I. July 2025 Cyber Threat Landscape: An Executive Overview
July 2025 saw threat actors launch a full-scale assault on the foundational pillars of the modern enterprise: core collaboration software and critical infrastructure. A global campaign exploiting zero-day vulnerabilities in Microsoft SharePoint servers demonstrated how a single flaw could paralyze organizations worldwide, while parallel attacks on aviation systems and warnings about perimeter appliance exploits revealed the fragility of the systems we depend on for commerce and communication.[14]
This analysis will provide a deep dive into the “ToolShell” SharePoint zero-day campaign, the widespread disruption at European airports caused by the Collins Aerospace hack, and critical CISA warnings about the “Citrix Bleed 2” vulnerability. The report also examines a major nation-state espionage campaign against the U.S. National Guard and the continued dominance of third-party risk in major data breaches.[16]
II. The Headliner: The “ToolShell” SharePoint and “Citrix Bleed 2” Exploits
July’s threat landscape was defined by the weaponization of vulnerabilities in two of the most essential and trusted components of enterprise IT: the internal collaboration hub and the external access gateway.
SharePoint Under Siege (CVE-2025-53770)
A critical Remote Code Execution (RCE) zero-day vulnerability in on-premises Microsoft SharePoint servers became the centerpiece of a global cyberattack campaign dubbed “ToolShell”.[18] Before a patch was available, attackers began exploiting this flaw, compromising over 400 systems, with some estimates reaching over 750.[14] The victims spanned a wide range of sectors, including banks, universities, hospitals, and multiple U.S. government agencies, with the Department of Energy confirming it was “minimally impacted”.[14] The vulnerability, with a CVSS score of 9.8, allowed unauthenticated attackers to gain administrative access to SharePoint environments, effectively handing them the keys to an organization’s most sensitive internal documents and data.[14]
Attribution and Geopolitical Context
Investigations by Microsoft and Mandiant quickly pointed to the involvement of China-linked Advanced Persistent Threat (APT) groups. Specifically, exploitation activity was attributed to the nation-state actors tracked as Linen Typhoon and Violet Typhoon, as well as another China-linked group, Storm-2603.[15] This attribution firmly placed the “ToolShell” campaign in the realm of state-sponsored cyber espionage, rather than purely criminal activity.
Citrix Bleed 2 – The Perimeter Breach
As defenders scrambled to patch their SharePoint servers, a parallel threat emerged targeting the network perimeter. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a stark warning about the active exploitation of a major flaw in Citrix NetScaler Application Delivery Controllers (ADCs), dubbed “Citrix Bleed 2”.[14] This vulnerability was particularly dangerous because it allowed attackers to bypass authentication protocols—even those protected by multi-factor authentication (MFA)—and gain direct access to corporate networks. This effectively turned a critical piece of defensive infrastructure into an open door for intruders.[14]
These were not random, opportunistic attacks. Threat actors deliberately and strategically targeted two of the most trusted and ubiquitous pieces of enterprise infrastructure. SharePoint serves as the central nervous system for a vast number of organizations, acting as the authoritative repository for internal collaboration, document management, and institutional knowledge. Meanwhile, Citrix NetScaler and similar ADCs function as the fortified gateways for the modern remote workforce, charged with securely connecting external users to internal resources.
By compromising these “trust anchors,” attackers achieve a far greater impact than simply stealing a dataset. Exploiting a zero-day in SharePoint allows an adversary to operate inside the trusted zone with high authority, bypassing many internal security controls designed to detect external threats. Exploiting a flaw in a Citrix ADC allows an attacker to bypass the entire perimeter defense structure, rendering firewalls and access policies irrelevant. The simultaneous exploitation of both types of systems—the collaboration core and the access gateway—demonstrates a sophisticated strategy. This dual-pronged approach maximizes the chances of a successful breach and reveals a deep, architectural understanding of how modern enterprises operate and where their most critical points of failure lie.
III. Monthly Threat Briefing: Major Data Breaches and Ransomware Operations
The focus on critical systems and supply chains extended beyond SharePoint and Citrix, with the aviation and retail sectors experiencing significant disruptions.
Aviation in Turmoil
- Collins Aerospace: A cyberattack on the MUSE passenger processing software, developed by Collins Aerospace, caused massive operational disruptions at major European airports, including Heathrow, Brussels, and Berlin.[20] The failure of this critical third-party system forced airlines to revert to slow and inefficient manual check-in and boarding processes, leading to significant flight delays and cancellations. The incident served as a stark reminder of how digital supply-chain failures can have immediate and tangible consequences for physical critical infrastructure.[21]
- Qantas: Australia’s national airline disclosed a data breach affecting up to six million customers.[16] The breach originated not from Qantas’s own systems, but from a third-party contact center platform it utilized. The attack was tentatively linked to the prolific cybercrime group Scattered Spider, known for its social engineering prowess.[16]
Retail and Supply Chain Under Fire
- Co-op UK: The British retail giant confirmed that a cyberattack on its third-party loyalty program provider, Azpiral, had exposed the personal data of 6.5 million members.[16] This incident, also linked to Scattered Spider, again highlighted how customer engagement platforms managed by external vendors can become a significant weak point in a company’s security posture.[26]
- Ingram Micro: The massive IT solutions distributor was hit by the SafePay ransomware group, forcing a multi-day shutdown of its internal systems and operations.[14] The attack, which likely began with a compromise of the company’s VPN, caused severe disruption to its order processing and distribution network, with experts estimating daily losses of up to $136 million.[14]
July 2025 Data Breach & Ransomware Summary
The following table summarizes July’s key incidents, illustrating the different facets of supply-chain and critical infrastructure risk.
