September 2025 saw a significant array of cybersecurity events, including coordinated takedowns of phishing campaigns, urgent government advisories about SaaS app exploits, sanctions targeting global scam syndicates, sophisticated attacks and breaches at major technology companies, and the resurgence of previously “retired” threat actors. Each of these incidents highlighted complex threat actor collaboration, critical vulnerabilities across high-value platforms, and evolving responses from security teams and regulators.
Microsoft and Cloudflare Dismantle Large-Scale Phishing-as-a-Service Network
In a significant blow against enterprise-targeted phishing operations, security teams from Microsoft and Cloudflare, working with law enforcement, seized control of over 300 domains involved in the RaccoonO365 phishing-as-a-service (PhaaS) operation earlier this month. The domains were heavily leveraged to launch convincing attacks against Microsoft 365 users. The RaccoonO365 actors ran a service-based model, renting access to their toolkit to other threat groups at subscription rates around $11 per day, for up to three months.
Technical dismantling measures included forcibly revoking the group's administrator access, deactivating the malicious Cloudflare scripts that lent the phishing sites an appearance of legitimacy, and quarantining the fraudulent domains. An operational mistake that exposed the group leader's cryptocurrency wallet played a pivotal role in tracking and identifying the operators. The incident demonstrates the growing sophistication of both adversaries and defenders in PhaaS operations, as well as the continued exposure of enterprise cloud users to such schemes.
FBI Issues High-Priority Advisory for Salesforce Users Amid Renewed Attacks
The FBI Cyber Division sounded an emergency alert for all Salesforce clients on September 12, revealing two new, complex attack campaigns directly targeting both core users and customers via integrations, notably with the Salesloft Drift platform. These incidents appear to be a continuation of larger campaigns observed earlier in the year, which included network infiltrations from groups like ShinyHunters and recent collaborative “supergroups” pooling exploits, intelligence, and compromised assets.
Attackers have increasingly found success by chaining weaknesses—gaining initial access through integrations, then escalating privileges within Salesforce or pivoting to connected business applications. The advisory urges affected organizations to audit third-party app connections, strengthen authentication controls, and monitor for anomalous logins or data exfiltration behaviors.
U.S. Treasury Sanctions Southeast Asian Cyber Scam Network Operators
In a landmark action, the U.S. Department of the Treasury’s Office of Foreign Assets Control sanctioned 19 individuals and entities operating sprawling cyber scam centers across Southeast Asia. These organizations, located predominantly in Burma and Cambodia, are responsible for an estimated $10 billion in losses from romance and investment scams that heavily targeted Americans in 2024.
Sanctioned groups have been linked not only to sophisticated fraud and money laundering operations, but also to forced labor and violence, as well as broader criminal and paramilitary syndicates spanning major parts of Southeast Asia. Several are reportedly tied to high-level government and military actors, underscoring the profound complexity and reach of these transnational financial crime operations. The move marks an escalation in the use of financial policy as a cybersecurity enforcement tool, aiming to freeze digital and fiat assets and disrupt adversarial capabilities at scale.
Google Law Enforcement Platform Breach Threatens Sensitive eCheck System Data
Security researchers confirmed that members of the LAPSUS$ hacker group, thought to be disbanded, successfully breached Google’s Law Enforcement Request System (LERS) via a fraudulent access account. While Google verified the breach and acted quickly to remove the rogue account, attackers publicly released screenshots demonstrating their high-level access, raising concerns about the platform’s integrity.
LERS serves as a central portal for law enforcement worldwide, providing access to sensitive investigation data, including the FBI’s eCheck system. The breach highlights the risks posed by weak account onboarding or verification procedures in systems with privileged access to confidential data and national security resources. Google’s response has involved auditing all related accounts, reviewing platform permissions, and liaising with impacted agencies, although ongoing investigations have yet to confirm any data exfiltration.
Scattered Spider Group Resurfaces Despite “Retirement” Claims, Major Arrests Follow
Contrary to claims of disbandment, the notorious Scattered Spider collective resurfaced with new attacks against U.S. banks and other major businesses. Security analysts found strong evidence connecting these activities to the same campaign clusters responsible for recent Salesforce and Google incidents, suggesting a unified operational structure or shared infrastructure among threat actors.
Law enforcement agencies in the U.S. and UK have arrested and charged two alleged key members of the group with cyber extortion and related offenses. The arrests appear to have prompted the group's stated intention to "go dark," yet coordinated attacks continue, indicating either further operatives at large or a decentralized operational model. The group's return, and law enforcement's persistent legal efforts against it, offer a stark illustration of the cyclical way threat actors regroup under pressure.
Nevada Government Cyberattack: Recovery Progress and Security Enhancements
The state of Nevada recently experienced a significant cyberattack that prompted many government offices to shut down public-facing services for several days. Several weeks after the incident, officials reported that 90% of state web services had been brought back online, with remaining services nearing full restoration. The state’s IT teams have since implemented enhanced security controls and protocols following a period of elevated risk.
Although some data exposure occurred during the breach, investigations so far have not found evidence that personally identifiable information was compromised. This event is notable both for its operational disruption and as an example of proactive public communication and security hardening by state agencies in the aftermath of a substantial incident.
Delayed Disclosure of Large-Scale Credit Union Breach Exposes Customer Data
Fairmont Federal Credit Union, based in West Virginia, began notifying approximately 187,000 customers in September that their sensitive information had been compromised—not by a recent attack, but in a breach that took place nearly two years ago. The compromised data set includes credit and debit card numbers, tax and bank information, credentials, full identity details, and even health information.
While there have not yet been any confirmed cases of fraud related to the incident, the breadth of the exposed data presents ongoing identity theft risks. Impacted individuals have been offered one to two years of free credit and identity monitoring services. This case underscores the dangers of delayed discovery and disclosure of serious breaches in the financial sector, with a prolonged window for malicious exploitation.