
Monthly Threat Report January 2026
New Year, Persistent Risks
Introduction
The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of December 2025.
Executive Summary
- December saw a surge in low-effort, high-volume email attacks aligned with seasonal shopping and delivery activity.
- Attackers relied heavily on structural email deception techniques, including fake “From” and “To” fields and multipart MIME abuse.
- Use of empty HTML tags increased as threat actors favored low-signal, evasive phishing techniques over content-heavy lures.
- Insider-risk concerns resurfaced following guilty pleas by former security professionals involved in BlackCat ransomware attacks.
- Zero-day exploitation remained persistent, with Chrome and Windows vulnerabilities actively abused prior to patch availability.
- Patch latency continues to expose even well-maintained environments to real-world exploitation.
- Malicious browser extensions demonstrated how trust in official marketplaces can be abused at massive scale.
- Identity, user trust, and endpoint hygiene remain central risk areas heading into early 2026.
Threat Overview
Year end is always an active time for cyber criminals. Holiday shopping brings an increase in low-effort, spray-style email attacks because threat actors know that more eyes are on mailboxes looking for shipping and delivery notices. Our top threat types for December align with that. Emails with fake “From” text were at the very top of the list, followed closely by multipart (part misplaced) emails and attacks using a fake “To” field, both designed to mislead email scanners and end users alike. Alongside this, we saw an increase from November to December in email attacks using empty HTML tags in an effort to confuse and bypass scanning engines.
Top Three Threat Techniques Used in December 2025
- #1. Fake “From” Text – This technique replaces the display name in the From header, the text a mail client shows beside or instead of the actual sender address, usually to pose as a trusted and well-known brand. The aim is both to slip past mail filters and to increase open rates with targeted users. Because the underlying sending address is one the attacker controls, SPF, DKIM and DMARC can all pass; only a comparison of the display name against the sender domain exposes the mismatch.
- #2. Multi-parted emails – Multi-parted (Part Misplaced) attacks exploit improperly defined MIME multipart boundaries, for example a declared boundary that never appears in the body, so that security engines fail to parse out the payload while some mail clients still render it.
- #3. Fake “To” Text – Attackers edit the “To” field so it appears to address a trusted institution or authority figure and deliver the message to the real target via BCC. The goal is to make the email look more authentic and to trick the user into interacting with it through the trust implied by the spoofed “To” field.
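All three techniques above can be caught structurally, before any content analysis. The following Python script is an added illustration, not Hornetsecurity’s own detection code: it parses three constructed sample messages with the standard library’s lenient email parser and flags a From display name that claims a brand whose domain does not match the sender (#1), a declared multipart whose boundary never appears, which the parser records as a defect and leaves as an unparsed body that is then scanned for links anyway (#2), and a message whose envelope recipient is missing from To/Cc, i.e. delivered via BCC behind a decorative To (#3). The brand table, domains and sample messages are assumptions made for the example; the envelope recipient would normally come from the SMTP RCPT TO or the Delivered-To header.

```python
"""Structural checks for the three techniques above: fake "From" text,
misplaced multipart parts, and a fake "To" with the real target in BCC.

Added illustration, not Hornetsecurity's detection logic. The brand table,
domains and sample messages are all constructed for this example.
"""
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr

# Assumption: brands we protect, each with the domains allowed to send as them.
PROTECTED_BRANDS = {
    "parcelco": {"parcelco.example"},
    "acme bank": {"acme-bank.example"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def parse(raw: bytes):
    """Parse leniently: the parser records structural defects instead of raising."""
    return email.message_from_bytes(raw, policy=policy.default)


def check_fake_from(msg):
    """#1: the display name claims a protected brand, but the address domain is not the brand's."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in PROTECTED_BRANDS.items():
        if brand in name.lower() and domain not in domains:
            return f"From display name {name!r} impersonates {brand}; sender domain is {domain!r}"
    return None


def check_fake_to(msg, envelope_rcpt: str):
    """#3: the mailbox that really received the message (SMTP RCPT TO or Delivered-To)
    is absent from To/Cc, so the visible To is decorative and we were BCC'd."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses([str(h) for h in headers])}
    if envelope_rcpt.lower() not in visible:
        return f"recipient {envelope_rcpt} absent from To/Cc (To={str(msg.get('To'))!r}); delivered via BCC"
    return None


def check_multipart(msg):
    """#2: a declared multipart whose boundary never lines up. Python's parser notes
    the defect and leaves the whole body as one unparsed string; a lenient mail
    client may still render it, so scan that string for links instead of dropping it."""
    defects = [type(d).__name__ for d in msg.defects]
    hidden_urls = []
    if msg.get_content_maintype() == "multipart" and not msg.is_multipart():
        hidden_urls = URL_RE.findall(msg.get_payload())
    return {"defects": defects, "hidden_urls": hidden_urls}


def run_checks(raw: bytes, envelope_rcpt: str) -> dict:
    """Run all three checks; values are None / empty when nothing was found."""
    msg = parse(raw)
    return {
        "fake_from": check_fake_from(msg),
        "fake_to": check_fake_to(msg, envelope_rcpt),
        "multipart": check_multipart(msg),
    }


# Constructed samples (not real campaign data). Each exercises one technique.
SAMPLE_FAKE_FROM = b"""From: "ParcelCo Delivery" <notice@mail-updates.example.net>
To: victim@corp.example
Subject: Your parcel could not be delivered
Content-Type: text/plain

Confirm your address at http://track.example.net/p/1234 to reschedule.
"""

SAMPLE_FAKE_TO = b"""From: "IT Service Desk" <helpdesk@corp-it.example.net>
To: "All Staff" <all-staff@corp.example>
Subject: Password expiry notice
Content-Type: text/plain

Your password expires today.
"""

SAMPLE_BAD_MULTIPART = b"""From: "Accounts" <accounts@supplier.example.net>
To: victim@corp.example
Subject: Invoice 8841
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="declared-boundary"

--actual-boundary
Content-Type: text/html

<html><body><a href="http://login.example.net/">Open invoice</a></body></html>
--actual-boundary--
"""

if __name__ == "__main__":
    for label, raw in [("fake_from", SAMPLE_FAKE_FROM), ("fake_to", SAMPLE_FAKE_TO),
                       ("bad_multipart", SAMPLE_BAD_MULTIPART)]:
        print(label, run_checks(raw, "victim@corp.example"))
```

The design point is the multipart case: when the parser reports a defect, the message is not “empty”, it is unparsed, and the scan must fall back to the raw body rather than treating a defect as a clean result.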
Threat Highlight – Empty HTML <a> Tag
In December, we observed an increase in phishing emails abusing empty HTML <a> tags. These are anchor elements that appear visually harmless or blank but still contain actionable links in the underlying HTML. These messages often render as minimal or near-empty emails, sometimes showing only spacing, a thin line, or benign text nearby, while the clickable area is defined entirely by invisible or zero-width anchor tags. The goal is to evade both user suspicion and content-based detection by avoiding obvious URLs, buttons, or phishing language in the rendered body.
From a detection-evasion perspective, this technique targets the gaps between HTML parsing, link extraction, and visual rendering. It can also be combined with hidden links to legitimate domains, padding a message that carries a payload with benign URLs to further confuse scanning solutions. Some security engines deprioritize or miss links embedded in empty or malformed anchor tags, especially when paired with CSS tricks, while some mail clients still honor the hyperlink, so a single accidental click can redirect the user to credential-harvesting or malware-delivery infrastructure. The uptick in December suggests attackers are increasingly favoring low-signal, structurally deceptive HTML techniques over traditional, content-heavy phishing templates.
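As an added example (not Hornetsecurity’s scanner), the following Python audit extracts every anchor from an HTML body and separates the links a reader would actually see from links that render as nothing: empty anchor text, text made only of zero-width or non-breaking characters, or an inline style that hides the element. It goes slightly beyond the paragraph above by also reporting the visible links, so the pattern of “visible links go to a well-known domain, hidden links go elsewhere” shows up directly. The HTML sample, the domains in it and the list of hiding styles are constructed for the example.

```python
"""Find anchors that carry a link but render as nothing: the empty <a> tag
technique described above.

Added example, not Hornetsecurity's scanner. The HTML sample and all domains
in it are constructed for this illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Characters that occupy no visible space but count as "text" to a naive extractor.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00a0"}
# Inline style fragments that hide the element or its text. (Assumption: a
# pragmatic list, not an exhaustive CSS model.)
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])|opacity\s*:\s*0(?![.\d])",
    re.IGNORECASE)


def visible_text(text: str) -> str:
    """Strip whitespace and zero-width characters; what remains is what a reader sees."""
    return "".join(ch for ch in text if ch not in INVISIBLE and not ch.isspace())


class AnchorCollector(HTMLParser):
    """Collect every <a> with its href, the text inside it, and hiding hints."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: &#8203; arrives as "\u200b"
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "a" and self._current is None:
            self._current = {"href": attrs.get("href", ""), "text": "",
                             "hidden_style": bool(HIDDEN_STYLE.search(attrs.get("style", ""))),
                             "has_img": False}
        elif tag == "img" and self._current is not None:
            self._current["has_img"] = True     # an image inside the anchor is visible content

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append(self._current)
            self._current = None


def audit_html(body: str) -> dict:
    """Split links into those a reader can see and those that render as nothing."""
    parser = AnchorCollector()
    parser.feed(body)
    parser.close()
    visible, hidden = [], []
    for a in parser.anchors:
        href = a["href"].strip()
        if not href or href.startswith("#"):
            continue
        reasons = []
        if not visible_text(a["text"]) and not a["has_img"]:
            reasons.append("no visible text")
        if a["hidden_style"]:
            reasons.append("hidden by inline style")
        entry = {"href": href, "host": urlparse(href).hostname or ""}
        if reasons:
            hidden.append({**entry, "reasons": reasons})
        else:
            visible.append({**entry, "text": a["text"].strip()})
    return {"visible": visible, "hidden": hidden}


# Constructed sample: one decoy link a reader sees, three invisible anchors.
SAMPLE_HTML = """<html><body>
<p>Thank you for your order.</p>
<p>Questions? Visit <a href="https://www.example.com/">our help centre</a>.</p>
<a href="http://verify.example.net/login"></a>
<a href="http://verify.example.net/login" style="font-size:0">&#8203;</a>
<p>&nbsp;<a href="http://verify.example.net/login">&#8203;&#8203;</a>&nbsp;</p>
</body></html>"""

if __name__ == "__main__":
    result = audit_html(SAMPLE_HTML)
    print("visible:", result["visible"])
    print("hidden: ", result["hidden"])
```

A useful scoring rule on top of this output: a message whose visible links all point at well-known hosts but whose hidden anchors point at a different host should be treated as a link to that hidden host, because that is the only destination a click can actually reach.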
Major Incidents and Industry Events
Industry incidents and events during December highlight some of the usual things we see in the cybersecurity space, like zero-days, Patch Tuesday, and malicious browser extensions. However, we also saw a few things out of the norm, like industry security experts pleading guilty to BlackCat ransomware attacks.
Former Security Experts Plead Guilty to BlackCat Ransomware Incidents
One notable news item in December was a criminal case involving two cybersecurity incident responders turned threat actors. The two used their knowledge and skills to breach multiple US companies as part of the BlackCat/ALPHV ransomware attacks in 2023. Both pleaded guilty and face up to 20 years in prison.
We occasionally discuss insider threats in this report, and the industry has moved to urge organizations to put measures in place to detect and disrupt them. This incident does not involve the individuals acting as insiders against their own employer, but it does reinforce that businesses must truly know and understand the people they place in sensitive positions, and must build checks and balances into critical business functions. For example, one administrator should not be able to shorten or delete backup retention on their own; a second admin should have to approve the change. Businesses that include risks like this in their threat model will be better insulated from similar attacks in the future.
Why it Matters
- Technical expertise alone does not equate to trustworthiness; deep system knowledge can be just as dangerous in the wrong hands.
- Insider-risk programs must account for malicious intent, not just compromised credentials or external attackers.
- Separation of duties and enforced checks and balances remain critical safeguards against abuse of privileged access.
- Security controls should assume that even highly trusted roles can become threat actors under the right conditions.
Zero-Day Activity: Chrome and Windows Under the Microscope
In December, major platform vendors once again moved quickly to patch zero-day vulnerabilities that were being actively exploited in the wild, a pattern that shows how persistent and opportunistic attackers have become. Google released an emergency update addressing its eighth Chrome zero-day of 2025, a high-severity flaw that was being abused before a fix was available. The patch rolled out across Windows, macOS, and Linux, a reminder of how prevalent Chrome is in enterprise environments and how broad the attack surface becomes when a widely used browser is compromised.
On the same cadence, Microsoft’s December 2025 Patch Tuesday delivered fixes for 57 vulnerabilities, including three zero-day flaws. One of them, a Windows Cloud Files Mini Filter Driver elevation-of-privilege issue, was already being exploited before the patch was available; the other two had been publicly disclosed ahead of the fix. The breadth of the update, spanning remote code execution, information disclosure, and privilege escalation bugs, makes the point clearly: even well-maintained Windows estates remain at risk when updates lag or testing cycles delay deployment.
We’ve listed the relevant zero-day CVEs from both Chrome and Microsoft below:
- CVE-2025-14174 – Google Chrome (high severity, exploited in the wild before the fix)
- CVE-2025-62221 – Microsoft, Windows Cloud Files Mini Filter Driver elevation of privilege (exploited in the wild)
- CVE-2025-64671 – Microsoft (publicly disclosed before the fix)
- CVE-2025-54100 – Microsoft (publicly disclosed before the fix)
Why it Matters
- Zero-day vulnerabilities represent conditions where attackers have the advantage, exploiting flaws before defenders can patch them.
- Frequent zero-day fixes in widely deployed software (browsers and operating systems) highlight that attackers prioritize the most pervasive targets.
- The combination of emergency vendor updates and routine Patch Tuesday patches means defenders must balance urgency with operational risk in patch management.
ShadyPanda Extension Installations Hit 4.3 Million
In December, researchers uncovered a widespread campaign involving a family of malicious browser extensions, dubbed ShadyPanda, that collectively amassed over 4.3 million installs from official extension stores. These extensions appeared to be legitimate utilities such as PDF converters, video downloaders, and coupon helpers. In reality, they acted as covert ad injectors and credential-theft tools. Once installed, the extensions carried out malicious activity ranging from unwanted ad displays to redirecting users to phishing pages and capturing sensitive data. The sheer scale of installations suggests that the threat actors behind this campaign invested significantly in social engineering and distribution tactics to bypass store review safeguards.
What makes ShadyPanda particularly concerning isn’t just its install count but the trust-based vectors and persistence mechanisms it leverages. By mimicking familiar utility functions and distributing through official extension marketplaces, these malicious add-ons slipped past many users’ suspicions and past traditional URL- or file-based defenses. The extensions also employed obfuscation and code-injection techniques that made detection by automated security systems more challenging. Even after the extensions were removed from the marketplaces, millions of unsuspecting users who already had them installed remained exposed.
Why it Matters
- Browser extensions enjoy elevated access within users’ browsing sessions, making them potent vectors for data interception and session abuse.
- Official extension stores are not immune to malicious actors; trust in curated marketplaces must be tempered with verification.
- High installation counts amplify exposure, meaning widespread user populations may be silently impacted before detection and takedown.
- Defenders should monitor for unauthorized or suspicious extensions as part of endpoint hygiene and identity risk management.
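One concrete form of the extension hygiene recommended above is to triage what installed extensions are permitted to do, independent of what the store listing claims. The following Python script is an added example, not Hornetsecurity’s tooling and not derived from the ShadyPanda manifests: it scores a manifest.json by the permissions and host patterns that give an extension reach into other sites’ sessions and traffic, applies an organisational allowlist, and can walk a Chromium profile’s Extensions directory (laid out as <id>/<version>/manifest.json). The two manifests, the extension IDs, the risk weights and the thresholds are all assumptions made for the example.

```python
"""Permission triage for installed browser extensions.

Added example, not Hornetsecurity's tooling and not derived from the ShadyPanda
manifests. The two manifests, the extension IDs, the risk weights and the
thresholds are all assumptions made for this illustration.
"""
import json
from pathlib import Path

# Assumption: weights for Chromium extension permissions that give an add-on
# reach into other sites' sessions, traffic, or the host machine.
RISK_WEIGHTS = {
    "cookies": 3, "webRequest": 3, "webRequestBlocking": 3, "scripting": 3,
    "nativeMessaging": 3, "debugger": 3, "declarativeNetRequest": 2,
    "history": 2, "clipboardRead": 2, "management": 2,
    "tabs": 1, "webNavigation": 1,
}
# Host patterns that let the extension touch every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def triage(manifest: dict, ext_id: str, allowlist=None) -> dict:
    """Score one manifest and decide allow / review / block.

    The score reflects what the extension *could* do, which is the question that
    matters when the store listing ("PDF converter") and the code disagree."""
    perms = set(manifest.get("permissions", []))
    # Manifest V3 keeps host patterns in host_permissions; V2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}
    matches = {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}
    broad = bool((hosts | matches) & BROAD_HOSTS)

    score, reasons = 0, []
    for p in sorted(perms & set(RISK_WEIGHTS)):
        score += RISK_WEIGHTS[p]
        reasons.append(f"permission {p}")
    if broad:
        score += 4
        reasons.append("runs on every site (<all_urls> or wildcard host pattern)")
    if broad and "cookies" in perms:
        score += 2
        reasons.append("cookie access on all hosts: any site's session tokens are readable")

    if allowlist is not None and ext_id in allowlist:
        decision = "allow (allowlisted)"       # approved, but the score is still reported
    elif score >= 8:
        decision = "block"
    elif score >= 3:
        decision = "review"
    else:
        decision = "allow"
    return {"id": ext_id, "name": manifest.get("name", "?"), "score": score,
            "reasons": reasons, "decision": decision}


def scan_profile(extensions_dir, allowlist=None) -> list:
    """Triage everything under a Chromium profile's Extensions directory, which is
    laid out as <id>/<version>/manifest.json. Returns [] if the directory is absent."""
    root = Path(extensions_dir)
    if not root.is_dir():
        return []
    results = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        with open(manifest_path, encoding="utf-8") as fh:
            results.append(triage(json.load(fh), ext_id, allowlist))
    return results


# Constructed manifests and IDs (Chromium IDs are 32 letters a-p); not real extensions.
SUSPICIOUS_ID = "abcdefghijklmnopabcdefghijklmnop"
SUSPICIOUS_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Quick PDF Converter", "version": "2.4.1",
  "permissions": ["cookies", "scripting", "tabs", "webRequest"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]
}""")
BENIGN_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"
BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Tab Counter", "version": "1.0",
  "permissions": ["tabs"]
}""")

if __name__ == "__main__":
    for manifest, ext_id in [(SUSPICIOUS_MANIFEST, SUSPICIOUS_ID), (BENIGN_MANIFEST, BENIGN_ID)]:
        print(triage(manifest, ext_id, allowlist={BENIGN_ID}))
```

Because the decision is made locally from the manifest and an allowlist, it keeps working after an extension has been pulled from the store, which is exactly the window in which users who already installed it remain exposed.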
Predictions for the Coming Months
- Email attack techniques will continue shifting toward structural deception. Expect further abuse of header manipulation, multipart MIME tricks, and malformed HTML as attackers prioritize methods that evade both scanners and user awareness with minimal visible content.
- Browser-based attack surfaces will remain a high-value target. As more business activity moves into browsers, threat actors will continue exploiting extensions, session access, and client-side trust boundaries rather than relying solely on traditional malware.
- Zero-day exploitation will remain routine rather than exceptional. Widely deployed platforms such as browsers and operating systems will continue to be targeted, with attackers exploiting vulnerabilities quickly and at scale before patches are broadly applied.
- Insider-risk awareness will expand beyond traditional definitions. Organizations will increasingly be forced to account for malicious intent originating from individuals with deep technical expertise, even when no direct insider access exists.
- Detection will favor behavior over content. As attackers reduce obvious indicators in emails and browser-based attacks, security teams will need to rely more heavily on behavioral analysis, anomaly detection, and identity-based controls.
Monthly Recommendations
- Harden defenses against structurally deceptive email attacks. Leverage a next-generation email scanning solution and ensure security controls can detect header spoofing, multipart MIME abuse, and malformed HTML rather than relying solely on content analysis.
- Prioritize patching based on exploitation status. Actively exploited vulnerabilities—especially zero-days—should be fast-tracked even if testing cycles need to be compressed.
- Strengthen browser and extension governance. Inventory installed extensions, restrict unapproved add-ons, and monitor for abnormal browser behavior across endpoints.
- Reinforce separation of duties for privileged roles. Implement technical and procedural controls that prevent single administrators from making high-impact changes without oversight.
- Treat identity and session security as core defenses. Monitor for anomalous sign-in behavior, token misuse, and browser-based credential theft as primary indicators of compromise.
- Prepare for evasion-first attack models. Assume attackers will continue minimizing visible signals and design detection and response strategies accordingly.
About Hornetsecurity
Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 125,000 customers.