Cisco Talos have published the findings of its Q2 2025 report, and whilst phishing remains the predominant access method, there has been a clear shift in methodology adopted by cybercriminals with a clear shift moving towards compromised internal or trusted business partner email accounts.
This quarter, 75% of observed phishing attacks originated from compromised internal or trusted business partner email accounts. Many users were tricked into entering their credentials and MFA tokens on sophisticated fake login pages, enabling attackers to steal valuable information for use in further attacks or for sale on underground markets.
New ransomware observations
Ransomware was responsible for 50% of all incidents in Q2. Talos IR observed Qilin and Medusa ransomware for the first time, while also responding to previously seen Chaos ransomware.
In its first encounter with Qilin ransomware, Talos documented previously unseen tools and tactics. The Qilin attack began with stolen credentials, followed by lateral movement using remote access tools. Attackers employed a unique encryptor and new exfiltration techniques, including CyberDuck for data theft and Backblaze for command and control.
They established persistence by creating automated processes to restart the ransomware after reboots and logins, resulting in extensive system damage and requiring a full rebuild and organization-wide password resets.
Talos’ analysis further suggests that the Qilin group may be expanding its affiliate network or accelerating its operations.
Attacks using old scripting language
A concerning trend is the use of the outdated PowerShell v1.0 scripting language in a third of ransomware attacks, taking advantage of its lack of security features such as script logging and antivirus integration. Cisco Talos advises organizations to mandate PowerShell 5.0 or higher to mitigate these risks.
Education sector most targeted
The education sector emerged as the most targeted industry globally in Q2 2025, a significant change from the previous quarter. High levels of ransomware activity were also observed in manufacturing, construction, and public administration.
Multi-factor authentication: enable and monitor
Over 40% of the second quarter’s incidents involved MFA issues, such as misconfiguration, absence, or bypass. Cisco Talos recommends enabling and closely monitoring MFA to prevent misuse and strengthen organizational security.
Fady Younes, Managing Director for Cybersecurity at Cisco Middle East, Africa, Türkiye, Romania and CIS, stated, “Cybercriminals are increasingly exploiting trust, whether through compromised partner accounts, misconfigured security tools, or outdated systems. The latest Talos findings underscore that credentials remain a prime target, and organizations must not only enable multi-factor authentication but also continuously validate and monitor its effectiveness. Building cyber resilience requires a proactive approach where people, processes, and technologies work together to minimize risk and strengthen defenses against evolving threats.”
