
Monthly Threat Report November 2025
Exotic Domains, Exploited Systems, and AI on the Offensive
Introduction
The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on industry occurrences from the month of October 2025.
Executive Summary
- WSUS Exploited in the Wild – A critical Windows Server Update Services (WSUS) flaw (CVE-2025-59287) is being actively exploited, allowing remote code execution with SYSTEM privileges. CISA issued an emergency directive mandating immediate patching across federal networks.
- F5 Networks Breach – Attackers stole portions of BIG-IP source code and internal vulnerability data from F5, potentially giving adversaries deep insight into product internals and accelerating exploit development.
- Microsoft and VMware Zero-Days – October’s Patch Tuesday saw multiple actively exploited vulnerabilities across Windows and VMware products, fueling another month of “patch-or-perish” urgency.
- TLD Abuse on the Rise – Threat actors are increasingly weaponizing exotic domains like .zip, .app, and .mov to bypass filters and deliver phishing or malware payloads under the guise of legitimacy.
- AI’s Expanding Role in Cybersecurity – Artificial intelligence continues to redefine both attack and defense. While it enhances detection and automation for defenders, it’s simultaneously empowering adversaries to launch more sophisticated and convincing campaigns.
Threat Overview
How Attackers Leverage Exotic Top Level Domains (TLDs) in Attacks
Defenders are in a constant race to keep pace with attacker tactics, techniques, and procedures, and lately one of the quieter evolutions we’ve seen in the phishing and malware space is the growing abuse of “exotic” top-level domains (TLDs). In this month’s report, we wanted to shed some light on how threat actors are exploiting these less common domain endings. Typically these are domains ending in .app, .zip, .lol, .cam, and dozens more. The goal is to bypass filters and trick end users. Many of these TLDs are newer, cheaper, or were originally intended for legitimate use in niche industries, but they have become a haven for malicious campaigns thanks to weak registrar oversight and the visual trust they inherit from familiar brands.
The tactic works because modern users rarely notice domain endings, and security tools that rely on legacy reputation databases can lag behind in flagging newly created sites. Attackers spin up thousands of lookalike domains on short-lived infrastructure, often pairing them with valid TLS certificates to add a veneer of legitimacy. The result is a near-perfect delivery mechanism for phishing, credential harvesting, and drive-by malware. The lesson here is simple but critical: defenders need to continuously update domain intelligence feeds, enforce strict URL rewriting and scanning policies, and educate users to question what’s hiding behind that shiny new .zip link, because when it comes to TLD abuse, obscurity has become the attacker’s best friend.
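As an added illustration of the triage described above (example code written for this edit, not a Hornetsecurity tool or anything from the original report): the script below pulls URLs out of a constructed email body and flags three of the signals just discussed: a TLD from a watchlist, a bare hostname that reads like a file name (the .zip/.mov collision), and a brand keyword appearing on a domain the brand does not own. The TLD watchlist, the brand table and the sample message are all assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed watchlist: the TLDs the report names plus two of the
# "dozens more" it alludes to. Tune this to your own environment.
SUSPICIOUS_TLDS = {"zip", "app", "mov", "lol", "cam"}

# TLDs that double as common file extensions. A bare "invoice.zip" in an
# email body is auto-linked by many mail clients and reads like an attachment.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Constructed brand watchlist: brand keyword -> domains that legitimately use it.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com"},
    "hornetsecurity": {"hornetsecurity.com"},
}

# Matches scheme-less hostnames too, because that is how a bare ".zip" name
# appears in message text before the client turns it into a link.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"']*)?", re.I)

# Constructed sample message for the demonstration.
SAMPLE_EMAIL = (
    "Please review the attached file invoice-q3.zip before Friday. "
    "Sign in at https://microsoft-login.app/verify to confirm. "
    "Details at https://www.hornetsecurity.com/report"
)


def extract_urls(text):
    """Return every URL-looking token in the text, schemed or not."""
    return [m.group(0) for m in URL_RE.finditer(text)]


def hostname_of(url):
    """Normalise a schemed or scheme-less URL to its lowercase hostname."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def assess_url(url):
    """Attach a list of human-readable triage reasons to one URL."""
    host = hostname_of(url)
    tld = host.split(".")[-1]
    reasons = []
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"exotic TLD .{tld}")
    # No scheme plus a file-extension TLD: the token was probably meant to
    # look like a filename rather than a link.
    if tld in FILE_EXTENSION_TLDS and "://" not in url:
        reasons.append("bare hostname looks like a filename")
    for brand, legit in BRAND_DOMAINS.items():
        on_legit_domain = any(host == d or host.endswith("." + d) for d in legit)
        if brand in host and not on_legit_domain:
            reasons.append(f"brand '{brand}' outside its legitimate domains")
    return {"url": url, "host": host, "tld": tld, "reasons": reasons}


def triage(text):
    """Return only the URLs in the text that earned at least one reason."""
    return [r for r in (assess_url(u) for u in extract_urls(text)) if r["reasons"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EMAIL):
        print(hit["host"], "->", "; ".join(hit["reasons"]))
```

Treat the reasons as a triage score that routes the link to URL rewriting and sandboxing, not as a block verdict: .app in particular hosts plenty of legitimate sites, and the substring brand check will fire on names such as "microsoftpartners". The point is to surface the link for inspection before a user clicks it.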
The Impact of AI on Cybersecurity
There’s no doubt that AI has had an impact on cybersecurity just like it has on other industries. We’ve been discussing for some time, via our various publications, how AI is changing the security industry. While the initial “hype wave” of AI has come and gone, there continue to be developments and impacts on current security team operations.
In a recent article on the Hornetsecurity blog, The Impact of AI on Cyber Security by Paul Schnackenburg, we explore how artificial intelligence is reshaping both the defensive and offensive sides of the cybersecurity landscape. On one hand, AI is becoming a force multiplier for defenders, driving smarter detection, faster triage, and better pattern recognition across vast datasets. It’s helping security teams automate incident response and reduce noise, particularly in complex cloud and email environments where traditional tools struggle to keep up.
On the flip side, the same tech is supercharging attackers. AI lowers the skill floor for phishing, deepfakes, and social-engineering campaigns while increasing the scale and believability of threats. The post cautions that as LLMs and generative tools become ubiquitous, adversaries will weaponize them just as quickly as defenders deploy them. A key takeaway: organizations must not only adopt AI securely, but also harden policies, governance, and user awareness around it. In the new threat landscape, AI isn’t just part of the defense; it’s part of the attack surface too.
Major Incidents and Industry Events
WSUS Vulnerability Actively Exploited in the Wild
October has pushed administrators to patch after news broke of a critical Windows Server Update Services (WSUS) vulnerability under active exploitation: CVE-2025-59287. The flaw allows remote code execution with SYSTEM-level privileges on WSUS servers configured as update sources, effectively giving attackers full rein over the affected system. Microsoft’s patch landed in early October, but CISA followed up almost immediately with an emergency directive mandating that US federal agencies patch or disable vulnerable WSUS roles within 48 hours. Exploitation was first spotted in opportunistic attacks targeting internet-exposed WSUS endpoints.
The real danger here lies in WSUS’s role as the nerve center of enterprise Windows patching. Compromise it, and an attacker can potentially extend their reach across a network. That’s not just theoretical. This case echoes classic supply-chain abuse like what the industry saw with SolarWinds years ago. If you’re running WSUS in a hybrid environment or with open inbound ports, now’s the time to check segmentation, roll patches, and verify update signing integrity. Treat this one as a tier-one incident because once your patch management server goes rogue, the risk to your entire fleet increases.
F5 Breach Exposes BIG-IP Source Code and Vulnerability Data
In late October, F5 Networks confirmed a security breach that allowed attackers to steal portions of BIG-IP source code, internal vulnerability research, and threat-intel documentation. The company traced the intrusion to a compromised developer account tied to an exposed GitLab instance. This reads like a textbook example of why privileged code repositories need MFA and tight access controls. While F5 stated that no customer data or production systems were affected, the exposed materials could give advanced threat actors valuable insight into undisclosed flaws and product internals, effectively shortening the window between vulnerability discovery and weaponization.
For enterprises that rely on BIG-IP for load balancing and perimeter security, the implications are serious. Source code theft means attackers can hunt for exploitable weaknesses with perfect visibility into how those systems handle requests, memory, and authentication flows. Even if no immediate exploit emerges, it’s reasonable to expect a spike in scanning and fuzzing activity against F5 appliances over the coming months. Organizations should ensure they’re running the latest firmware, monitoring for anomalous traffic to management interfaces, and revisiting segmentation strategies. Remember, when your network edge vendor’s blueprints leak, your own attack surface gets a little bigger.
Other Major Zero-Day Exploits & the Patch Rush
October’s Patch Tuesday was a bit busier and more urgent than most. Microsoft shipped fixes for a massive batch of issues including multiple zero-days that were already being abused in the wild (notably CVE-2025-24990 and CVE-2025-59230). When zero-days show up in telemetry before most organizations have even digested the advisory, the result is a frantic sprint: emergency patching, emergency testing, and emergency rollbacks when something inevitably breaks. The practical reality for defenders is unpleasant but simple. If a patch closes an actively exploited vulnerability, you move it up the priority list, even if it means calling in weekend ops.
Complicating the month was a VMware-related zero-day (CVE-2025-41244) tied to Aria/VMware Tools and observed in the hands of a sophisticated actor, increasing the stakes for cloud and virtualization teams. The combined lesson: accelerate patch deployment for public-facing and management-plane products, but don’t be reckless. Organizations must pair rapid rollouts with compensating controls or risk creating more issues. If you can’t patch immediately, apply virtual patches (WAF rules, IPS signatures, etc.), tighten access to management interfaces (VPN + ZTNA + MFA), boost EDR/XDR telemetry for post-exploit detection, and watch for abnormal authentications or lateral movement. In short, patch fast, but patch smart, because attackers are already treating unpatched networks as low-effort targets.
Predictions for the Coming Months
- TLD Abuse Will Escalate – Expect continued growth in phishing and malware campaigns leveraging exotic TLDs such as .zip, .app, and .mov. As browser-level protections improve, attackers will diversify domain registrations to stay one step ahead of filters.
- AI-Driven Phishing Evolves Faster – Generative AI tools will continue lowering the barrier to entry for threat actors, enabling scalable, multilingual, and highly personalized phishing campaigns that evade traditional detection methods.
- Patch Infrastructure Becomes a Target Class – Following WSUS exploitation, expect increased attention on patch orchestration systems, update servers, and configuration management tools as lateral movement vectors.
- Source Code Leaks Spur Vulnerability Gold Rushes – The F5 breach highlights an emerging trend: source code exposure leading to rapid exploit development. Expect to see similar incidents in other vendors as attackers pivot from ransomware to research theft.
Monthly Recommendations
- Prioritize Critical Patch Cycles – Patch WSUS immediately and verify segmentation between management and production networks. Apply October’s Microsoft, VMware, and F5 advisories without delay.
- Lock Down Update Infrastructure – Limit inbound access to WSUS and other patch management systems. Use TLS, signed updates, and auditing to ensure no unauthorized content injection.
- Monitor for F5 Scanning Activity – Run the latest firmware, restrict management interfaces, and monitor network logs for fingerprinting or enumeration behavior targeting BIG-IP endpoints.
- Review Domain Intelligence Feeds – Add threat feeds that include new and emerging TLDs. Apply Hornetsecurity’s URL rewriting and sandboxing to strip away the novelty advantage of exotic domains.
- Enhance Phishing Awareness Training – Use real-world examples of exotic TLD abuse and AI-written phishing content to educate end users on modern social engineering tactics.
- Adopt Virtual Patching and Compensating Controls – When immediate patching isn’t feasible, leverage WAF rules, intrusion signatures, and microsegmentation to buy time without exposing critical systems.
- Expand Threat Hunting for Supply-Chain Risks – Proactively monitor update distribution systems, artifact repositories, and CI/CD pipelines for anomalies that could signal tampering or credential misuse.
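To make the monitoring items in this list concrete, here is an added example (not part of the original report and not a Hornetsecurity product) that implements two of the checks: management-interface requests arriving from outside an allowed admin subnet (the "limit inbound access" recommendation) and enumeration behavior in the sense of one source hitting many distinct paths with mostly 404 responses inside a short window (the "fingerprinting or enumeration" recommendation). The access log, the /mgmt/ prefix and the admin subnet are constructed placeholders; substitute your appliance's real management path and your own address ranges.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample access log in Common Log Format. Addresses come from
# documentation ranges; the management prefix is a placeholder.
SAMPLE_LOG = """\
10.20.0.5 - admin [29/Oct/2025:09:00:01 +0000] "GET /mgmt/status HTTP/1.1" 200 512
203.0.113.9 - - [29/Oct/2025:09:00:02 +0000] "GET /mgmt/ HTTP/1.1" 401 0
203.0.113.9 - - [29/Oct/2025:09:00:02 +0000] "GET /mgmt/version HTTP/1.1" 404 0
203.0.113.9 - - [29/Oct/2025:09:00:03 +0000] "GET /admin/ HTTP/1.1" 404 0
203.0.113.9 - - [29/Oct/2025:09:00:03 +0000] "GET /login HTTP/1.1" 404 0
203.0.113.9 - - [29/Oct/2025:09:00:04 +0000] "GET /api/ HTTP/1.1" 404 0
203.0.113.9 - - [29/Oct/2025:09:00:04 +0000] "GET /console HTTP/1.1" 404 0
198.51.100.7 - - [29/Oct/2025:09:05:10 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.7 - - [29/Oct/2025:09:05:11 +0000] "GET /about HTTP/1.1" 200 800
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

MGMT_PREFIX = "/mgmt/"  # placeholder: your appliance's management path
MGMT_ALLOWED = [ipaddress.ip_network("10.20.0.0/24")]  # constructed admin subnet


def parse_log(text):
    """Parse CLF lines into dicts; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def mgmt_access_from_outside(events):
    """Requests to the management path from addresses outside the allowlist."""
    hits = []
    for e in events:
        if e["path"].startswith(MGMT_PREFIX):
            addr = ipaddress.ip_address(e["ip"])
            if not any(addr in net for net in MGMT_ALLOWED):
                hits.append(e)
    return hits


def enumeration_sources(events, window_seconds=60, min_distinct=5, min_404_ratio=0.6):
    """Flag sources that probe many distinct paths, mostly missing, in one window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window anchored at each request; stop at the first hit per IP.
        for i in range(len(evs)):
            j = i
            while j + 1 < len(evs) and (evs[j + 1]["ts"] - evs[i]["ts"]).total_seconds() <= window_seconds:
                j += 1
            window = evs[i:j + 1]
            distinct = {e["path"] for e in window}
            ratio = sum(1 for e in window if e["status"] == 404) / len(window)
            if len(distinct) >= min_distinct and ratio >= min_404_ratio:
                flagged[ip] = {"distinct_paths": len(distinct), "not_found_ratio": round(ratio, 2)}
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in mgmt_access_from_outside(evs):
        print("mgmt path from outside allowlist:", e["ip"], e["path"])
    for ip, info in enumeration_sources(evs).items():
        print("enumeration suspected from", ip, info)
```

The thresholds are deliberately low for the toy log; on a real appliance, set the window and distinct-path count from a baseline of normal admin traffic, and feed the flagged sources into the same place your other perimeter alerts land so the F5 scanning spike the report anticipates shows up as an alert rather than as a line in a log nobody reads.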
About Hornetsecurity
Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 125,000 customers.