

Monthly Threat Report May 2025
Ransomware, Breaches, and Zero-Days: A Look at April’s Cybersecurity Incidents
Introduction
The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on events from the month of April 2025.
Executive Summary
- Email Authentication Protocols: DMARC, DKIM, and SPF are becoming more necessary in today’s security ecosystem. This month’s report provides some info and resources on these email authentication protocols.
- Exploited OAuth Workflows: Russian threat actors have been using social engineering to trick users into granting long-term, persistent access to M365 accounts via OAuth.
- BreachForums Zero-Day Exploit: A zero-day vulnerability in BreachForums’ MyBB software was exploited, allowing attackers to gain administrative control and exfiltrate user data before the site was taken offline.
- Cobb County, Georgia Ransomware Attack: The Qilin ransomware group targeted Cobb County, Georgia, encrypting critical systems and stealing sensitive data, disrupting county services and prompting federal investigation.
- Marks & Spencer Ransomware Attack: The Scattered Spider ransomware group successfully compromised Marks & Spencer’s internal systems via phishing, encrypting data and exfiltrating customer payment information, disrupting operations.
DMARC, DKIM, and SPF Defense Focus
Email authentication protocols like DMARC, SPF, and DKIM play a crucial role in ensuring the integrity of email communications and protecting organizations from email-based attacks. DMARC (Domain-based Message Authentication, Reporting & Conformance) allows domain owners to specify which mechanisms—such as SPF or DKIM—are used to authenticate their emails, and provides reporting capabilities to monitor and enforce the policy. SPF (Sender Policy Framework) allows domain owners to define which IP addresses are authorized to send emails on their behalf, preventing unauthorized users from sending malicious emails. DKIM (DomainKeys Identified Mail) adds an extra layer of security by allowing senders to attach a cryptographic signature to emails, ensuring that the content has not been tampered with during transit. These protocols work together to combat spoofing and phishing, reducing the chances of malicious emails reaching your users.
By implementing these protocols, organizations can significantly improve their email security posture and protect against common threats such as phishing and business email compromise (BEC). They ensure that emails are verified before being delivered, providing an additional line of defense against attackers who might impersonate legitimate senders. When properly configured, these protocols not only enhance security but also bolster the organization’s reputation, as recipients can trust that emails coming from the domain are legitimate. Failing to implement these protocols, on the other hand, leaves businesses exposed to a higher risk of email fraud and data breaches.
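To make the interplay of the three protocols concrete, the following is an added example (not Hornetsecurity's code) that parses constructed sample SPF, DKIM and DMARC DNS records and computes the DMARC verdict for a message from the SPF and DKIM results a receiving mail server has already produced. The domain names, records and message identifiers are sample values, no live DNS lookups are made, and the organizational-domain logic is deliberately simplified.

```python
"""Added example (not Hornetsecurity's code): parse SPF, DKIM and DMARC DNS
records and compute the DMARC verdict for a message from the SPF/DKIM results
a receiving mail server has already produced. All records, domains and
header values are constructed sample data; nothing is looked up in live DNS."""
from dataclasses import dataclass

# Constructed sample TXT records, keyed by the DNS name that would be queried.
SAMPLE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
}


def parse_tag_value(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DMARC or DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_mechanisms(record: str) -> tuple[list, str]:
    """Return the SPF mechanisms and the qualifier of the final 'all' term
    ('-' hard fail, '~' soft fail, '?' neutral, '+' pass)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], "?"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, body))
    return mechanisms, all_qualifier


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels. Real
    implementations consult the Public Suffix List; this is a simplification."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """SPF and DKIM outcomes the receiving server already established."""
    from_domain: str   # domain of the visible RFC5322.From header
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # MAIL FROM domain that SPF was evaluated against
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the verified DKIM signature, if any


def dmarc_verdict(results: AuthResults, dns: dict = SAMPLE_DNS_TXT) -> dict:
    """Combine SPF/DKIM results with the sender's DMARC policy. A message
    passes if at least one authenticated identifier aligns with the From
    domain; otherwise the published policy (p=) decides what happens to it."""
    record = dns.get(f"_dmarc.{results.from_domain.lower()}")
    if record is None:
        return {"result": "none", "policy": "none", "action": "deliver"}
    tags = parse_tag_value(record)
    policy = tags.get("p", "none")
    spf_ok = results.spf_result == "pass" and aligned(
        results.from_domain, results.spf_domain, tags.get("aspf", "r"))
    dkim_ok = results.dkim_result == "pass" and aligned(
        results.from_domain, results.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "policy": policy, "action": "deliver"}
    action = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
    return {"result": "fail", "policy": policy, "action": action}


if __name__ == "__main__":
    # SPF passed, but for the attacker's own MAIL FROM domain: no alignment, so reject.
    spoofed = AuthResults("example.com", "pass", "attacker.example", "none", "")
    print(dmarc_verdict(spoofed))
```

The point the example makes is that SPF or DKIM passing on its own is not enough: a spoofer can pass SPF for a domain they control while displaying your domain in the From header. DMARC's alignment check ties the authenticated identifier back to the visible From domain, and the `p=` tag tells receivers what to do when that check fails. A policy of `p=none` only yields reports, which is the right starting point for monitoring but offers no protection until it is moved to `quarantine` or `reject`.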
Industry Threat and Incident Overview
Exploited OAuth Workflows to Hijack M365 Accounts
In April 2025, Russian threat actors, identified as UTA0352 and UTA0355, exploited OAuth 2.0 authentication workflows to hijack Microsoft 365 accounts belonging to employees of organizations related to Ukraine and human rights. The attackers initiated contact via Signal or WhatsApp, impersonating European officials or Ukrainian diplomats, and invited targets to private video meetings discussing Ukraine-related affairs. Once communication was established, the adversaries sent malicious OAuth phishing URLs under the pretext of granting access to the video call. These URLs led victims to authorize persistent access to Microsoft 365 accounts, bypassing traditional authentication mechanisms.
Attack Chain Analysis:
- Initial Access: The attackers initiated contact via Signal or WhatsApp, impersonating trusted officials to establish communication.
- Social Engineering: They invited targets to private video meetings, creating a sense of urgency and legitimacy.
- Malicious Link Distribution: Once trust was established, they sent OAuth phishing URLs disguised as access links to the video call.
- OAuth Authorization: Victims were prompted to provide an auth code, granting attackers persistent access to their Microsoft 365 accounts.
- Exploitation: With authorized access, attackers could exfiltrate sensitive information and potentially move laterally within the organization.
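On the defensive side, the persistence in this attack chain comes from the consent the victim grants, so the consent grant itself is the event worth watching. The following is an added example (not Hornetsecurity's code) that scans constructed Microsoft Entra ID audit records for risky OAuth consent grants: unvetted applications, the combination of `offline_access` (which yields a refresh token) with mailbox or file scopes, and tenant-wide consent to unapproved apps. The records are constructed samples in a simplified JSON-lines form; the field names used (activity, user, app_id, app_name, consent_type, scopes) and the approved-application list are assumptions, not the exact audit-log schema.

```python
"""Added example (not Hornetsecurity's code): flag risky OAuth consent grants
in Microsoft Entra ID audit records. The records below are constructed
samples in a simplified form of the audit-log schema; the field names used
(activity, user, app_id, app_name, consent_type, scopes) are assumptions."""
import json

# Scopes that turn a one-time consent into long-lived access. offline_access
# yields a refresh token, which is how the access persists after the session.
PERSISTENCE_SCOPES = {"offline_access"}
DATA_SCOPES = {"mail.read", "mail.readwrite", "mail.send", "files.read.all",
               "files.readwrite.all", "contacts.read", "user.read.all",
               "directory.read.all", "mailboxsettings.readwrite"}

# Constructed allowlist of application (client) IDs the organisation has vetted.
APPROVED_APP_IDS = {"00000000-0000-0000-0000-00000000a11c"}

# Constructed sample audit records, one JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"time": "2025-04-14T09:12:03Z", "activity": "Consent to application", "user": "a.kovalenko@example.org", "app_id": "11111111-2222-3333-4444-555555555555", "app_name": "Secure Meeting Access", "consent_type": "Principal", "scopes": "openid profile offline_access Mail.Read Files.Read.All"}
{"time": "2025-04-14T09:40:11Z", "activity": "Consent to application", "user": "j.doe@example.org", "app_id": "00000000-0000-0000-0000-00000000a11c", "app_name": "Corporate Timesheets", "consent_type": "Principal", "scopes": "openid profile User.Read"}
{"time": "2025-04-15T13:05:27Z", "activity": "Consent to application", "user": "it.admin@example.org", "app_id": "66666666-7777-8888-9999-000000000000", "app_name": "Ticketing Connector", "consent_type": "AllPrincipals", "scopes": "offline_access Directory.Read.All"}
{"time": "2025-04-15T13:06:00Z", "activity": "Update user", "user": "it.admin@example.org"}
"""


def assess_consent(record: dict) -> list:
    """Return the reasons a consent record is risky (empty list = not flagged)."""
    if record.get("activity") != "Consent to application":
        return []
    scopes = {s.lower() for s in record.get("scopes", "").split()}
    approved = record.get("app_id") in APPROVED_APP_IDS
    reasons = []
    if not approved:
        reasons.append("app not on approved list")
    if scopes & PERSISTENCE_SCOPES and scopes & DATA_SCOPES:
        reasons.append("persistent access to data: "
                       + ", ".join(sorted(scopes & DATA_SCOPES)))
    # Tenant-wide (admin) consent to an unvetted app exposes every user at once.
    if record.get("consent_type") == "AllPrincipals" and not approved:
        reasons.append("tenant-wide consent to unapproved app")
    return reasons


def find_risky_consents(log_text: str) -> list:
    """Parse JSON-lines audit records and return the flagged consents."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        reasons = assess_consent(record)
        if reasons:
            findings.append({"time": record["time"], "user": record["user"],
                             "app_name": record["app_name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_risky_consents(SAMPLE_AUDIT_LOG):
        print(finding)
```

Beyond detection, the preventive control is to restrict who can consent in the first place: Entra ID's user consent settings can be configured so that users may not consent to applications (or only to verified publishers with low-impact permissions), with requests routed through the admin consent workflow instead. Reviewing existing consented applications and revoking those that are unrecognised closes the access that earlier grants may have left open.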
BreachForums Zero-Day Exploit
It seems even popular hacking forums are not immune to cyberattacks. In April 2025, the notorious hacking forum BreachForums was compromised by a zero-day exploit targeting an unpatched vulnerability in the forum’s MyBB software. To add to the drama, it’s unknown exactly who is responsible for the incident. While a user by the name Momondo has taken credit, some circles believe the FBI was involved. Whatever the truth is, this incident is important for a few reasons.
- BreachForums is a highly popular site used by threat actors to procure data dumps, which are then used to launch attacks. Despite having been taken down a number of times, the site continues to come back, allowing bad actors to keep buying and selling ill-gotten data dumps.
- Even though BreachForums is a hacking forum, the breach is a reminder to security teams of one thing: don’t forget to include public-facing or legacy software in your patching process. Sooner or later, the bad actors will stop attacking each other and business as usual will resume.
Cobb County, Georgia Ransomware Attack
On April 28, 2025, Cobb County, Georgia, became the target of a cyberattack by the Qilin ransomware group. While not officially confirmed, officials have stated that several individuals have been directly impacted with their data being leaked. Qilin claims to have 400,000 documents ready to publish unless they are paid. This follows the standard double-extortion playbook that so many threat-actor groups follow. The stolen data allegedly contains:
- Autopsy Photos
- Driver’s licenses (and the associated information)
- Social Security Cards
While this is a smaller-scale local incident, it’s worth bringing up to reinforce the fact that just because you’re not an international megacorp doesn’t mean you can’t be a target. Many smaller organizations become lax, thinking they are too small to be targeted. Sadly, many find out the hard way.
Marks & Spencer Ransomware Attack
In late April, UK-based retailer Marks & Spencer (M&S) was targeted by the Scattered Spider ransomware group (also known as Octo Tempest). The initial entry vector has not been reported, but Bleeping Computer reports that attackers were in M&S systems as early as February. What is notable here is that the NTDS.dit file was lifted from company domain controllers. From there, attackers moved laterally through the environment until ultimately installing DragonForce Encryptor on the organization’s ESXi hosts, targeting VMs directly.
The retail sector continues to be a highly targeted industry, not just for the finances of a given organization but for the personal data of its customers as well.
Predictions for the Coming Months
Given that the attacks we continue to see make heavy use of on-premises resources as well as the human element, it is our prediction that both of the items below will remain a focal point for the industry for some time.
Cloud-Based Backup and Recovery Solutions Will Continue to Grow
With ransomware attacks targeting traditional on-premises backup systems, organizations will accelerate the adoption of cloud-native backup solutions. These solutions offer greater resilience with immutable storage, enabling faster recovery and reducing reliance on potentially compromised on-site backups.
Security Awareness Training Will Continue to Evolve for the Modern Workforce
Security awareness training will shift from occasional sessions to continuous, interactive programs. Organizations will implement regular phishing simulations and real-time threat intelligence sharing, ensuring employees stay informed about the latest attack tactics and reinforcing a culture of vigilance against cyber threats.
Monthly Recommendations
Given the current threat landscape and the types of attacks that are taking place, below are our recommendations for this month:
- Secure Access to Domain Controllers: Given what happened to M&S, it’s worth taking a look at the security of any on-premises domain controllers at this point in time. In the cloud era, domain controllers have become somewhat neglected in some organizations. DCs that go unsecured are an incident waiting to happen and a gold mine for threat actors. Reviewing your security posture for these systems regularly should be near the top of your list.
- Monitor & Manage Known Vulnerabilities: Regularly conduct security scans to identify and patch zero-day vulnerabilities in all software, especially any public-facing services. If a vulnerability does not yet have a fix, apply appropriate security mitigations.
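One concrete check that follows from the M&S incident and the domain controller recommendation above is to alert whenever the Active Directory database file is touched by anything other than the directory service itself. The following is an added example (not Hornetsecurity's code) that runs such a detection over constructed Windows Security events. Event IDs 4663 (file system object access) and 4688 (process creation) are the real Windows event IDs, but the one-line key=value rendering of their fields used here is a simplified, constructed format rather than the native EVTX/XML layout, and the hostnames, users, paths and the allowlist of expected processes are sample values.

```python
"""Added example (not Hornetsecurity's code): flag access to the Active
Directory database file (ntds.dit) on a domain controller from Windows
Security events. Event IDs 4663 (file system object access) and 4688 (process
creation) are the real Windows IDs, but the one-line key=value rendering of
their fields used here is a constructed, simplified format rather than the
native EVTX/XML layout, and the hosts, users and paths are sample values."""
import re
from typing import Optional

# Processes expected to hold ntds.dit open on a healthy domain controller.
# lsass.exe hosts the directory service; add vetted backup agents after review.
EXPECTED_ACCESSORS = {r"c:\windows\system32\lsass.exe"}

# Constructed sample events, one per line.
SAMPLE_EVENTS = r"""
EventID=4663 Computer=DC01.example.local SubjectUserName=SYSTEM ObjectName=C:\Windows\NTDS\ntds.dit ProcessName=C:\Windows\System32\lsass.exe AccessMask=0x6
EventID=4663 Computer=DC01.example.local SubjectUserName=svc-backup ObjectName=C:\Windows\NTDS\ntds.dit ProcessName=C:\Program Files\BackupAgent\agent.exe AccessMask=0x1
EventID=4663 Computer=DC01.example.local SubjectUserName=jsmith ObjectName=C:\Windows\NTDS\ntds.dit ProcessName=C:\Windows\System32\cmd.exe AccessMask=0x1
EventID=4688 Computer=DC01.example.local SubjectUserName=jsmith NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -c Get-Item C:\Windows\NTDS\ntds.dit
EventID=4688 Computer=DC01.example.local SubjectUserName=SYSTEM NewProcessName=C:\Windows\System32\svchost.exe CommandLine=svchost.exe -k netsvcs
"""

# A value runs until the next ' Key=' token, so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; values may contain spaces."""
    return {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(line)}


def assess_event(event: dict) -> Optional[str]:
    """Return a reason string if the event is suspicious, else None."""
    event_id = event.get("EventID")
    if event_id == "4663" and event.get("ObjectName", "").lower().endswith("ntds.dit"):
        process = event.get("ProcessName", "").lower()
        if process not in EXPECTED_ACCESSORS:
            return f"ntds.dit opened by unexpected process {process}"
    if event_id == "4688" and "ntds.dit" in event.get("CommandLine", "").lower():
        return f"command line references ntds.dit: {event.get('CommandLine')}"
    return None


def find_ntds_alerts(log_text: str) -> list:
    """Parse all events and return an alert for each suspicious one."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reason = assess_event(event)
        if reason:
            alerts.append({"computer": event.get("Computer"),
                           "user": event.get("SubjectUserName"),
                           "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_ntds_alerts(SAMPLE_EVENTS):
        print(alert)
```

Two prerequisites make this detection work on a real domain controller: 4663 events are only generated when "Audit File System" is enabled and a SACL is set on the NTDS folder, and 4688 events only carry the command line when the "Include command line in process creation events" policy is turned on. The backup agent in the sample trips the rule on purpose; a legitimate agent should be added to the allowlist only after its access pattern has been reviewed, because an attacker abusing a backup tool looks the same in the log as the tool itself.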
About Hornetsecurity
Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 125,000 customers.