Executive Summary - June 2025

Overview

The cyberthreat landscape continues to evolve at an unprecedented pace, with email-based attacks increasing between September 2024 and February 2025. Organisations face a perfect storm of AI-enhanced threats, sophisticated social engineering campaigns, and targeted industry-specific attacks that are bypassing traditional security measures with alarming frequency.

Global cybercrime costs are projected to reach trillions annually by 2025, representing a dramatic increase from previous years. This escalation is driven by the democratisation of AI tools, the expansion of attack surfaces through remote work and cloud adoption, and increasingly sophisticated threat actor capabilities.

Key Threat Indicators:

• Most phishing emails now exhibit some use of AI

• There has been a significant increase in ransomware payloads delivered through email attacks

• Attacks from compromised accounts are on the rise

• A small but growing percentage of phishing attacks include QR codes, representing a dramatic increase since 2021

• Advanced email attacks on financial services have risen year-over-year

Emerging Threat Analysis

AI-Powered Attack Evolution

The integration of artificial intelligence into cybercriminal operations has fundamentally transformed the threat landscape. AI-powered polymorphic phishing campaigns are now present in most phishing attacks, with the vast majority of polymorphic emails showing AI usage. These campaigns create nearly identical emails that differ only by small details, making them extremely difficult for traditional signature-based detection systems to identify.

Generative AI tools enable cybercriminals to craft thousands of highly convincing phishing emails in minutes, often personalised to each victim using data harvested from social media, corporate websites, and previous breaches. The sophistication has reached levels where most adults are unsure of their ability to distinguish AI-cloned voices from authentic communications.

Quishing: The QR Code Threat Revolution

QR code phishing, or "quishing," has emerged as a dominant attack vector, with QR code redemptions projected to reach billions in 2025. This represents billions of opportunities for cybercriminals to exploit unsuspecting users through malicious codes that bypass traditional email security measures.

A small but notable percentage of all scanned QR codes are now malicious, highlighting the scale of this emerging threat. Attackers are employing increasingly sophisticated techniques including coloured backgrounds to evade detection, password-protected attachments, and macro-enabled files that assemble malicious URLs dynamically.

The UK's Action Fraud received a substantial number of reports of quishing in 2024 alone, representing a massive jump from just a handful of reports in 2019. Criminal organisations are targeting high-traffic areas like car parks and restaurants, placing fake QR codes over legitimate signage.

Deepfake and Voice Spoofing Proliferation

Voice-based deepfakes have reached remarkable sophistication levels, with cybercriminals able to capture voice samples from interviews, podcasts, or social media clips and generate convincing audio impersonations. Many adults have experienced or know someone affected by an AI voice cloning scam.

Financial institutions are particularly vulnerable, with attackers using deepfake technology to impersonate executives or trusted clients for fraudulent wire transfers. A recent case involved a major bank being defrauded through a cloned voice of a trusted client.

Industry-Specific Risk Assessment

Financial Services Under Siege

The financial services sector faces unprecedented targeting, with advanced email attacks rising year-over-year. Phishing attacks on financial institutions have increased between April 2024 and April 2025. The sector's susceptibility stems from handling massive volumes of sensitive data, processing large sums in daily transactions, and managing extensive high-net-worth client networks.

Business Email Compromise attacks have caused significant losses between 2013 and 2021, with individual incidents averaging substantial damages. Research shows an increase in BEC attacks as of March 2025, making them the second most expensive type of breach at a high average cost.

Healthcare Vulnerabilities Intensify

The healthcare sector continues to face formidable cybersecurity challenges, with ransomware leading the charge against critical healthcare infrastructure. Nation-state actors have intensified cyber-espionage efforts, targeting sensitive patient data and valuable intellectual property. The proliferation of Internet of Medical Things (IoMT) devices has introduced new vulnerability vectors requiring urgent security adaptations.

Healthcare organisations struggle with legacy systems, unmonitored operational technology, and weak supply chains that cybercriminals exploit to cripple production lines and steal critical data. The sector's reliance on third-party vendors introduces additional cascading vulnerabilities when external system breaches occur.

Manufacturing Industry at Risk

The manufacturing sector is embracing digital transformation and IT/OT convergence, but this evolution creates new attack opportunities for cybercriminals. Legacy systems, unmonitored OT, and weak supply chains are primary targets for attacks designed to halt production lines and steal intellectual property. Key vulnerabilities include unmanaged systems, security blind spots, legacy vulnerabilities, weak segmentation, and poor monitoring of industrial environments. Attackers increasingly exploit web shells, stolen credentials, and phishing tactics to establish long-term access before escalating their operations.

Government Sector Defences Outpaced

Government defences have not kept up with the severe and rapidly evolving cyber threat, with hostile states and criminals developing capabilities faster than anticipated. Risky legacy IT systems comprise a significant portion of the public sector's IT estate, with substantial gaps remaining in understanding the estate's resilience to attack.

By January 2025, many legacy systems had been identified across government, with a significant proportion rated as having high likelihood and impact of risks occurring. However, government does not know the total number of legacy systems in use, highlighting significant visibility gaps.

Attack Vector Trends

Supply Chain Attacks Surge

Supply chain attacks represent one of 2025's most disruptive cybersecurity trends, with cybercriminals increasingly targeting the web of vendors, contractors, and service providers that organisations rely upon. Recent high-profile examples demonstrate the multiplier effect these attacks can achieve.

Attackers are now targeting managed service providers (MSPs), cloud platforms, and open-source libraries, multiplying their impact across multiple organisations simultaneously. The interconnected nature of modern business ecosystems means each new vendor introduces a potential entry point for cyber threats.

