“Cleaner flight is possible, but it requires changing how we think about both risk and return,” Victor said. “We need new institutions, incentives, and partnerships that reward innovation, not just incrementalism.”
The commentary, written by a multinational team of scholars, also highlights a broader lesson for climate policy: global decarbonization goals such as “net zero by 2050” sound bold and ambitious. But when it becomes clear that they can’t be met these goals make it harder to focus on the practical steps needed today to drive change in real-world markets.
Ultimately, the paper argues for action that begins now. By developing better tools to evaluate climate-friendly investments and by rewarding companies willing to take calculated risks on breakthrough technologies, governments, investors and industry leaders can accelerate real progress toward decarbonization.
The paper was co-authored by Thomas Conlon of University College Dublin, Philipp Goedeking of Johannes Gutenberg University of Mainz (Germany) and Andreas W. Schäfer of University College London.
Read the full article, “Mobilizing Capital and Technology for a Clean Aviation Industry,” in Science.
Learn more about research and education at UC San Diego in:
Please enable JavaScript if it is disabled in your browser or access the information through the links provided below.
October 16, 2025
Agencies announce withdrawal of principles for climate-related financial risk management
Federal Deposit Insurance Corporation
Federal Reserve Board
Office of the Comptroller of the Currency
For release at 3:00 p.m. EDT
The federal bank regulatory agencies today announced the withdrawal of interagency Principles for Climate-Related Financial Risk Management for Large Financial Institutions.
The agencies do not believe principles for managing climate-related financial risk are necessary because the agencies’ existing safety and soundness standards require all supervised institutions to have effective risk management commensurate with their size, complexity, and activities. In addition, all supervised institutions are expected to consider and appropriately address all material financial risks and should be resilient to a range of risks, including emerging risks.
The interagency principles were previously issued jointly by the agencies in October 2023. The notice, which will be issued in the Federal Register, rescinds these principles effective immediately. The OCC withdrew its participation in the principles earlier this year.
Traders work on the floor of the New York Stock Exchange (NYSE) on October 13, 2025, in New York City.
Spencer Platt | Getty Images
Stocks fell Thursday, giving up earlier gains, led by declines in bank stocks on worries about bad loans. Traders also juggled persistent trade tensions and an ongoing U.S. government shutdown.
The Dow Jones Industrial Average lost 411 points, or 0.9%, after gaining 170 points at one point. The S&P 500 traded nearly 1% lower, giving up a 0.6% gain at the highs of the session. The Nasdaq Composite fell 0.9%.
Regional banks Zions and Western Alliance fell to their lows of the day as indexes rolled over. Zions plunged 12% after taking a sizable charge because of bad loans to a couple borrowers. Western Alliance dropped 10% after alleging a borrower had committed fraud.
“The market is just really skittish about credit-related losses,” Jed Ellerbroek, portfolio manager at Argent Capital Management, told CNBC. “The market is not very happy about [the regional banks’ comments], so most small-cap financials, banks are down today.”
The banking industry has been on edge lately following the bankruptcies of two auto industry-related companies that have raised concerns about loose lending practices, especially in the opaque private credit market.
“When you see one cockroach, there are probably more,” JPMorgan CEO Jamie Dimon said on the bank’s earnings conference call earlier this week, related to the collapse of First Brands and Tricolor Holdings. Jefferies, which has some exposure to First Brands, shed 10% on Thursday, bringing its losses for the month to 25%.
Zions, 1 day
The decline in stocks coincided with a jump in the Cboe Volatility Index and moves lower in bond yields and the U.S. dollar. The Vix spiked to its highest since May, while the 10-year Treasury yield fell and broke below 4%. The U.S. dollar index lost 0.4% and hit its lows of the session midday.
Trade tensions between China and the U.S. recently increased, adding to volatility on Wall Street.
President Donald Trump last week threatened to place an additional 100% tariff on any goods coming from China in response to the country’s new export controls on rare earth minerals. The trade tone softened over subsequent days, but tensions increased again Tuesday, when Trump on threatened China with a cooking oil trade ban.
“The Trump administration desires to influence and control a lot more things than past administrations have … so they’re constantly jolting the market in unexpected ways,” Ellerbroek said. “That’s going to continue, and investors just have to kind of accept that as a new fact of life and be on their toes.”
