Not Today Scammer

Wednesday, October 22, 2025

Weekly Roundup

1. Social engineering gains ground as preferred method of initial access

Link: https://www.cybersecuritydive.com/news/social-engineering-preferred-initial-access/803363/

Summary: Attackers are increasingly bypassing technical barriers by targeting people — using deepfake video, voice cloning, impersonation of executives, and other social engineering tricks. From May 2024 to May 2025, about 36% of breach incidents studied by Palo Alto Networks were initiated via social engineering, often aimed at privileged or executive accounts. The shift reflects that as organizations strengthen MFA, patching and endpoint defenses, attackers are returning to exploiting the human link. The article emphasizes that senior leaders, their family members and their public digital footprint are prime targets.

2. Microsoft warns of a 32% surge in identity hacks, mainly driven by stolen passwords

Link: https://therecord.media/microsoft-warns-of-surge-identity-hacks-passwords

Summary: According to Microsoft’s Digital Defense Report 2025, identity-based attacks climbed by 32% in the first half of 2025, and more than 97% of those attacks leveraged passwords. Hackers are harvesting credentials through leaks, infostealer malware and help-desk social engineering, and then exploiting them to breach organizations—particularly in IT and government sectors. The report also notes attackers abusing antivirus exclusions to evade detection in about 30% of human-operated ransomware incidents.

3. Beware of threats lurking in booby-trapped PDF files

Link: https://www.welivesecurity.com/en/malware/threats-lurking-pdf-files/

Summary: Simple PDF files are being weaponized. According to ESET’s research, PDFs remain among the most abused file types in phishing campaigns, zero-day attacks and APT operations. Threats include embedded JavaScript, hidden malicious links, or disguised executables masquerading as PDFs. The article lists red flags (unexpected file, double extension, suspicious sender) and gives practical steps: verify the sender, check the extension, scan the file, and open it in protected view.
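The "check the extension" and "disguised executable" red flags above can be turned into a quick triage check. The Python below is an added example written for this roundup, not code from ESET or the article: it flags a double extension ending in an executable type, content whose leading bytes (MZ or ELF) contradict a .pdf name, and a genuine PDF that carries a JavaScript action. The extension list and the sample attachments are constructed for the demo.

```python
import re
from pathlib import Path

# Leading bytes of the formats this check distinguishes.
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"        # Windows PE executable
ELF_MAGIC = b"\x7fELF"  # Linux ELF executable

# Constructed list of extensions an attachment named "*.pdf.<ext>" should never end in.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi", ".lnk"}


def inspect_pdf_attachment(filename: str, data: bytes) -> list[str]:
    """Return the red flags found for an attachment that claims to be a PDF."""
    flags: list[str] = []
    suffixes = [s.lower() for s in Path(filename).suffixes]
    claims_pdf = ".pdf" in suffixes

    # Red flag 1: double extension such as invoice.pdf.exe
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS:
        flags.append(f"double extension ending in executable type: {''.join(suffixes)}")

    # Red flag 2: the bytes on disk do not match the claimed type
    if claims_pdf:
        if data.startswith(PE_MAGIC):
            flags.append("content is a Windows executable (MZ header), not a PDF")
        elif data.startswith(ELF_MAGIC):
            flags.append("content is an ELF executable, not a PDF")
        elif not data.startswith(PDF_MAGIC):
            flags.append("content lacks the %PDF- header")

    # Red flag 3: a real PDF that carries a JavaScript action (/JavaScript or /JS key)
    if data.startswith(PDF_MAGIC) and re.search(rb"/(JavaScript|JS)\b", data):
        flags.append("PDF contains an embedded JavaScript action")

    return flags


if __name__ == "__main__":
    # Constructed sample attachments, not real malware.
    samples = {
        "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
        "report.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF",
        "statement.pdf": b"%PDF-1.7\n2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj",
    }
    for name, blob in samples.items():
        print(name, "->", inspect_pdf_attachment(name, blob) or ["no red flags"])
```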

4. Why security awareness training doesn’t work — and how to fix it

Link: https://www.cybersecuritydive.com/news/cybersecurity-awareness-training-research-flaws/803201/

Summary: Organizations have invested heavily in phishing simulations and mandatory training, but a review of studies suggests these methods deliver limited protection and sometimes even backfire. Researchers found no clear link between training and fewer phishing failures, and found that any effects often disappear within six months. They argue that training often ignores behavioral science: knowledge doesn’t always translate to better habits. The fix? Training must include targeted, actionable content, continuous feedback (‘nudges’), and a focus on behaviour change rather than checking a compliance box.

Copyright © 2025 Not Today Scammer - All Rights Reserved.