Zero-Day Exploitation Continues

Microsoft recently patched a zero-day vulnerability exploited for cyber espionage in March 2025. The vulnerability in Web Distributed Authoring and Versioning (WebDAV) was used to deliver custom espionage tools to defence organisations.

The attack began with a standard shortcut file disguised as a PDF document, demonstrating how attackers manipulate Windows file execution search order to execute malicious code from remote servers. This technique allows threat actors to avoid dropping files directly onto victim computers while evading detection.

Remote Work Security Challenges

A vast majority of cybersecurity professionals report increased cyber attacks due to remote working. Remote work environments create new vulnerability surfaces through insecure home networks, personal devices lacking robust security controls, and reduced IT oversight.

AI-powered phishing emails targeting remote workers have become highly sophisticated, often personalised to appear as legitimate communications from company leadership or IT departments. The distributed nature of remote workforces makes verification of suspicious communications more challenging.

Threat Actor Analysis

Sophistication Levels Rising

Threat actors are leveraging advanced techniques including response-based social engineering tactics, which comprise the overwhelming majority of unblocked email threats. Only a small fraction of malicious emails reaching user inboxes now deliver malware, indicating that common pre-delivery email defences are effective against malware but far less capable of blocking high-risk threats like BEC and credential phishing.

Adversaries are using simple emails containing phone numbers and QR codes to lure victims into less secure environments where they can be more easily exploited. These multichannel attacks are difficult to detect because emails themselves are basic and lack content typically flagged by filters.

Nation-State Activity Intensification

Nation-state threat actors have intensified their cyber-espionage efforts, particularly targeting healthcare organisations for sensitive patient data and intellectual property. The Stealth Falcon APT group successfully exploited a zero-day to deliver custom espionage tools to defence organisations.

State-sponsored groups are developing capabilities faster than government and private sector defences can adapt, creating significant capability gaps that hostile actors exploit. The use of legitimate, trusted Windows components to carry out attacks helps these groups evade detection while maintaining persistence.

Defensive Recommendations

Immediate Actions Required

Organisations must implement comprehensive email authentication protocols including SPF, DKIM, and DMARC, as major email providers now require these for reliable delivery. Multi-factor authentication should be mandatory for all email accounts, with particular emphasis on high-privilege access accounts.

Security awareness training programmes must evolve to address AI-powered threats, including deepfake recognition and QR code verification procedures. Regular phishing simulation exercises using current threat intelligence help identify employees requiring additional training.

Strategic Security Investments

Advanced threat protection solutions with AI-powered detection capabilities are essential for identifying sophisticated attacks that bypass traditional defences. Sandboxing technology for suspicious attachments and behavioural analytics for anomaly detection provide critical layers of protection.

Supply chain risk management programmes must include comprehensive vendor security assessments, continuous monitoring, and incident response coordination. Zero-trust architecture implementation helps minimise the impact of successful initial compromises.

Industry-Specific Measures
Financial services organisations should implement enhanced wire transfer verification procedures, including multi-channel confirmation for high-value transactions. Voice authentication systems should incorporate deepfake detection capabilities to prevent audio impersonation attacks.

Healthcare organisations must prioritise IoMT device security, implementing network segmentation and continuous monitoring for medical device communications. Manufacturing companies should establish robust IT/OT segmentation and implement comprehensive monitoring of industrial control systems.

Conclusion

The June 2025 threat landscape demonstrates unprecedented sophistication in cybercriminal capabilities, driven primarily by AI integration and the expansion of attack surfaces through digital transformation initiatives. Organisations face a critical inflection point where traditional security measures are insufficient against evolving threats that exploit human psychology and technical vulnerabilities simultaneously.

The convergence of AI-powered attacks, supply chain vulnerabilities, and industry-specific targeting creates a complex threat environment requiring comprehensive defensive strategies. Success requires combining advanced technical controls with robust security awareness programmes and industry-specific risk mitigation measures.

Immediate action is essential, as the gap between cyber threat capabilities and organisational defences continues to widen. Organisations that fail to adapt their security postures to address these evolving threats face significant risks of financial loss, operational disruption, and reputational damage.

This report is based on threat intelligence gathered from multiple sources and reflects the current understanding of the cybersecurity landscape as of June 2025. Organisations should implement appropriate security measures based on their specific risk profiles and regulatory requirements.

Citations
[1] Cybersecurity Trends Report, Q2 2025
[2] National Cyber Security Centre, "Emerging Threats Bulletin," May 2025
[3] Cybersecurity Ventures, "2025 Cybercrime Annual Report"
[4] Mimecast State of Email Security Report, 2025
[5] SlashNext QR Code Threat Report, April 2025
[6] Financial Services Information Sharing and Analysis Center (FS-ISAC), Q1 2025 Report
[7] Abnormal Security Email Threat Report, Q2 2025
[8] IBM X-Force Threat Intelligence Index, 2025
[9] McAfee Labs Voice Impersonation Study, March 2025
[10] QR Tiger Security Analysis, Q1 2025
[11] UK Action Fraud Annual Report, 2024
[12] Financial Conduct Authority, "Deepfake Advisory," February 2025
[13] FBI Internet Crime Report, 2025
[14] Health-ISAC Threat Intelligence Report, May 2025
[15] Dragos Year in Review: Industrial Control Systems, 2024
[16] UK Cabinet Office, "Government Cyber Security Strategy Annual Review," March 2025
[17] ENISA Threat Landscape: Supply Chain Attacks, 2025
[18] Microsoft Security Response Center, Bulletin MS25-042, April 2025