Investors are also keeping a watchful eye as the U.S. government shutdown continues for a third week. The stoppage has led to an indefinite shutdown of crucial economic data releases from federal agencies.
Treasury Department data does not reflect how much hedge funds domiciled in the Cayman Islands are dominating the so-called basis trade, according to a team at the Federal Reserve.
Data from the U.S. Treasury Department is failing to capture Cayman Island hedge-fund exposures to Treasury securities.
Key Treasury Department data is massively underreporting the amount of U.S. government debt held by hedge funds registered and incorporated in the Cayman Islands, and is failing to reflect their heavy reliance on a controversial leveraged trade that has repeatedly alarmed regulators.
In a note released on Wednesday, a team at the Federal Reserve found that U.S. Treasury International Capital data appears to be “severely” undercounting the amount of Treasurys held by those hedge funds, to the tune of about $1.4 trillion as of the end of the 2024. In addition, the Fed team concluded that TIC data is not capturing just how much Cayman-domiciled hedge funds are dominating positions in the so-called basis trade.
Since at least 2018, U.S. regulators have periodically expressed alarm over the possibility that the basis trade could trigger wider financial instability during market downturns. The Treasury Department’s press office did not immediately respond to a request for comment on Thursday. The U.S. government has been in a partial shutdown since Oct. 1.
The basis trade uses leverage to arbitrage the price differences between Treasury futures and cash Treasurys. It involves simultaneously buying a Treasury cash position and selling a Treasury futures position, and financing the trade by borrowing in the repo market to provide leverage. The unwinding of the basis trade was seen as a likely contributor to Treasury-market instability in March 2020, and the risk of a possible repeat following hedge funds’ increased reliance on leverage drew scrutiny from the Fed’s board of governors and the Treasury in 2023.Read: Hedge funds’ use of leveraged Treasury trades needs ‘diligent monitoring,’ Fed paper says
TIC data is the main source of U.S. data on cross-border securities and banking. It is used by policymakers, investors and researchers to understand the catalysts and impacts of cross-border flows and asset allocations among various countries and investor types.
The severe underreporting of Cayman-domiciled funds’ Treasurys holdings presents “a major impediment for researchers, policymakers, and other data users seeking to analyze cross-border flows and their effects on the U.S. economy and financial markets,” according to the note written by Daniel Barth, principal economist for the Federal Reserve Board; Daniel Beltran, a deputy associate director; Maria Perozek, chief of the board’s Flow of Funds section; and others. The authors estimate that holdings of Treasury securities of Cayman-domiciled hedge funds stood at $1.85 trillion by the end of 2024, having climbed by $1 trillion since 2022.
“Our findings suggest that Cayman Islands hedge funds are, increasingly, the marginal foreign buyers of U.S. Treasury notes and bonds,” the authors said. After factoring in an estimated underreporting of roughly $1.4 trillion, they wrote, the Cayman Islands “is in fact the largest foreign holder of U.S. Treasury securities – holding significantly more than China, Japan, and the United Kingdom,” which currently rank as the three largest holders.
Hedge funds domiciled in the Cayman Islands held an estimated $1.85 trillion in Treasurys at the end of 2024, according to a note from the Federal Reserve.
Meanwhile, the gap between what’s being reported in the Treasury Department’s TIC data versus what’s reported to the Securities and Exchange Commission has widened to almost $1.4 trillion as of the end of last year. “TIC data on Cayman Islands holdings of Treasuries do not appear to be picking up the Treasury transactions associated with the basis trade activity” that can be seen on the hedge funds’ filings to the SEC, according to the Fed note.
While this roughly $1.4 trillion gap is not solely attributable to the basis trade, “the puzzling disconnect between the TIC and [SEC’s] Form PF data on Cayman Islands’ holdings of U.S. Treasuries is under active investigation,” Barth and the other authors wrote.
The amount of Treasurys held by hedge funds domiciled in the Cayman Islands is far greater than what is being reported in the Treasury Department’s TIC data, according to a note from the Federal Reserve.
On Thursday, U.S. government debt rallied, sending Treasury yields lower across the board, as investors digested a mix of worries about trade tensions between the U.S. and China, the partial government shutdown, and bad loans in the bank industry. Separately, U.S. stocks DJIA SPX COMP were falling in afternoon trading.
-Vivien Lou Chen
This content was created by MarketWatch, which is operated by Dow Jones & Co. MarketWatch is published independently from Dow Jones Newswires and The Wall Street Journal.
