SOCshare: cyber threat landscape in July 2025


SOCshare: external facing assets

In July 2025, threat activity across the region was largely driven by attack vectors targeting external facing assets. Adversaries showed a clear preference for targeting publicly reachable systems and services, with the main purpose of exploiting exposed entry points.

Scanning activity 

Throughout July 2025, widespread reconnaissance activity was observed, characterized by multiple waves of automated scanning against externally facing infrastructure. Threat actors actively probed perimeter devices, including firewalls and remote access services, with a noticeable increase in high-volume UDP scanning. In parallel, persistent SSL-VPN brute-force attempts were detected, indicating systematic efforts to identify exposed services and weak authentication points across public attack surfaces.  

SharePoint Zero-Day

In July 2025, a critical SharePoint zero-day vulnerability drew significant interest from threat actors. Increased scanning and probing activity was observed against internet-exposed SharePoint instances, indicating both attempts to exploit the flaw and efforts to identify vulnerable systems. This activity demonstrated how quickly newly disclosed vulnerabilities become a target, particularly when affecting widely used external-facing platforms. 

What Else Happened in July 2025? 

  1. July continued to show elevated phishing activity, with deception campaigns increasingly relying on fake documents, branded attachments, and social engineering lures to trick recipients into exposing credentials or initiating malicious actions.
  2. Some breach events and data exposures were observed in the region during July, including unsecured servers leaking large datasets.

Looking ahead

Improving resiliency on external facing assets
Never leave default passwords in place, and keep all systems fully patched
Threat monitoring
Monitor threat feeds to stay continuously aware of what is happening across cyberspace

 July 2025 highlighted how threat actors continue to capitalize on exposed attack surfaces rather than relying on novel techniques alone. Publicly accessible systems, perimeter services, and widely deployed platforms remained the primary targets, with rapid exploitation attempts following vulnerability disclosures. These developments reinforce that effective cybersecurity now depends on strong external exposure management, timely patching, continuous monitoring, and shared situational awareness across the region. 