| Victim Organization | Threat Actor / Ransomware Group | Scope of Impact (Records, Data Types) | Attack Vector & Key Insight |
|---|---|---|---|
| Multiple Global Orgs | Linen Typhoon, Violet Typhoon (China-linked) | 400-750+ systems; sensitive documents, internal data | Zero-day exploit (CVE-2025-53770) in Microsoft SharePoint. Attack on a core enterprise collaboration platform. |
| European Airports | Unknown | Widespread flight delays/cancellations | Third-party software compromise (Collins Aerospace MUSE). Demonstrates digital supply-chain risk to physical critical infrastructure. |
| Qantas | Scattered Spider (suspected) | Up to 6 million customers; PII, frequent-flyer data | Third-party contact center compromise. Highlights vendor risk in the airline industry. |
| Co-op UK | Scattered Spider | 6.5 million members; PII, loyalty card details | Third-party loyalty program provider breach. Shows how customer engagement platforms can be a weak link. |
| Ingram Micro | SafePay Ransomware | Major operational shutdown; data exfiltration | Ransomware attack via compromised VPN. Illustrates the devastating business continuity impact on IT supply chains. |
IV. Vulnerability & Exploit Analysis: The Digital Arms Race
The month’s vulnerability landscape was dominated by the flaws in widely deployed enterprise systems. The SharePoint RCE (CVE-2025-53770) and the “Citrix Bleed 2” flaw were highly prized by attackers because they provide a direct path to high-value assets, either by compromising the heart of internal data storage or by dismantling the front door of the network.[14] Beyond these, other notable disclosures included security updates from Apple to patch multiple vulnerabilities in iOS and iPadOS, and a maximum-severity RCE flaw discovered in the Cisco Identity Services Engine (ISE), a critical network access control solution.[18]
V. Strategic Threat Intelligence: Nation-State Espionage Deepens
July provided a clear view into the long-term, strategic operations of nation-state actors, which often precede more disruptive attacks.
The U.S. National Guard Breach
It was disclosed in July that the Chinese APT group Salt Typhoon had maintained persistent, undetected access to a U.S. Army National Guard network for a staggering nine months throughout 2024.[17] During this extended dwell time, the attackers exfiltrated highly sensitive data, including administrator credentials, detailed network diagrams, maps of geographic locations, and the PII of service members. This level of access provided Beijing with invaluable intelligence that could be used to facilitate future attacks against other National Guard units and their state-level cybersecurity partners.[17]
Russian Espionage Campaign
In a separate campaign, Microsoft’s Threat Intelligence team uncovered an operation by the Russian state-sponsored actor Secret Blizzard.[18] This group was observed targeting embassies located in Moscow using sophisticated adversary-in-the-middle (AiTM) techniques. By intercepting communications, the group was able to deploy its custom ApolloShadow malware, likely for the purpose of long-term intelligence gathering on diplomatic activities.[18]
These espionage campaigns are not just about stealing data for its own sake; they are strategic intelligence-gathering operations designed to enable future disruptive or destructive attacks. A nation-state’s primary goal is often strategic advantage, not immediate financial gain. The network diagrams and credentials stolen by Salt Typhoon are not easily monetizable but are invaluable for planning a future military or infrastructure attack. This data effectively serves as a playbook, revealing how the network is built, who operates it, and where its critical vulnerabilities lie. Similarly, Secret Blizzard’s access to diplomatic communications provides geopolitical leverage that can be used to preempt or counter political moves.
Therefore, these campaigns should be viewed as a leading indicator of future risk. The intelligence gathered today is being cataloged and analyzed, and could be weaponized years from now in a geopolitical crisis, allowing for precise and devastating cyberattacks against critical infrastructure, military command and control systems, or diplomatic channels.
VI. Synthesis and Recommendations for Security Leaders
July’s events demonstrated that attackers are successfully targeting the connective tissue of modern enterprises—the collaboration platforms, access gateways, and third-party services that all other operations depend on. The distinction between a data theft incident and an operational disruption is collapsing, as seen in the airport chaos and the Ingram Micro shutdown.
Security leaders should internalize the lessons of July and take the following steps:
- Assume Perimeter Breach: With critical vulnerabilities like Citrix Bleed 2 being actively exploited in the wild, a security model that relies solely on a hardened perimeter is obsolete. Organizations must prioritize the adoption of a Zero Trust architecture, focusing on robust network segmentation, strict access controls, and comprehensive internal monitoring to detect and contain threats that have already bypassed the edge.
- Urgently Address On-Premises Vulnerabilities: While cloud adoption continues to accelerate, legacy on-premises systems like SharePoint servers remain high-value targets for sophisticated actors. A rigorous and timely patch management program is non-negotiable. For systems that cannot be adequately secured, organizations should consider isolating them from the main network or accelerating their migration to a more secure cloud environment.
- Map Critical Third-Party Dependencies: Vendor risk management must evolve beyond data security questionnaires. It is crucial to identify and map the software and service providers, like Collins Aerospace, whose failure would cause a direct and immediate operational shutdown. For these critical dependencies, organizations must develop detailed contingency plans, including viable manual workarounds.
- Integrate Geopolitical Threat Intelligence: The activities of state-sponsored groups like Salt Typhoon and Secret Blizzard are not abstract threats. CISOs, particularly those in critical infrastructure, defense, and government sectors, must incorporate nation-state threat intelligence into their risk assessments to understand which adversaries are targeting their industry, what their motivations are, and what TTPs they are likely to employ.