Cyber Chronicle

TRENDS, THREATS & TACTICS FOR CYBER CERTAINTY

BY DANIEL TOBOK

August 2025

NEW ALL-TIME RECORD LEVELS OF CYBER THREAT AND CONCERN: Global Trends & Threat Levels At An All-Time High

SCATTERED SPIDER TARGETS AVIATION: Social Engineering Crisis Demands Immediate Cyber Certainty™

  • Tech firms warn ‘Scattered Spider’ hacks are targeting aviation sector

    Hackers from the Scattered Spider group are actively targeting the aviation sector with sophisticated social engineering attacks, including SIM swapping, to steal employee credentials and gain unauthorized access to critical systems. Cybersecurity experts warn that the aviation industry’s complex supply chains and legacy systems make it especially vulnerable, and urge immediate improvements in identity controls and phishing-resistant multi-factor authentication.

My thoughts

  • As I see it, the Scattered Spider campaign against the aviation industry is a stark reminder that threat actors are becoming more calculated and deliberate, choosing industries where a breach or disruption causes not only financial chaos but also widespread operational and societal consequences. The aviation sector’s interdependencies, from airlines to airport operators and critical suppliers, make it an especially attractive target for these sophisticated threat actors. What concerns me most is that social engineering, not a technical vulnerability, continues to be the primary vector. By impersonating IT staff, performing SIM swaps, and manipulating multi-factor authentication enrollment and reset processes, threat actors exploit human psychology and outdated identity controls to turn the very people meant to protect organizations into unwitting accomplices in breaches. This highlights a glaring gap: many organizations still underestimate deception-based attacks compared to purely technical exploits.

What can we do?

  • We must proactively adopt a mindset of Cyber Certainty™, which begins with acknowledging that social engineering is not a peripheral issue; it is often the main attack path. To build this certainty, organizations should deploy phishing-resistant multi-factor authentication such as FIDO2 security keys or passkeys. Because the credential is cryptographically bound to the legitimate site’s origin, it cannot be SIM-swapped, and unlike a one-time code or push approval it cannot be harvested by a lookalike login page and relayed to the real one. It is equally important to continuously train and test employees through simulated social engineering scenarios that evolve alongside the tactics threat actors actually use, including voice and IT-staff impersonation rather than email alone; annual checkbox exercises are not enough. Enforcing a zero trust architecture ensures every user and device is continuously authenticated, authorized and monitored, particularly when accessing sensitive systems or data. Organizations must also strengthen vendor and third-party security assessments, recognizing that aviation supply chains involve numerous contractors who can become the weakest link. Finally, real-time threat intelligence is essential to anticipate and adapt defenses against evolving social engineering techniques, keeping organizations informed and prepared to stay ahead of adversaries.
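To make the phishing-resistance point concrete, here is an added example (my own illustration, not code from the newsletter or from any FIDO implementation) that simulates an adversary-in-the-middle proxy relaying a login through a lookalike site. It shows why an origin-bound passkey assertion is rejected while a relayed TOTP code is accepted. The domains are hypothetical, and the authenticator’s asymmetric signature over WebAuthn clientDataJSON is stood in for by an HMAC that the relying party can also compute; that shortcut keeps the example self-contained but is not how the real protocol manages keys.

```python
"""Why origin-bound MFA (FIDO2 keys, passkeys) survives relay phishing and
one-time passwords do not. Added illustration; simplified key handling."""
import hashlib
import hmac
import os
import struct
import time

LEGIT_ORIGIN = "https://sso.example-airline.test"   # hypothetical relying party
PHISH_ORIGIN = "https://sso.example-air1ine.test"   # hypothetical lookalike


class Authenticator:
    """Stand-in for a security key or passkey. It signs the challenge together
    with the origin the *browser* reports, so a user cannot be talked into
    producing a signature that is valid for a different site."""

    def __init__(self):
        self.key = os.urandom(32)           # stands in for the private key

    def sign(self, challenge: bytes, origin: str) -> bytes:
        client_data = hashlib.sha256(challenge + origin.encode()).digest()
        return hmac.new(self.key, client_data, hashlib.sha256).digest()


class RelyingParty:
    """Verifies assertions. The origin comparison is the phishing-resistant step."""

    def __init__(self, expected_origin: str, authenticator_key: bytes):
        self.expected_origin = expected_origin
        self.key = authenticator_key        # simplification: shared with the authenticator
        self.pending = set()

    def new_challenge(self) -> bytes:
        c = os.urandom(32)
        self.pending.add(c)
        return c

    def verify(self, challenge: bytes, origin: str, signature: bytes) -> bool:
        if challenge not in self.pending or origin != self.expected_origin:
            return False
        client_data = hashlib.sha256(challenge + origin.encode()).digest()
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        self.pending.discard(challenge)     # challenges are single use
        return True


def legitimate_passkey_login() -> bool:
    authn = Authenticator()
    rp = RelyingParty(LEGIT_ORIGIN, authn.key)
    challenge = rp.new_challenge()
    return rp.verify(challenge, LEGIT_ORIGIN, authn.sign(challenge, LEGIT_ORIGIN))


def relay_phish_against_passkey() -> bool:
    """Proxy fetches a real challenge, shows it on the lookalike origin and
    forwards whatever the victim's authenticator signs. True only if the
    relying party accepts, which it must not."""
    authn = Authenticator()
    rp = RelyingParty(LEGIT_ORIGIN, authn.key)
    challenge = rp.new_challenge()
    sig = authn.sign(challenge, PHISH_ORIGIN)   # browser binds the origin it really loaded
    # Forwarding with the real origin: signature no longer matches.
    # Forwarding with the lookalike origin: origin check fails.
    return rp.verify(challenge, LEGIT_ORIGIN, sig) or rp.verify(challenge, PHISH_ORIGIN, sig)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits): the code SIM swaps and phishing pages harvest."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"


def relay_phish_against_totp(now=None) -> bool:
    """The lookalike page asks for the 6-digit code and forwards it within the
    30-second window. Nothing ties the code to an origin, so it is accepted."""
    now = int(time.time()) if now is None else now
    secret = os.urandom(20)
    code_typed_into_phish_page = totp(secret, now)
    return hmac.compare_digest(code_typed_into_phish_page, totp(secret, now))


if __name__ == "__main__":
    print("passkey, legitimate login:", legitimate_passkey_login())
    print("passkey, relayed through lookalike:", relay_phish_against_passkey())
    print("TOTP, relayed through lookalike:", relay_phish_against_totp())
```

The same property is what defeats the SIM-swap path: an SMS code is just another bearer value that can be read off a hijacked number, whereas the passkey never leaves the device and only ever signs for the origin the browser actually loaded.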

MICROSOFT BLOCKS EMAIL BOMBING IN OFFICE 365: Why Organizations Must Strengthen Awareness Now

  • Microsoft Defender for Office 365 now blocks email bombing attacks

    Microsoft has updated Defender for Office 365 to automatically detect and block email bombing attacks, a tactic where threat actors flood victims’ inboxes with thousands of emails to overwhelm them or hide malicious activity like account takeovers. This new feature proactively filters suspicious surges of inbound emails, helping organizations protect users from distraction-based attacks and reducing the risk of missing critical security alerts.

My thoughts


  • When I first read about Microsoft’s addition of email bombing protection in Defender for Office 365, I saw it as a significant and necessary step in defending against a tactic that many organizations still underestimate. Email bombing — where threat actors flood a victim’s inbox with thousands of emails from subscriptions, forms, or spam bots — isn’t simply an annoyance; it’s a deliberate strategy used to distract victims and security teams, often masking more targeted activities like account takeovers or credential theft. What concerns me most is how email bombing exploits human limitations rather than technical vulnerabilities, by overwhelming employees so they miss password reset alerts or suspicious login notifications. This demonstrates once again that threat actors continue to innovate beyond traditional phishing attacks, and seek to manipulate users’ ability to respond effectively during critical moments.

What can we do?


  • Organizations must ensure employees understand that a sudden flood of emails can be a red flag of malicious intent, prompting immediate verification of sensitive accounts for unauthorized changes. Security teams should monitor for patterns of unusual inbound email volumes that could indicate an active email bombing attempt, and use Microsoft’s new automated filtering as part of a layered defense strategy. Additionally, implementing phishing-resistant multi-factor authentication will make it harder for threat actors to exploit distraction windows created by email bombing. Finally, organizations should regularly review and secure mailbox rules and forwarding settings, since threat actors often use these to maintain persistence after an account compromise hidden during the chaos of an email bombing campaign.
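Two of the checks above, spotting an inbound surge and auditing inbox rules for post-compromise persistence, can be scripted against a message trace export. The following is an added example of my own, not Microsoft’s detection logic and not code from the original newsletter. The record layout, the thresholds and the sample trace are constructed for illustration; tune the thresholds against your own per-user baselines before relying on them.

```python
"""Detect an email-bombing burst in a message trace and audit inbox rules
for forwarding or alert-hiding. Added illustration with constructed data."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)    # assumed burst window
BURST_THRESHOLD = 50              # assumed: messages to one recipient inside the window
MIN_SENDER_DOMAINS = 10           # bombs arrive from many unrelated senders (subscription confirmations)
INTERNAL_DOMAINS = {"example-health.test"}   # hypothetical tenant domain
HIDDEN_ALERT_TERMS = ("password", "security alert", "sign-in", "verification", "mfa", "invoice")


def detect_mail_bombs(trace, window=WINDOW, threshold=BURST_THRESHOLD, min_domains=MIN_SENDER_DOMAINS):
    """Sliding-window count of inbound messages per recipient. A recipient is
    flagged when both the count and the number of distinct sender domains
    exceed their limits, which separates a bomb from one noisy mailing list."""
    per_rcpt = defaultdict(deque)
    alerts = {}
    for msg in sorted(trace, key=lambda m: m["time"]):
        q = per_rcpt[msg["recipient"]]
        q.append(msg)
        while msg["time"] - q[0]["time"] > window:
            q.popleft()
        domains = {m["sender"].rsplit("@", 1)[-1].lower() for m in q}
        if len(q) >= threshold and len(domains) >= min_domains:
            a = alerts.setdefault(msg["recipient"], {"start": q[0]["time"], "peak": 0, "domains": 0})
            a["end"] = msg["time"]
            a["peak"] = max(a["peak"], len(q))
            a["domains"] = max(a["domains"], len(domains))
    return alerts


def audit_inbox_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag rules that forward externally, or that delete/move messages whose
    subject matches the alerts an attacker wants the victim to miss."""
    findings = []
    for r in rules:
        reasons = []
        for addr in r.get("forward_to", ()):
            if addr.rsplit("@", 1)[-1].lower() not in internal_domains:
                reasons.append(f"forwards to external address {addr}")
        terms = [t for t in HIDDEN_ALERT_TERMS
                 if any(t in s.lower() for s in r.get("subject_contains", ()))]
        hides = r.get("delete", False) or r.get("move_to", "Inbox") != "Inbox"
        if terms and hides:
            action = "deletes" if r.get("delete") else f"moves to {r['move_to']}"
            reasons.append(f"{action} messages matching {terms}")
        if len(r.get("name", "").strip(". ")) <= 1:
            reasons.append("near-empty rule name (common in attacker-created rules)")
        if reasons:
            findings.append({"mailbox": r["mailbox"], "rule": r.get("name", ""), "reasons": reasons})
    return findings


def sample_trace():
    """Constructed trace: 120 messages to one user in 8 minutes from 60 domains,
    plus a normal trickle to a second user."""
    t0 = datetime(2025, 7, 1, 9, 0)
    bomb = [{"time": t0 + timedelta(seconds=4 * i),
             "recipient": "a.nurse@example-health.test",
             "sender": f"noreply@site{i % 60}.test",
             "subject": "Confirm your subscription"} for i in range(120)]
    normal = [{"time": t0 + timedelta(minutes=10 * i),
               "recipient": "b.clerk@example-health.test",
               "sender": f"user{i % 3}@partner{i % 3}.test",
               "subject": "Re: appointment"} for i in range(6)]
    return bomb + normal


SAMPLE_RULES = [  # constructed
    {"mailbox": "a.nurse@example-health.test", "name": ".",
     "subject_contains": ["Security alert", "password"], "delete": True},
    {"mailbox": "a.nurse@example-health.test", "name": "Archive",
     "forward_to": ["backup.mail@proton-lookalike.test"]},
    {"mailbox": "b.clerk@example-health.test", "name": "Lunch menus",
     "subject_contains": ["menu"], "move_to": "Food"},
]

if __name__ == "__main__":
    for rcpt, a in detect_mail_bombs(sample_trace()).items():
        print(f"MAIL BOMB {rcpt}: peak {a['peak']} msgs from {a['domains']} domains "
              f"between {a['start']:%H:%M:%S} and {a['end']:%H:%M:%S}")
    for f in audit_inbox_rules(SAMPLE_RULES):
        print(f"RULE {f['mailbox']} '{f['rule']}': {'; '.join(f['reasons'])}")
```

A bombing alert on a mailbox and a newly created rule on the same mailbox, in the same hour, is the pairing worth paging on: the flood is the cover, the rule is the persistence.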

263,000 PATIENTS AT RISK: Esse Health Breach Shows Why Email Security Gaps Let Threat Actors Win

  • Esse Health says recent data breach affects over 263,000 patients

    I find the Esse Health data breach especially alarming because it underscores how even a single compromised email account can result in massive exposure of sensitive patient information. In this case, threat actors gained unauthorized access to employee email accounts, exfiltrated data that included names, Social Security numbers, medical information, and insurance details — and essentially provided everything needed for identity theft and medical fraud. What concerns me most is that email compromise is still one of the most effective attack vectors, yet many healthcare organizations lag in deploying effective defenses. This incident also highlights the dangerous gap between the time threat actors gained access and when the breach was detected, giving them days or even weeks to siphon off data undetected. The healthcare sector remains one of the most attractive targets for threat actors because patient data retains value for years and can be exploited repeatedly, posing long-term risks to victims.

What can we do?


  • We need to prioritize securing email accounts by implementing phishing-resistant multi-factor authentication across the entire workforce, so that compromised credentials alone cannot grant threat actors access. It is also critical to deliver ongoing, adaptive security awareness training that focuses on recognizing evolving phishing techniques and other social engineering methods. Investing in email security tools with anomaly detection helps identify suspicious behaviors, such as sign-ins from unusual locations or at unusual times, and enables faster responses. Encrypting sensitive data at rest and in transit protects against lost devices, stolen backups and interception, but it does little once a threat actor is signed in as the user; what limits the damage from a compromised mailbox is keeping sensitive data out of it in the first place, through retention limits, data loss prevention and not sending Social Security numbers or medical details by email. Finally, healthcare organizations must develop and rehearse robust incident response plans so they can quickly contain breaches, notify affected individuals, and meet legal obligations under regulations like HIPAA, all while minimizing damage.
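The anomaly detection I describe above, unusual location or time of sign-in, comes down to three checks that can be run over exported sign-in logs. Here is an added example of my own (not code from the newsletter and not any vendor’s detection logic) that learns a per-user baseline of countries and hours from an earlier period, then scores later sign-ins for a new country, off-hours activity and impossible travel. The field names follow the common shape of sign-in logs but the events are constructed, and the speed and hour thresholds are assumptions to tune.

```python
"""Sign-in anomaly checks: new country, off-hours versus a learned baseline,
and impossible travel. Added illustration over constructed events."""
import math
from collections import defaultdict
from datetime import datetime

MAX_SPEED_KMH = 900.0   # assumed: faster than this between two sign-ins is not a flight
HOUR_SLACK = 3          # assumed: hours more than this away from any baseline hour are off-hours


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def hour_distance(h1, h2):
    """Distance between two hours of day on a 24-hour circle."""
    d = abs(h1 - h2) % 24
    return min(d, 24 - d)


def detect_signin_anomalies(events, cutoff, max_speed_kmh=MAX_SPEED_KMH, hour_slack=HOUR_SLACK):
    """Successful sign-ins before `cutoff` train the per-user baseline;
    events at or after it are scored. Returns a list of findings."""
    countries = defaultdict(set)
    hours = defaultdict(set)
    last_ok = {}                     # user -> most recent successful sign-in
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["user"]
        if ev["time"] < cutoff:
            if ev["result"] == "success":
                countries[user].add(ev["country"])
                hours[user].add(ev["time"].hour)
                last_ok[user] = ev
            continue
        reasons = []
        if ev["country"] not in countries[user]:
            reasons.append(f"new country {ev['country']}")
        if hours[user] and all(hour_distance(ev["time"].hour, h) > hour_slack for h in hours[user]):
            reasons.append(f"off-hours sign-in at {ev['time'].hour:02d}:00 UTC")
        prev = last_ok.get(user)
        if prev and ev["result"] == "success":
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hrs = (ev["time"] - prev["time"]).total_seconds() / 3600
            if hrs > 0 and km / hrs > max_speed_kmh:
                reasons.append(f"impossible travel: {km:.0f} km in {hrs * 60:.0f} min from {prev['country']}")
        if reasons:
            findings.append({"user": user, "time": ev["time"], "reasons": reasons})
        if ev["result"] == "success":
            last_ok[user] = ev
    return findings


TORONTO = ("CA", 43.65, -79.38)
LAGOS = ("NG", 6.52, 3.38)
CUTOFF = datetime(2025, 7, 1)


def sample_events():
    """Constructed log: five baseline sign-ins from Toronto around 13:00 UTC,
    then a normal sign-in, one from Lagos 40 minutes later, and one at 03:10 UTC."""
    def ev(user, time, place, result="success"):
        country, lat, lon = place
        return {"user": user, "time": time, "country": country, "lat": lat, "lon": lon, "result": result}
    baseline = [ev("j.doe", datetime(2025, 6, d, 13, 2), TORONTO) for d in range(2, 7)]
    scored = [
        ev("j.doe", datetime(2025, 7, 7, 13, 5), TORONTO),    # normal
        ev("j.doe", datetime(2025, 7, 7, 13, 45), LAGOS),     # ~8,900 km in 40 minutes
        ev("j.doe", datetime(2025, 7, 8, 3, 10), TORONTO),    # 03:10 UTC against a 13:00 baseline
    ]
    return baseline + scored


if __name__ == "__main__":
    for f in detect_signin_anomalies(sample_events(), CUTOFF):
        print(f"{f['time']:%Y-%m-%d %H:%M} {f['user']}: {'; '.join(f['reasons'])}")
```

Note that the third sign-in is not flagged for travel: Lagos to Toronto over thirteen hours is a plausible flight, so only the hour stands out. That is the kind of distinction that turns an alert feed from noise into something an analyst will act on.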

If Cyber Certainty™ matters to you, your company or business, then subscribe to Daniel’s thought leadership today


    © 2025 Daniel Tobok. All rights reserved.