Monthly Threat Report October 2025
Smarter Attacks, Tougher Lessons
Introduction
The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the Q2 compared with Q3 of 2025. Industry events mentioned are from the month of September 2025.
Executive Summary
- Ransomware is back on the rise after three years of decline, driven by AI-powered automation and more complex multi-stage intrusion chains.
- Hornetsecurity’s 2025 Ransomware Impact Report shows 24% of organizations were hit this year, up from 18.6% in 2024.
- Fewer organizations are paying ransoms (13%), suggesting improved backup maturity and recovery confidence.
- Email-borne malware spiked 39.5% quarter-over-quarter, signaling a pivot toward persistence-based payloads over simple phishing.
- PDF remains the top weaponized attachment type, while ICS calendar files emerged as a new social engineering delivery vector.
- Email spoofing continues to dominate attack methods, with a 54% increase compared to Q2.
- AI-generated phishing is now cited by 77% of CISOs as a primary emerging threat vector.
- Major incidents this month included the Jaguar Land Rover ransomware attack, halting global operations, and CVE-2025-32463, a critical sudo privilege escalation flaw under active exploitation.
Threat Overview
Unwanted Emails By Category
The following table shows the distribution of unwanted emails per category for Q2 2025 compared to Q3 2025.
| Category | Change | Percentage |
|---|---|---|
| Phishing | Decreased | -46.38% |
| Scam | Decreased | -10.95% |
| Malware | Increased | 39.56% |
| Spear Phishing | Decreased | -4.42% |
While phishing volumes dropped significantly in Q3, the sharp rise in malware-based campaigns stands out. This pivot suggests that threat actors may be shifting focus from credential theft and quick-hit fraud toward persistence and control. When we see phishing attempts decline by nearly half while malware climbs almost 40%, it usually means attackers are trading quantity for quality. Rather than blasting out generic lures, they’re crafting payloads that slip past filters and achieve deeper compromise.
It’s also worth noting the mild decline in spear phishing. It’s not necessarily good news. Many advanced campaigns have evolved beyond traditional targeted emails and now blend phishing techniques with legitimate collaboration platforms and messaging tools. The apparent “drop” could simply reflect a migration away from email as the initial access vector, not a reduction in activity.
Malicious File Types Used in Email Attacks
The following table shows the top file types used in email attacks throughout the data period.
Q2 Top Malicious File Types
| File Type | Placement |
|---|---|
| 1 | |
| DOC | 2 |
| TXT | 3 |
| DOCX | 4 |
| ZIP | 5 |
Q3 Top Malicious File Types
| File Type | Placement |
|---|---|
| 1 | |
| DOCX | 2 |
| ICS | 3 |
| ZIP | 4 |
| TXT | 5 |
PDF files continue to dominate the top of the list, holding the number-one spot quarter over quarter. PDFs are the perfect Trojan horse for social engineering. They look harmless, travel well through filters, and can easily embed links or scripts that redirect to credential harvesters or payload downloaders.
The interesting development here is the rise of ICS calendar files into the third spot in Q3. Attackers have begun exploiting the trust users place in calendar invites. A malicious ICS attachment can create automatic calendar entries containing phishing links or trigger external content loads when opened. It’s subtle, effective, and often bypasses basic attachment inspection. Threat actors are always exploring new methods and low-noise delivery mechanisms that rely on business workflow trust rather than obvious file lures can be effective unfortunetly.
Email Attack Types
The email attack landscape continues to evolve in both scale and sophistication. While the core tactics remain familiar, the delivery mechanisms and supporting infrastructure behind them have grown more adaptive. Each of the listed techniques below represents an iterative refinement of social engineering and technical evasion rather than a brand-new innovation. To put it shortly: If it isn’t broken, don’t fix it.
