Cloud intrusions increased by 136% in the first half of 2025 compared to all of 2024.

The government sector experienced a 71% year-over-year increase in overall interactive intrusions and a 185% year-over-year increase in targeted intrusion activity.

Lumma Stealer is the most encountered malware family found in the wild during Q2 and is often delivered via malicious .docx, .html, or .pdf attachments, or through phishing links hosted on compromised or legitimate-looking cloud services such as OneDrive, and Google Drive.

Healthcare was the third most targeted sector for email-based attacks in Q2 2025, accounting for 19% of attacks.

Retail was the second most targeted sector for email-based attacks in Q2 2025, accounting for 20% of attacks.

SCATTERED SPIDER moved from initial access to encryption by deploying ransomware in under 24 hours in one observed case

There were 3,649 documented ransomware attacks in H1 2025.

Ransomware attacks grew in frequency to 608 per month, or roughly 20 per day.

The Manufacturing sector was the prime target for email-based attacks in Q2 2025, accounting for 26% of all incidents.

A staggering 155,005 copy attempts and 313,120 paste attempts were logged in a single month, demonstrating potential data exposure.

Legal or HR notices account for 5% in phishing emails.

Interactive intrusions increased 27% year-over-year.

Travel-themed messages account for 10% in phishing emails.

For phishing delivery, the majority (54%) of cybercriminals leveraged open redirect mechanisms.

The amount of data uploaded to genAI apps each month has increased from 7.7 GB to 8.2 GB quarter over quarter.

ChatGPT saw its first decrease in enterprise popularity since Netskope started tracking it in 2023.

Zero-day exploits increased 46% in H1 2025.

Modbus accounted for 57% of OT protocol traffic in Forescout honeypots in H1 2025.

The U.S. was the top ransomware target, accounting for 53% of all ransomware incidents, in H1 2025.

24% of breaches IN h1 2025 were on email systems.