Jul 30, 2025
Threat Intelligence
Executive Summary - July 2025
Overview
The cyberthreat landscape during July 2025 marked a critical inflection point, demonstrating an unprecedented convergence of AI-powered attacks, sophisticated supply chain compromises, and targeted infrastructure exploitation. Following the trends identified in our June report, threat actors have accelerated their use of artificial intelligence while expanding attack surfaces through deepfake technology and advanced social engineering campaigns.
Global cybercrime costs continue their relentless climb, with AI-enhanced threats fundamentally transforming the attack landscape. The period witnessed a dramatic surge in voice-based social engineering attacks, with deepfake technology enabling criminals to bypass traditional authentication mechanisms. Simultaneously, ransomware operators have refined their tactics, deploying new variants like BQTLOCK and Interlock while exploiting critical vulnerabilities in enterprise systems.
Key Threat Indicators July 2025:
AI-powered voice cloning has reached commercial viability, enabling scammers to replicate voices with just 3-5 seconds of audio samples. The technology now passes both automated systems and human verification, creating unprecedented risks for financial institutions and corporate communications.
Microsoft SharePoint zero-day exploits designated as "ToolShell" have compromised over 400 organizations worldwide, including U.S. nuclear agencies, with Chinese state-sponsored groups leading coordinated campaigns.
QR code phishing (quishing) incidents surged dramatically, with Action Fraud receiving 784 reports between April 2024 and April 2025, resulting in £3.5 million in losses. The 5.3 billion projected QR code redemptions in 2025 represent equivalent opportunities for criminal exploitation.
Business Email Compromise attacks increased 30% as of March 2025, with 60% of compromises occurring within five minutes of victims clicking malicious links. AI-generated BEC emails now account for an estimated 40% of all BEC phishing communications.
Emerging Threat Analysis July 2025
AI-Powered Attack Maturation
The integration of artificial intelligence into cybercriminal operations reached a significant milestone in July 2025, with AI agents now outperforming elite human red teams by 24% in creating effective phishing campaigns. This represents a dramatic shift from 2023, when AI was 31% less effective than human attackers, demonstrating the rapid evolution of AI-powered threat capabilities.
Voice-based deepfakes have emerged as the dominant social engineering vector, with voice-based phishing now outpacing visual deepfakes in both frequency and impact. The technology's accessibility has democratized fraud, with voice cloning tools now costing less than $1 per call and requiring mere seconds to set up. Financial institutions face particular vulnerability, as AI has "fully defeated" voiceprint authentication systems according to OpenAI's CEO.
Critical Infrastructure Under Siege
July 2025 witnessed unprecedented targeting of critical infrastructure systems, with the ToolShell campaign representing the most significant SharePoint exploitation ever recorded. Chinese state-sponsored groups Linen Typhoon and Violet Typhoon coordinated attacks against over 400 organizations, demonstrating sophisticated persistence techniques and advanced reconnaissance capabilities.
The SonicWall SMA 100 series compromise revealed how end-of-life systems provide persistent attack vectors even when fully patched. The OVERSTEP rootkit deployment showcased attackers' ability to maintain long-term access while employing anti-forensic techniques to avoid detection.
Supply Chain Vulnerabilities Expand
Supply chain attacks have evolved beyond traditional software compromises to target the interconnected web of digital dependencies that define modern enterprise operations. With 79% of companies admitting limited oversight of their "nth-party" supply chain, attackers exploit these visibility gaps to achieve maximum impact through minimal effort.
Russian state-sponsored campaigns have specifically targeted Western logistics providers and IT companies supporting Ukrainian assistance efforts. These operations demonstrate how geopolitical tensions amplify supply chain risks, with attackers gaining access to transportation manifests, surveillance cameras, and border crossing systems.
Industry-Specific Risk Assessment July 2025
Financial Services Escalation
The financial sector faced intensified targeting through multimodal deepfake attacks combining voice, video, and behavioural cues to evade detection. The $25.5 million Arup engineering firm fraud exemplified how AI-generated executive impersonation attacks exploit corporate trust networks.
Deepfake fraud cases surged 1,740% in North America between 2022 and 2023, with financial losses exceeding $200 million in Q1 2025 alone. The sector's reliance on voice authentication systems creates particular vulnerability as AI voice cloning technology advances exponentially.
Healthcare Infrastructure Targets
Healthcare organizations continued facing sophisticated ransomware campaigns targeting both clinical systems and medical device networks. The sector's proliferation of Internet of Medical Things (IoMT) devices introduces new vulnerability vectors requiring comprehensive security adaptations.
Nation-state actors have intensified cyber-espionage efforts against healthcare organizations, targeting sensitive patient data and valuable intellectual property. The sector's legacy system dependencies and weak supply chain security create cascading vulnerabilities when external breaches occur.
Retail Sector Disruption
Major UK retailers including Marks & Spencer, Co-operative Group, and Harrods suffered significant cyberattacks during spring 2025. The M&S ransomware attack over Easter weekend disrupted all online orders and automated stock management systems, with estimated costs reaching £300 million in lost profits.
These attacks demonstrate how retailers' large operational footprints and extensive customer databases make them attractive targets for cybercriminals seeking maximum data exposure and financial impact.
Government Sector Vulnerabilities
High-level U.S. government officials became targets of sophisticated voice deepfake campaigns using encrypted messaging platforms. The impersonation of Secretary of State Marco Rubio through AI-synthesized voice messages represents a significant evolution in social engineering tactics employed by nation-state actors.
Government defences continue struggling to keep pace with hostile states and criminals developing capabilities faster than anticipated. Legacy IT systems comprising significant portions of government infrastructure present substantial attack surfaces with high likelihood and impact risk profiles.
Attack Vector Evolution July 2025
Voice-Based Social Engineering Dominance
Voice-based attacks have emerged as the primary social engineering vector for 2025, with 37% of organizations worldwide already falling victim to voice deepfake scams. Because the technology is improving at an exponential pace, attackers can create convincing voice clones that bypass both automated systems and human verification.
Financial losses from voice-based fraud reach $25 billion annually, with Microsoft reporting widespread organizational impacts across multiple sectors. The democratization of voice cloning technology has dramatically lowered barriers to entry, making sophisticated attacks accessible to low-skill criminals.
Multi-Channel Attack Coordination
Threat actors increasingly deploy multi-channel campaigns combining email, voice, and messaging platforms to maximize success rates. The Russian OAuth phishing campaign targeting NGOs and human rights organizations exemplifies this approach, using Signal and WhatsApp communications to direct victims to legitimate Microsoft OAuth pages before stealing authentication tokens.
These response-based social engineering tactics comprise 99% of unblocked email threats, with attackers using simple emails containing phone numbers and QR codes to lure victims into less secure environments.
Zero-Day Exploitation Acceleration
The Microsoft zero-day vulnerability (CVE-2025-47981) exploited for cyber espionage demonstrates how threat actors manipulate Windows file execution search order to execute malicious code from remote servers. This technique enables attackers to avoid dropping files directly onto victim computers while evading detection.
Fortinet FortiWeb devices faced active exploitation via CVE-2025-25257, with over 85 devices infected with web shells within three days of public exploit availability. The rapid weaponization timeline highlights how quickly attackers capitalize on newly disclosed vulnerabilities.
Threat Actor Analysis July 2025
Nation-State Sophistication Advancement
Chinese state-sponsored groups demonstrated unprecedented coordination in the ToolShell SharePoint campaign, with Linen Typhoon and Violet Typhoon conducting synchronized attacks against critical infrastructure. These groups deployed custom espionage tools while maintaining persistent access through legitimate Windows components.
Russian threat actors UTA0352 and UTA0355 executed highly sophisticated OAuth phishing campaigns with personalized social engineering targeting European diplomats and Ukrainian officials. The campaigns' success rate demonstrates how nation-state actors leverage detailed reconnaissance to craft convincing impersonation attacks.
Ransomware Evolution Patterns
Ransomware operators have refined their deployment mechanisms, with new variants like BQTLOCK implementing multi-layered encryption approaches combining AES-256 and RSA-4096 cryptography. The Interlock ransomware group's specialized approach eschewing the prevalent ransomware-as-a-service model makes them more formidable to defend against.
The SafePay ransomware group's attack on Ingram Micro took key systems offline for nearly a week, demonstrating how targeted attacks against critical supply chain partners create cascading operational impacts.
Criminal Innovation Acceleration
Cybercriminals increasingly leverage legitimate services and developer tools to bypass traditional security measures. The 200% increase in misuse of eSignature platforms and developer tools highlights how attackers exploit trusted services to deliver malicious content.
AI-powered phishing-as-a-service kits exist but remain less widely adopted than anticipated, with only 0.7-4.7% of phishing emails bypassing filters being AI-generated in 2024. However, the 4,151% increase in total phishing volume since ChatGPT's advent demonstrates AI's role in scaling attack operations.
Defensive Recommendations July 2025
Immediate Priority Actions
Organizations must implement comprehensive voice verification protocols beyond simple audio authentication. Multi-channel verification requiring family code words or unique personal knowledge becomes essential as voice cloning technology advances.
Advanced email authentication protocols including SPF, DKIM, and DMARC require immediate deployment, as major email providers now mandate these for reliable delivery. Zero-trust architecture implementation helps minimize the impact of successful initial compromises across all organizational systems.
Strategic Security Evolution
Adaptive deepfake detection systems require continuous retraining on the latest manipulation techniques, similar to how antivirus software evolves to catch new malware strains. Organizations cannot rely on static models when facing rapidly evolving AI-powered threats.
Supply chain risk management programmes must include comprehensive vendor security assessments, continuous monitoring, and incident response coordination. The interconnected nature of modern business ecosystems means each vendor introduces potential entry points for cyber threats.
Technology Integration Priorities
AI-powered threat protection solutions with behavioural analytics capabilities become essential for identifying sophisticated attacks that bypass traditional defences. Sandboxing technology for suspicious attachments and real-time threat monitoring provide critical defensive layers.
Zero-trust network architecture combined with microsegmentation prevents lateral movement during successful compromises. Multi-factor authentication must extend beyond traditional methods to address voice cloning vulnerabilities.
Industry-Specific Defensive Measures
Financial Services Hardening
Financial institutions must implement enhanced wire transfer verification procedures requiring multi-channel confirmation for high-value transactions. Voice authentication systems should incorporate deepfake detection capabilities to prevent audio impersonation attacks.
Real-time transaction monitoring with AI-powered anomaly detection becomes crucial as attackers leverage sophisticated social engineering to bypass traditional fraud prevention measures.
Healthcare Security Adaptation
Healthcare organizations must prioritize IoMT device security through network segmentation and continuous monitoring of medical device communications. Legacy system upgrade programmes require acceleration to address fundamental security vulnerabilities.
Third-party risk management becomes critical as healthcare supply chains face increasing targeting by nation-state actors seeking sensitive patient data and intellectual property.
Government Infrastructure Protection
Government agencies require enhanced authentication protocols for high-privilege communications, particularly when using encrypted messaging platforms that nation-state actors increasingly target. Personnel security training must address deepfake recognition and social engineering awareness.
Legacy system remediation programmes need immediate prioritization given the substantial gaps in understanding estate resilience to advanced persistent threats.
Conclusion July 2025
July 2025 represents a watershed moment in the evolution of cyber threats, with artificial intelligence fundamentally transforming both attack capabilities and defensive requirements. The convergence of AI-powered voice cloning, sophisticated supply chain targeting, and critical infrastructure exploitation creates an unprecedented threat environment requiring immediate strategic adaptation.
The democratization of deepfake technology has eliminated traditional indicators of fraudulent communications, forcing organizations to completely rethink authentication and verification processes. Voice-based attacks now represent the dominant social engineering vector, with financial losses exceeding billions annually and success rates surpassing traditional phishing campaigns.
Supply chain vulnerabilities have evolved beyond simple software compromises to encompass the entire digital ecosystem supporting modern business operations. With 79% of organizations lacking visibility into their extended supply chains, attackers exploit these blind spots to achieve maximum impact through coordinated campaigns targeting critical infrastructure and essential services.
The gap between cyber threat capabilities and organizational defences continues widening at an alarming rate. Nation-state actors develop sophisticated tools and techniques faster than government and private sector defences can adapt, creating capability gaps that criminals increasingly exploit for financial gain.
Success in this environment requires fundamental shifts in cybersecurity strategy, moving beyond traditional perimeter defence to embrace adaptive, AI-powered protection mechanisms. Organizations must combine advanced technical controls with comprehensive security awareness programmes tailored to address AI-powered social engineering and deepfake threats.
The cost of inaction has never been higher, with individual incidents now capable of causing hundreds of millions in damages while undermining customer trust and operational continuity. Organizations that fail to adapt their security postures to address these evolving threats face existential risks as the threat landscape continues its rapid evolution.
Immediate action remains essential, as the technological capabilities enabling these advanced attacks become more accessible and affordable. The window for proactive defence implementation continues narrowing as threat actors refine their techniques and expand their targeting scope across all industry sectors.
This analysis reflects cyberthreat intelligence gathered throughout July 2025 and represents current understanding of the rapidly evolving cybersecurity landscape. Organizations should implement appropriate security measures based on their specific risk profiles, regulatory requirements, and threat exposure assessments.
Global cybercrime costs continue their relentless climb, with AI-enhanced threats fundamentally transforming the attack landscape. The period witnessed a dramatic surge in voice-based social engineering attacks, with deepfake technology enabling criminals to bypass traditional authentication mechanisms. Simultaneously, ransomware operators have refined their tactics, deploying new variants like BQTLOCK and Interlock while exploiting critical vulnerabilities in enterprise systems.
Key Threat Indicators July 2025:
AI-powered voice cloning has reached commercial viability, enabling scammers to replicate voices with just 3-5 seconds of audio samples. The technology now passes both automated systems and human verification, creating unprecedented risks for financial institutions and corporate communications.
Microsoft SharePoint zero-day exploits designated as "ToolShell" have compromised over 400 organizations worldwide, including U.S. nuclear agencies, with Chinese state-sponsored groups leading coordinated campaigns.
QR code phishing (quishing) incidents surged dramatically, with Action Fraud receiving 784 reports between April 2024 and April 2025, resulting in £3.5 million in losses. The 5.3 billion projected QR code redemptions in 2025 represent equivalent opportunities for criminal exploitation.
Business Email Compromise attacks increased 30% as of March 2025, with 60% of compromises occurring within five minutes of victims clicking malicious links. AI-generated BEC emails now account for an estimated 40% of all BEC phishing communications.
Emerging Threat Analysis July 2025
AI-Powered Attack Maturation
The integration of artificial intelligence into cybercriminal operations reached a significant milestone in July 2025, with AI agents now outperforming elite human red teams by 24% in creating effective phishing campaigns. This represents a dramatic shift from 2023, when AI was 31% less effective than human attackers, demonstrating the rapid evolution of AI-powered threat capabilities.
Voice-based deepfakes have emerged as the dominant social engineering vector, with voice-based phishing now outpacing visual deepfakes in both frequency and impact. The technology's accessibility has democratized fraud, with voice cloning tools now costing less than $1 per call and requiring mere seconds to set up. Financial institutions face particular vulnerability, as AI has "fully defeated" voiceprint authentication systems according to OpenAI's CEO.
Critical Infrastructure Under Siege
July 2025 witnessed unprecedented targeting of critical infrastructure systems, with the ToolShell campaign representing the most significant SharePoint exploitation ever recorded. Chinese state-sponsored groups Linen Typhoon and Violet Typhoon coordinated attacks against over 400 organizations, demonstrating sophisticated persistence techniques and advanced reconnaissance capabilities.
The SonicWall SMA 100 series compromise revealed how end-of-life systems provide persistent attack vectors even when fully patched. The OVERSTEP rootkit deployment showcased attackers' ability to maintain long-term access while employing anti-forensic techniques to avoid detection.
Supply Chain Vulnerabilities Expand
Supply chain attacks have evolved beyond traditional software compromises to target the interconnected web of digital dependencies that define modern enterprise operations. With 79% of companies admitting limited oversight of their "nth-party" supply chain, attackers exploit these visibility gaps to achieve maximum impact through minimal effort.
Russian state-sponsored campaigns have specifically targeted Western logistics providers and IT companies supporting Ukrainian assistance efforts. These operations demonstrate how geopolitical tensions amplify supply chain risks, with attackers gaining access to transportation manifests, surveillance cameras, and border crossing systems.
Industry-Specific Risk Assessment July 2025
Financial Services Escalation
The financial sector faced intensified targeting through multimodal deepfake attacks combining voice, video, and behavioural cues to evade detection. The $25.5 million Arup engineering firm fraud exemplified how AI-generated executive impersonation attacks exploit corporate trust networks.
Deepfake fraud cases surged 1,740% in North America between 2022 and 2023, with financial losses exceeding $200 million in Q1 2025 alone. The sector's reliance on voice authentication systems creates particular vulnerability as AI voice cloning technology advances exponentially.
Healthcare Infrastructure Targets
Healthcare organizations continued facing sophisticated ransomware campaigns targeting both clinical systems and medical device networks. The sector's proliferation of Internet of Medical Things (IoMT) devices introduces new vulnerability vectors requiring comprehensive security adaptations.
Nation-state actors have intensified cyber-espionage efforts against healthcare organizations, targeting sensitive patient data and valuable intellectual property. The sector's legacy system dependencies and weak supply chain security create cascading vulnerabilities when external breaches occur.
Retail Sector Disruption
Major UK retailers including Marks & Spencer, Co-operative Group, and Harrods suffered significant cyberattacks during spring 2025. The M&S ransomware attack over Easter weekend disrupted all online orders and automated stock management systems, with estimated costs reaching £300 million in lost profits.
These attacks demonstrate how retail organizations' large organizational footprints and extensive customer databases make them attractive targets for cybercriminals seeking maximum data exposure and financial impact.
Government Sector Vulnerabilities
High-level U.S. government officials became targets of sophisticated voice deepfake campaigns using encrypted messaging platforms. The impersonation of Secretary of State Marco Rubio through AI-synthesized voice messages represents a significant evolution in social engineering tactics employed by nation-state actors.
Government defences continue struggling to keep pace with hostile states and criminals developing capabilities faster than anticipated. Legacy IT systems comprising significant portions of government infrastructure present substantial attack surfaces with high likelihood and impact risk profiles.
Attack Vector Evolution July 2025
Voice-Based Social Engineering Dominance
Voice-based attacks have emerged as the primary social engineering vector for 2025, with 37% of organizations worldwide already falling victim to voice deepfake scams. The technology's improvement at an exponential pace enables attackers to create convincing voice clones that bypass both automated systems and human verification.
Financial losses from voice-based fraud result in $25 billion annually, with Microsoft reporting widespread organizational impacts across multiple sectors. The democratization of voice cloning technology has dramatically lowered barriers to entry, making sophisticated attacks accessible to low-skill criminals.
Multi-Channel Attack Coordination
Threat actors increasingly deploy multi-channel campaigns combining email, voice, and messaging platforms to maximize success rates. The Russian OAuth phishing campaign targeting NGOs and human rights organizations exemplifies this approach, using Signal and WhatsApp communications to direct victims to legitimate Microsoft OAuth pages before stealing authentication tokens.
These response-based social engineering tactics comprise 99% of unblocked email threats, with attackers using simple emails containing phone numbers and QR codes to lure victims into less secure environments.
Zero-Day Exploitation Acceleration
The Microsoft zero-day vulnerability (CVE-2025-47981) exploited for cyber espionage demonstrates how threat actors manipulate Windows file execution search order to execute malicious code from remote servers. This technique enables attackers to avoid dropping files directly onto victim computers while evading detection.
Fortinet FortiWeb devices faced active exploitation via CVE-2025-25257, with over 85 devices infected with web shells within three days of public exploit availability. The rapid weaponization timeline highlights how quickly attackers capitalize on newly disclosed vulnerabilities.
Threat Actor Analysis July 2025
Nation-State Sophistication Advancement
Chinese state-sponsored groups demonstrated unprecedented coordination in the ToolShell SharePoint campaign, with Linen Typhoon and Violet Typhoon conducting synchronized attacks against critical infrastructure. These groups deployed custom espionage tools while maintaining persistent access through legitimate Windows components.
Russian threat actors UTA0352 and UTA0355 executed highly sophisticated OAuth phishing campaigns with personalized social engineering targeting European diplomats and Ukrainian officials. The campaigns' success rate demonstrates how nation-state actors leverage detailed reconnaissance to craft convincing impersonation attacks.
Ransomware Evolution Patterns
Ransomware operators have refined their deployment mechanisms, with new variants like BQTLOCK implementing multi-layered encryption approaches combining AES-256 and RSA-4096 cryptography. The Interlock ransomware group's specialized approach eschewing the prevalent ransomware-as-a-service model makes them more formidable to defend against.
SafePay ransomware organization's attack on Ingram Micro resulted in key systems offline for nearly a week, demonstrating how targeted attacks against critical supply chain partners create cascading operational impacts.
Criminal Innovation Acceleration
Cybercriminals increasingly leverage legitimate services and developer tools to bypass traditional security measures. The 200% increase in misuse of eSignature platforms and developer tools highlights how attackers exploit trusted services to deliver malicious content.
AI-powered phishing-as-a-service kits exist but remain less widely adopted than anticipated, with only 0.7-4.7% of phishing emails bypassing filters being AI-generated in 2024. However, the 4,151% increase in total phishing volume since ChatGPT's advent demonstrates AI's role in scaling attack operations.
Defensive Recommendations July 2025
Immediate Priority Actions
Organizations must implement comprehensive voice verification protocols beyond simple audio authentication. Multi-channel verification requiring family code words or unique personal knowledge becomes essential as voice cloning technology advances.
Advanced email authentication protocols including SPF, DKIM, and DMARC require immediate deployment, as major email providers now mandate these for reliable delivery. Zero-trust architecture implementation helps minimize the impact of successful initial compromises across all organizational systems.
Strategic Security Evolution
Adaptive deepfake detection systems require continuous retraining on the latest manipulation techniques, similar to how antivirus software evolves to catch new malware strains. Organizations cannot rely on static models when facing rapidly evolving AI-powered threats.
Supply chain risk management programmes must include comprehensive vendor security assessments, continuous monitoring, and incident response coordination. The interconnected nature of modern business ecosystems means each vendor introduces potential entry points for cyber threats.
Technology Integration Priorities
AI-powered threat protection solutions with behavioural analytics capabilities become essential for identifying sophisticated attacks that bypass traditional defences. Sandboxing technology for suspicious attachments and real-time threat monitoring provide critical defensive layers.
Zero-trust network architecture combined with microsegmentation prevents lateral movement during successful compromises. Multi-factor authentication must extend beyond traditional methods to address voice cloning vulnerabilities.
Industry-Specific Defensive Measures
Financial Services Hardening
Financial institutions must implement enhanced wire transfer verification procedures requiring multi-channel confirmation for high-value transactions. Voice authentication systems should incorporate deepfake detection capabilities to prevent audio impersonation attacks.
Real-time transaction monitoring with AI-powered anomaly detection becomes crucial as attackers leverage sophisticated social engineering to bypass traditional fraud prevention measures.
Healthcare Security Adaptation
Healthcare organizations must prioritize IoMT device security through network segmentation and continuous monitoring of medical device communications. Legacy system upgrade programmes require acceleration to address fundamental security vulnerabilities.
Third-party risk management becomes critical as healthcare supply chains face increasing targeting by nation-state actors seeking sensitive patient data and intellectual property.
Government Infrastructure Protection
Government agencies require enhanced authentication protocols for high-privilege communications, particularly when using encrypted messaging platforms that nation-state actors increasingly target. Personnel security training must address deepfake recognition and social engineering awareness.
Legacy system remediation programmes need immediate prioritization given the substantial gaps in understanding estate resilience to advanced persistent threats.
Conclusion July 2025
July 2025 represents a watershed moment in the evolution of cyber threats, with artificial intelligence fundamentally transforming both attack capabilities and defensive requirements. The convergence of AI-powered voice cloning, sophisticated supply chain targeting, and critical infrastructure exploitation creates an unprecedented threat environment requiring immediate strategic adaptation.
The democratization of deepfake technology has eliminated traditional indicators of fraudulent communications, forcing organizations to completely rethink authentication and verification processes. Voice-based attacks now represent the dominant social engineering vector, with financial losses exceeding billions annually and success rates surpassing traditional phishing campaigns.
Supply chain vulnerabilities have evolved beyond simple software compromises to encompass the entire digital ecosystem supporting modern business operations. With 79% of organizations lacking visibility into their extended supply chains, attackers exploit these blind spots to achieve maximum impact through coordinated campaigns targeting critical infrastructure and essential services.
The gap between cyber threat capabilities and organizational defences continues widening at an alarming rate. Nation-state actors develop sophisticated tools and techniques faster than government and private sector defences can adapt, creating capability gaps that criminals increasingly exploit for financial gain.
Success in this environment requires fundamental shifts in cybersecurity strategy, moving beyond traditional perimeter defence to embrace adaptive, AI-powered protection mechanisms. Organizations must combine advanced technical controls with comprehensive security awareness programmes tailored to address AI-powered social engineering and deepfake threats.
The cost of inaction has never been higher, with individual incidents now capable of causing hundreds of millions in damages while undermining customer trust and operational continuity. Organizations that fail to adapt their security postures to address these evolving threats face existential risks as the threat landscape continues its rapid evolution.
Immediate action remains essential, as the technological capabilities enabling these advanced attacks become more accessible and affordable. The window for proactive defence implementation continues narrowing as threat actors refine their techniques and expand their targeting scope across all industry sectors.
This analysis reflects cyberthreat intelligence gathered throughout July 2025 and represents current understanding of the rapidly evolving cybersecurity landscape. Organizations should implement appropriate security measures based on their specific risk profiles, regulatory requirements, and threat exposure assessments.
Executive Summary - July 2025
Overview
The cybersecurity cyberthreat landscape during July 2025 marked a critical inflection point, demonstrating an unprecedented convergence of AI-powered attacks, sophisticated supply chain compromises, and targeted infrastructure exploitation. Following the trends identified in our June report, threat actors have accelerated their use of artificial intelligence while expanding attack surfaces through deepfake technology and advanced social engineering campaigns.
Global cybercrime costs continue their relentless climb, with AI-enhanced threats fundamentally transforming the attack landscape. The period witnessed a dramatic surge in voice-based social engineering attacks, with deepfake technology enabling criminals to bypass traditional authentication mechanisms. Simultaneously, ransomware operators have refined their tactics, deploying new variants like BQTLOCK and Interlock while exploiting critical vulnerabilities in enterprise systems.
Key Threat Indicators July 2025:
AI-powered voice cloning has reached commercial viability, enabling scammers to replicate voices with just 3-5 seconds of audio samples. The technology now passes both automated systems and human verification, creating unprecedented risks for financial institutions and corporate communications.
Microsoft SharePoint zero-day exploits designated as "ToolShell" have compromised over 400 organizations worldwide, including U.S. nuclear agencies, with Chinese state-sponsored groups leading coordinated campaigns.
QR code phishing (quishing) incidents surged dramatically, with Action Fraud receiving 784 reports between April 2024 and April 2025, resulting in £3.5 million in losses. The 5.3 billion projected QR code redemptions in 2025 represent equivalent opportunities for criminal exploitation.
Business Email Compromise attacks increased 30% as of March 2025, with 60% of compromises occurring within five minutes of victims clicking malicious links. AI-generated BEC emails now account for an estimated 40% of all BEC phishing communications.
Emerging Threat Analysis July 2025
AI-Powered Attack Maturation
The integration of artificial intelligence into cybercriminal operations reached a significant milestone in July 2025, with AI agents now outperforming elite human red teams by 24% in creating effective phishing campaigns. This represents a dramatic shift from 2023, when AI was 31% less effective than human attackers, demonstrating the rapid evolution of AI-powered threat capabilities.
Voice-based deepfakes have emerged as the dominant social engineering vector, with voice-based phishing now outpacing visual deepfakes in both frequency and impact. The technology's accessibility has democratized fraud, with voice cloning tools now costing less than $1 per call and requiring mere seconds to set up. Financial institutions face particular vulnerability, as AI has "fully defeated" voiceprint authentication systems according to OpenAI's CEO.
Critical Infrastructure Under Siege
July 2025 witnessed unprecedented targeting of critical infrastructure systems, with the ToolShell campaign representing the most significant SharePoint exploitation ever recorded. Chinese state-sponsored groups Linen Typhoon and Violet Typhoon coordinated attacks against over 400 organizations, demonstrating sophisticated persistence techniques and advanced reconnaissance capabilities.
The SonicWall SMA 100 series compromise revealed how end-of-life systems provide persistent attack vectors even when fully patched. The OVERSTEP rootkit deployment showcased attackers' ability to maintain long-term access while employing anti-forensic techniques to avoid detection.
Supply Chain Vulnerabilities Expand
Supply chain attacks have evolved beyond traditional software compromises to target the interconnected web of digital dependencies that define modern enterprise operations. With 79% of companies admitting limited oversight of their "nth-party" supply chain, attackers exploit these visibility gaps to achieve maximum impact through minimal effort.
Russian state-sponsored campaigns have specifically targeted Western logistics providers and IT companies supporting Ukrainian assistance efforts. These operations demonstrate how geopolitical tensions amplify supply chain risks, with attackers gaining access to transportation manifests, surveillance cameras, and border crossing systems.
Industry-Specific Risk Assessment July 2025
Financial Services Escalation
The financial sector faced intensified targeting through multimodal deepfake attacks combining voice, video, and behavioural cues to evade detection. The $25.5 million Arup engineering firm fraud exemplified how AI-generated executive impersonation attacks exploit corporate trust networks.
Deepfake fraud cases surged 1,740% in North America between 2022 and 2023, with financial losses exceeding $200 million in Q1 2025 alone. The sector's reliance on voice authentication systems creates particular vulnerability as AI voice cloning technology advances exponentially.
Healthcare Infrastructure Targets
Healthcare organizations continued facing sophisticated ransomware campaigns targeting both clinical systems and medical device networks. The sector's proliferation of Internet of Medical Things (IoMT) devices introduces new vulnerability vectors requiring comprehensive security adaptations.
Nation-state actors have intensified cyber-espionage efforts against healthcare organizations, targeting sensitive patient data and valuable intellectual property. The sector's legacy system dependencies and weak supply chain security create cascading vulnerabilities when external breaches occur.
Retail Sector Disruption
Major UK retailers including Marks & Spencer, Co-operative Group, and Harrods suffered significant cyberattacks during spring 2025. The M&S ransomware attack over Easter weekend disrupted all online orders and automated stock management systems, with estimated costs reaching £300 million in lost profits.
These attacks demonstrate how retail organizations' large organizational footprints and extensive customer databases make them attractive targets for cybercriminals seeking maximum data exposure and financial impact.
Government Sector Vulnerabilities
High-level U.S. government officials became targets of sophisticated voice deepfake campaigns using encrypted messaging platforms. The impersonation of Secretary of State Marco Rubio through AI-synthesized voice messages represents a significant evolution in social engineering tactics employed by nation-state actors.
Government defences continue struggling to keep pace with hostile states and criminals developing capabilities faster than anticipated. Legacy IT systems comprising significant portions of government infrastructure present substantial attack surfaces with high likelihood and impact risk profiles.
Attack Vector Evolution July 2025
Voice-Based Social Engineering Dominance
Voice-based attacks have emerged as the primary social engineering vector for 2025, with 37% of organizations worldwide already falling victim to voice deepfake scams. The technology's improvement at an exponential pace enables attackers to create convincing voice clones that bypass both automated systems and human verification.
Financial losses from voice-based fraud result in $25 billion annually, with Microsoft reporting widespread organizational impacts across multiple sectors. The democratization of voice cloning technology has dramatically lowered barriers to entry, making sophisticated attacks accessible to low-skill criminals.
Multi-Channel Attack Coordination
Threat actors increasingly deploy multi-channel campaigns combining email, voice, and messaging platforms to maximize success rates. The Russian OAuth phishing campaign targeting NGOs and human rights organizations exemplifies this approach, using Signal and WhatsApp communications to direct victims to legitimate Microsoft OAuth pages before stealing authentication tokens.
These response-based social engineering tactics comprise 99% of unblocked email threats, with attackers using simple emails containing phone numbers and QR codes to lure victims into less secure environments.
Zero-Day Exploitation Acceleration
The Microsoft zero-day vulnerability (CVE-2025-47981) exploited for cyber espionage demonstrates how threat actors manipulate Windows file execution search order to execute malicious code from remote servers. This technique enables attackers to avoid dropping files directly onto victim computers while evading detection.
Fortinet FortiWeb devices faced active exploitation via CVE-2025-25257, with over 85 devices infected with web shells within three days of public exploit availability. The rapid weaponization timeline highlights how quickly attackers capitalize on newly disclosed vulnerabilities.
Threat Actor Analysis July 2025
Nation-State Sophistication Advancement
Chinese state-sponsored groups demonstrated unprecedented coordination in the ToolShell SharePoint campaign, with Linen Typhoon and Violet Typhoon conducting synchronized attacks against critical infrastructure. These groups deployed custom espionage tools while maintaining persistent access through legitimate Windows components.
Russian threat actors UTA0352 and UTA0355 executed highly sophisticated OAuth phishing campaigns with personalized social engineering targeting European diplomats and Ukrainian officials. The campaigns' success rate demonstrates how nation-state actors leverage detailed reconnaissance to craft convincing impersonation attacks.
Ransomware Evolution Patterns
Ransomware operators have refined their deployment mechanisms, with new variants like BQTLOCK implementing multi-layered encryption approaches combining AES-256 and RSA-4096 cryptography. The Interlock ransomware group's specialized approach eschewing the prevalent ransomware-as-a-service model makes them more formidable to defend against.
SafePay ransomware organization's attack on Ingram Micro resulted in key systems offline for nearly a week, demonstrating how targeted attacks against critical supply chain partners create cascading operational impacts.
Criminal Innovation Acceleration
Cybercriminals increasingly leverage legitimate services and developer tools to bypass traditional security measures. The 200% increase in misuse of eSignature platforms and developer tools highlights how attackers exploit trusted services to deliver malicious content.
AI-powered phishing-as-a-service kits exist but remain less widely adopted than anticipated, with only 0.7-4.7% of phishing emails bypassing filters being AI-generated in 2024. However, the 4,151% increase in total phishing volume since ChatGPT's advent demonstrates AI's role in scaling attack operations.
Defensive Recommendations July 2025
Immediate Priority Actions
Organizations must implement comprehensive voice verification protocols beyond simple audio authentication. Multi-channel verification requiring family code words or unique personal knowledge becomes essential as voice cloning technology advances.
Advanced email authentication protocols including SPF, DKIM, and DMARC require immediate deployment, as major email providers now mandate these for reliable delivery. Zero-trust architecture implementation helps minimize the impact of successful initial compromises across all organizational systems.
Strategic Security Evolution
Adaptive deepfake detection systems require continuous retraining on the latest manipulation techniques, similar to how antivirus software evolves to catch new malware strains. Organizations cannot rely on static models when facing rapidly evolving AI-powered threats.
Supply chain risk management programmes must include comprehensive vendor security assessments, continuous monitoring, and incident response coordination. The interconnected nature of modern business ecosystems means each vendor introduces potential entry points for cyber threats.
Technology Integration Priorities
AI-powered threat protection solutions with behavioural analytics capabilities become essential for identifying sophisticated attacks that bypass traditional defences. Sandboxing technology for suspicious attachments and real-time threat monitoring provide critical defensive layers.
Zero-trust network architecture combined with microsegmentation prevents lateral movement during successful compromises. Multi-factor authentication must extend beyond traditional methods to address voice cloning vulnerabilities.
Industry-Specific Defensive Measures
Financial Services Hardening
Financial institutions must implement enhanced wire transfer verification procedures requiring multi-channel confirmation for high-value transactions. Voice authentication systems should incorporate deepfake detection capabilities to prevent audio impersonation attacks.
Real-time transaction monitoring with AI-powered anomaly detection becomes crucial as attackers leverage sophisticated social engineering to bypass traditional fraud prevention measures.
Healthcare Security Adaptation
Healthcare organizations must prioritize IoMT device security through network segmentation and continuous monitoring of medical device communications. Legacy system upgrade programmes require acceleration to address fundamental security vulnerabilities.
Third-party risk management becomes critical as healthcare supply chains face increasing targeting by nation-state actors seeking sensitive patient data and intellectual property.
Government Infrastructure Protection
Government agencies require enhanced authentication protocols for high-privilege communications, particularly when using encrypted messaging platforms that nation-state actors increasingly target. Personnel security training must address deepfake recognition and social engineering awareness.
Legacy system remediation programmes need immediate prioritization given the substantial gaps in understanding the IT estate's resilience to advanced persistent threats.
Conclusion July 2025
July 2025 represents a watershed moment in the evolution of cyber threats, with artificial intelligence fundamentally transforming both attack capabilities and defensive requirements. The convergence of AI-powered voice cloning, sophisticated supply chain targeting, and critical infrastructure exploitation creates an unprecedented threat environment requiring immediate strategic adaptation.
The democratization of deepfake technology has eliminated traditional indicators of fraudulent communications, forcing organizations to completely rethink authentication and verification processes. Voice-based attacks now represent the dominant social engineering vector, with financial losses exceeding billions annually and success rates surpassing traditional phishing campaigns.
Supply chain vulnerabilities have evolved beyond simple software compromises to encompass the entire digital ecosystem supporting modern business operations. With 79% of organizations lacking visibility into their extended supply chains, attackers exploit these blind spots to achieve maximum impact through coordinated campaigns targeting critical infrastructure and essential services.
The gap between cyber threat capabilities and organizational defences continues widening at an alarming rate. Nation-state actors develop sophisticated tools and techniques faster than government and private sector defences can adapt, creating capability gaps that criminals increasingly exploit for financial gain.
Success in this environment requires fundamental shifts in cybersecurity strategy, moving beyond traditional perimeter defence to embrace adaptive, AI-powered protection mechanisms. Organizations must combine advanced technical controls with comprehensive security awareness programmes tailored to address AI-powered social engineering and deepfake threats.
The cost of inaction has never been higher, with individual incidents now capable of causing hundreds of millions in damages while undermining customer trust and operational continuity. Organizations that fail to adapt their security postures to address these evolving threats face existential risks as the threat landscape continues its rapid evolution.
Immediate action remains essential, as the technological capabilities enabling these advanced attacks become more accessible and affordable. The window for proactive defence implementation continues narrowing as threat actors refine their techniques and expand their targeting scope across all industry sectors.
This analysis reflects cyberthreat intelligence gathered throughout July 2025 and represents current understanding of the rapidly evolving cybersecurity landscape. Organizations should implement appropriate security measures based on their specific risk profiles, regulatory requirements, and threat exposure assessments.
Jun 1, 2025
Threat Intelligence
Executive Summary - June 2025
Overview
The cyberthreat landscape continues to evolve at an unprecedented pace, with email-based attacks increasing between September 2024 and February 2025. Organisations face a perfect storm of AI-enhanced threats, sophisticated social engineering campaigns, and targeted industry-specific attacks that are bypassing traditional security measures with alarming frequency.
Global cybercrime costs are projected to reach trillions annually by 2025, representing a dramatic increase from previous years. This escalation is driven by the democratisation of AI tools, the expansion of attack surfaces through remote work and cloud adoption, and increasingly sophisticated threat actor capabilities.
Key Threat Indicators:
Most phishing emails now exhibit some use of AI
There has been a significant increase in ransomware payloads delivered through email attacks
Attacks from compromised accounts are on the rise
A small but growing percentage of phishing attacks include QR codes, representing a dramatic increase since 2021
Advanced email attacks on financial services have risen year-over-year
Emerging Threat Analysis
AI-Powered Attack Evolution
The integration of artificial intelligence into cybercriminal operations has fundamentally transformed the threat landscape. AI-powered polymorphic phishing campaigns are now present in most phishing attacks, with the vast majority of polymorphic emails showing AI usage. These campaigns create nearly identical emails that differ only by small details, making them extremely difficult for traditional signature-based detection systems to identify.
Generative AI tools enable cybercriminals to craft thousands of highly convincing phishing emails in minutes, often personalised to each victim using data harvested from social media, corporate websites, and previous breaches. The sophistication has reached levels where most adults are unsure of their ability to distinguish AI-cloned voices from authentic communications.
Quishing: The QR Code Threat Revolution
QR code phishing, or "quishing," has emerged as a dominant attack vector, with QR code redemptions projected to reach billions in 2025. This represents billions of opportunities for cybercriminals to exploit unsuspecting users through malicious codes that bypass traditional email security measures.
A small but notable percentage of all scanned QR codes are now malicious, highlighting the scale of this emerging threat. Attackers are employing increasingly sophisticated techniques including coloured backgrounds to evade detection, password-protected attachments, and macro-enabled files that assemble malicious URLs dynamically.
The UK's Action Fraud received a substantial number of reports of quishing in 2024 alone, representing a massive jump from just a handful of reports in 2019. Criminal organisations are targeting high-traffic areas like car parks and restaurants, placing fake QR codes over legitimate signage.
Deepfake and Voice Spoofing Proliferation
Voice-based deepfakes have reached remarkable sophistication levels, with cybercriminals able to capture voice samples from interviews, podcasts, or social media clips and generate convincing audio impersonations. Many adults have experienced or know someone affected by an AI voice cloning scam.
Financial institutions are particularly vulnerable, with attackers using deepfake technology to impersonate executives or trusted clients for fraudulent wire transfers. A recent case involved a major bank being defrauded through a cloned voice of a trusted client.
Industry-Specific Risk Assessment
Financial Services Under Siege
The financial services sector faces unprecedented targeting, with advanced email attacks rising year-over-year. Phishing attacks on financial institutions have increased between April 2024 and April 2025. The sector's susceptibility stems from handling massive volumes of sensitive data, processing large sums in daily transactions, and managing extensive high-net-worth client networks.
Business Email Compromise attacks caused significant losses between 2013 and 2021, with individual incidents averaging substantial damages. Research shows BEC attacks increasing as of March 2025; they rank as the second most expensive type of breach, with a high average cost per incident.
Healthcare Vulnerabilities Intensify
The healthcare sector continues to face formidable cybersecurity challenges, with ransomware leading the charge against critical healthcare infrastructure. Nation-state actors have intensified cyber-espionage efforts, targeting sensitive patient data and valuable intellectual property. The proliferation of Internet of Medical Things (IoMT) devices has introduced new vulnerability vectors requiring urgent security adaptations.
Healthcare organisations struggle with legacy systems, unmonitored operational technology, and weak supply chains that cybercriminals exploit to cripple production lines and steal critical data. The sector's reliance on third-party vendors introduces additional cascading vulnerabilities when external system breaches occur.
Manufacturing Industry at Risk
The manufacturing sector is embracing digital transformation and IT/OT convergence, but this evolution creates new attack opportunities for cybercriminals. Legacy systems, unmonitored OT, and weak supply chains are primary targets for attacks designed to halt production lines and steal intellectual property. Key vulnerabilities include unmanaged systems, security blind spots, legacy vulnerabilities, weak segmentation, and poor monitoring of industrial environments. Attackers increasingly exploit web shells, stolen credentials, and phishing tactics to establish long-term access before escalating their operations.
Government Sector Defences Outpaced
Government defences have not kept up with the severe and rapidly evolving cyber threat, with hostile states and criminals developing capabilities faster than anticipated. Risky legacy IT systems comprise a significant portion of the public sector's IT estate, with substantial gaps remaining in understanding the estate's resilience to attack.
By January 2025, many legacy systems had been identified across government, with a significant proportion rated as having high likelihood and impact of risks occurring. However, government does not know the total number of legacy systems in use, highlighting significant visibility gaps.
Attack Vector Trends
Supply Chain Attacks Surge
Supply chain attacks represent one of 2025's most disruptive cybersecurity trends, with cybercriminals increasingly targeting the web of vendors, contractors, and service providers that organisations rely upon. Recent high-profile examples demonstrate the multiplier effect these attacks can achieve.
Attackers are now targeting managed service providers (MSPs), cloud platforms, and open-source libraries, multiplying their impact across multiple organisations simultaneously. The interconnected nature of modern business ecosystems means each new vendor introduces a potential entry point for cyber threats.
Zero-Day Exploitation Continues
Microsoft recently patched a zero-day vulnerability exploited for cyber espionage in March 2025. The vulnerability in Web Distributed Authoring and Versioning (WebDAV) was used to deliver custom espionage tools to defence organisations.
The attack began with a standard shortcut file disguised as a PDF document, demonstrating how attackers manipulate the Windows file execution search order to run malicious code from remote servers. This technique lets threat actors avoid dropping files directly onto victim computers while evading detection.
Remote Work Security Challenges
A vast majority of cybersecurity professionals report increased cyber attacks due to remote working. Remote work environments create new vulnerability surfaces through insecure home networks, personal devices lacking robust security controls, and reduced IT oversight.
AI-powered phishing emails targeting remote workers have become highly sophisticated, often personalised to appear as legitimate communications from company leadership or IT departments. The distributed nature of remote workforces makes verification of suspicious communications more challenging.
Threat Actor Analysis
Sophistication Levels Rising
Threat actors are leveraging advanced techniques including response-based social engineering tactics, which comprise the overwhelming majority of unblocked email threats. Only a small fraction of malicious emails reaching user inboxes now deliver malware, indicating that common pre-delivery email defences are effective against malware but far less capable of blocking high-risk threats like BEC and credential phishing.
Adversaries are using simple emails containing phone numbers and QR codes to lure victims into less secure environments where they can be more easily exploited. These multichannel attacks are difficult to detect because the emails themselves are basic and lack the content typically flagged by filters.
Nation-State Activity Intensification
Nation-state threat actors have intensified their cyber-espionage efforts, particularly targeting healthcare organisations for sensitive patient data and intellectual property. The Stealth Falcon APT group successfully exploited a zero-day to deliver custom espionage tools to defence organisations.
State-sponsored groups are developing capabilities faster than government and private sector defences can adapt, creating significant capability gaps that hostile actors exploit. The use of legitimate, trusted Windows components to carry out attacks helps these groups evade detection while maintaining persistence.
Defensive Recommendations
Immediate Actions Required
Organisations must implement comprehensive email authentication protocols including SPF, DKIM, and DMARC, as major email providers now require these for reliable delivery. Multi-factor authentication should be mandatory for all email accounts, with particular emphasis on high-privilege access accounts.
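The SPF and DMARC checks recommended above can be automated. The following is an added example, not code from the original report: it parses the two TXT record types and flags the weak settings that leave a domain spoofable (a permissive "+all", a monitor-only "p=none", partial "pct", no reporting address). The records are constructed sample strings; in practice they would be fetched from DNS for the domain being assessed.

```python
"""Assess a domain's SPF and DMARC TXT records for weak settings.

Added example, not code from the original report. Records are constructed
strings; in production they would be fetched from DNS for the domain.
"""
from __future__ import annotations

from dataclasses import dataclass

# DNS-querying SPF mechanisms; RFC 7208 caps them at 10 per evaluation.
LOOKUP_MECHANISMS = ("a", "mx", "ptr", "include", "exists", "redirect")
SEVERITY_RANK = {"ok": 0, "info": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    message: str


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(txt: str | None) -> list[Finding]:
    """Flag missing records, permissive 'all' qualifiers and lookup-limit breaches."""
    if txt is None or not txt.lower().startswith("v=spf1"):
        return [Finding("high", "no SPF record (must begin with v=spf1)")]
    findings: list[Finding] = []
    all_qualifier = None
    lookups = 0
    for term in txt.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is pass
        mechanism = term.lstrip("+-~?").lower()
        # Strip any ':domain', '=value' or '/cidr' suffix to get the bare mechanism name.
        name = mechanism.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
    if all_qualifier is None:
        findings.append(Finding("medium", "no 'all' mechanism: unlisted senders are neutral, not rejected"))
    elif all_qualifier in ("+", "?"):
        findings.append(Finding("high", f"'{all_qualifier}all' lets any host send as this domain"))
    elif all_qualifier == "~":
        findings.append(Finding("info", "'~all' softfail; rely on DMARC p=quarantine/reject for enforcement"))
    if lookups > 10:
        findings.append(Finding("high", f"{lookups} DNS lookups exceed the limit of 10 (permerror)"))
    return findings


def assess_dmarc(txt: str | None) -> list[Finding]:
    """Flag absent/monitor-only policies, partial enforcement and missing reporting."""
    if txt is None:
        return [Finding("high", "no DMARC record: receivers cannot enforce alignment")]
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return [Finding("high", "DMARC record must begin with v=DMARC1")]
    findings: list[Finding] = []
    policy = tags.get("p")
    if policy is None:
        findings.append(Finding("high", "missing required 'p' tag"))
    elif policy == "none":
        findings.append(Finding("medium", "p=none only monitors; spoofed mail is still delivered"))
    elif policy in ("quarantine", "reject"):
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(Finding("medium", f"pct={pct}: policy applied to only {pct}% of failing mail"))
        if tags.get("sp") == "none":
            findings.append(Finding("medium", "sp=none leaves subdomains unenforced"))
    if "rua" not in tags:
        findings.append(Finding("info", "no rua= address: aggregate reports (and spoofing attempts) go unseen"))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    """Collapse a finding list to its single worst severity ('ok' when empty)."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="ok")


# Constructed sample records: a weak pair beside a corrected pair (192.0.2.0/24 is a documentation range).
WEAK_SPF = "v=spf1 include:spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_SPF = "v=spf1 ip4:192.0.2.0/24 include:spf.example.net -all"
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("good", GOOD_SPF, GOOD_DMARC)):
        findings = assess_spf(spf) + assess_dmarc(dmarc)
        print(f"{label}: {worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

DKIM is not checked here because its selector records cannot be discovered from the domain alone; a DMARC "rua" feed is the practical way to see whether DKIM signing is aligned for all sending services.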
Security awareness training programmes must evolve to address AI-powered threats, including deepfake recognition and QR code verification procedures. Regular phishing simulation exercises using current threat intelligence help identify employees requiring additional training.
Strategic Security Investments
Advanced threat protection solutions with AI-powered detection capabilities are essential for identifying sophisticated attacks that bypass traditional defences. Sandboxing technology for suspicious attachments and behavioural analytics for anomaly detection provide critical layers of protection.
Supply chain risk management programmes must include comprehensive vendor security assessments, continuous monitoring, and incident response coordination. Zero-trust architecture implementation helps minimise the impact of successful initial compromises.
Industry-Specific Measures
Financial services organisations should implement enhanced wire transfer verification procedures, including multi-channel confirmation for high-value transactions. Voice authentication systems should incorporate deepfake detection capabilities to prevent audio impersonation attacks.
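The wire transfer controls described here and in the July "Financial Services Hardening" section (multi-channel confirmation for high-value transactions, plus anomaly detection against an account baseline) can be expressed as a single decision rule. This is an added example, not the report's or any institution's code: the threshold, the z-score cut-off and the transfer history are constructed values, and the account and beneficiary labels are placeholders.

```python
"""Tiered wire-transfer verification: amount thresholds plus a per-account
baseline decide whether a transfer needs out-of-band confirmation.

Added example, not the report's own code. The threshold, z-score limit and
transfer history are constructed; a real deployment would load them from policy
and the core banking system.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev

HIGH_VALUE_THRESHOLD = 50_000.0  # assumed policy value
ZSCORE_LIMIT = 3.0               # assumed anomaly cut-off


@dataclass(frozen=True)
class Transfer:
    account: str
    beneficiary: str
    amount: float


def baseline(history: list[Transfer], account: str) -> tuple[float, float, set[str]]:
    """Mean and population std dev of past amounts, plus known beneficiaries, for one account."""
    past = [t for t in history if t.account == account]
    known = {t.beneficiary for t in past}
    amounts = [t.amount for t in past]
    if len(amounts) < 2:
        return 0.0, 0.0, known
    return mean(amounts), pstdev(amounts), known


def anomaly_reasons(t: Transfer, history: list[Transfer]) -> list[str]:
    """Explain why a transfer deviates from the account's baseline or trips policy."""
    mu, sigma, known = baseline(history, t.account)
    reasons: list[str] = []
    if t.beneficiary not in known:
        reasons.append("new beneficiary")
    if sigma > 0 and (t.amount - mu) / sigma > ZSCORE_LIMIT:
        reasons.append(f"amount is {(t.amount - mu) / sigma:.1f} std devs above the account mean")
    elif sigma == 0 and mu > 0 and t.amount > 2 * mu:
        # Edge case: identical historical amounts give sigma 0, so use a ratio instead.
        reasons.append("amount is more than double the account's constant history")
    if t.amount >= HIGH_VALUE_THRESHOLD:
        reasons.append("high value")
    return reasons


def required_verification(t: Transfer, history: list[Transfer]) -> str:
    """Return 'auto', 'callback' or 'callback+second-approver'.

    A callback goes to the contact number already on file, never to a number
    supplied in the request, so a cloned voice on the inbound call does not help.
    """
    reasons = anomaly_reasons(t, history)
    if "high value" in reasons and len(reasons) > 1:
        return "callback+second-approver"
    if reasons:
        return "callback"
    return "auto"


# Constructed history for two accounts (labels are placeholders).
HISTORY = [
    Transfer("ACC-1001", "BEN-A", 1200.0), Transfer("ACC-1001", "BEN-B", 1500.0),
    Transfer("ACC-1001", "BEN-A", 1300.0), Transfer("ACC-1001", "BEN-B", 1400.0),
    Transfer("ACC-1001", "BEN-A", 1600.0),
    Transfer("ACC-2002", "BEN-C", 70_000.0), Transfer("ACC-2002", "BEN-C", 75_000.0),
    Transfer("ACC-2002", "BEN-C", 72_000.0), Transfer("ACC-2002", "BEN-C", 74_000.0),
]

if __name__ == "__main__":
    for t in (Transfer("ACC-1001", "BEN-A", 1450.0),
              Transfer("ACC-1001", "BEN-Z", 1450.0),
              Transfer("ACC-1001", "BEN-A", 80_000.0),
              Transfer("ACC-2002", "BEN-C", 73_000.0)):
        print(t, "->", required_verification(t, HISTORY), anomaly_reasons(t, HISTORY))
```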
Healthcare organisations must prioritise IoMT device security, implementing network segmentation and continuous monitoring for medical device communications. Manufacturing companies should establish robust IT/OT segmentation and implement comprehensive monitoring of industrial control systems.
Conclusion
The June 2025 threat landscape demonstrates unprecedented sophistication in cybercriminal capabilities, driven primarily by AI integration and the expansion of attack surfaces through digital transformation initiatives. Organisations face a critical inflection point where traditional security measures are insufficient against evolving threats that exploit human psychology and technical vulnerabilities simultaneously.
The convergence of AI-powered attacks, supply chain vulnerabilities, and industry-specific targeting creates a complex threat environment requiring comprehensive defensive strategies. Success requires combining advanced technical controls with robust security awareness programmes and industry-specific risk mitigation measures.
Immediate action is essential, as the gap between cyber threat capabilities and organisational defences continues to widen. Organisations that fail to adapt their security postures to address these evolving threats face significant risks of financial loss, operational disruption, and reputational damage.
This report is based on threat intelligence gathered from multiple sources and reflects the current understanding of the cybersecurity landscape as of June 2025. Organisations should implement appropriate security measures based on their specific risk profiles and regulatory requirements.
Executive Summary - June 2025
Overview
The cyberthreat landscape continues to evolve at an unprecedented pace, with email-based attacks increasing between September 2024 and February 2025. Organisations face a perfect storm of AI-enhanced threats, sophisticated social engineering campaigns, and targeted industry-specific attacks that are bypassing traditional security measures with alarming frequency.
Global cybercrime costs are projected to reach trillions annually by 2025, representing a dramatic increase from previous years. This escalation is driven by the democratisation of AI tools, the expansion of attack surfaces through remote work and cloud adoption, and increasingly sophisticated threat actor capabilities.
Key Threat Indicators:
Most phishing emails now exhibit some use of AI
There has been a significant increase in ransomware payloads delivered through email attacks
Attacks from compromised accounts are on the rise
A small but growing percentage of phishing attacks include QR codes, representing a dramatic increase since 2021
Advanced email attacks on financial services have risen year-over-year
Emerging Threat Analysis
AI-Powered Attack Evolution
The integration of artificial intelligence into cybercriminal operations has fundamentally transformed the threat landscape. AI-powered polymorphic phishing campaigns are now present in most phishing attacks, with the vast majority of polymorphic emails showing AI usage. These campaigns create nearly identical emails that differ only by small details, making them extremely difficult for traditional signature-based detection systems to identify.
Generative AI tools enable cybercriminals to craft thousands of highly convincing phishing emails in minutes, often personalised to each victim using data harvested from social media, corporate websites, and previous breaches. The sophistication has reached levels where most adults are unsure of their ability to distinguish AI-cloned voices from authentic communications.
Quishing: The QR Code Threat Revolution
QR code phishing, or "quishing," has emerged as a dominant attack vector, with QR code redemptions projected to reach billions in 2025. This represents billions of opportunities for cybercriminals to exploit unsuspecting users through malicious codes that bypass traditional email security measures.
A small but notable percentage of all scanned QR codes are now malicious, highlighting the scale of this emerging threat. Attackers are employing increasingly sophisticated techniques including coloured backgrounds to evade detection, password-protected attachments, and macro-enabled files that assemble malicious URLs dynamically.
The UK's Action Fraud received a substantial number of reports of quishing in 2024 alone, representing a massive jump from just a handful of reports in 2019. Criminal organisations are targeting high-traffic areas like car parks and restaurants, placing fake QR codes over legitimate signage.
Deepfake and Voice Spoofing Proliferation
Voice-based deepfakes have reached remarkable sophistication levels, with cybercriminals able to capture voice samples from interviews, podcasts, or social media clips and generate convincing audio impersonations. Many adults have experienced or know someone affected by an AI voice cloning scam.
Financial institutions are particularly vulnerable, with attackers using deepfake technology to impersonate executives or trusted clients for fraudulent wire transfers. A recent case involved a major bank being defrauded through a cloned voice of a trusted client.
Industry-Specific Risk Assessment
Financial Services Under Siege
The financial services sector faces unprecedented targeting, with advanced email attacks rising year-over-year. Phishing attacks on financial institutions have increased between April 2024 and April 2025. The sector's susceptibility stems from handling massive volumes of sensitive data, processing large sums in daily transactions, and managing extensive high-net-worth client networks.
Business Email Compromise attacks have caused significant losses between 2013 and 2021, with individual incidents averaging substantial damages. Research shows an increase in BEC attacks as of March 2025, making them the second most expensive type of breach at a high average cost.
Healthcare Vulnerabilities Intensify
The healthcare sector continues to face formidable cybersecurity challenges, with ransomware leading the charge against critical healthcare infrastructure. Nation-state actors have intensified cyber-espionage efforts, targeting sensitive patient data and valuable intellectual property. The proliferation of Internet of Medical Things (IoMT) devices has introduced new vulnerability vectors requiring urgent security adaptations.
Healthcare organisations struggle with legacy systems, unmonitored operational technology, and weak supply chains that cybercriminals exploit to cripple production lines and steal critical data. The sector's reliance on third-party vendors introduces additional cascading vulnerabilities when external system breaches occur.
Manufacturing Industry at Risk
The manufacturing sector is embracing digital transformation and IT/OT convergence, but this evolution creates new attack opportunities for cybercriminals. Legacy systems, unmonitored OT, and weak supply chains are primary targets for attacks designed to halt production lines and steal intellectual property. Key vulnerabilities include unmanaged systems, security blind spots, legacy vulnerabilities, weak segmentation, and poor monitoring of industrial environments. Attackers increasingly exploit web shells, stolen credentials, and phishing tactics to establish long-term access before escalating their operations.
Government Sector Defences Outpaced
Government defences have not kept up with the severe and rapidly evolving cyber threat, with hostile states and criminals developing capabilities faster than anticipated. Risky legacy IT systems comprise a significant portion of the public sector's IT estate, with substantial gaps remaining in understanding the estate's resilience to attack.
By January 2025, many legacy systems had been identified across government, with a significant proportion rated as having high likelihood and impact of risks occurring. However, government does not know the total number of legacy systems in use, highlighting significant visibility gaps.
Attack Vector Trends
Supply Chain Attacks Surge
Supply chain attacks represent one of 2025's most disruptive cybersecurity trends, with cybercriminals increasingly targeting the web of vendors, contractors, and service providers that organisations rely upon. Recent high-profile examples demonstrate the multiplier effect these attacks can achieve.
Attackers are now targeting managed service providers (MSPs), cloud platforms, and open-source libraries, multiplying their impact across multiple organisations simultaneously. The interconnected nature of modern business ecosystems means each new vendor introduces a potential entry point for cyber threats.
Zero-Day Exploitation Continues
Microsoft recently patched a zero-day vulnerability exploited for cyber espionage in March 2025. The vulnerability in Web Distributed Authoring and Versioning (WebDAV) was used to deliver custom espionage tools to defence organisations.
The attack began with a standard shortcut file disguised as a PDF document, demonstrating how attackers manipulate Windows file execution search order to execute malicious code from remote servers. This technique allows threat actors to avoid dropping files directly onto victim computers while evading detection.
Remote Work Security Challenges
A vast majority of cybersecurity professionals report increased cyber attacks due to remote working. Remote work environments create new vulnerability surfaces through insecure home networks, personal devices lacking robust security controls, and reduced IT oversight.
AI-powered phishing emails targeting remote workers have become highly sophisticated, often personalised to appear as legitimate communications from company leadership or IT departments. The distributed nature of remote workforces makes verification of suspicious communications more challenging.
Threat Actor Analysis
Sophistication Levels Rising
Threat actors are leveraging advanced techniques including response-based social engineering tactics, which comprise the overwhelming majority of unblocked email threats. Only a small fraction of malicious emails reaching user inboxes now deliver malware, indicating that common pre-delivery email defences are effective against malware but far less capable of blocking high-risk threats like BEC and credential phishing.
Adversaries are using simple emails containing phone numbers and QR codes to lure victims into less secure environments where they can be more easily exploited. These multichannel attacks are difficult to detect because emails themselves are basic and lack content typically flagged by filters.
Nation-State Activity Intensification
Nation-state threat actors have intensified their cyber-espionage efforts, particularly targeting healthcare organisations for sensitive patient data and intellectual property. The Stealth Falcon APT group successfully exploited a zero-day to deliver custom espionage tools to defence organisations.
State-sponsored groups are developing capabilities faster than government and private sector defences can adapt, creating significant capability gaps that hostile actors exploit. The use of legitimate, trusted Windows components to carry out attacks helps these groups evade detection while maintaining persistence.
Defensive Recommendations
Immediate Actions Required
Organisations must implement comprehensive email authentication protocols including SPF, DKIM, and DMARC, as major email providers now require these for reliable delivery. Multi-factor authentication should be mandatory for all email accounts, with particular emphasis on high-privilege access accounts.
Security awareness training programmes must evolve to address AI-powered threats, including deepfake recognition and QR code verification procedures. Regular phishing simulation exercises using current threat intelligence help identify employees requiring additional training.
Strategic Security Investments
Advanced threat protection solutions with AI-powered detection capabilities are essential for identifying sophisticated attacks that bypass traditional defences. Sandboxing technology for suspicious attachments and behavioural analytics for anomaly detection provide critical layers of protection.
Supply chain risk management programmes must include comprehensive vendor security assessments, continuous monitoring, and incident response coordination. Zero-trust architecture implementation helps minimise the impact of successful initial compromises.
Industry-Specific Measures
Financial services organisations should implement enhanced wire transfer verification procedures, including multi-channel confirmation for high-value transactions. Voice authentication systems should incorporate deepfake detection capabilities to prevent audio impersonation attacks.
Healthcare organisations must prioritise IoMT device security, implementing network segmentation and continuous monitoring for medical device communications. Manufacturing companies should establish robust IT/OT segmentation and implement comprehensive monitoring of industrial control systems.
Conclusion
The June 2025 threat landscape demonstrates unprecedented sophistication in cybercriminal capabilities, driven primarily by AI integration and the expansion of attack surfaces through digital transformation initiatives. Organisations face a critical inflection point where traditional security measures are insufficient against evolving threats that exploit human psychology and technical vulnerabilities simultaneously.
The convergence of AI-powered attacks, supply chain vulnerabilities, and industry-specific targeting creates a complex threat environment requiring comprehensive defensive strategies. Success requires combining advanced technical controls with robust security awareness programmes and industry-specific risk mitigation measures.
Immediate action is essential, as the gap between cyber threat capabilities and organisational defences continues to widen. Organisations that fail to adapt their security postures to address these evolving threats face significant risks of financial loss, operational disruption, and reputational damage.
This report is based on threat intelligence gathered from multiple sources and reflects the current understanding of the cybersecurity landscape as of June 2025. Organisations should implement appropriate security measures based on their specific risk profiles and regulatory requirements.
Citations
[1] Cybersecurity Trends Report, Q2 2025
[2] National Cyber Security Centre, "Emerging Threats Bulletin," May 2025
[3] Cybersecurity Ventures, "2025 Cybercrime Annual Report"
[4] Mimecast State of Email Security Report, 2025
[5] SlashNext QR Code Threat Report, April 2025
[6] Financial Services Information Sharing and Analysis Center (FS-ISAC), Q1 2025 Report
[7] Abnormal Security Email Threat Report, Q2 2025
[8] IBM X-Force Threat Intelligence Index, 2025
[9] McAfee Labs Voice Impersonation Study, March 2025
[10] QR Tiger Security Analysis, Q1 2025
[11] UK Action Fraud Annual Report, 2024
[12] Financial Conduct Authority, "Deepfake Advisory," February 2025
[13] FBI Internet Crime Report, 2025
[14] Health-ISAC Threat Intelligence Report, May 2025
[15] Dragos Year in Review: Industrial Control Systems, 2024
[16] UK Cabinet Office, "Government Cyber Security Strategy Annual Review," March 2025
[17] ENISA Threat Landscape: Supply Chain Attacks, 2025
[18] Microsoft Security Response Center, Bulletin MS25-042, April 2025
Executive Summary - June 2025
Overview
The cyberthreat landscape continues to evolve at an unprecedented pace, with email-based attacks increasing between September 2024 and February 2025. Organisations face a perfect storm of AI-enhanced threats, sophisticated social engineering campaigns, and targeted industry-specific attacks that are bypassing traditional security measures with alarming frequency.
Global cybercrime costs are projected to reach trillions annually by 2025, representing a dramatic increase from previous years. This escalation is driven by the democratisation of AI tools, the expansion of attack surfaces through remote work and cloud adoption, and increasingly sophisticated threat actor capabilities.
Key Threat Indicators:
Most phishing emails now exhibit some use of AI
There has been a significant increase in ransomware payloads delivered through email attacks
Attacks from compromised accounts are on the rise
A small but growing percentage of phishing attacks include QR codes, representing a dramatic increase since 2021
Advanced email attacks on financial services have risen year-over-year
Emerging Threat Analysis
AI-Powered Attack Evolution
The integration of artificial intelligence into cybercriminal operations has fundamentally transformed the threat landscape. AI-powered polymorphic phishing campaigns are now present in most phishing attacks, with the vast majority of polymorphic emails showing AI usage. These campaigns create nearly identical emails that differ only by small details, making them extremely difficult for traditional signature-based detection systems to identify.
Generative AI tools enable cybercriminals to craft thousands of highly convincing phishing emails in minutes, often personalised to each victim using data harvested from social media, corporate websites, and previous breaches. The sophistication has reached levels where most adults are unsure of their ability to distinguish AI-cloned voices from authentic communications.
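The polymorphic campaigns described above defeat exact-match signatures because every copy differs by a few tokens. The following is an added example, not code from the original report or its sources: it tokenises constructed sample messages into word bigrams and clusters them by Jaccard similarity, so variants of one lure land in the same group even though their SHA-256 digests all differ. The message texts, ids, and the 0.4 threshold are assumptions chosen for illustration.

```python
"""Near-duplicate clustering for polymorphic phishing variants.

Added example, not code from the original report. Signature-based
filtering hashes each message exactly, so one changed word defeats it.
Tokenising to word bigrams and comparing with Jaccard similarity links
variants of one lure into a single campaign cluster. All sample messages
are constructed for this example.
"""
import hashlib
import re
from itertools import combinations

# Constructed samples: msg-1..msg-3 are variants of one lure, msg-4 is benign.
SAMPLE_EMAILS = {
    "msg-1": ("Hi Dana, your mailbox is almost full. Verify your account "
              "within 24 hours to avoid interruption. Reference 48213."),
    "msg-2": ("Hi Dana, your mailbox is nearly full. Verify your account "
              "within 12 hours to avoid interruption. Reference 91077."),
    "msg-3": ("Hello Dana, your mailbox is almost full. Confirm your account "
              "within 24 hours to avoid any interruption. Ref 55510."),
    "msg-4": "Team lunch is moved to Thursday at noon, same room as last week.",
}


def exact_hash(text: str) -> str:
    """What a signature match compares: any byte change yields a new digest."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def shingles(text: str, k: int = 2) -> set:
    """Word k-grams over lowercase alphabetic tokens. Digits are dropped
    because reference numbers and deadlines are exactly what the sender
    varies between copies."""
    tokens = re.findall(r"[a-z]+", text.lower())
    return {" ".join(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def similarity(a: str, b: str) -> float:
    """Jaccard similarity of the two messages' shingle sets."""
    sa, sb = shingles(a), shingles(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def cluster_emails(emails: dict, threshold: float = 0.4) -> list:
    """Group messages whose pairwise similarity reaches the threshold.
    Links are transitive (union-find), so a chain of small edits still
    ends up in one cluster. Returns sorted lists of message ids."""
    parent = {mid: mid for mid in emails}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(emails, 2):
        if similarity(emails[a], emails[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = {}
    for mid in emails:
        groups.setdefault(find(mid), []).append(mid)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    digests = {exact_hash(t) for t in SAMPLE_EMAILS.values()}
    print("distinct exact hashes:", len(digests))  # one per message: signatures see four unrelated mails
    for group in cluster_emails(SAMPLE_EMAILS):
        print("cluster:", group)
```

Note that msg-2 and msg-3 are individually below the threshold relative to each other; they join the same cluster only through msg-1, which is the behaviour you want when a campaign drifts one edit at a time. In a gateway you would compute shingles once per message and compare against recent cluster representatives rather than all pairs.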
Quishing: The QR Code Threat Revolution
QR code phishing, or "quishing," has emerged as a dominant attack vector, with QR code redemptions projected to reach billions in 2025. This represents billions of opportunities for cybercriminals to exploit unsuspecting users through malicious codes that bypass traditional email security measures.
A small but notable percentage of all scanned QR codes are now malicious, highlighting the scale of this emerging threat. Attackers are employing increasingly sophisticated techniques including coloured backgrounds to evade detection, password-protected attachments, and macro-enabled files that assemble malicious URLs dynamically.
The UK's Action Fraud received a substantial number of reports of quishing in 2024 alone, representing a massive jump from just a handful of reports in 2019. Criminal organisations are targeting high-traffic areas like car parks and restaurants, placing fake QR codes over legitimate signage.
Deepfake and Voice Spoofing Proliferation
Voice-based deepfakes have reached remarkable sophistication levels, with cybercriminals able to capture voice samples from interviews, podcasts, or social media clips and generate convincing audio impersonations. Many adults have experienced or know someone affected by an AI voice cloning scam.
Financial institutions are particularly vulnerable, with attackers using deepfake technology to impersonate executives or trusted clients for fraudulent wire transfers. A recent case involved a major bank being defrauded through a cloned voice of a trusted client.
Industry-Specific Risk Assessment
Financial Services Under Siege
The financial services sector faces unprecedented targeting, with advanced email attacks rising year-over-year. Phishing attacks on financial institutions have increased between April 2024 and April 2025. The sector's susceptibility stems from handling massive volumes of sensitive data, processing large sums in daily transactions, and managing extensive high-net-worth client networks.
Business Email Compromise attacks caused significant losses between 2013 and 2021, with individual incidents averaging substantial damages. Research shows BEC attacks increased as of March 2025, and they are now the second most expensive type of breach by average cost.
Healthcare Vulnerabilities Intensify
The healthcare sector continues to face formidable cybersecurity challenges, with ransomware leading the charge against critical healthcare infrastructure. Nation-state actors have intensified cyber-espionage efforts, targeting sensitive patient data and valuable intellectual property. The proliferation of Internet of Medical Things (IoMT) devices has introduced new vulnerability vectors requiring urgent security adaptations.
Healthcare organisations struggle with legacy systems, unmonitored operational technology, and weak supply chains that cybercriminals exploit to cripple production lines and steal critical data. The sector's reliance on third-party vendors introduces additional cascading vulnerabilities when external system breaches occur.
Manufacturing Industry at Risk
The manufacturing sector is embracing digital transformation and IT/OT convergence, but this evolution creates new attack opportunities for cybercriminals. Legacy systems, unmonitored OT, and weak supply chains are primary targets for attacks designed to halt production lines and steal intellectual property. Key vulnerabilities include unmanaged systems, security blind spots, legacy vulnerabilities, weak segmentation, and poor monitoring of industrial environments. Attackers increasingly exploit web shells, stolen credentials, and phishing tactics to establish long-term access before escalating their operations.
Government Sector Defences Outpaced
Government defences have not kept up with the severe and rapidly evolving cyber threat, with hostile states and criminals developing capabilities faster than anticipated. Risky legacy IT systems comprise a significant portion of the public sector's IT estate, with substantial gaps remaining in understanding the estate's resilience to attack.
By January 2025, many legacy systems had been identified across government, with a significant proportion rated as having high likelihood and impact of risks occurring. However, government does not know the total number of legacy systems in use, highlighting significant visibility gaps.
Attack Vector Trends
Supply Chain Attacks Surge
Supply chain attacks represent one of 2025's most disruptive cybersecurity trends, with cybercriminals increasingly targeting the web of vendors, contractors, and service providers that organisations rely upon. Recent high-profile examples demonstrate the multiplier effect these attacks can achieve.
Attackers are now targeting managed service providers (MSPs), cloud platforms, and open-source libraries, multiplying their impact across multiple organisations simultaneously. The interconnected nature of modern business ecosystems means each new vendor introduces a potential entry point for cyber threats.
Zero-Day Exploitation Continues
Microsoft recently patched a zero-day vulnerability exploited for cyber espionage in March 2025. The vulnerability in Web Distributed Authoring and Versioning (WebDAV) was used to deliver custom espionage tools to defence organisations.
The attack began with a standard shortcut file disguised as a PDF document, demonstrating how attackers manipulate Windows file execution search order to execute malicious code from remote servers. This technique allows threat actors to avoid dropping files directly onto victim computers while evading detection.
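Mail gateways can catch the delivery shape described here without knowing the payload. The following is an added example, not code from the original report or from Microsoft: it classifies attachment records on two signals, a document-looking name that actually ends in .lnk, and a shortcut target or working directory that points somewhere remote (a UNC path or URL) instead of the local disk. Windows reaches WebDAV shares through the same UNC syntax, so the second check covers that vector too. The record fields are what a LNK parser in a gateway would expose; the field names and the sample records are constructed assumptions.

```python
"""Flag shortcut (.lnk) attachments that masquerade as documents.

Added example, not code from the original report. The fields below
(name, target, workdir) are assumed to come from a LNK parser in the
mail pipeline; the records themselves are constructed. Addresses use the
203.0.113.0/24 documentation range.
"""
import re

# Extensions a user would read as "a document".
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")

# UNC paths (including WebDAV shares, which Windows also addresses as \\host\share)
# and URLs: a shortcut whose target lives here runs code fetched from elsewhere.
REMOTE_RE = re.compile(r"^(\\\\|//|https?://)", re.IGNORECASE)

# Constructed attachment records.
SAMPLE_ATTACHMENTS = [
    {"name": "Tender_Response_2025.pdf.lnk",
     "target": r"\\203.0.113.7\public\viewer.exe",
     "workdir": r"\\203.0.113.7\public"},
    {"name": "Q2 Budget.lnk",
     "target": r"C:\Windows\System32\notepad.exe",
     "workdir": r"C:\Users\dana\Documents"},
    {"name": "Proposal.pdf", "target": "", "workdir": ""},
]


def is_shortcut(name: str) -> bool:
    return name.lower().endswith(".lnk")


def has_document_disguise(name: str) -> bool:
    """True for names like report.pdf.lnk: a document extension hidden
    in front of the real .lnk extension (which Explorer hides by default)."""
    stem = name.lower()[:-len(".lnk")]
    return stem.endswith(DOC_EXTS)


def points_remote(att: dict) -> bool:
    return any(REMOTE_RE.match(att.get(key, "") or "") for key in ("target", "workdir"))


def classify(att: dict) -> str:
    """Return a verdict string for one attachment record."""
    if not is_shortcut(att["name"]):
        return "not-a-shortcut"
    reasons = []
    if has_document_disguise(att["name"]):
        reasons.append("document extension before .lnk")
    if points_remote(att):
        reasons.append("target or working directory is remote")
    if reasons:
        return "block: " + "; ".join(reasons)
    # A plain local shortcut is unusual as an attachment but not proof of abuse.
    return "shortcut: review"


def triage(attachments: list) -> dict:
    return {att["name"]: classify(att) for att in attachments}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {verdict}")
```

Many organisations simply block .lnk attachments outright; where that is not possible, the two signals above separate the disguised, remote-pointing case from the occasional legitimate internal shortcut.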
Remote Work Security Challenges
A vast majority of cybersecurity professionals report increased cyber attacks due to remote working. Remote work environments create new vulnerability surfaces through insecure home networks, personal devices lacking robust security controls, and reduced IT oversight.
AI-powered phishing emails targeting remote workers have become highly sophisticated, often personalised to appear as legitimate communications from company leadership or IT departments. The distributed nature of remote workforces makes verification of suspicious communications more challenging.
Threat Actor Analysis
Sophistication Levels Rising
Threat actors are leveraging advanced techniques including response-based social engineering tactics, which comprise the overwhelming majority of unblocked email threats. Only a small fraction of malicious emails reaching user inboxes now deliver malware, indicating that common pre-delivery email defences are effective against malware but far less capable of blocking high-risk threats like BEC and credential phishing.
Adversaries are using simple emails containing phone numbers and QR codes to lure victims into less secure environments where they can be more easily exploited. These multichannel attacks are difficult to detect because emails themselves are basic and lack content typically flagged by filters.
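Because these lures carry no link or executable attachment, URL and attachment scanners pass them; the call to action is a phone number or a QR image, which is also the email-borne form of the quishing described earlier. The following is an added example, not code from the original report or any vendor: a scorer that looks for exactly that shape, an external message with no URL whose only call to action is a phone number or an image attachment, combined with callback vocabulary. The message records, the ORG_DOMAIN value, the term list and the scoring weights are constructed assumptions; in production the features would come from your gateway's parsed message object.

```python
"""Heuristic triage for response-based ("multichannel") lures.

Added example, not code from the original report. Scores messages that
avoid links and files and instead push the victim to a phone line or a
QR code. Sample messages and the org domain are constructed.
"""
import re

ORG_DOMAIN = "example.com"  # assumed: the defending organisation's own domain

# A run of at least 9 digit-ish characters, e.g. "+1 (800) 555-0142".
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")
CALLBACK_TERMS = ("call", "phone", "scan", "qr code", "cancel", "renew",
                  "subscription", "invoice", "within 24 hours", "immediately")

# Constructed samples: m1 is a callback scam, m2 a QR lure, m3/m4 benign.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "billing@example-renewals.test", "attachments": [],
     "body": ("Your annual subscription of $499.99 has been renewed. To cancel or "
              "dispute this charge, call our billing team on +1 (800) 555-0142 "
              "within 24 hours.")},
    {"id": "m2", "from": "hr-notice@payroll-update.test", "attachments": ["qr.png"],
     "body": ("Scan the QR code below to review your updated payroll document. "
              "Action required within 24 hours.")},
    {"id": "m3", "from": "pm@example.com", "attachments": ["roadmap.pptx"],
     "body": ("Hi all, the Q3 roadmap deck is attached, link to the wiki page: "
              "https://wiki.example.com/roadmap. Call me if anything is unclear, ext 4412.")},
    {"id": "m4", "from": "support@shop.example.net", "attachments": [],
     "body": ("Thanks for your order #88213. Track it at https://shop.example.net/track. "
              "Support: +44 20 7946 0958.")},
]


def extract_features(msg: dict) -> dict:
    body = msg["body"]
    lower = body.lower()
    return {
        "has_url": bool(URL_RE.search(body)),
        "has_phone": bool(PHONE_RE.search(body)),
        "has_image_attachment": any(a.lower().endswith(IMAGE_EXTS)
                                    for a in msg.get("attachments", [])),
        "callback_terms": [t for t in CALLBACK_TERMS if t in lower],
        "external_sender": not msg["from"].lower().endswith("@" + ORG_DOMAIN),
    }


def score_message(msg: dict) -> dict:
    """Weights are assumptions for illustration; tune them on your own mail."""
    f = extract_features(msg)
    score = 0
    if not f["has_url"] and f["has_phone"]:
        score += 3  # phone number is the only way to "respond"
    if not f["has_url"] and f["has_image_attachment"]:
        score += 3  # image with no link: the QR-in-picture shape
    score += min(len(f["callback_terms"]), 3)
    if f["external_sender"]:
        score += 1
    return {"score": score, "verdict": "review" if score >= 4 else "ok", "features": f}


def triage(messages: list) -> dict:
    return {m["id"]: score_message(m)["verdict"] for m in messages}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        r = score_message(m)
        print(m["id"], r["score"], r["verdict"], r["features"]["callback_terms"])
```

The point of the two "no URL" conditions is that the absence of a link, which filters treat as a sign of safety, is itself the signal here. Messages that go to review can be routed to a banner ("this sender asks you to call a number") rather than blocked outright, since legitimate vendors also send phone numbers.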
Nation-State Activity Intensification
Nation-state threat actors have intensified their cyber-espionage efforts, particularly targeting healthcare organisations for sensitive patient data and intellectual property. The Stealth Falcon APT group successfully exploited a zero-day to deliver custom espionage tools to defence organisations.
State-sponsored groups are developing capabilities faster than government and private sector defences can adapt, creating significant capability gaps that hostile actors exploit. The use of legitimate, trusted Windows components to carry out attacks helps these groups evade detection while maintaining persistence.
Defensive Recommendations
Immediate Actions Required
Organisations must implement comprehensive email authentication protocols including SPF, DKIM, and DMARC, as major email providers now require these for reliable delivery. Multi-factor authentication should be mandatory for all email accounts, with particular emphasis on high-privilege access accounts.
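Publishing SPF and DMARC records is not the same as having them enforce anything: an SPF record ending in "+all" or "?all" authorises any sender, and DMARC with p=none only reports. The following is an added example, not code from the original report: it parses constructed SPF and DMARC TXT records and lists the weak settings, with a monitoring-only pair beside an enforcing pair. The record strings and addresses are constructed; in production you would fetch the live TXT records with a DNS resolver instead of passing strings in.

```python
"""Grade SPF and DMARC records for weak settings.

Added example, not code from the original report. The records below are
constructed; fetch real ones from DNS (TXT at the domain and at
_dmarc.<domain>) before passing them to these functions.
"""

# Mechanisms and modifiers that cost a DNS lookup under the RFC 7208 limit of 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed records: a monitoring-only pair and an enforcing pair.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"


def assess_spf(record: str) -> list:
    """Return a list of findings; an empty list means no weak setting found."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_term = None
    lookups = 0
    for term in parts[1:]:
        name = term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()
        if name == "all":
            all_term = term if term[0] in "+-~?" else "+" + term
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term == "+all":
        findings.append("'+all' authorises every sender on the internet")
    elif all_term == "?all":
        findings.append("'?all' is neutral: spoofed mail never fails SPF")
    elif all_term == "~all":
        findings.append("'~all' softfail: acceptable only when DMARC enforces")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> dict:
    tags = {}
    for piece in record.split(";"):
        if "=" in piece:
            key, value = piece.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p tag")
    elif policy == "none":
        findings.append("p=none: failures are only reported, never acted on")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so you cannot see who fails")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected")
    return findings


def assess_domain(spf_record: str, dmarc_record: str) -> dict:
    """Combine both checks; 'enforcing' requires an active DMARC policy."""
    policy = parse_dmarc(dmarc_record).get("p", "").lower()
    return {
        "spf": assess_spf(spf_record),
        "dmarc": assess_dmarc(dmarc_record),
        "enforcing": policy in ("quarantine", "reject"),
    }


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess_domain(spf, dmarc))
```

DKIM is deliberately absent from this check: its record is per selector, so there is nothing to assess until you know which selectors the domain signs with; the DMARC aggregate reports that "rua" enables are the practical way to discover them.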
Security awareness training programmes must evolve to address AI-powered threats, including deepfake recognition and QR code verification procedures. Regular phishing simulation exercises using current threat intelligence help identify employees requiring additional training.
Strategic Security Investments
Advanced threat protection solutions with AI-powered detection capabilities are essential for identifying sophisticated attacks that bypass traditional defences. Sandboxing technology for suspicious attachments and behavioural analytics for anomaly detection provide critical layers of protection.
Supply chain risk management programmes must include comprehensive vendor security assessments, continuous monitoring, and incident response coordination. Zero-trust architecture implementation helps minimise the impact of successful initial compromises.
Industry-Specific Measures
Financial services organisations should implement enhanced wire transfer verification procedures, including multi-channel confirmation for high-value transactions. Voice authentication systems should incorporate deepfake detection capabilities to prevent audio impersonation attacks.
Healthcare organisations must prioritise IoMT device security, implementing network segmentation and continuous monitoring for medical device communications. Manufacturing companies should establish robust IT/OT segmentation and implement comprehensive monitoring of industrial control systems.
Conclusion
The June 2025 threat landscape demonstrates unprecedented sophistication in cybercriminal capabilities, driven primarily by AI integration and the expansion of attack surfaces through digital transformation initiatives. Organisations face a critical inflection point where traditional security measures are insufficient against evolving threats that exploit human psychology and technical vulnerabilities simultaneously.
The convergence of AI-powered attacks, supply chain vulnerabilities, and industry-specific targeting creates a complex threat environment requiring comprehensive defensive strategies. Success requires combining advanced technical controls with robust security awareness programmes and industry-specific risk mitigation measures.
Immediate action is essential, as the gap between cyber threat capabilities and organisational defences continues to widen. Organisations that fail to adapt their security postures to address these evolving threats face significant risks of financial loss, operational disruption, and reputational damage.
This report is based on threat intelligence gathered from multiple sources and reflects the current understanding of the cybersecurity landscape as of June 2025. Organisations should implement appropriate security measures based on their specific risk profiles and regulatory requirements.
Cybersecurity Intelligence Direct to Your Inbox
Stay Ahead of Emerging Threats
Subscribe to AMVIA's Threat Intelligence Briefing and receive expert analysis of emerging threats, industry-specific vulnerabilities, and actionable security recommendations.