Five Top Threats For MSPs To Know In 2025
Threats to IT businesses from North Korean impersonators and highly complex phishing attacks are just two of the more recent threats to pose a risk to MSPs and their customers, as discussed this week at the XChange Security 2025 conference.
The threat landscape continues to evolve in ways that are sometimes familiar—and sometimes less so—to MSPs, according to cybersecurity experts who spoke this week at XChange Security 2025.
While GenAI-powered attacks such as improved phishing emails have received significant attention, there are numerous other new developments that MSPs should be aware of to help protect their clients, experts said.
Hosted by CRN parent The Channel Company, XChange Security 2025 was held this week in Frisco, Texas.
What follows are the key details on five top threats for MSPs to know in 2025.
North Korean Impersonators
As a result of North Korea’s economic isolation, the country’s regime has pursued a deceptive new tactic in recent years for earning revenue in U.S. dollars that MSPs need to be aware of, according to Reagan Roney, chief experience officer and principal at Solvere One, an MSP with offices in Dulles, Va., and Washington, D.C.
The idea in this “laptop farms” scheme is for North Korean workers—operating in friendly regions such as China and Vietnam—to apply for jobs in IT and software development in the U.S. under false identities, Roney told attendees at XChange Security 2025.
Through a scheme that also includes “leasing” identities from U.S. citizens and paying citizens to set up laptops for them in the country, the workers have often succeeded in landing multiple jobs at different companies, working 12 to 16 hours a day to earn paychecks in U.S. currency for the North Korean regime, Roney said.
The threat is critical for MSPs to know about “because if your recruiters are out there recruiting people, they have to verify,” he said. “They have to look at everything and turn every stone they possibly can to try to verify. Because this is what's happening—whether they’re just trying to make a dollar, or they’re trying to infiltrate what you do, or infiltrate your clients, there’s a real risk.”
Sophisticated Phishing
At email security vendor Inky, recent phishing scams caught by the company included an attack that was unusually complex and difficult to prevent, according to Inky co-founder and CEO Dave Baggett.
The multistep attack involved two co-conspirators who would work together to dispute a transaction on PayPal, generating a legitimate notification email from PayPal. The threat actor then used an email relay to forward that email to one or more victims, in whose inboxes it appeared with every indication of being a legitimate email from PayPal, Baggett said.
Crucially, the scam also exploited a feature of the PayPal system that allows users to add a large amount of text into the seller name field. In that field, the attacker included a message with a phone number saying that the recipient should call in to dispute the transaction—at which point they would presumably be asked for sensitive information.
Inky was able to catch the phishing attempt in part through the use of GenAI that identified a threatening and urgent tone in the message that was inserted into the name field, Baggett said.
“This is really sophisticated stuff [and] very highly targeted,” he said during a session at XChange Security 2025. But while such attacks show the ways that threat actors are continuing to find ways to exploit legitimate infrastructure, the incident hopefully also demonstrates how defenders can use GenAI to counter the threats, Baggett said.
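Because the relayed notification in this scheme is a genuine PayPal message, sender authentication does not flag it; the signal is the content that the attacker was able to place in the merchant-supplied seller name field. The following is an added example, not Inky’s detector or any code from the conference, of the kind of field-level heuristic a defender can run on incoming payment notifications: it flags a seller name that is abnormally long, embeds a phone number, or uses urgency language, and treats two or more such signals together as suspicious. The sample notifications, the field names and the length threshold are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample notifications (illustrative only, not real PayPal data).
# The "seller_name" field is the one the text describes as accepting long free text.
SAMPLE_NOTIFICATIONS = [
    {"id": "n1", "subject": "You have a new invoice", "seller_name": "Acme Widgets LLC"},
    {
        "id": "n2",
        "subject": "Receipt for your payment",
        "seller_name": (
            "Unauthorized charge detected. Call 800-555-0199 immediately "
            "to dispute this transaction."
        ),
    },
]

# North American phone number with optional country code and common separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Words and phrases typical of pressure-driven lures; matched on word boundaries
# so that a merchant called "Callahan Books" is not hit by the term "call".
URGENCY_TERMS = (
    "immediately", "urgent", "call", "within 24 hours",
    "unauthorized", "suspended", "dispute",
)
URGENCY_RES = [re.compile(r"\b" + re.escape(t) + r"\b") for t in URGENCY_TERMS]


@dataclass
class SellerFieldFinding:
    suspicious: bool
    reasons: list


def inspect_seller_name(seller_name: str, max_len: int = 40) -> SellerFieldFinding:
    """Score a merchant/seller name field for lure content.

    A single signal on its own is weak (a long legitimate trading name, say),
    so the field is marked suspicious only when at least two signals co-occur.
    max_len is an assumed threshold, not a PayPal limit.
    """
    reasons = []
    if len(seller_name) > max_len:
        reasons.append(f"seller name length {len(seller_name)} exceeds {max_len}")
    if PHONE_RE.search(seller_name):
        reasons.append("phone number embedded in seller name")
    lowered = seller_name.lower()
    hits = [t for t, rx in zip(URGENCY_TERMS, URGENCY_RES) if rx.search(lowered)]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    return SellerFieldFinding(suspicious=len(reasons) >= 2, reasons=reasons)


def flag_notifications(notifications) -> list:
    """Return the ids of notifications whose seller name field looks like a lure."""
    return [
        n["id"] for n in notifications
        if inspect_seller_name(n.get("seller_name", "")).suspicious
    ]


if __name__ == "__main__":
    for n in SAMPLE_NOTIFICATIONS:
        finding = inspect_seller_name(n["seller_name"])
        print(n["id"], "suspicious" if finding.suspicious else "ok", finding.reasons)
    print("flagged:", flag_notifications(SAMPLE_NOTIFICATIONS))
```

The point of inspecting the seller name rather than the headers is that relayed legitimate mail passes the usual sender checks; a content heuristic of this kind is a cheap first-pass filter that can route a message to a tone classifier or an analyst rather than a final verdict.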
Evolution Of Ransomware
Ransomware groups continue to evolve their tactics as well, said Michael DePalma, vice president of business development at OpenText, during a session at XChange Security 2025.
Ransomware-as-a-Service—which divides the phases of a ransomware attack among various entities—continues to be a prevalent model that lowers the barrier to entry for groups to get into the cybercrime business, DePalma said.
Many groups have notably taken the additional step of also stealing a victim’s data and then using that as leverage to pressure the victim into paying a ransom, he said.
“We’re seeing a lot of this—they're actually taking the data and holding it hostage, where instead of just encrypting it they will release it on a website if you don’t pay,” DePalma said.
Other Ransomware Tactics
Ransomware groups have also continued to evolve into something closer to professional organizations, with indications, for instance, that the Qilin ransomware group had begun offering a “call a lawyer” service to its affiliates, according to Jason Clark, senior vice president of global engineering at Sophos.
“They actually have lawyers on staff that will help their affiliates when they’re in the middle of a ransomware negotiation, and they do recommend that their affiliates use ransom negotiations. It increases the price,” Clark said during XChange Security 2025.
Another group, DragonForce, allows attackers to brand their own malware to avoid situations—like that faced by the prolific ransomware gang LockBit—where law enforcement intervention against an affiliate could impact the “head” group, he said.
“It takes the risk away from DragonForce. So we’re going to continue to see these evolve,” Clark said. “We’re not just fighting malware here. We’re fighting a business model.”
Basic Cyberattacks Still A Threat
Across the numerous types of scams that cybercriminals frequently utilize today, many of the attacks are still not very sophisticated from a technical perspective, cybersecurity consultant and author Jeremiah Baker said during XChange Security 2025.
Baker ran through a litany of real-world scams he has known about that led to significant losses for the victims. Several involved an email account takeover, which is frequently made possible by accounts that remain unprotected by multifactor authentication.
An attack of this type put a small aviation company out of business, he noted. The attack “wasn’t super highly technical, but it was super damaging,” Baker said.