.

---

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 125,000 customers.