SOC Threat Radar — December 2025
Notable threats targeting organizations seen by Barracuda Managed XDR
Takeaways
- A rise in attackers trying to use ScreenConnect for unauthorized remote access
- Attackers using bought or stolen credentials for ransomware and data theft
- A rise in Microsoft 365 login attempts from unfamiliar countries
Attackers using ScreenConnect for unauthorized remote access
What’s happening?
The SOC team recently noticed a rise in the suspicious use of ScreenConnect. This includes attackers trying to enroll endpoints into a target’s existing ScreenConnect deployment, and attackers installing their own ScreenConnect clients on compromised hosts so that they can control them remotely.
ScreenConnect is a trusted and popular remote device management tool used by many organizations and their managed service providers (MSPs). As a result, the presence of ScreenConnect on an endpoint does not by itself arouse suspicion.
Earlier in 2025, attackers discovered a serious weakness in older versions of ScreenConnect that could allow them to break into systems and run harmful programs without permission. Attackers are using this vulnerability to take control of systems remotely, install ransomware, steal data, and move laterally to other connected systems.
Compromising an existing deployment, especially one an MSP uses to manage its customers, can give criminals access to many devices and even many organizations at once.
ConnectWise released a ScreenConnect patch for the vulnerability on April 24, 2025.
Your organization may be at risk if you:
- Are running a ScreenConnect version older than 25.2.4 that has not had the patch applied.
- Are using unmanaged or unauthorized remote access tools.
- Lack multifactor authentication (MFA) for administrator accounts.
To protect your organization:
- Implement a strong, multilayered security solution such as Barracuda XDR Managed Endpoint Security that can spot and contain suspicious ScreenConnect activity.
- Ensure your ScreenConnect software is running the latest version (25.2.4 or newer).
- Check ScreenConnect and Windows logs for unexpected sessions, newly installed ScreenConnect clients, and connections to ScreenConnect servers that are not part of your own deployment.
- Enable MFA for all accounts, especially administrator accounts.
- Block remote access tools you have not approved, and monitor DNS lookups and connections to ScreenConnect web addresses so that sessions to servers outside your own deployment stand out.
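As an added example (not code from this page, from Barracuda, or from ConnectWise), the following Python script applies two of the checks above to constructed data: it compares ScreenConnect version strings against the 25.2.4 minimum named above, and it pulls the relay host out of the command line that a ScreenConnect client service is registered with. Windows records each new service in a System log Event ID 7045; for a ScreenConnect client the ImagePath carries query-string style arguments, including h=<relay host>, which is assumed here as the field to inspect. The allowlisted relay host, host names, versions and service install records are all invented for the example.

```python
import re
from urllib.parse import parse_qs

# Minimum fixed version named in this report.
MIN_PATCHED = (25, 2, 4)

# Relay host(s) your own ScreenConnect deployment, or your MSP's, legitimately
# uses. Hypothetical value for this example.
ALLOWED_RELAY_HOSTS = {"corp-relay.example.com"}

def parse_version(ver):
    """'25.2.3.9135' -> (25, 2, 3, 9135) so that versions compare numerically."""
    return tuple(int(p) for p in ver.strip().split(".") if p.isdigit())

def is_patched(ver):
    """True when the major.minor.patch components are at least 25.2.4."""
    return parse_version(ver)[:3] >= MIN_PATCHED

def unpatched_hosts(inventory):
    """inventory: list of (host, version) pairs; returns those still below 25.2.4."""
    return [(host, ver) for host, ver in inventory if not is_patched(ver)]

def relay_host_from_image_path(image_path):
    """Extract the h= relay host from a ScreenConnect client service command line:
    "<dir>\\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=HOST&p=443&s=<guid>&k=<key>"
    Returns None when the command line is not a ScreenConnect client."""
    if "ScreenConnect.ClientService.exe" not in image_path:
        return None
    m = re.search(r'"\?([^"]*)"', image_path)      # the quoted ?a=b&c=d argument
    if not m:
        return None
    return parse_qs(m.group(1)).get("h", [None])[0]

def unknown_relay_clients(service_installs, allowed=ALLOWED_RELAY_HOSTS):
    """service_installs: dicts with host, service_name, image_path (the fields
    you would take from Event ID 7045). Flags ScreenConnect clients whose relay
    host is not on the allowlist."""
    findings = []
    for ev in service_installs:
        relay = relay_host_from_image_path(ev["image_path"])
        if relay is not None and relay not in allowed:
            findings.append((ev["host"], ev["service_name"], relay))
    return findings

# Constructed sample data (not real telemetry).
SAMPLE_INVENTORY = [
    ("SC-SERVER01", "25.2.3.9135"),
    ("SC-SERVER02", "25.2.4.9155"),
    ("MSP-SC", "24.4.1.9201"),
]

SAMPLE_SERVICE_INSTALLS = [
    {"host": "WS-0142", "service_name": "ScreenConnect Client (a1b2c3d4e5f6a7b8)",
     "image_path": '"C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3d4e5f6a7b8)\\ScreenConnect.ClientService.exe" '
                   '"?e=Access&y=Guest&h=corp-relay.example.com&p=443&s=4b2e1c9a-0000-4000-8000-000000000001&k=BgIAAACkAABSU0ExAAgAAAEAAQ"'},
    {"host": "WS-0177", "service_name": "ScreenConnect Client (f9e8d7c6b5a49382)",
     "image_path": '"C:\\Program Files (x86)\\ScreenConnect Client (f9e8d7c6b5a49382)\\ScreenConnect.ClientService.exe" '
                   '"?e=Access&y=Guest&h=instance-zz9q1x-relay.example.net&p=443&s=7d1f0a3c-0000-4000-8000-000000000002&k=BgIAAACkAABSU0ExAAgAAAEAAQ"'},
    {"host": "SRV-FS01", "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
]

if __name__ == "__main__":
    print("Unpatched:", unpatched_hosts(SAMPLE_INVENTORY))
    print("Unknown relay:", unknown_relay_clients(SAMPLE_SERVICE_INSTALLS))
```

The relay host check is what separates an attacker's freshly installed client from the one your MSP manages: both look identical to an antivirus, but only one of them phones home to a server you recognize.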
Attackers using bought or stolen credentials for ransomware and data theft
What’s happening?
Cybercriminals are stealing or buying usernames and passwords (credentials) and using them to break into systems. Once inside, they launch ransomware attacks or steal sensitive data.
These attacks often look like normal activity because the attackers use genuine credentials. Barracuda Managed XDR’s SOC tools spot the clues attackers leave behind, such as the unusual use of legitimate administrative tools (PsExec, PowerShell), multiple repeated or simultaneous login attempts, or the unexpected creation of remote services.
Your organization may be at risk if you:
- Allow employees to use weak or reused passwords.
- Lack MFA or do not enforce it consistently across the organization.
- Do not monitor unusual logins or the use of admin tools.
- Lack alerts for suspicious remote access or script execution.
To protect your organization:
- Enforce the use of complex, unique passwords.
- Rotate credentials promptly whenever compromise is suspected or confirmed. If you also rotate on a fixed schedule (for example every three months), pair it with screening new passwords against breached-password lists; current guidance such as NIST SP 800-63B favors compromise-driven rotation over calendar rotation alone.
- Enable MFA everywhere, especially for admin and remote access accounts.
- Monitor activity, looking for odd login times, the unexpected use of admin tools, or new remote services.
- Train employees to spot phishing attempts and report them.
- Implement a strong, multilayered security solution that can spot and block incidents at different stages of the attack chain.
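The clues described under "What’s happening" translate directly into detection logic. The following Python is an added example, not Barracuda’s tooling and not code from this page, that runs three such checks over a handful of constructed Windows events shaped like the fields a SIEM normalises from the Security and System logs (4625 failed logon, 7045 service installed, 4688 process created): a burst of failed logons from one source, a service install that points at PsExec or a binary dropped over an administrative share, and a PowerShell launch with an encoded command. The thresholds, host names, addresses and event records are all invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample events (not real telemetry). Event IDs:
# 4625 = failed logon, 7045 = service installed (System log), 4688 = process created.
SAMPLE_EVENTS = [
    # five failed logons against five accounts from one source in eight seconds
    {"ts": ts("2025-12-03 02:14:01"), "id": 4625, "host": "DC01", "user": "jsmith", "src_ip": "203.0.113.9"},
    {"ts": ts("2025-12-03 02:14:03"), "id": 4625, "host": "DC01", "user": "mlee", "src_ip": "203.0.113.9"},
    {"ts": ts("2025-12-03 02:14:05"), "id": 4625, "host": "DC01", "user": "svc_backup", "src_ip": "203.0.113.9"},
    {"ts": ts("2025-12-03 02:14:07"), "id": 4625, "host": "DC01", "user": "admin", "src_ip": "203.0.113.9"},
    {"ts": ts("2025-12-03 02:14:09"), "id": 4625, "host": "DC01", "user": "rkhan", "src_ip": "203.0.113.9"},
    # a single mistyped password an hour later is not a burst
    {"ts": ts("2025-12-03 03:30:00"), "id": 4625, "host": "DC01", "user": "mlee", "src_ip": "10.0.1.20"},
    # PsExec's service dropped on a file server
    {"ts": ts("2025-12-03 02:22:10"), "id": 7045, "host": "SRV-FS01", "user": "admin",
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    # a routine service install that should not fire
    {"ts": ts("2025-12-03 07:00:00"), "id": 7045, "host": "WS-0142", "user": "SYSTEM",
     "service_name": "Backup Agent", "image_path": "C:\\Program Files\\BackupAgent\\agent.exe"},
    # encoded PowerShell launched afterwards (the base64 is just 'Start-Sleep 10')
    {"ts": ts("2025-12-03 02:23:00"), "id": 4688, "host": "SRV-FS01", "user": "admin",
     "cmdline": "powershell.exe -nop -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQAwAA=="},
    # ordinary scripted PowerShell that should not fire
    {"ts": ts("2025-12-03 08:05:00"), "id": 4688, "host": "WS-0142", "user": "jsmith",
     "cmdline": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\inventory.ps1"},
]

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Source addresses that produced at least `threshold` failed logons (4625)
    within any `window`; returns {src_ip: largest burst size}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625:
            by_src[ev["src_ip"]].append(ev["ts"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = max(hits.get(src, 0), end - start + 1)
    return hits

# Service names / paths typical of PsExec-style remote execution: the PSEXESVC
# service itself, or a binary copied in over an administrative share.
REMOTE_SERVICE_MARKERS = ("PSEXESVC", "\\ADMIN$\\", "\\C$\\")

def remote_service_installs(events):
    """7045 events whose service name or binary path matches a remote-execution marker."""
    hits = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        text = (ev.get("service_name", "") + " " + ev.get("image_path", "")).upper()
        if any(marker in text for marker in REMOTE_SERVICE_MARKERS):
            hits.append((ev["host"], ev["service_name"], ev["image_path"]))
    return hits

# -e, -ec, -en, -enc and -EncodedCommand are all accepted spellings of the same switch.
ENCODED_PS = re.compile(r"powershell(?:\.exe)?.*\s-(?:e|ec|en|enc|encodedcommand)\b", re.IGNORECASE)

def encoded_powershell(events):
    """4688 events that launch PowerShell with an encoded (base64) command."""
    return [(ev["host"], ev["user"], ev["cmdline"]) for ev in events
            if ev["id"] == 4688 and ENCODED_PS.search(ev.get("cmdline", ""))]

def triage(events):
    return {
        "failed_logon_bursts": failed_logon_bursts(events),
        "remote_services": remote_service_installs(events),
        "encoded_powershell": encoded_powershell(events),
    }

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(name, "->", hits)
```

None of these signals is proof of compromise on its own; a PsExec service followed within minutes by encoded PowerShell on the same host, under an account that was just part of a failed-logon burst, is the pattern the SOC chases.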
A rise in Microsoft 365 login attempts from unfamiliar countries
What’s happening?
Barracuda’s SOC team has detected a significant rise in attempts to log into Microsoft 365 accounts from countries where the targets don’t operate — a clear red flag that attackers are trying to access accounts using stolen usernames and passwords.
If the attackers succeed in signing in, they can read email and files and impersonate the legitimate account holder to launch convincing internal phishing attacks and move deeper into the environment.
Your organization may be at risk if you:
- Do not implement geo-blocking or location-based login rules.
- Allow employees to use weak or reused passwords.
- Lack MFA or do not enforce it consistently across the organization.
- Do not monitor sign-ins for unusual locations, times, or patterns.
To protect your organization:
- Enforce the use of complex, unique passwords, and consider password managers.
- Enable MFA everywhere — this is the single most effective step you can take.
- Monitor sign-in alerts, and investigate successful sign-ins from unexpected countries first, since those show the stolen credential worked.
- Implement conditional access policies that block sign-ins originating from countries or regions where you do not operate, with a documented exception process for legitimate travel.
- Train employees to spot phishing attempts and report them.
- Implement a strong, multilayered security solution that can spot and block incidents at different stages of the attack chain.
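To make the sign-in monitoring above concrete, the following Python is an added example (not Barracuda’s or Microsoft’s code, and not from this page) that runs two checks over constructed records shaped like Entra ID sign-in log entries: user, timestamp, source IP, country, and the result code, where 0 is success and 50126 is an invalid username or password. It lists every attempt from a country outside the set where the organization operates, separating out the successful ones because those mean the credential worked, and, going one step beyond the text, flags the impossible-travel case of one user succeeding from two countries within an hour. The operating-country set, the one-hour window and all records are invented for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Countries the (hypothetical) organization actually operates from.
OPERATING_COUNTRIES = {"US", "GB", "DE"}

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed sign-in records (not real telemetry). 'error' follows Entra ID's
# convention: 0 = success, 50126 = invalid username or password.
SAMPLE_SIGNINS = [
    {"user": "jsmith@example.com", "ts": ts("2025-12-03T08:02:11Z"), "ip": "198.51.100.4",  "country": "US", "error": 0},
    {"user": "jsmith@example.com", "ts": ts("2025-12-03T08:40:55Z"), "ip": "203.0.113.77",  "country": "NG", "error": 50126},
    {"user": "jsmith@example.com", "ts": ts("2025-12-03T08:41:02Z"), "ip": "203.0.113.77",  "country": "NG", "error": 50126},
    {"user": "jsmith@example.com", "ts": ts("2025-12-03T08:41:40Z"), "ip": "203.0.113.77",  "country": "NG", "error": 0},
    {"user": "mlee@example.com",   "ts": ts("2025-12-03T09:10:00Z"), "ip": "192.0.2.18",    "country": "GB", "error": 0},
    # same user in the US eight hours later: a plausible flight, so not flagged
    {"user": "mlee@example.com",   "ts": ts("2025-12-03T17:45:00Z"), "ip": "198.51.100.4",  "country": "US", "error": 0},
    {"user": "rkhan@example.com",  "ts": ts("2025-12-03T11:15:00Z"), "ip": "198.51.100.9",  "country": "DE", "error": 0},
    {"user": "rkhan@example.com",  "ts": ts("2025-12-03T11:16:00Z"), "ip": "203.0.113.200", "country": "RU", "error": 50126},
]

def foreign_signins(records, operating=OPERATING_COUNTRIES):
    """Every sign-in attempt, failed or not, from a country outside `operating`."""
    return [r for r in records if r["country"] not in operating]

def successful_foreign_signins(records, operating=OPERATING_COUNTRIES):
    """The urgent subset: the credential worked from an unexpected country."""
    return [r for r in foreign_signins(records, operating) if r["error"] == 0]

def failed_attempts_by_country(records):
    """Where the failed attempts come from, to spot a spray run from one region."""
    return Counter(r["country"] for r in records if r["error"] != 0)

def rapid_country_changes(records, window=timedelta(hours=1)):
    """Users with consecutive successful sign-ins from different countries inside
    `window` ('impossible travel'). Returns {user: [(from, to, gap), ...]}."""
    by_user = defaultdict(list)
    for r in records:
        if r["error"] == 0:
            by_user[r["user"]].append((r["ts"], r["country"]))
    hits = {}
    for user, logons in by_user.items():
        logons.sort()
        for (t1, c1), (t2, c2) in zip(logons, logons[1:]):
            if c1 != c2 and t2 - t1 <= window:
                hits.setdefault(user, []).append((c1, c2, t2 - t1))
    return hits

if __name__ == "__main__":
    print("Foreign attempts:", len(foreign_signins(SAMPLE_SIGNINS)))
    print("Succeeded from abroad:", [r["user"] for r in successful_foreign_signins(SAMPLE_SIGNINS)])
    print("Failed by country:", failed_attempts_by_country(SAMPLE_SIGNINS))
    print("Rapid country changes:", rapid_country_changes(SAMPLE_SIGNINS))
```

The successful-foreign list is also the input for tightening conditional access: any country that appears there and is not on your operating list is a candidate for a block rule, with travel handled as an explicit exception rather than by widening the allowed set.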
How Barracuda Managed XDR can help your organization
Barracuda Managed XDR delivers advanced protection against the threats identified in this report by combining cutting-edge technology with expert SOC oversight. With real-time threat intelligence, automated responses, a 24/7/365 SOC team and XDR Managed Vulnerability Security that identifies security gaps and oversights, Barracuda Managed XDR ensures comprehensive, proactive protection across your network, cloud, email, servers and endpoints, giving you the confidence to stay ahead of evolving threats.
For further information on how we can help, please get in touch with Barracuda Managed XDR.