15/12/2025

Quarterly Threat Report: Q4 2025 Round Up


Cyber threats surged again this quarter, hitting UK organisations hard across government, IT services, education, retail, and manufacturing. Attackers leaned heavily on AI, crafting convincing phishing emails, automating vulnerability scans, and impersonating senior staff. At the same time, cloud-targeted and hybrid ransomware attacks continued to rise.

The Microsoft Digital Defence Report 2025 highlights this shift:

  • Phishing-resistant MFA now blocks over 99% of unauthorised access attempts.
  • AI-driven phishing achieved a 54% click rate – nearly five times higher than traditional emails.

As we closed out 2025, these trends played out in real time across several high-impact UK incidents.

Major Cyber Incidents: October – December 2025

1. Heathrow Airport – Credential Theft & Operational Disruption

What happened: In late November, attackers used stolen privileged credentials, harvested via an infostealer, to access Heathrow’s internal employee portal. They attempted to disrupt logistics and scheduling systems supporting luggage routing and staff rostering.

Impact:

  • Delays across Terminals 2 and 5
  • Disruption to staff scheduling and baggage handling
  • Temporary switch to manual processes
  • Increased scrutiny of identity controls
  • No passenger data reported stolen

Why it matters: Airports remain prime targets for attackers seeking operational chaos rather than data theft. No exploit was needed here: a single set of stolen privileged credentials was enough to disrupt critical infrastructure within hours.

2. UK Local Councils – AI-Driven Phishing Wave

What happened: Multiple councils across England and Scotland faced a coordinated phishing campaign using AI-generated emails. Attackers impersonated contractors and legal partners using stolen supplier data.

Impact:

  • Compromised council inboxes
  • Exposure of sensitive resident data
  • Fraudulent payment redirection attempts
  • Significant recovery costs

Why it matters: Attackers exploited the partner ecosystem, not just councils. With 28% of breaches starting with phishing, UK public-sector bodies remain top global targets.

3. UK Manufacturing Firm – Hybrid Ransomware Attack

What happened: A major UK engineering firm suffered a ransomware attack that began on legacy on-prem servers and spread into Azure. Attackers exploited exposed remote services and deployed a hybrid payload to encrypt backups across cloud and on-premise environments.

Impact:

  • Production halted for three days
  • R&D files encrypted
  • Aerospace and automotive supply chain delays
  • Losses exceeding £6 million
  • Recovery complicated by cloud deletion attempts

Why it matters: Cloud-targeting ransomware is up 87% globally. Manufacturing remains one of the hardest-hit sectors.

4. University of Manchester – Nation-State Credential Harvesting

What happened: Credential-harvesting attempts targeted research networks linked to health science and advanced materials. The techniques matched those of known nation-state actors.

Impact:

  • Temporary shutdown of research clusters
  • Compromised academic accounts
  • Attempts to access grant proposals and research data

Why it matters: UK research is a strategic target. Nation-state actors seek intellectual property and emerging technologies.

5. UK Retail & Finance – Holiday Deepfake Fraud Surge

What happened: During Black Friday and Christmas, attackers used AI-generated voice and video deepfakes to impersonate executives and request urgent payments.

Impact:

  • Fraudulent transfers at mid-market retailers
  • Brand impersonation via cloned websites
  • HR targeted with malware-laced documents
  • Surge in virtual credit card fraud

Why it matters: Deepfakes erode trust in internal processes. Traditional safeguards like email approval chains are no longer enough; a payment request that arrives by voice or video call needs out-of-band verification through a channel the requester did not initiate, such as a call back to a known number.

Key Trends from Q4 2025

  • Infostealers drive breaches: 51% of infections were linked to Lumma Stealer, and the harvested credentials feed credential-stuffing and MFA fatigue attacks.
  • Supply chain risk rising: Compromised suppliers and shared cloud access featured in most incidents.
  • Cloud disruption as a primary target: Attackers aim to delete or corrupt infrastructure, not just encrypt data.
  • AI embedded in every stage: From phishing and deepfakes to vulnerability scanning and malware scripting.
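The first trend above (infostealer-harvested credentials feeding credential-based attacks) and the later recommendation to monitor for behavioural anomalies come down to the same detection problem: spotting one source working through many accounts, and one account being hammered with MFA prompts until someone taps "approve". The script below is an added example for this report, not code from the report or from any vendor. It runs two sliding-window checks over a constructed JSON-lines sign-in log; the field names (ts, user, ip, result), the result values and the thresholds are assumptions chosen for illustration and should be tuned to your own identity provider's export format and baseline.

```python
"""Flag password-spray and MFA-fatigue patterns in sign-in logs.
Added example, not the report's code. Log format, result values and
thresholds are assumptions."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

SPRAY_WINDOW = timedelta(minutes=10)   # one source, many accounts
SPRAY_MIN_USERS = 5
FATIGUE_WINDOW = timedelta(minutes=5)  # one account, repeated pushes
FATIGUE_MIN_PROMPTS = 3
REJECTED = {"mfa_denied", "mfa_timeout"}

# Constructed sample (TEST-NET addresses): 203.0.113.7 sprays five accounts
# and lands dave's password; grace is pushed three times and then approves;
# henry times out once and approves, which is ordinary behaviour.
SAMPLE_LOG = """\
{"ts":"2025-12-01T09:00:05Z","user":"alice","ip":"203.0.113.7","result":"password_failed"}
{"ts":"2025-12-01T09:00:41Z","user":"bob","ip":"203.0.113.7","result":"password_failed"}
{"ts":"2025-12-01T09:01:17Z","user":"carol","ip":"203.0.113.7","result":"password_failed"}
{"ts":"2025-12-01T09:01:58Z","user":"dave","ip":"203.0.113.7","result":"password_failed"}
{"ts":"2025-12-01T09:02:33Z","user":"erin","ip":"203.0.113.7","result":"password_failed"}
{"ts":"2025-12-01T09:05:00Z","user":"dave","ip":"203.0.113.7","result":"password_ok"}
{"ts":"2025-12-01T11:00:00Z","user":"grace","ip":"203.0.113.9","result":"mfa_denied"}
{"ts":"2025-12-01T11:00:45Z","user":"grace","ip":"203.0.113.9","result":"mfa_timeout"}
{"ts":"2025-12-01T11:01:30Z","user":"grace","ip":"203.0.113.9","result":"mfa_denied"}
{"ts":"2025-12-01T11:02:10Z","user":"grace","ip":"203.0.113.9","result":"mfa_approved"}
{"ts":"2025-12-01T14:10:00Z","user":"henry","ip":"198.51.100.4","result":"mfa_timeout"}
{"ts":"2025-12-01T14:11:00Z","user":"henry","ip":"198.51.100.4","result":"mfa_approved"}
"""


def parse(text):
    """JSON-lines sign-in records, time-sorted, with 'ts' as a datetime."""
    events = [json.loads(l) for l in text.splitlines() if l.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events):
    """One IP failing passwords for SPRAY_MIN_USERS distinct accounts within
    SPRAY_WINDOW. A later password_ok from that IP for a sprayed account is
    reported under 'compromised': the spray found a working password."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "password_failed":
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, fails in by_ip.items():
        window, hit = deque(), None
        for e in fails:                      # already time-sorted
            window.append(e)
            while e["ts"] - window[0]["ts"] > SPRAY_WINDOW:
                window.popleft()
            users = {w["user"] for w in window}
            if len(users) >= SPRAY_MIN_USERS:
                hit = hit or {"type": "password_spray", "ip": ip,
                              "start": window[0]["ts"], "users": set()}
                hit["users"] |= users
        if hit:
            hit["compromised"] = sorted({
                s["user"] for s in events if s["ip"] == ip
                and s["result"] == "password_ok"
                and s["user"] in hit["users"] and s["ts"] >= hit["start"]})
            hit["users"] = sorted(hit["users"])
            hit["start"] = hit["start"].isoformat()
            alerts.append(hit)
    return alerts


def detect_mfa_fatigue(events):
    """One account rejecting or ignoring FATIGUE_MIN_PROMPTS pushes within
    FATIGUE_WINDOW. An approval right after that run is the bad outcome."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] in REJECTED | {"mfa_approved"}:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        window, alert = deque(), None
        for e in evs:
            if e["result"] in REJECTED:
                window.append(e)
                while e["ts"] - window[0]["ts"] > FATIGUE_WINDOW:
                    window.popleft()
                if len(window) >= FATIGUE_MIN_PROMPTS:
                    alert = alert or {"type": "mfa_fatigue", "user": user,
                                      "start": window[0]["ts"].isoformat(),
                                      "approved": False}
                    alert["prompts"] = max(alert.get("prompts", 0), len(window))
            elif alert and window and e["ts"] - window[-1]["ts"] <= FATIGUE_WINDOW:
                alert["approved"] = True     # push accepted after the barrage
                alert["approved_at"] = e["ts"].isoformat()
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for alert in detect_password_spray(events) + detect_mfa_fatigue(events):
        print(json.dumps(alert))
```

On the sample, the spray check returns one alert for 203.0.113.7 naming dave as compromised, and the fatigue check returns one alert for grace with three prompts and approved set to true; henry's single timeout never reaches the threshold. The "approved after the barrage" flag is the one worth paging on, since it marks an account the attacker now holds a session for.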

Recommendations for UK Organisations

Strengthen supplier security

  • Require MFA and breach-notification clauses in supplier contracts
  • Treat suppliers as part of your risk surface

Enhance staff awareness

  • Train teams to spot deepfakes
  • Run AI-based phishing simulations

Improve access controls

  • Deploy phishing-resistant MFA everywhere
  • Disable legacy authentication methods, which bypass MFA entirely

Segment critical systems

  • Separate production and user networks
  • Monitor for behavioural anomalies

Prepare for operational disruption

  • Update continuity plans with cyber scenarios
  • Test restore processes and keep immutable backups

Act now to protect your organisation

Q4 has shown that UK businesses can no longer rely on reactive cyber security. AI-driven threats, credential theft and cloud disruption are becoming the norm, and without strong, multi-layered security the impact can be severe.

We’re here to help you build resilience. Our Managed Cyber Security services provide round-the-clock protection, rapid detection, and clear, approachable guidance tailored to the way you work.

If you’d like to understand your risk exposure or strengthen your defences for 2026, we offer free consultations to help you prioritise what matters and take practical steps forward.
