Monthly Threat Report June 2025

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on industry events from the month of May 2025. 

Note that this month’s report focuses primarily on industry events and breaches. May was a very busy month for threat actors and there are many lessons to be learned. Our team is also hard at work on additional research to publish in this monthly report, which we hope to share with you in the July edition. 

Executive Summary

• Retail ransomware attacks hit Marks & Spencer, Co‑op, and Dior, disrupting operations and exposing customer data via DragonForce and Scattered Spider. 
• Coinbase uncovers insider bribery attempt, offers $20M bounty to unmask threat actors behind the failed access scheme. 
• Microsoft patches five actively exploited zero-days, including critical flaws in DWM, OLE, and Windows Kernel components. 
• Google Chrome zero-day (CVE-2025-5419) patched after active exploitation, with emergency updates pushed to all platforms. 
• PowerSchool breach leads to extortion threats against US school districts, exposing the downstream risks of compromised SaaS platforms. 

Threat Overview

Retail Ransomware Blitz: Marks & Spencer, Co‑op, and Dior Targeted

May wasn’t kind to the retail sector. UK-based retailer Marks & Spencer (M&S) confirmed disruptions tied to a ransomware incident reported in late April and attributed to the Scattered Spider (Octo Tempest) threat group. While M&S has not released full details, reports from BleepingComputer suggest attackers were in the environment as early as February 2025, with lateral movement leading to deployment of the DragonForce encryptor on ESXi hypervisors.

The M&S breach is part of a larger trend: UK grocer Co‑op also experienced ransomware-related operational issues, and luxury retailer Dior confirmed a data breach, though the company claims no financial data was involved as reported by The Times. Clearly, retail (like many industries), continues to be vulnerable to credential-based attacks, particularly those leveraging legacy infrastructure and weak endpoint defenses.

Insider Threats and Bribery: Coinbase’s Bounty

Insider threats escalated to drama-filled cyberpunk territory in May when Coinbase disclosed a security incident involving alleged bribery attempts targeting employees. According to Coinbase CEO Brian Armstrong, attackers offered large sums in exchange for customer data. While no breach of customer financial assets occurred, Coinbase didn’t sit idle—they announced a $20 million bounty for information leading to the identification of the group behind the campaign. Lest you think that damage was minimized due to financial assets not being compromised, think again. When we’re talking about large sums of cryptocurrency assets, personal details can paint a target on the backs of asset holders. Now it’s easier for threat-actors to target those individuals, and at worst attackers now have physical addresses of account holders for more direct persuasion attempts, unfortunately.

This kind of insider play isn’t new, but the scale and boldness of the bribery offers are concerning. Financial platforms remain a juicy target and remember, even world-class security stacks can’t fully compensate for human vulnerability. If you’re not regularly training your staff and auditing access, you’re leaving the front door wide open.

Microsoft Patch Tuesday – Several Actively Exploited Zero-Days

Microsoft’s May 2025 Patch Tuesday came with an extra helping of urgency. The company released patches for 78 vulnerabilities, including five zero-days actively being exploited in the wild. Information can be found via the Microsoft Security Update Guide. Relevant entries include include:

• CVE-2025-30397 – A critical Microsoft Scripting Engine type-confusion flaw enabling remote code execution.
• CVE-2025-30400 – A vulnerability in Windows DWM Core Library allowing for privilege escalation.
• CVE-2025-32701, 32706, and 32709 – Multiple Local privilege escalation issues.

Each of these was confirmed to be under active exploitation at the time of disclosure. If you haven’t already deployed these patches across your fleet, it is recommended that you do so ASAP.

Chrome’s Zero-Day in the Wild – CVE-2025-5419

On May 27–28, Google issued an emergency update for its Chrome browser, fixing a high-severity zero-day vulnerability (CVE-2025-5419) in the V8 JavaScript engine. The flaw, discovered by a member of Google’s Threat Analysis Group (TAG), was reportedly being exploited in targeted attacks, though Google—true to form—declined to share technical details until a majority of users had installed the patch. More info located at the Google Chrome Release Blog.

This marks yet another vulnerability being exploited in the wild, following a long standing pattern of Chrome being a popular vector of attack for threat actors. If you’re running Chrome in your environment and haven’t pushed this update, consider this your official reminder. In fact, depending on the tolerances of your environment, you may want to consider automating browser updates. Speed of patching is more important than ever with attack dwell time’s becoming shorter.

Education Under Siege: PowerSchool and the School District Extortion Wave

PowerSchool, a widely used K–12 education software vendor, confirmed that it paid a ransom following a cyberattack that compromised customer data near the end of last year. More details have been released from court filings in May. Shortly after the breach, multiple U.S. school districts received extortion threats referencing the stolen data, igniting concern across the education sector.

The attackers reportedly used data from PowerSchool’s hosted systems to threaten districts into paying individual ransoms. This attack highlights a disturbing evolution in the ransomware playbook: breach one SaaS vendor, then extort their customers individually. It’s efficient, effective, and grossly unethical—but sadly becoming more common. If you’re in the education sector and relying on SaaS providers, now is the time to review vendor risk management policies and incident response contingencies.

Predictions for the Coming Months 

• More ESXi-targeted Ransomware – Threat groups will continue to bypass traditional file encryption and go straight for the hypervisor layer. ESXi remains a favored target.
• Increased Downstream Extortion via SaaS Supply Chain – The PowerSchool model—breach one vendor, extort the entire customer base—will be replicated. Expect more secondary victims from primary SaaS compromises.
• OAuth and Browser-based Persistence Will Expand – The push for persistent access via OAuth token abuse and browser-based zero-days will grow, especially among APTs and phishing-centric crime groups.

Monthly Recommendations

• Patch Things Immediately – Prioritize the deployment of May’s Microsoft and Chrome updates across your fleet. All highlighted vulnerabilities were actively exploited.
• Audit ESXi and Virtual Infrastructure – Given the ransomware activity against hypervisors, ensure your VMware environments are up to date, access-restricted, and backed up immutably.
• Review Insider Threat Monitoring Protocols – Use the Coinbase incident as a reminder: insider risks are real. Review DLP policies, access controls, and bribery response playbooks.
• Strengthen SaaS Vendor Due Diligence – Incidents like what has happened with PowerSchool demonstrate the ripple effect of SaaS provider breaches. Reevaluate SLAs, breach notification requirements, and token use in all third-party platforms.
• Automate Browser Patch Enforcement if you Haven’t Already – Given it’s market share, Chrome zero-days are always a favorite among threat actors. Implement GPOs or endpoint management policies to enforce timely browser updates.

---

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 125,000 customers.