The FDA has granted fast track designation to the novel immunotherapy EO2463 for the treatment of follicular lymphoma, backed by positive interim data from the ongoing phase 2 SIDNEY trial (NCT04669171).1
Under this fast track designation, Enterome, the sponsor, will be eligible for more frequent opportunities for interaction with the FDA, rolling review, and potential eligibility for priority review if criteria are met, in hopes of bringing the therapy to patients sooner.2
“The FDA’s decision is an important validation of the unique potential of Enterome’s OncoMimics™ program,” said Pierre Belichard, chief executive officer of Enterome, in a news release.1 “It will expedite the clinical development and the regulatory pathways for EO2463, which is ready to enter registrational testing as early as next year after this fast track designation and a recent positive type C meeting with the FDA.”
What Is the Unmet Need in Follicular Lymphoma?
Follicular lymphoma, an indolent subtype of non-Hodgkin lymphoma (NHL), is characterized by slow disease progression and few symptoms yet shortened life expectancy, in part due to lack of a cure.
The condition exhibits potential for spontaneous remissions, suggesting the role of the immune system in such cases.3 While this invites an opportunity for treatment through immunotherapies, the disease’s high frequency of relapse necessitates immunotherapies that produce deep, durable antitumor responses.
How Is EO2463 Addressing This Need?
EO2463 is a novel therapeutic vaccine candidate that utilizes Enterome’s proprietary OncoMimics™ platform. Drugs that use this platform are designed using AI and machine learning to mimic tumor-associated antigens or lineage markers, drawing from a database of 23 million commensal bacteria genes to drive strong and lasting immune responses.1 Specifically, EO2463 is a combination of 4 synthetic OncoMimics™ microbial-derived peptides that correspond to 4 B cell markers: CD20, CD22, CD37, and CD268, as well as the CD4 helper-epitope UCP2.3
The nonrandomized, open-label phase 1/2 SIDNEY trial is evaluating the safety and preliminary efficacy of EO2463 monotherapy and in combination with lenalidomide (Revlimid) and/or rituximab (Rituxan) in patients with indolent NHL, including those with follicular lymphoma and marginal zone B-cell lymphoma, with an estimated enrollment of 60 patients across 4 cohorts.4
The primary outcome of phase 2 is objective response rate (ORR). In an early data report, the majority of patients remained on study treatment, with an observed ORR of 46% in the first 13 patients.5 Moreover, data presented at the 2024 American Society of Clinical Oncology (ASCO) Annual Meeting show that EO2463 monotherapy was well tolerated by patients, with no severe adverse events.3
This clinical activity primes EO2463 as a promising alternative treatment option for this patient population who may otherwise go untreated in a standard “watch-and-wait” approach.
REFERENCES:
1. Enterome receives FDA Fast Track designation in follicular lymphoma for lead OncoMimics™ immunotherapy EO2463. News release. BioSpace. October 16, 2025. Accessed October 16, 2025. https://tinyurl.com/4ahshump
2. Fast Track. US Food & Drug Administration. Updated August 13, 2024. Accessed October 16, 2025. https://tinyurl.com/ms2695jn
3. Villasboas JC, Wallace D, Smith SD, et al. Phase 1/2 of EO2463 immunotherapy as monotherapy and in combination with lenalidomide and/or rituximab in indolent NHL (EONHL1-20/SIDNEY). J Clin Oncol. 2024;42(16_suppl):7058-7058. doi:https://doi.org/10.1200/jco.2024.42.16_suppl.7058
4. A Novel Vaccine (EO2463) as Monotherapy and in Combination, for Treatment of Patients With Indolent Non-Hodgkin Lymphoma (SIDNEY). ClinicalTrials.gov. Updated December 13, 2024. Accessed October 16, 2025. https://www.clinicaltrials.gov/study/NCT04669171
5. Enterome’s Immunotherapy EO2463 Shows Early Clinical Response in Newly Diagnosed Follicular Lymphoma Suggesting a Potential Alternative to ‘Watchful Waiting’. News release. Enterome. December 10, 2024. Accessed October 16, 2025. https://www.enterome.com/news-events/enteromes-immunotherapy-eo2463-shows-early-clinical-response-in-newly-diagnosed-follicular-lymphoma-suggesting-a-potential-alternative-to-watchful-waiting/
Qnity, DuPont’s Electronics business, is a premier technology solutions provider across the semiconductor value chain, empowering AI, high performance computing, and advanced connectivity. From groundbreaking solutions for semiconductor chip manufacturing, to enabling high-speed transmission within complex electronic systems, our high-performance materials and integration expertise make tomorrow’s technologies possible. More information about the company, its businesses and solutions can be found at www.qnityelectronics.com. Investors can access the initial Form 10 filing and amendments for Qnity on its investor website.
