Executive Summary
In early 2025, Marks & Spencer (M&S) and Co-op Group, two major UK retailers, suffered significant ransomware attacks following sophisticated vishing campaigns. Attackers impersonated IT support and targeted outsourced helpdesk staff to capture corporate credentials, enabling unauthorized access to internal networks. Once inside, threat actors leveraged overprivileged accounts and weak segmentation to laterally move and exfiltrate sensitive data, ultimately deploying ransomware that disrupted operations. The incidents resulted in direct losses exceeding £500 million (USD 667 million), with long-term impacts including reputational harm and regulatory scrutiny.
These breaches underscore the ongoing threat of identity-based attacks, particularly those that use social engineering and credential harvesting to bypass perimeter defenses. With distributed workforces, cloud adoption, and third-party supply chains now the norm, organizations of all sizes remain exposed to the same tactics, making identity security and robust privilege management more urgent than ever.
Why This Matters Now
Identity-based attacks such as vishing and targeted credential theft are escalating, allowing attackers to exploit gaps in privilege management and network segmentation. As digital transformation accelerates, prompt adoption of zero trust principles and stronger authentication has become critical to defend against evolving threats and to limit the impact of a breach.
Attack Path Analysis
Attackers gained initial access by harvesting employee credentials through vishing calls to IT helpdesk staff. With valid credentials in hand, they authenticated as legitimate users and escalated privileges by abusing overprovisioned accounts and likely misconfigurations. Once inside, the threat actors moved laterally across cloud and on-premise resources, exploiting weak segmentation and excessive permissions. They established command and control over covert channels, possibly using encrypted or obfuscated outbound connections. Sensitive data was exfiltrated, and finally the attackers deployed ransomware, resulting in system encryption, business disruption, and significant financial and reputational impact.
Kill Chain Progression
Initial Compromise
Description
Adversaries performed vishing attacks to socially engineer IT helpdesk personnel, successfully obtaining valid corporate credentials.
Related CVEs
CVE-2024-12345
CVSS 4.4
A vulnerability in INW Krbyyyzo 25.2002 allows local attackers with high privileges to cause a denial of service through resource consumption via the 's' parameter in /gbo.aspx.
Affected Products:
INW Krbyyyzo – 25.2002
Exploit Status:
no public exploit
CVE-2025-9769
CVSS 7.8
A command injection vulnerability in D-Link DI-7400G+ firmware 19.12.25A1 allows attackers to execute arbitrary commands via the 'addr' parameter in /mng_platform.asp.
Affected Products:
D-Link DI-7400G+ – 19.12.25A1
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Phishing
Phishing for Information
Valid Accounts
Brute Force
Credentials from Password Stores
Remote Services
Data Encrypted for Impact
Application Layer Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Multi-factor Authentication for All Access
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
CISA Zero Trust Maturity Model 2.0 – Continuous Identity Governance
Control ID: Identity Pillar – Identity Governance
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 8
NIS2 Directive – Security of Network and Information Systems – Access Control
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Retail Industry
Identity-based attacks on retailers such as M&S and Co-op show how exposed the sector is to vishing, credential theft, and ransomware, with massive financial losses and operational disruption as the result.
Financial Services
Financial institutions are high-value targets for credential abuse and phishing, and require strong PAM, MFA, and zero trust segmentation to protect sensitive financial data and customer accounts.
Information Technology/IT
IT service providers face supply chain identity risk through compromised helpdesks and outsourced services, which can enable lateral movement across multiple client environments via privileged access.
Oil/Energy/Solar/Greentech
Critical infrastructure operators such as Colonial Pipeline are vulnerable to identity-based ransomware attacks via brute-forcing of legacy VPNs, and require enhanced egress security and protection of encrypted traffic.
Sources
- Phishing, privileges and passwords: Why identity is critical to improving cybersecurity posture – https://www.welivesecurity.com/en/business-security/phishing-privileges-passwords-identity-cybersecurity-posture/
- Vulnerability Summary for the Week of January 27, 2025 – https://www.cisa.gov/news-events/bulletins/sb25-034
- CVE-2024-12345 | Tenable® – https://www.tenable.com/cve/CVE-2024-12345
- CVE-2025-9769 - Exploits & Severity - Feedly – https://feedly.com/cve/CVE-2025-9769
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust controls including identity-based segmentation, centralized policy enforcement, and egress monitoring could have constrained the adversaries' lateral movement, privilege escalation, and exfiltration efforts. Applying CNSF capabilities such as Zero Trust Segmentation, East-West Traffic Security, and Egress Policy Enforcement would have limited blast radius, hindered data theft, and accelerated detection and response.
Control: Multicloud Visibility & Control
Mitigation: Suspicious credential usage would be rapidly detected across environments.
Control: Zero Trust Segmentation
Mitigation: Least privilege network policy would confine user access, reducing escalation pathways.
Control: East-West Traffic Security
Mitigation: Unauthorized intra-cloud movement would be blocked or alerted.
Control: Threat Detection & Anomaly Response
Mitigation: Real-time anomaly detection would flag and contain suspicious C2 activity.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data transfers to unapproved destinations would be blocked or logged.
Distributed inline controls help detect and contain widespread ransomware actions.
Impact at a Glance
Affected Business Functions
- Retail Operations
- Customer Service
- Supply Chain Management
Estimated downtime: 14 days
Estimated loss: $667,000,000
Potential exposure of customer personal and payment information due to compromised credentials.
Recommended Actions
Key Takeaways & Next Steps
- Enforce identity-based Zero Trust segmentation to restrict lateral movement from compromised accounts.
- Deploy centralized visibility and anomaly detection to rapidly identify suspicious credential usage and insider threats.
- Apply outbound egress filtering and policy enforcement to stop data exfiltration and C2 traffic.
- Regularly review and minimize privilege assignments, using automated tools to detect overprivileged or dormant accounts.
- Integrate inline detection and response controls across cloud and hybrid environments to contain ransomware and unauthorized actions in real time.