Sophos published its Annual Threat Report 2025, highlighting the biggest threats posed to SMBs last year.
According to Sophos’ incident response (IR) and managed detection and response (MDR) cases, attackers’ top method for infiltrating networks is compromising network edge devices such as firewalls, routers and VPNs, which accounted for the initial compromise in nearly 30 percent of cases.
Firewalls with VPNs were particularly vulnerable, with VPNs the most frequent compromise point across MDR and IR, accounting for over 25 percent of incidents and ransomware and data exfiltration events.
“Over the past several years, attackers have aggressively targeted edge devices,” said Sophos principal threat researcher, Sean Gallagher. “Compounding the issue is the increasing number of end-of-life (EOL) devices found in the wild – a problem Sophos calls digital detritus. Because these devices are exposed to the internet and often low on the patching priority list, they are a highly effective method for infiltrating networks. However, targeting edge devices is part of a larger shift we’re witnessing in which attackers don’t have to deploy custom malware. Instead, they can exploit businesses’ own systems, increasing their agility and hiding in the places security leaders aren’t looking.”
Other key findings included:
- Ransomware accounted for 90+ percent of IR cases involving midsized organizations, and 70 percent of cases involving small businesses.
- Attackers bypassed MFA through adversary-in-the-middle authentication token capture, whereby attackers use a phishing platform to mimic the authentication process, then capture credentials.
- Commercial remote access tools were involved in 34 percent of IR and MDR cases.
- Attackers used QR codes (quishing), phone messages (vishing) and email bombing – sending thousands of spam emails in as little as 1-2 hours – to compromise businesses.