Qnity™, the Qnity Node Logo, and all products, unless otherwise noted, denoted with ™ or ® are trademarks, trade names or registered trademarks of affiliates of Qnity Electronics, Inc.
About DuPont
DuPont (NYSE: DD) is a global innovation leader with technology-based materials and solutions that help transform industries and everyday life. Our employees apply diverse science and expertise to help customers advance their best ideas and deliver essential innovations in key markets, including electronics, transportation, construction, water, healthcare, and worker safety. More information about the company, its businesses, and solutions can be found at www.dupont.com. Investors can access information included on the Investor Relations section of the website at investors.dupont.com.
DuPont™, the DuPont Oval Logo, and all trademarks and service marks denoted with ™, ℠ or ® are owned by affiliates of DuPont de Nemours, Inc. unless otherwise noted.
* On January 15, 2025, DuPont de Nemours, Inc. (“DuPont”) announced it is targeting November 1, 2025 to complete the intended separation of its Electronics business (the “Intended Electronics Separation”) by way of a spin-off transaction, thereby creating Qnity Electronics, Inc., a new independent, publicly traded electronics company. The Intended Electronics Separation will not require a shareholder vote and is subject to satisfaction of customary conditions, including final approval by DuPont’s Board of Directors, receipt of tax opinion from counsel, the completion and effectiveness of a Form 10 registration statement with the U.S. Securities and Exchange Commission, applicable regulatory approvals and satisfactory completion of financing.
This release contains forward-looking statements. Forward-looking statements use words such as “plans”, “expects”, “will”, “would”, “anticipates”, “believes”, “intends”, “seeks”, “projects”, “efforts”, “estimates”, “potential”, “continue”, “intend”, “may”, “could”, “should” and similar expressions, among others, as well as other words or expressions referencing future events, conditions or circumstances. Statements that describe or relate to DuPont’s or Qnity’s plans, goals, intentions, strategies, DuPont’s or Qnity’s expectations regarding the Spin-Off, and statements that do not relate to historical or current fact, are examples of forward-looking statements. Forward-looking statements are based on our current beliefs, expectations and assumptions, which may not prove to be accurate, and involve a number of known and unknown risks and uncertainties, many of which are out of DuPont’s and Qnity’s control. Forward-looking statements are not guarantees of future performance, and there are a number of important factors that could cause actual outcomes and results to differ materially from the results contemplated by such forward-looking statements. Additional information concerning these and other factors can be found in DuPont’s and Qnity’s filings with the U.S. Securities and Exchange Commission, including DuPont’s most recent annual report on Form 10-K, most recent quarterly report on Form 10-Q and current reports on Form 8-K and Qnity’s registration statement on Form 10. Any forward-looking statement speaks only as of the date on which it is made. Neither DuPont nor Qnity undertake any obligation to publicly update or revise any forward-looking statements, whether as a result of new information, future events or otherwise, except as required by applicable law.
U.S. cybersecurity company F5 fell 12% on Thursday after disclosing a system breach in which a “highly sophisticated nation-state threat actor” gained long-term access to some systems.
F5 shares were pacing for the worst day since April 27, 2022, when the stock fell 12.8%.
The company disclosed the breach in a Securities and Exchange Commission filing on Wednesday and said the hack affected its BIG-IP product development environment. F5 said the attacker infiltrated files containing some source code and information on “undisclosed vulnerabilities” in BIG-IP.
The breach was later attributed to state-backed hackers from China, Bloomberg reported, citing people familiar with the matter.
F5, which was made aware of the attack in August, said they have not seen evidence of any new unauthorized activity.
“We have no knowledge of undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities,” F5 said in a statement.
The cybersecurity giant told customers that hackers were in the network for at least 12 months and that the breach used a malware called Brickstorm, according to Bloomberg.
F5 would not confirm the information.