Q2 Top Email Attack Types
| Attack Type | Placement |
|---|---|
| Email Spoofing | 1 |
| Exotic TLD Use | 2 |
| URL Shortening | 3 |
| URL Obfuscation with non-ASCII characters | 4 |
| Attack Campaign Via Legit Hosting Platform | 5 |
Q3 Top Email Attack Types
| Attack Type | Placement |
|---|---|
| Email Spoofing | 1 |
| Attack Campaign Via Legit Hosting Platform | 2 |
| Multi-Parted Emails | 3 |
| HTML Obfuscation Technique | 4 |
| Exotic TLD Use | 5 |
Notable Changes Between Quarters in Preferred Attack Types
- Exotic Top-Level Domain (TLD) use dropped 70.7% from Q2 to Q3
- Attack Campaign Via Legit Hosting Platform Increased slightly by 0.6%
- The use of email spoofing techniques increased by 54.8%
Description of Email Attack Types
| Attack Type | Description |
|---|---|
| Email Spoofing | Attackers forge the sender’s name, domain, or address to impersonate trusted individuals or organizations, often used in phishing and business email compromise (BEC) schemes. |
| Exotic TLD Use | Malicious actors register domains using uncommon or suspicious top-level domains (e.g., .xyz, .zip, .top) to evade filters and appear less scrutinized. |
| URL Shortening | Attackers hide the real destination of a malicious link behind a shortened URL (e.g., bit.ly), making it harder for users and scanners to assess risk. |
| URL Obfuscation with non-ASCII characters | URLs are crafted with Unicode or lookalike characters (homoglyphs) to mimic legitimate domains, deceiving both users and automated scanners. |
| Attack Campaign Via Legit Hosting Platform | Threat actors use legitimate cloud or hosting services (e.g., Google Drive, Dropbox, SharePoint) to deliver phishing content or malware under the guise of trusted infrastructure. |
| Multi-Parted Emails | Attackers split the malicious payload across multiple MIME sections or attachments, making detection by email security gateways more difficult. |
| HTML Obfuscation Technique | Malicious code or links are hidden within complex, encoded, or fragmented HTML structures to bypass content inspection and deceive recipients. |
Email Attack Type Analysis
Email spoofing’s resurgence as the leading attack method isn’t surprising. As email authentication frameworks like SPF, DKIM, and DMARC become standard, attackers are adapting with smarter domain lookalikes and targeted display-name impersonation. Many of these campaigns now bypass technical checks entirely by preying on human trust rather than system logic. Remember email authentication protocols mitigate risk, they don’t eliminate it entirely.
The slow decline of exotic TLD use indicates filters have caught up to that trend, forcing threat actors to pivot. Meanwhile, the slight increase in legitimate hosting platform abuse deserves attention, and it’s something that the industry at large needs to start looking at. When a phishing page lives on Google Drive or Microsoft’s own infrastructure, for example, it inherits instant credibility. Security teams are learning that the fight has moved upstream. The new perimeter isn’t your firewall; it’s your users’ willingness to click what looks trustworthy.
Hornetsecurity 2025 Ransomware Impact Report
Ransomware is back on the rise after three years of decline, and the 2025 Hornetsecurity Ransomware Impact Report paints a clear picture of an evolving, AI-fueled threat landscape. Attackers are leveraging automation and generative AI to scale operations, target hybrid environments, and bypass traditional defenses, while organizations work to harden resilience through immutable backups and disaster recovery planning. The findings show both sides of the story: ransomware is getting smarter, but defenders are finally starting to catch up.
Hornetsecurity Ransomware Survey Key Findings
- 24% of organizations suffered a ransomware attack in 2025. This is up from 18.6% in 2024.
- Only 13% of victims paid the ransom, suggesting better recovery readiness.
- 46% of incidents still began with phishing, but compromised endpoints and credential theft are gaining ground.
- 74% of organizations conduct ransomware training, yet 42% say it’s insufficient, highlighting ongoing awareness gaps.
- 62% use immutable backups and 82% have disaster recovery plans, signaling a maturity shift toward proactive defense.
- 77% of CISOs identify AI-generated phishing as a growing concern, as attackers increasingly weaponize generative tools.
Read the full Hornetsecurity 2025 Ransomware Impact Report for detailed insights, data breakdowns, and guidance on strengthening your organization’s ransomware resilience.
Ransomware Impact Report 2025
Ransomware attacks are increasing for the first time in 3 years, reaffirming its status as one of the most persistent threats to businesses in 2025.
Find out how organizations are adapting, what emerging trends are, and where new risks lie.
