It's not you, it's your printer: State-sponsored and phishing threats in 2025

In this episode of Talos Takes, host Amy Semenisi and guest Martin Lee from Cisco Talos dive into the evolving threat landscape of 2025, focusing on the rise of sophisticated phishing campaigns and state-sponsored cyberattacks. They highlight a troubling shift toward internal phishing—where attackers, once inside a network, use deceptive emails to steal credentials and move laterally—underscoring the need for behavioral monitoring and user vigilance. A major concern is the weaponization of Microsoft 365's 'Direct Send' feature, an unauthenticated email protocol that allows attackers to bypass perimeter defenses once inside. The episode also explores how Chinese and North Korean state-linked groups are blending zero-day exploits with highly convincing social engineering, including AI-enhanced impersonations of remote IT workers. Martin emphasizes that while attribution remains difficult and often misleading, defenders should prioritize foundational security hygiene—patching, network segmentation, identity management, and threat hunting—over obsessing over who is behind an attack. He concludes with a practical suggestion: deploying honeypots to demonstrate real-world risk to leadership and secure funding for upgrades. Key takeaways include: 1) Internal phishing is a growing threat that requires behavioral analytics and user education; 2) Disable unauthenticated features like Microsoft 365 Direct Send; 3) Prioritize patching and network hygiene over attribution; 4) Use honeypots to prove risk and secure resources; 5) Be skeptical of remote hires, especially from high-risk regions, and verify identities through in-person meetings; 6) AI-powered impersonation is a serious threat, but simple questions like 'How fat is Kim Jong-un?' can expose fakes; 7) Blurred lines between espionage and financial motives make attribution unreliable—focus on stopping the attack, not identifying the actor.