Brickstorm is attributed to a suspected China-nexus threat dubbed UNC5221, Google Threat Intelligence Group said in a blog post. The malware is used for maintaining “long-term stealthy access” and can remain undetected in victim systems for an average of 393 days, according to Mandiant.
The attack prompted an emergency directive from the Cybersecurity and Infrastructure Security Agency on Wednesday, telling all agencies using F5 software or products to apply the latest update.
“The alarming ease with which these vulnerabilities can be exploited by malicious actors demands immediate and decisive action from all federal agencies,” CISA Acting Director Madhu Gottumukkala said. “These same risks extend to any organization using this technology, potentially leading to a catastrophic compromise of critical information systems.”
The UK’s National Cyber Security Centre also issued guidance for the F5 attack, advising customers to install security updates and continue monitoring for threats.
Simply sign up to the US banks myFT Digest — delivered directly to your inbox.
Shares in US regional banks fell on Thursday after two lenders disclosed that they were exposed to alleged fraud by borrowers, raising broader concerns about the health of bank loan portfolios.
The disclosures by Western Alliance Bank and Zions Bank follow the recent failures by car parts maker First Brands and auto lender Tricolor, which have left credit investors nursing losses and are under scrutiny from the US Department of Justice.
The KBW regional banking index, which comprises 50 smaller banks, fell more than 5.8 per cent on Thursday, on course for its lowest closing level since June. Shares in Zions had dropped 12 per cent and Western Alliance was down by more than 10 per cent. The two are members of the KBW bank index, which comprises 24 of the country’s leading lenders and was 3.3 per cent lower.
“When credit risk is rising, you just sell off the entire group and you get answers to your questions later,” said Timur Braziler, mid-cap bank analyst at Wells Fargo.
The drop in regional bank stocks helped prompt a move in the wider US stock market, with financials dragging the S&P 500 0.9 per cent lower.
In response to these regional bank worries — as well as the escalation in trade tensions between China and the US — the two-year Treasury yield sank to its lowest level since September 2022. The two-year yield, which moves with interest rate expectations, fell by as much as 0.09 percentage points to a low of 3.41 per cent.
“There was no single obvious catalysing incident [for the two-year move]. There are a variety of different factors that are interrelated that prompted it,” said Jonathan Hill, head of US inflation market strategy at Barclays.
“Part of it has to do with some weakness in regional banks, part of it has to do with trade tensions between the US and China, and part of it has to do with worries about stress in the funding market,” he said.
Utah-based Zions Bank — which has about $89bn in assets — on Wednesday said in regulatory filings that it would take a $60mn provision after it had “identified what it believes to be apparent misrepresentations and contractual default” on “two related commercial and industrial loans” affiliated with two borrowers.
The bank also said it had found “other irregularities with respect to the loans and collateral” and that it had commenced a lawsuit in California against the borrowers.
Separately, Western Alliance disclosed in regulatory filings on Thursday that it had initiated a lawsuit alleging fraud by a borrower “in failing to provide collateral loans in first position, among other claims”.
It is seeking to recover approximately $100mn, according to analysts at Citi.
The bank said on Thursday that it had “evaluated the existing collateral” and believed it covered the obligation. It also said it had “a limited guarantee and full guarantee from two ultra-high net worth individuals under certain circumstances, such as fraud”.
Western Alliance, which has about $87bn in assets, said that its “total criticised assets” — loans that show early signs of weakness — were “lower than they were on June 30, 2025” and affirmed its existing guidance and outlook for the year.
Analysts at Jefferies said the stock market reaction was “overdone” given the exposures of Western Alliance and Zions Bank represented 1.6 per cent and 1.1 per cent of their tangible common equity, respectively.
Shares in Banc of California fell by 8 per cent. The lender, with total assets of $34bn, has minimal exposure to the borrowers in question, according to a review of court documents by Jefferies analysts. They estimate that it will not incur any losses on this due to its senior position in the credit facility.
“The whole industry is being painted by the same brush,” said Catherine Mealor, head of small and mid-cap bank research coverage at KBW. “We are going to have pockets of credit stress as we move into this normalisation period. And so how does that impact the overall multiple that we put on the group?”
While Wall Street banks’ third-quarter results have shown resilient credit quality overall, the collapses of First Brands and Tricolor have raised concerns about lending standards.
