Monthly Threat Intelligence Report: June 2025
AMVIA's June 2025 threat intelligence report covers the month's top attack trends, active threat actor campaigns, notable vulnerabilities and recommended defensive actions for UK businesses. Key themes this month include AI-assisted phishing campaigns, critical Microsoft Exchange vulnerabilities and continued ransomware activity against UK SMEs.
Nathan Hill-Haimes
Technical Director
Executive Summary
June 2025 saw continued elevated phishing volumes targeting UK business email, with several active campaigns using AI-generated personalised lures that proved harder to detect through conventional training. The month also saw two critical vulnerabilities disclosed in widely used enterprise software with active exploitation observed within 48 hours of public disclosure — reinforcing the importance of rapid patch deployment workflows.
Ransomware affiliates continued to target SMEs in UK professional services, manufacturing and healthcare sectors. Average recovery time from a significant ransomware incident in the UK remains approximately 21 days, with average recovery costs — inclusive of forensics, remediation and business interruption — substantially exceeding initial ransom demands even when the ransom is not paid.
Top Threats: June 2025
AI-Assisted Spear Phishing
Multiple campaigns this month used AI-generated personalisation to craft phishing emails that referenced recipients' job titles, recent company announcements and LinkedIn activity. These emails bypassed traditional phishing indicators (generic salutation, poor grammar, irrelevant content) and achieved higher click rates in environments relying primarily on human vigilance for phishing detection.
Recommended action: Ensure email security filtering includes AI-based behavioural analysis, not just reputation and signature matching. Supplement user training with guidance on AI-personalised phishing, which looks legitimate precisely because it is personalised.
Microsoft Exchange and Outlook Vulnerabilities
CVE-2025-3087 (critical, CVSS 9.8), a remote code execution vulnerability in Microsoft Exchange Server, was disclosed in early June 2025 and had confirmed active exploitation within 48 hours. On-premises Exchange deployments that had not applied the June Patch Tuesday updates were vulnerable.
Recommended action: Businesses running on-premises Exchange should apply June 2025 Cumulative Updates immediately. Businesses on Exchange Online (Microsoft 365) were not affected. AMVIA recommends all clients on on-premises Exchange complete a migration roadmap assessment if one has not been undertaken recently.
Business Email Compromise (BEC) via MFA Bypass
Adversary-in-the-middle (AiTM) phishing kits continued to be widely used in June. These kits proxy the authentication session in real time, capturing session tokens and bypassing standard MFA prompts. Victims visit a phishing page that looks like the legitimate Microsoft sign-in and enter their credentials and MFA code; the kit relays both to the real Microsoft service in real time and captures the resulting authenticated session token.
Recommended action: Transition from SMS/TOTP-based MFA to phishing-resistant MFA methods: FIDO2 hardware security keys or Microsoft Entra ID's passkey support. Where passkeys are not yet deployed, Conditional Access policies with sign-in risk detection provide partial mitigation by flagging anomalous authenticated sessions.
Vulnerability Spotlight
Key vulnerabilities requiring attention in June 2025:
- CVE-2025-3087: Microsoft Exchange Server RCE — Critical (CVSS 9.8). Patch immediately.
- CVE-2025-2991: Fortinet FortiGate SSL-VPN authentication bypass — High (CVSS 8.1). Patch and audit VPN access logs for exploitation indicators.
- CVE-2025-3156: VMware vCenter heap overflow — Critical (CVSS 9.0). Affects virtualisation infrastructure; patch immediately in production environments.
- CVE-2025-2844: Progress MOVEit Transfer SQL injection — High (CVSS 8.8). MOVEit has been a consistent target since 2023; prioritise patching if in use.
Ransomware Activity Summary
Active ransomware groups observed targeting UK organisations in June 2025:
- LockBit 4 (rebranded): Continued activity following law enforcement disruption; new RaaS infrastructure observed. Targeting manufacturing and logistics.
- Akira: Active against UK professional services firms, exploiting unpatched VPN appliances as initial access vector.
- RansomHub: Healthcare and education sector focus; double extortion (encrypt and exfiltrate) model.
All three groups demonstrated capability to move from initial access to ransomware detonation in under 12 hours in some observed incidents — highlighting that response SLAs matter as much as detection capability.
Recommended Actions for July
- Apply all June Patch Tuesday updates to Windows endpoints, Exchange Server and any Fortinet/VMware infrastructure
- Review MFA configuration — assess readiness to migrate to phishing-resistant methods
- Run a tabletop ransomware exercise — test your incident response plan before an incident
- Audit VPN access logs for the indicators associated with CVE-2025-2991 exploitation
- Confirm offline backup integrity — verify that your most recent clean backup is restorable
Is Your Business Protected Against These Threats?
AMVIA's managed detection and response service monitors your environment for the indicators associated with active threat campaigns, providing 24/7 detection and response capability.
Frequently Asked Questions
What is an adversary-in-the-middle (AiTM) attack?
An AiTM attack uses a proxy server between the victim and a legitimate website (like Microsoft's sign-in page). The victim types their credentials and MFA code into a convincing phishing page, which relays them to the real site in real time, capturing the authenticated session token. The attacker then uses this token to access the victim's account without needing the password or MFA code again. Standard MFA does not protect against AiTM; phishing-resistant FIDO2 keys do.
Does CVE-2025-3087 affect Microsoft 365 (Exchange Online)?
No — CVE-2025-3087 and similar Exchange Server vulnerabilities affect on-premises Exchange deployments only. Microsoft 365 Exchange Online is managed by Microsoft, which applies patches to the underlying infrastructure. However, businesses using on-premises Exchange or Exchange in a hybrid configuration should apply patches as a matter of urgency when critical vulnerabilities are disclosed.
How quickly are newly disclosed vulnerabilities exploited?
Based on NCSC and CISA reporting, the average time from public disclosure to active exploitation has shortened to under 72 hours for critical vulnerabilities in widely used software. For some vulnerabilities (particularly in VPN appliances and remote access tools), exploitation begins within hours of disclosure. This makes a rapid patch deployment process — not a monthly manual patching cycle — essential for reducing exposure.
What makes MFA phishing-resistant?
Standard MFA (TOTP codes from an authenticator app, SMS codes, push notifications) can be intercepted via AiTM attacks or social engineering. Phishing-resistant MFA — primarily FIDO2 hardware security keys and passkeys — uses cryptographic authentication tied to the specific website domain. Because the authentication is domain-bound, it cannot be relayed by an AiTM proxy, making these methods genuinely resistant to phishing attacks.
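The domain binding described in this answer and in the AiTM section above, shown as an added Go example that is not part of AMVIA's report: a simplified WebAuthn assertion check in which the browser, not the web page, fills in the origin and rpId from the host the user is actually on, and the relying party (login.example.com, a constructed name) rejects any assertion bound to a different host. Credential lookup, signature counter and attestation are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// clientData carries the WebAuthn clientDataJSON fields that matter here.
type clientData struct{ Type, Challenge, Origin string }
// signedMessage: the key signs over authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}
// authenticatorSign models browser plus security key: the browser, not the page, sets origin and rpId.
func authenticatorSign(key *ecdsa.PrivateKey, pageHost, challenge string) (authData, cdj, sig []byte) {
	rpHash := sha256.Sum256([]byte(pageHost))
	authData = append(rpHash[:], 0x01) // rpIdHash || flags (user present); counter omitted
	cdj, _ = json.Marshal(clientData{"webauthn.get", challenge, "https://" + pageHost})
	sig, _ = ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, cdj))
	return
}
// verifyAssertion is the relying party's check: origin and rpIdHash must match the RP's own host,
// so an assertion produced on a look-alike host fails even if the proxy relays it instantly.
func verifyAssertion(pub *ecdsa.PublicKey, rpHost, challenge string, authData, cdj, sig []byte) error {
	var cd clientData
	rpHash := sha256.Sum256([]byte(rpHost))
	if json.Unmarshal(cdj, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("malformed clientData, wrong type or stale challenge")
	}
	if cd.Origin != "https://"+rpHost || len(authData) < 33 || string(authData[:32]) != string(rpHash[:]) {
		return errors.New("assertion bound to " + cd.Origin + ", not https://" + rpHost)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, cdj), sig) {
		return errors.New("bad signature")
	}
	return nil
}
// loginAttempt: the user's browser is on pageHost; the RP is login.example.com (constructed name).
func loginAttempt(pageHost string) error {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const rp, challenge = "login.example.com", "constructed-challenge-123"
	authData, cdj, sig := authenticatorSign(key, pageHost, challenge)
	return verifyAssertion(&key.PublicKey, rp, challenge, authData, cdj, sig)
}
```

Calling loginAttempt with the relying party's own host verifies; calling it with a look-alike host fails the origin/rpIdHash check before the signature is even examined, which is the property a relaying proxy cannot get around.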