
This Week in Cybersecurity (September 15 - September 22, 2025) 

September 15 - 22, 2025

Welcome back to another week of critical developments in cybersecurity. Defenders continue working to stay ahead of cyber threats, but attackers are shifting tactics: exploiting identity systems and turning backup and configuration services into attack vectors. Below are the top stories that stood out this past week, why they matter, and what actions organizations can take to reduce risk.

 

The News 

  1. Phishing Moves Beyond Email
     Attackers are no longer relying solely on email for phishing. They increasingly use social media, instant messaging apps, in-app messaging features, malicious ads (malvertising), and links delivered through legitimate SaaS-service emails to bypass traditional email security tools. (bleepingcomputer.com)

  2. Microsoft Entra ID Flaw Could Let Attackers Hijack Any Company’s Tenant
     A critical vulnerability (CVE-2025-55241), discovered by Dirk-jan Mollema of Outsider Security, involves “Actor Tokens” and a flaw in the Azure AD Graph API. These legacy components could have been used to impersonate any user, including Global Admins, in any Microsoft Entra ID tenant, bypassing conditional access and MFA and leaving little to no trace in logs. Microsoft has issued a patch. (bleepingcomputer.com)

  3. SonicWall Cloud Backup Service Breach
     MySonicWall, the cloud backup service for SonicWall firewall configurations, suffered a breach. Threat actors accessed backup configuration files (network rules, VPN configurations, admin credentials, etc.). While the credentials in those backups were encrypted, the exposure of network topology and configuration details increases risk. SonicWall is urging affected customers to reset passwords, check whether cloud backups are enabled, and review recent changes. Reportedly, under 5% of customers were impacted. (thehackernews.com)

  4. How to Gain Control of AI Agents
     Researchers are highlighting attack vectors targeting AI agents. Misconfigured, insufficiently isolated, or over-privileged agents can be hijacked or manipulated by attackers to gain control, with potential knock-on effects in cloud, data, or internal systems. (thehackernews.com)

  5. Resilience 2025: Cyber Risk Trends
     The report “Resilience 2025” lays out evolving cyber risk trends, including greater dependency on interconnected systems and supply chains, rising exploitation of identity and access management weaknesses, regulatory and insurance pressures, and the growing role of AI and automation both in defenses and in adversarial use. (helpnetsecurity.com)

  6. ShinyHunters Claim 1.5 Billion Salesforce Records Stolen
     The cybercrime group ShinyHunters claims to have stolen 1.5 billion Salesforce records by abusing OAuth tokens from integrations such as Drift and Salesloft, allegedly affecting 760 companies. This highlights the risks tied to third-party SaaS integrations and token-based access. (bleepingcomputer.com)

  7. Airport Disruptions via Ransomware on Collins Aerospace
     A ransomware attack on Collins Aerospace disrupted check-in and baggage-drop systems at European airports, causing significant delays. The attack shows how ransomware increasingly targets critical infrastructure and supply chain providers whose outages affect large populations quickly. (reuters.com)


Why It Is Important 

  • Attack vector diversification: The move beyond email for phishing means security programs that focus heavily on email filtering, email-based awareness training, and endpoint protection may miss many of these newer threats.

  • Identity as a single point of failure: The Entra ID flaw underscores that IAM (Identity & Access Management) remains one of the highest-stakes areas in cloud security.

  • Configuration data is sensitive: Backup files, configuration exports, VPN setups, and network topology give attackers an insider’s map of how systems are designed.

  • AI/agent risk is rising: As AI agents automate more workflows, their over-privileged access and unsafe defaults create new risks.

  • Supply chain and integration risk: The Salesforce/Drift breach shows how token misuse can ripple across hundreds of organizations.

  • Critical infrastructure at risk: The ransomware on Collins Aerospace is another example of how attackers can cause societal disruption far beyond a single company.

  • Increased regulatory and insurance oversight: Reports like Resilience 2025 highlight pressure from regulators and insurers on organizations to prove they can withstand such attacks.


Actions 

Take action on the following as quickly as possible.


Broaden phishing protection beyond email

  1. Monitor and control links and content delivered via chat apps, social media, and SaaS platforms.

  2. Use browser isolation or proxy tools to reduce exposure to malicious links.


Audit identity systems

  1. Eliminate reliance on legacy APIs and monitor token issuance.

  2. Enforce MFA and conditional access everywhere now.

  3. Test IAM attack paths regularly.


Review backup and configuration data practices

  1. Treat backups as sensitive data; restrict and monitor access.

  2. Rotate credentials after exposure.


Secure AI / agent systems

  1. Apply least privilege and sandboxing.

  2. Include AI agent misuse in risk assessments.


Strengthen third-party SaaS and supply chain security

  1. Map OAuth and API integrations; restrict unnecessary scopes.

  2. Regularly review tokens and connected apps.


Prepare for critical infrastructure disruption

  1. Run tabletop exercises covering ransomware hitting key suppliers.

  2. Validate business continuity and disaster recovery plans.


Armes Vantage Point 

From this week’s stories, several themes come to mind: 

  • Legacy is dangerous — APIs and systems built years ago can become the weakest link.

  • Visibility is key — attackers increasingly exploit blind spots in backups, SaaS tokens, and non-email phishing. 

  • Attackers are adapting rapidly — targeting supply chains, critical infrastructure, and AI systems. 

  • Prevention plus resilience wins — patch identity flaws quickly, reset exposed credentials, and prepare for large-scale disruption. 


At Armes Vantage, our view is clear: organizations must treat identity, backups, SaaS tokens, and supply chain dependencies as critical control points. Security programs that only cover endpoints and email are no longer enough. Now is the time to expand risk management programs, map hidden dependencies, and rehearse resilience for when these threats hit. 




© 2025 by Armes Vantage LLC. All rights reserved.
