
The latest mid-year data is pretty clear: SMBs are absorbing enterprise-grade attacks at an accelerating – and probably unsustainable rate. In its just-released Mid-Year 2025 SMB Threat Report, Guardz notes that weekly incidents nearly doubled for SMBs in the first half of this year, compared to the same period last year. That increase is driven by three compounding forces:
- Industrialization of the cybercrime economy (e.g., RaaS and “attack-as-a-service”),
- The center-of-gravity shift to identity and cloud, and
- A leap in social-engineering fidelity made possible by generative AI.
What used to be an occasional nuisance has quickly transformed into a real operating risk that touches revenue continuity, contractual viability, and insurability. For owners and operators, the practical message is that resilience can no longer be deferred to “when we’re bigger.” Bad actors don’t care.
Nearly 100 distinct ransomware families were logged among SMBs in H1 2025. What’s even more telling, though, is that double-extortion has become the default, and a growing subset of bad actors are skipping encryption entirely to monetize pure data theft. That shift undermines the somewhat comforting – even if misleading – myth that “good backups” alone neutralize ransom pressure. If sensitive data leaves your environment, you enter an extortion timeline, regardless of restore quality. The business impact is magnified in resource-constrained organizations that haven’t rehearsed crisis response, notification, or legal coordination – or, even worse, haven’t actually developed a crisis response strategy. That’s what attackers count on.
Even more important is the growing popularity of bad actors’ preferred doorway, which is increasingly become identity. Guardz finds that over 80% of breaches involve stolen or misused credentials, spanning password spraying, credential stuffing, MFA bypass, legacy authentication abuse, and full account takeover. Session hijacking and token theft are rising quickly because they neatly sidestep legacy controls and exploit the modern reality of long-lived browser and mobile sessions. Once inside, attackers “live off the land,” blending with sanctioned tools and SaaS. This is why many SMB compromises look quiet until the fraud loss or the exfiltration demand lands. With identity as the breach point, the perimeter has become people, their sessions, and the SaaS control plane. Identity-first security isn’t a buzzword; it’s an absolute necessity.
Email remains the broadest funnel but, like pretty much everything else when it comes to cyber threats, it, too is changing. Phishing and business email compromise (BEC) persist at scale, with the report detailing 1,876 phishing incidents and 1,423 BEC cases. The difference in 2025 is quality and speed; nearly 900 AI-enhanced campaigns and deepfake impersonations increased believability to the point that “gut feeling” training is probably not enough. The old, typo-riddled and easily identifiable scams have been replaced by near-perfect grammar, cloned logos, and even voice-spoofed voicemails.
In practice, this means SMBs must shift weight from awareness alone to technical controls that shoulder more of the burden. Specifically, were talking about advanced email security with behavioral models, strong DMARC enforcement, real-time link and attachment isolation, and identity analytics that treat suspicious OAuth grants and anomalous inbox rules as first-class signals.
The cloud is where attackers cash in. Password attacks against cloud portals spiked 10x, with Microsoft 365 and Google Workspace in the crosshairs. Guardz recorded 3,042 attacks on M365 (with Outlook/Exchange representing about 41%) and 2,335 against Google Workspace, led by phishing (38%) and OAuth app abuse (18%). That means, first, misconfiguration is not an edge case, but an ongoing condition that demands continuous policy enforcement, not periodic audits. It also means that meaningful detection and response must be grounded in identity and API-level telemetry as much as endpoints. When the attack is a malicious consent or token replay, EDR alone won’t save you.
Certainly, there are differences based on vertical. For instance, financial services absorbed roughly a quarter of observed incidents (average severity approx. 4.8/5), followed by healthcare at about 19% (severity 4.7), and manufacturing at about 14% (severity 4.4). Government entities, while suffering a smaller share of incidents, had to deal with the highest average severity approx. 4.9/5).
The reality is, though, whether regulated or not, SMBs now face a range of second-order effects, including supply-chain pressure from customer security questionnaires, tougher cyber-insurance renewals and sub-limits, and reputational drag that shows up in win rates and renewal conversations. The message – and it’s not very subtle – is that resilience is no longer just a security outcome; it’s a commercial prerequisite.
The MSP Opportunity: From Tools to Outcome Contracts
For MSPs, this report should catalyze a decisive pivot from selling tools to operationally owning a few business outcomes that SMB buyers actually feel, like fewer fraudulent payments, less downtime under attack, smoother insurance renewals, and faster third-party risk approvals.
The MSP playbook begins with identity-first controls, such as phishing-resistant MFA for all users, conditional access tied to device posture and risk, and automated suppression of legacy authentication. By also layering in identity threat detection that watches for impossible travel, failed-login spikes, suspicious OAuth consents, token anomalies, and inbox-rule abuse, MSOs can protect at their identity backbone –where real-world risk bends. The bonus is that this approach is scalable, so MSPs can bring their strategy to their entire client roster.
For email and collaboration protection come next, advanced email security with strict DMARC/DKIM/SPF alignment and safe-by-default link/file handling. It’s good to update testing and training to reflect LLM-crafted threats and deepfakes. The key is to also tie these controls to the identity backbone. Successful phishing detection should trigger identity checks, temporary step-up authentication, and automated hunts for illicit mailbox rules or suspicious OAuth grants. That closed loop is how MSPs convert detection into prevention.
When it comes to ransomware, standardize immutable, offline-path backups with periodic, witnessed restores; maintain EDR with rapid isolation; and publish a tenant-specific strategy that client has actually rehearsed. Because a growing share of campaigns monetize data theft without encryption, extend the core to include egress monitoring and lightweight DLP to reduce the extortion blast radius. Then, map the whole stack to common cyber-insurance questionnaires, to reduce renewal surprises.
Finally, understand that the cloud is the front line. Continuous SaaS and M365/Workspace posture management is important and, while it may not be exciting, it’s where the current attack spike is happening.
With that in mind, it also becomes where MSPs can produce visible, repeatable evidence that risk is trending down without throttling productivity. Report a handful of KPIs monthly—mean time to contain, identity risk score trend, phishing click-through delta, percentage of users on phishing-resistant MFA, number of malicious consents blocked—so executives can connect spend to outcomes.
This report send a clear signal that attackers have optimized their cost of attack against the SMB middle, leaning on identity compromise, SaaS missteps, and AI-driven social engineering. It’s no longer about simply increasing tools. MSPs have to focus on an operating model that hardens identity, disciplines cloud posture, rehearses recovery, and proves progress in plain business terms. That is how security becomes an enabler of growth rather than a tax on it.
Edited by
Erik Linask