Major Incidents and Industry Events
Jaguar Land Rover Cyberattack
The attack on Jaguar Land Rover (JLR) in early September 2025 stands as one of the most severe corporate cyber incidents in recent UK history. The automaker was forced to halt production at multiple facilities, leaving thousands of workers sidelined and supply chains in disarray. What began as a localized IT disruption rapidly spiraled into a full-blown operational crisis, with the company unable to access critical manufacturing and logistics systems. Reports indicate that the attack was likely carried out by a financially motivated group tied to Scattered Spider or ShinyHunters, leveraging a combination of social engineering and privilege escalation techniques to infiltrate internal networks.
From a broader perspective, this incident exposes just how brittle modern industrial ecosystems have become. JLR’s digital operations are deeply intertwined with its suppliers, distribution networks, and production automation systems. Once those systems were taken offline, the downstream effects cascaded rapidly across the global automotive sector. The situation became dire enough for the UK government to intervene, issuing a £1.5 billion loan guarantee to stabilize operations. With weekly losses estimated around £50 million and no active cyber insurance policy in place, JLR’s financial exposure is staggering. There is a growing truth in enterprise security: resilience planning isn’t a “nice to have” anymore, it’s the only thing keeping modern infrastructure upright when ransomware groups decide to strike.
Sudo Privilege Escalation Vulnerability (CVE-2025-32463)
Few tools are as foundational to Unix-like systems as sudo, which is precisely what makes CVE-2025-32463 so alarming. The vulnerability, disclosed in late September and confirmed to be under active exploitation, allows a local attacker to escalate privileges to root by manipulating the -R (chroot) option. Early proof-of-concept exploits surfaced months before public disclosure, but the real concern began when CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, confirming that threat actors were actively using it in the wild. The bug impacts versions prior to 1.9.17p1, and because sudo is ubiquitous across Linux distributions, patching is an urgent global priority.
What makes this vulnerability particularly dangerous is its accessibility. Unlike remote code execution flaws that require significant setup or phishing chains, this one can be exploited once an attacker gains even minimal local access. On hardened systems—like bastion hosts, CI/CD runners, or cloud workloads—the consequences are severe. Security teams should be reminded that local privilege escalation paths remain a critical part of every threat actor attack. Security teams who rely solely on network perimeter defenses or EDR visibility can easily miss the exploitation of a misconfigured binary like sudo. In short, the lesson is simple but crucial: even the most trusted utilities can become liabilities when left unpatched.
Predictions for the Coming Months
- Expect AI-driven phishing and social engineering to intensify, with attackers refining deepfake and LLM-generated lures to target executives and privileged users.
- Ransomware-as-a-Service (RaaS) operations will continue to industrialize, leveraging automation to increase attack volume and shorten dwell time.
- The number of local privilege escalation exploits (like the sudo vulnerability) will rise as attackers look for stealthy ways to escalate privileges in hardened environments.
- ICS and calendar-based payload delivery will become more common as threat actors exploit the perceived trust in business productivity tools.
- As insurers tighten coverage, more businesses will move from reliance on cyber insurance toward self-reliant disaster recovery planning.
Monthly Recommendations
- Patch immediately against CVE-2025-32463 and validate sudo versions across all Linux and Unix systems.
- Harden email defenses by filtering and sandboxing PDF, DOCX, and ICS attachments using a next-gen email security vendor, as these remain top delivery vectors.
- Conduct phishing simulations that incorporate realistic lures and security awareness training to build user familiarity with more sophisticated attacks.
- Review and test your backup strategy. Verify that immutable backups are enabled and periodically restore from them to confirm data integrity.
- Reassess ransomware response plans. Include playbooks for data exfiltration and reputational damage, not just encryption scenarios.
- Implement strict identity governance. Enforce MFA everywhere, rotate admin credentials, and minimize persistent privileged access.
- Monitor legitimate cloud platforms (e.g., Google Drive, SharePoint) for abuse within phishing or data delivery chains.
- Educate leadership on evolving AI-driven risks and ensure executive crisis communication plans account for deepfake or misinformation scenarios.
- Download the full Hornetsecurity 2025 Ransomware Impact Report to stay ahead of evolving attack trends and reinforce your defensive posture.
About Hornetsecurity
Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 125,000 customers.
