The Five Cyberattacks That Defined 2025 and Why This Year Changed Everything

Cybersecurity in 2025 marked a pivotal shift: major vulnerabilities not only exposed sensitive data but impacted operations across sectors, challenged assumptions about AI safety, and demonstrated that threat actors can exploit both technical flaws and human trust at scale. This retrospective examines the most significant cyberattacks of the year and why their impact still matters.

1. EchoLeak: When AI Became the Attack Surface

The most unsettling cyber incident of 2025 did not involve ransomware or stolen credentials. It involved trusting an AI to read your email.

May 2025 revealed a zero-click vulnerability in Microsoft 365 Copilot— a suite of AI-assisted workplace tools integrated into Outlook, Teams, Word, and other Office products. This vulnerability was cataloged as CVE-2025-32711, a critical prompt-injection flaw in Microsoft 365 Copilot, and dubbed EchoLeak by analysts due to its ability to exfiltrate sensitive organizational data via crafted content.

What made EchoLeak distinctive was its zero-click nature: attackers had embedded commands inside emails and documents that Copilot processed automatically, potentially causing the model to leak data without any user action. The flaw took more than a month to fully contain because the problem was not the code, it was how the AI interpreted language. Microsoft had to redesign prompt-handling logic and deploy server-side controls across tenants. During that time, many organizations limited or suspended Copilot use entirely.

Microsoft then issued a server-side mitigation in June 2025 to address the flaw. Nonetheless, EchoLeak established a new category of risk for AI assistant interfaces by demonstrating how LLM-driven workflows can be weaponized to access privileged data.

EchoLeak showed the world that AI tools could be active security risks.

2. Salt Typhoon and the Quiet Compromise of U.S. Telecom

While EchoLeak made headlines, the most strategically dangerous cyber activity of 2025 unfolded almost entirely in the background.Salt Typhoon is widely regarded as one of the most significant cyberattacks to be formally recognized in 2025, not because it began that year, but because 2025 was when they scaled, attacked high profile targets, and their national-security impact became fully clear.

Attributed to China’s Ministry of State Security, Salt Typhoon was a long-running cyber-espionage campaign that operated largely undetected for 18–24 months, with initial intrusions dating back to 2022–2023 and expanding through 2024. The attackers embedded themselves deep within U.S. telecommunications infrastructure, exploiting core routing equipment and lawful-intercept systems that handle call and text metadata.

By 2025, at least nine U.S. telecommunications providers were affected, including AT&T, Verizon, Lumen Technologies, T-Mobile, Spectrum, Windstream, Consolidated Communications, and Charter Communications, along with additional unnamed carriers acknowledged by U.S. officials. This access raised serious concerns about the exposure of communications linked to senior government officials, political figures, and law-enforcement targets.

The campaign became a defining 2025 cyber event through a series of high-profile escalations. In January 2025, the U.S. Treasury imposed sanctions related to Salt Typhoon, elevating it to a geopolitical issue. In August 2025, the FBI publicly disclosed that the campaign had compromised at least 200 U.S. organizations, extending far beyond telecom providers. In December 2025, investigators identified intrusions into U.S. House committee email systems, including committees handling intelligence and national security matters.

Throughout 2025, the FBI and CISA coordinated the federal response, issuing warnings, assisting affected providers, and cautioning that the threat remained persistent and difficult to fully eradicate. Their involvement underscored the seriousness of the breach and led to rare public guidance encouraging encrypted communications.

As of 2026, the Salt Typhoon cyber threat has still not been fully resolved. It did not involve ransomware or try to disrupt services, but has been mainly focused on espionage. The Salt Typhoon cyberattacks indicate how quietly cyber espionage can scale when it targets infrastructure designed decades before modern threat models existed.

3. United Natural Foods Inc. (UNFI) Supply Chain Disruption

One of 2025’s most visible operational impacts came from a cyberattack affecting United Natural Foods Inc. (UNFI), a major food distribution company in the United States.

In June 2025, UNFI detected unauthorized activity inside its network. Within days, systems that controlled ordering, logistics, and warehouse operations were offline.

UNFI supplies food to over 30,000 U.S. stores, including Whole Foods. When its systems went down, the effects rippled outward almost immediately. Deliveries were delayed. Shelves emptied. Manual workarounds collapsed under scale.