“Historically fraud has been very idiosyncratic, very one off,” Braziler said. “And what if we are getting into an environment where more of these nefarious characters bubbled up to the top and fraud becomes a larger part of the conversation? I think that’s really the question at heart here and what investors are trying to figure out.”
Shares in Jefferies, which has exposure to First Brands, were down by more than 9 per cent on Thursday.
Western Alliance declined to comment beyond their filing. Zions did not immediately respond to a request for comment.
By Amy Hogan-Burney, Corporate Vice President, Customer Security & Trust
In the first half of 2025, Microsoft data showed Canada ranked 6th globally among countries where customers were most frequently impacted by cyber activity.
In the first half of 2025, Microsoft data showed Canada ranked second among countries where customers were most frequently impacted by cyber activity in the Americas (inclusive of North and South America).
In the first half of 2025, Microsoft data showed Canada accounted for approximately 7.9% of customers impacted by cyber activity in the Americas (inclusive of North and South America).
In 80% of the cyber incidents Microsoft’s security teams investigated last year, attackers sought to steal data—a trend driven more by financial gain than intelligence gathering. According to the latest Microsoft Digital Defense Report, written with our Chief Information Security Officer Igor Tsyganskiy, over half of cyberattacks with known motives were driven by extortion or ransomware. That’s at least 52% of incidents fueled by financial gain, while attacks focused solely on espionage made up just 4%. Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit.
Every day, Microsoft processes more than 100 trillion signals, blocks approximately 4.5 million new malware attempts, analyzes 38 million identity risk detections, and screens 5 billion emails for malware and phishing. Advances in automation and readily available off-the-shelf tools have enabled cybercriminals—even those with limited technical expertise—to expand their operations significantly. The use of AI has further added to this trend with cybercriminals accelerating malware development and creating more realistic synthetic content, enhancing the efficiency of activities such as phishing and ransomware attacks. As a result, opportunistic malicious actors now target everyone—big or small—making cybercrime a universal, ever-present threat that spills into our daily lives.
In this environment, organizational leaders must treat cybersecurity as a core strategic priority—not just an IT issue—and build resilience into their technology and operations from the ground up. In our sixth annual Microsoft Digital Defense Report, which covers trends from July 2024 through June 2025, we highlight that legacy security measures are no longer enough; we need modern defenses leveraging AI and strong collaboration across industries and governments to keep pace with the threat. For individuals, simple steps like using strong security tools—especially phishing-resistant multifactor authentication (MFA)—makes a big difference, as MFA can block over 99% of identity-based attacks. Below are some of the key findings.
Critical services are prime targets with a real-world impact
Malicious actors remain focused on attacking critical public services—targets that, when compromised, can have a direct and immediate impact on people’s lives. Hospitals and local governments, for example, are all targets because they store sensitive data or have tight cybersecurity budgets with limited incident response capabilities, often resulting in outdated software. In the past year, cyberattacks on these sectors had real-world consequences, including delayed emergency medical care, disrupted emergency services, canceled school classes, and halted transportation systems.
Ransomware actors in particular focus on these critical sectors because of the targets’ limited options. For example, a hospital must quickly resolve its encrypted systems, or patients could die, potentially leaving no other recourse but to pay. Additionally, governments, hospitals, and research institutions store sensitive data that criminals can steal and monetize through illicit marketplaces on the dark web, fueling downstream criminal activity. Government and industry can collaborate to strengthen cybersecurity in these sectors—particularly for the most vulnerable. These efforts are critical to protecting communities and ensuring continuity of care, education, and emergency response.
Nation-state actors are expanding operations
While cybercriminals are the biggest cyber threat by volume, nation-state actors still target key industries and regions, expanding their focus on espionage and, in some cases, on financial gain. Geopolitical objectives continue to drive a surge in state-sponsored cyber activity, with a notable expansion in targeting communications, research, and academia.
Key insights:
China is continuing its broad push across industries to conduct espionage and steal sensitive data. State-affiliated actors are increasingly attacking non-governmental organizations (NGOs) to expand their insights and are using covert networks and vulnerable internet-facing devices to gain entry and avoid detection. They have also become faster at operationalizing newly disclosed vulnerabilities.
