RIYADH, SAUDI ARABIA – A new report from Cisco Talos reveals that while phishing attempts declined by 40% in the second quarter of 2025, they remain the leading method for cybercriminals to gain initial access. The report highlights a concerning trend: attackers are increasingly leveraging compromised internal or trusted partner email accounts, which were responsible for 75% of observed phishing attacks. This tactic exploits trust to steal credentials and multi-factor authentication (MFA) tokens.

Ransomware continues to be a major threat, accounting for 50% of all incidents in Q2. New ransomware groups like Qilin and Medusa were observed for the first time, with Qilin attacks showing sophisticated techniques, including the use of outdated scripting languages like PowerShell v1.0 to bypass security features.

The education sector was the most targeted industry globally, while the manufacturing, construction, and public administration sectors also saw high levels of ransomware activity.

MFA remains a critical point of vulnerability, with over 40% of incidents involving misconfiguration or bypass issues. Cisco Talos strongly recommends that organizations not only enable MFA but also continuously monitor and validate its effectiveness.

Fady Younes, Managing Director for Cybersecurity at Cisco Middle East, Africa, Türkiye, Romania and CIS, emphasized the need for a proactive approach. “The latest Talos findings underscore that credentials remain a prime target, and organizations must not only enable multi-factor authentication but also continuously validate and monitor its effectiveness,” he said. “Building cyber resilience requires people, processes, and technologies to work together to minimize risk and strengthen defenses against evolving threats.”