The attack resulted in significant distribution delays and logistical disruptions for over 30,000 U.S. stores, including grocery partners such as Whole Foods Market and thousands of other retailers dependent on UNFI’s network. Core systems were restored over approximately three weeks, but residual supply-chain effects persisted beyond initial containment.

The attack appears to have begun with compromised credentials or third-party access and escalated into a ransomware-driven shutdown. Even without confirmed mass data theft, UNFI had no choice but to halt operations to contain the damage.

Core systems took about three weeks to recover. Full normalization took closer to six weeks. The financial impact—lost revenue, spoiled goods, emergency logistics, and security upgrades—was estimated between $350 million and $400 million.

It was a stark reminder that supply-chain cyberattacks do not stay digital for long.

4. Microsoft SharePoint “ToolShell” Zero-Day Exploits

The summer of 2025 saw one of the most widely exploited server vulnerabilities in recent years. Beginning around July 18, 2025, security firms such as CrowdStrike observed active exploitation of two critical vulnerabilities in on-premises Microsoft SharePoint Server — tracked as CVE-2025-53770 and CVE-2025-53771 — collectively dubbed “ToolShell.”These flaws permitted remote code execution without authentication, allowing attackers to place web shells on vulnerable systems and steal cryptographic keys or service tokens for persistence.

A patch rollout occurred in late July 2025, but rapid exploitation meant many organizations were compromised before full remediation.

The hardest-hit organizations were not careless. Many were government agencies, healthcare providers, and enterprises that still relied on on-prem SharePoint for regulatory or operational reasons. Unlike cloud environments, these systems lacked uniform monitoring and rapid update mechanisms.

Emergency patches were released, but for many victims, the damage was already done. Incident response took weeks, not days, and in some cases required complete rebuilds of affected servers.

The SharePoint incident underscored the vulnerability of legacy, on-prem infrastructure, especially when automated exploitation tools and chainable flaws are present. Exploited servers were often used as footholds for deeper lateral movement within enterprise networks.

5. Scattered Spider in 2025: When Identity Became the Attack Vector

Throughout 2025, Scattered Spider cemented its reputation as one of the most disruptive cybercriminal groups in operation—not because of unique malware or zero-day exploits, but because of how effectively it exploited people, processes, and identity systems.

Tracked by U.S. authorities as UNC3944, Scattered Spider is a financially motivated cybercrime group known for social engineering–driven intrusions. According to a joint CISA and FBI advisory issued in July 2025, the group routinely bypassed technical controls by impersonating employees, contractors, or IT staff to manipulate help desks into resetting passwords or registering attacker-controlled MFA devices.

CISA notes that recent updates to the advisory also document the use of ransomware variants such as DragonForce, and the shifting mix of techniques the group uses to stay under detection.

These tactics were visible in several high-profile 2025 incidents. Between April and July 2025, UK retailers including Marks & Spencer (M&S), Co-Op, and Harrods suffered cyberattacks involving data theft and, in some cases, DragonForce ransomware. Public reporting confirmed that social engineering and credential compromise played a central role. M&S incurred losses to the tune of £300 million (approximately $403 million USD), making it one of the most financially damaging retail cyber incidents of the year.

Scattered Spider activity was not limited to retail. In June 2025, U.S. insurance firms—including Aflac—disclosed breaches involving unauthorized access to sensitive customer data such as Social Security numbers and claims information. While not all victims publicly named the attackers, the FBI warned that Scattered Spider was actively targeting the insurance and financial services sectors using the same identity-centric techniques.

By mid-2025, government agencies expanded warnings to include the airline industry and its supply chain, citing increased risk from vishing, MFA fatigue attacks, and help-desk impersonation.

The lesson from 2025 was clear: MFA alone is not enough if attackers can socially engineer the systems that manage identity. Scattered Spider showed that in modern enterprises, the help desk can be just as critical—and vulnerable—as the firewall.

Going Forward

The cyberattacks that defined 2025 made one thing unmistakably clear: these were not isolated security failures, but symptoms of deeper, systemic weaknesses across modern digital ecosystems. From zero-day exploits in widely deployed platforms to AI systems introducing entirely new attack surfaces, and from supply-chain disruptions to human-targeted identity attacks, the year exposed how tightly coupled technology, people, and operations have become. Shared services, identity systems, and third-party dependencies continue to amplify impact well beyond IT teams. Looking forward, organizations must move beyond reactive security toward AI-aware architectures, rapid vulnerability response, resilience planning, and identity-centric defenses that assume compromise is possible..