Iran is going after a wider range of targets than ever before, from the Middle East to North America, as part of broadening espionage operations. Recently, three Iranian state-affiliated actors attacked shipping and logistics firms in Europe and the Persian Gulf to gain ongoing access to sensitive commercial data, raising the possibility that Iran may be pre-positioning to have the ability to interfere with commercial shipping operations.
Russia, while still focused on the war in Ukraine, has expanded its targets. For example, Microsoft has observed Russian state-affiliated actors targeting small businesses in countries supporting Ukraine. In fact, outside of Ukraine, the top ten countries most affected by Russian cyber activity all belong to the North Atlantic Treaty Organization (NATO)—a 25% increase compared to last year. Russian actors may view these smaller companies as possibly less resource-intensive pivot points they can use to access larger organizations. These actors are also increasingly leveraging the cybercriminal ecosystem for their attacks.
North Korea remains focused on revenue generation and espionage. In a trend that has gained significant attention, thousands of state-affiliated North Korean remote IT workers have applied for jobs with companies around the world, sending their salaries back to the government as remittances. When discovered, some of these workers have turned to extortion as another approach to bringing in money for the regime.
The cyber threats posed by nation-states are becoming more expansive and unpredictable. In addition, the shift by at least some nation-state actors to further leveraging the cybercriminal ecosystem will make attribution even more complicated. This underscores the need for organizations to stay abreast of the threats to their industries and work with both industry peers and governments to confront the threats posed by nation-state actors.
2025 saw an escalation in the use of AI by both attackers and defenders
Over the past year, both attackers and defenders harnessed the power of generative AI. Threat actors are using AI to boost their attacks by automating phishing, scaling social engineering, creating synthetic media, finding vulnerabilities faster, and creating malware that can adapt itself. Nation-state actors, too, have continued to incorporate AI into their cyber influence operations. This activity has picked up in the past six months as actors use the technology to make their efforts more advanced, scalable, and targeted.
For defenders, AI is also proving to be a valuable tool. Microsoft, for example, uses AI to spot threats, close detection gaps, catch phishing attempts, and protect vulnerable users. As both the risks and opportunities of AI rapidly evolve, organizations must prioritize securing their AI tools and training their teams. Everyone—from industry to government—must be proactive to keep pace with increasingly sophisticated attackers and to ensure that defenders keep ahead of adversaries.
Adversaries aren’t breaking in; they’re signing in
Amid the growing sophistication of cyber threats, one statistic stands out: more than 97% of identity attacks are password attacks. In the first half of 2025 alone, identity-based attacks surged by 32%. That means the vast majority of malicious sign-in attempts an organization might receive are via large-scale password guessing attempts. Attackers get usernames and passwords (“credentials”) for these bulk attacks largely from credential leaks.
However, credential leaks aren’t the only place where attackers can obtain credentials. This year, we saw a surge in the use of infostealer malware by cybercriminals. Infostealers can secretly gather credentials and information about your online accounts, like browser session tokens, at scale. Cybercriminals can then buy this stolen information on cybercrime forums, making it easy for anyone to access accounts for purposes such as the delivery of ransomware.
Luckily, the solution to identity compromise is simple. The implementation of phishing-resistant multifactor authentication (MFA) can stop over 99% of this type of attack even if the attacker has the correct username and password combination. To target the malicious supply chain, Microsoft’s Digital Crimes Unit (DCU) is fighting back against the cybercriminal use of infostealers. In May, the DCU disrupted the most popular infostealer—Lumma Stealer—alongside the US Department of Justice and Europol.
Moving forward: Cybersecurity is a shared defensive priority
As threat actors grow more sophisticated, persistent, and opportunistic, organizations must stay vigilant, continually updating their defenses and sharing intelligence. Microsoft remains committed to doing its part to strengthen our products and services via our Secure Future Initiative. We also continue to collaborate with others to track threats, alert targeted customers, and share insights with the broader public when appropriate.
However, security is not only a technical challenge but a governance imperative. Defensive measures alone are not enough to deter nation-state adversaries. Governments must build frameworks that signal credible and proportionate consequences for malicious activity that violates international rules. Encouragingly, governments are increasingly attributing cyberattacks to foreign actors and imposing consequences such as indictments and sanctions. This growing transparency and accountability are important steps toward building collective deterrence. As digital transformation accelerates—amplified by the rise of AI—cyber threats pose risks to economic stability, governance, and personal safety. Addressing these challenges requires not only technical innovation but coordinated societal action.
