The Operational Cost of DDoS Attacks on Business Services

Distributed Denial-of-Service (DDoS) attacks are no longer the concern of just global corporations or tech giants. In 2026, small and mid-sized businesses (SMBs) are increasingly in the crosshairs, often because they lack the layered protections that enterprises deploy. For companies that rely on uptime, online access, or real-time systems, a single DDoS attack can wreak havoc on operations, customer trust, and financial performance.

This article explores the true operational cost of DDoS attacks, the risk landscape for SMBs, and how thoughtful planning around support, continuity, and network security can significantly reduce the impact of an attack. It also highlights the increasing need for leadership to understand where DDoS fits into broader resilience strategies.

What Is a DDoS Attack?

A DDoS (Distributed Denial-of-Service) attack occurs when an attacker floods your network, servers, or applications with traffic from multiple sources, overwhelming the system and rendering it slow or entirely inoperable. Unlike a single-point attack, DDoS leverages a vast network of compromised devices (often called a botnet) to launch its assault.

The intent is simple: make your digital services unavailable, either to disrupt your business or serve as a smokescreen for other malicious activities. These attacks don’t directly steal data—but the damage they cause to your availability, credibility, and operations can be extensive.

Who’s Being Targeted—and Why?

Today’s DDoS attackers target far more than just high-profile companies. Many small and mid-size businesses are targeted because:

  • They have fewer defenses and monitoring tools.
  • They rely heavily on uptime to generate revenue (e.g., online scheduling, portals, payment systems).
  • They’re seen as soft targets in a supply chain attack.

In fact, threat intelligence shows that attacks against businesses with fewer than 500 employees have surged in the past two years. With more businesses moving services online and operating in hybrid environments, their vulnerability is growing.

Operational Impacts of a DDoS Attack

The most immediate effect of a DDoS attack is system unavailability. But the full impact goes far beyond that:

1. Lost Revenue

Whether you operate an e-commerce platform, a client portal, or a real-time service platform, downtime leads to missed transactions, failed appointments, and lost sales. For many businesses, even an hour of unavailability can translate into thousands of dollars in lost revenue.

2. Staff Disruption

IT teams are pulled into emergency mitigation mode, often postponing other essential work. Meanwhile, employees may be locked out of essential platforms, reducing productivity and delaying deliverables.

3. Customer Confidence

If clients or partners cannot access your systems—or experience repeated disruptions—they may begin to question your reliability. This is especially damaging in industries like law, healthcare, and finance, where trust is paramount.

4. Increased Support Load

During and after an attack, customer support volume spikes. Clients call in to report issues, request updates, or demand SLAs be met. Without a robust support infrastructure in place, teams can quickly become overwhelmed.

5. Hidden Security Risks

Sometimes, DDoS is just the beginning. Attackers may use the flood of traffic to distract IT teams while launching more targeted attacks elsewhere—such as credential harvesting, data exfiltration, or malware deployment.

Case Example: The SMB That Lost 3 Days

Consider a regional accounting firm that relies on its client portal for document submission and real-time messaging. A coordinated DDoS attack takes their systems offline during tax season. Over the next three days, the team loses hundreds of client interactions, burns out their internal IT staff, and fields dozens of complaints. Although no data is breached, the loss of productivity and credibility is immense—and several clients leave as a result.

Why SMBs Often Lack DDoS Readiness

Unlike large enterprises, SMBs typically don’t have:

  • Dedicated security analysts monitoring traffic patterns
  • Cloud-based application firewalls with automatic DDoS mitigation
  • Redundant infrastructure that can absorb traffic spikes

Instead, they rely on basic firewall appliances or endpoint protection tools—neither of which is designed for volumetric attacks. As a result, they’re highly vulnerable.

Understanding the Financial Risk

According to the Canadian Centre for Cyber Security, DDoS attacks can cost companies between $20,000 and $100,000 per hour in direct and indirect losses, depending on the size and nature of the organization.

When you account for legal costs, SLA violations, lost business, and reputational damage, the total impact can stretch into the hundreds of thousands. These aren’t hypothetical risks—they’re real-world consequences that affect business performance.

Building a Practical DDoS Defense Strategy

Most organizations don’t need enterprise-level tools to manage DDoS risk effectively. What they do need is a layered, resilient security strategy—one that includes firewall hardening, real-time traffic monitoring, and an incident response plan that includes communications, escalation paths, and recovery workflows. For companies without internal cybersecurity staff, working with a managed provider that offers services like real-time threat monitoring and adaptive firewall configuration can close those gaps efficiently.

Additionally, implementing a coordinated help desk and IT support strategy ensures that when disruptions occur, users are not left in the dark. Investing in streamlined support processes—such as those offered by Support+—can reduce response time and improve outcomes for both users and IT staff.

Proactive Steps Business Leaders Can Take Today

Executives and IT decision-makers should consider DDoS planning as part of a broader risk management framework. A few tangible actions include:

  • Reviewing firewall configurations and thresholds
  • Deploying behavior-based monitoring solutions
  • Documenting incident response plans for DDoS scenarios
  • Training staff to recognize signs of network congestion or disruption
  • Ensuring continuity plans address application-layer downtime

These foundational steps not only strengthen resilience against DDoS, but also improve security posture more broadly.
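The threshold-based monitoring the article recommends can be sketched in a few dozen lines. The following is an added example, not code from the article or from Cost+: it parses web-server access-log lines in Common Log Format and runs two sliding-window counters, one per source address and one across all sources. The second counter matters because a distributed flood keeps every individual source under a per-IP firewall threshold while the aggregate rate still overwhelms the service. The log lines are constructed with RFC 5737 documentation addresses, and the window size and thresholds are assumptions to be tuned against a real baseline.

```python
"""Sliding-window request-rate detection over web-server access-log lines.

Added example, not code from the original article. The log lines are
constructed with RFC 5737 documentation addresses, and the window and
thresholds are assumptions a defender would tune to their own baseline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, epoch_seconds, request, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TIME_FMT).timestamp()
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


class RateDetector:
    """Two sliding-window thresholds over a stream of (ip, timestamp) events.

    per_source_max catches one noisy client. aggregate_max catches a
    distributed flood in which every source stays under the per-source
    limit, which is exactly the case a per-IP firewall rule alone misses.
    """

    def __init__(self, window_s=10, per_source_max=50, aggregate_max=200):
        self.window_s = window_s
        self.per_source_max = per_source_max
        self.aggregate_max = aggregate_max
        self.per_source = defaultdict(deque)  # ip -> timestamps inside the window
        self.aggregate = deque()              # (timestamp, ip) inside the window
        self.alerts = []

    def _trim(self, dq, now, key=lambda item: item):
        """Drop events older than the window from the left of a deque."""
        while dq and now - key(dq[0]) > self.window_s:
            dq.popleft()

    def observe(self, ip, ts):
        dq = self.per_source[ip]
        dq.append(ts)
        self._trim(dq, ts)
        self.aggregate.append((ts, ip))
        self._trim(self.aggregate, ts, key=lambda item: item[0])
        # Alert once when a count first crosses its limit, not on every event.
        if len(dq) == self.per_source_max + 1:
            self.alerts.append(("per_source", ip, len(dq)))
        if len(self.aggregate) == self.aggregate_max + 1:
            distinct = len({src for _, src in self.aggregate})
            self.alerts.append(("aggregate", distinct, len(self.aggregate)))


def analyze(lines, **thresholds):
    """Feed log lines through a detector; return (alerts, unparseable line count)."""
    det = RateDetector(**thresholds)
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        ip, ts, _, _ = parsed
        det.observe(ip, ts)
    return det.alerts, skipped


# --- constructed sample traffic (not real data) ---
BASE = datetime(2026, 1, 14, 13, 22, 0, tzinfo=timezone(timedelta(hours=-5)))


def make_line(ip, offset_s, path="/portal/login"):
    ts = (BASE + timedelta(seconds=offset_s)).strftime(TIME_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


def constructed_logs():
    lines = []
    # Normal traffic: five clients, three requests each, spread over ten seconds.
    for i in range(5):
        for k in range(3):
            lines.append(make_line(f"198.51.100.{i + 1}", i * 2 + k))
    # One noisy client: 60 requests in five seconds (exceeds per_source_max=50).
    for k in range(60):
        lines.append(make_line("203.0.113.7", 20 + k / 12))
    # Distributed flood: 120 sources, two requests each, inside five seconds.
    # No source gets near 50, but 240 requests exceed aggregate_max=200.
    for i in range(120):
        for k in range(2):
            lines.append(make_line(f"192.0.2.{i + 1}", 40 + (i * 2 + k) / 48))
    return lines


if __name__ == "__main__":
    for alert in analyze(constructed_logs())[0]:
        print(alert)
```

Run against the constructed sample, the detector raises one per-source alert for the noisy client and one aggregate alert for the distributed burst; the per-source counter alone would have stayed silent during the second phase. In production the same two counters would sit behind the firewall's own rate limits as a cross-check, with the window and limits derived from observed peak traffic rather than picked by hand.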

Final Thought: The Cost of Downtime Isn’t Just Technical

While DDoS is a technical attack, its consequences ripple through the business. Lost productivity, missed revenue, stressed employees, and shaken customer confidence all stem from these disruptions. For organizations that view uptime as critical to reputation and performance, DDoS defense should be seen not as a technical investment—but as an operational necessity.

By aligning IT support, infrastructure visibility, and security monitoring—whether internally or through a trusted partner—businesses can stay ahead of threats and maintain continuity when it matters most.

By Thomas McDonald

January 14, 2026

Citrix NetScaler CVE-2025-6543 Exploits Active: How to Safeguard Your Network Gateways

Citrix NetScaler CVE-2025-6543, a critical vulnerability in NetScaler ADC and Gateway products, is under active exploitation, threatening businesses with network disruptions and potential data breaches. This memory overflow flaw allows attackers to crash systems or gain unauthorized control, impacting organizations that rely on these solutions for secure remote access and application delivery. This article explains the threat, its current status, and practical steps business leaders can take to protect their networks and maintain operational continuity.

What Is CVE-2025-6543 and Why It Matters

Citrix NetScaler ADC and Gateway are widely used to manage secure access to applications and balance network traffic. The CVE-2025-6543 vulnerability, disclosed on June 25, 2025, by Citrix, is a memory overflow issue that can lead to denial-of-service (DoS) attacks or unintended system control. With a CVSS score of 9.2, this flaw is classified as critical due to its potential for remote exploitation without authentication, as noted in the Citrix Security Bulletin.

For businesses, this vulnerability poses serious risks. A successful attack could disrupt remote work environments, halt critical applications, or allow attackers to install malicious software, compromising sensitive data. Organizations in sectors like finance, healthcare, and government, which heavily rely on NetScaler, face heightened exposure.

Current Status: Active Exploitation and Zero-Day Concerns

The Dutch National Cyber Security Centre (NCSC-NL) confirmed on August 12, 2025, that CVE-2025-6543 was exploited as a zero-day since early May 2025, nearly two months before Citrix’s disclosure, as reported by The Hacker News. Attackers targeted critical organizations in the Netherlands, deploying web shells to maintain remote access. These sophisticated actors erased traces of their activity, complicating detection and recovery efforts.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-6543 to its Known Exploited Vulnerabilities Catalog on June 30, 2025, signaling active exploitation globally. Over 4,100 unpatched NetScaler devices remain vulnerable, according to Shadowserver data cited by BleepingComputer, increasing the urgency for businesses to act.

How the Vulnerability Works

CVE-2025-6543 affects NetScaler ADC and Gateway when configured as a Gateway (e.g., VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The memory overflow occurs when attackers send specially crafted network traffic, overwhelming the system’s memory buffers. This can crash the device, causing a DoS condition, or allow attackers to manipulate the system’s control flow, potentially executing malicious code.

In real-world attacks, adversaries have planted web shells—malicious scripts that grant remote access—on compromised devices. These shells enable attackers to maintain control even after patches are applied, making immediate action critical. The NCSC-NL noted that attackers often cover their tracks, making it hard to detect breaches without thorough investigation.

Business Impact of CVE-2025-6543 Exploits

A successful exploit could disrupt business operations, especially for organizations dependent on NetScaler for remote access or application delivery. For example, a DoS attack could disable employee access to critical systems, halting productivity. More concerning, unauthorized access could lead to data theft, ransomware deployment, or supply chain attacks, as seen in past Citrix vulnerabilities like CitrixBleed in 2023. Regulatory fines and reputational damage further amplify the stakes, particularly for industries handling sensitive data.

The Dutch Public Prosecution Service reported a breach on July 18, 2025, linked to this vulnerability, which disrupted operations for nearly a week, per BetterWorld Technology. Such incidents highlight the real-world consequences for unprepared organizations.

Practical Steps to Mitigate CVE-2025-6543

Business leaders must act swiftly to protect their networks. Here are actionable steps to mitigate the risks of Citrix NetScaler CVE-2025-6543:

1. Apply Patches Immediately

Upgrade to the patched versions released by Citrix: NetScaler ADC and Gateway 14.1-47.46 or later, 13.1-59.19 or later, and 13.1-FIPS/NDcPP 13.1-37.236 or later. End-of-life versions (12.1 and 13.0) are unsupported, so upgrade to a supported version. Check the Citrix Security Bulletin for detailed instructions. Apply patches within 24–48 hours to minimize exposure.

2. Terminate Active Sessions

Patching alone doesn’t remove existing compromises, such as web shells. Run the following commands to terminate active sessions, as recommended by NCSC-NL:

  • kill icaconnection -all
  • kill pcoipConnection -all
  • kill aaa session -all
  • kill rdp connection -all
  • clear lb persistentSessions

Contact Citrix Support for assistance with FIPS/NDcPP builds.

3. Scan for Indicators of Compromise

Use the NCSC-NL’s GitHub script to detect malicious web shells or unusual files (e.g., unexpected .php files or duplicate filenames). Monitor for newly created accounts with elevated privileges. If suspicious activity is found, contact your national cyber incident response team, such as CISA through its incident reporting page.
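Two of the steps above (confirming the build is at or past the fixed version in step 1, and looking for unexpected .php files and duplicate filenames in step 3) are easy to get wrong by eye, because the 13.1 and 13.1-FIPS/NDcPP lines have different fixed build numbers. The following is an added example, not code from Citrix, NCSC-NL or the article, and it is not the NCSC-NL script. It assumes `show version` output of the form `NetScaler NS14.1: Build 47.46.nc, Date: ...` and that the operator knows whether the appliance is a FIPS/NDcPP build (passed as the `fips` flag); the file tree it scans is constructed in a temporary directory purely to show the two indicators the article names.

```python
"""Defender-side checks for the CVE-2025-6543 response steps above.

Added example, not code from Citrix, NCSC-NL or the original article.
Assumptions: 'show version' output looks like
"NetScaler NS14.1: Build 47.46.nc, Date: ..." and the caller knows whether
the appliance runs a FIPS/NDcPP build (the `fips` flag), because the fixed
build numbers differ between the two 13.1 lines.
"""
import os
import re
import tempfile
from collections import defaultdict

# Minimum fixed builds named in the article: (release, fips) -> (build, sub-build)
FIXED_BUILDS = {
    ("14.1", False): (47, 46),
    ("13.1", False): (59, 19),
    ("13.1", True): (37, 236),   # 13.1-FIPS and 13.1-NDcPP
}
END_OF_LIFE = {"12.1", "13.0"}  # unsupported per the article: upgrade, no fix is coming

VERSION_RE = re.compile(r"NS(?P<rel>\d+\.\d+):\s*Build\s+(?P<bmaj>\d+)\.(?P<bmin>\d+)")


def parse_show_version(text):
    """Extract (release, (build, sub_build)) from 'show version' output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised 'show version' output")
    return m.group("rel"), (int(m.group("bmaj")), int(m.group("bmin")))


def assess_version(text, fips=False):
    """Return 'patched', 'vulnerable', 'end-of-life' or 'unlisted-release'."""
    rel, build = parse_show_version(text)
    if rel in END_OF_LIFE:
        return "end-of-life"
    fixed = FIXED_BUILDS.get((rel, fips))
    if fixed is None:
        return "unlisted-release"  # not in the article's table; consult the Citrix bulletin
    # Tuple comparison orders (47, 46) correctly against (47, 5) and (43, 50).
    return "patched" if build >= fixed else "vulnerable"


def scan_for_suspicious_files(root, unexpected_exts=(".php",)):
    """Walk a directory tree; return (files with unexpected extensions,
    {basename: [paths]} for names present in more than one directory).

    Mirrors the two indicators the article lists. A real review would also
    diff against a known-good file inventory and check for new admin accounts.
    """
    unexpected = []
    by_name = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in unexpected_exts:
                unexpected.append(path)
            by_name[name].append(path)
    duplicates = {n: sorted(p) for n, p in by_name.items() if len(p) > 1}
    return sorted(unexpected), duplicates


def demo_scan():
    """Build a constructed tree in a temp dir and scan it (sample paths, not NetScaler's)."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "www/index.html": "<html></html>",
            "www/js/app.js": "// legitimate",
            "www/css/app.js": "// same basename in a second directory",
            "www/portal/notes.php": "<?php /* unexpected on an appliance */ ?>",
        }
        for rel, body in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        unexpected, duplicates = scan_for_suspicious_files(root)
        rel_unexpected = [os.path.relpath(p, root) for p in unexpected]
        return rel_unexpected, {n: len(p) for n, p in duplicates.items()}


if __name__ == "__main__":
    print(assess_version("NetScaler NS13.1: Build 37.236.nc, Date: Jun 10 2025"))            # vulnerable
    print(assess_version("NetScaler NS13.1: Build 37.236.nc, Date: Jun 10 2025", fips=True))  # patched
    print(demo_scan())
```

The FIPS flag is the point of the version check: a non-FIPS 13.1 appliance at build 37.236 is well below 59.19 and still exposed, while the same number on the FIPS/NDcPP line is the fixed build. The file scan only lists candidates; a hit still needs a manual look, and a clean result does not prove the absence of a web shell, which is why the article pairs it with session termination and account review.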

4. Enhance Network Monitoring

Deploy tools to detect unauthorized access or abnormal traffic. Segment your network to limit the spread of an attack. Regularly audit configurations to ensure no missteps expose your systems. CISA’s Shields Up initiative provides free tools and guidance for improving network security.

5. Train Staff on Cyber Hygiene

Educate employees to avoid phishing attempts, which attackers may use to gain initial access before exploiting CVE-2025-6543. Use resources such as the National Institute of Standards and Technology (NIST) cybersecurity training page to build awareness.

Next Steps for Business Leaders

Convene your IT and leadership teams to assess your NetScaler deployment. Verify that all systems are patched and sessions are terminated. Allocate resources for ongoing monitoring and staff training to prevent future vulnerabilities. If your organization lacks in-house expertise, consider partnering with a managed security provider to ensure robust defenses.

Stay informed by monitoring updates from Citrix, CISA, and NCSC-NL. The active exploitation of CVE-2025-6543 underscores the need for vigilance. By acting now, you can safeguard your network gateways and protect your business from costly disruptions.

August 14, 2025

Scattered Spider Hacking Group Evolves Tactics: Protect Against Social Engineering Threats

The Scattered Spider hacking group, a notorious cybercriminal collective, is intensifying its attacks on businesses in 2025 with sophisticated social engineering tactics. Known for targeting industries like retail, insurance, and aviation, this group tricks employees into handing over credentials or installing malicious tools, leading to data theft and ransomware attacks. This article explains how Scattered Spider operates, their recent activities, and practical steps your business can take to stay safe.

What Is the Scattered Spider Hacking Group?

Scattered Spider, also tracked as UNC3944, Muddled Libra, or Octo Tempest, is a decentralized group of cybercriminals, primarily young English-speaking operatives from the US and UK. Unlike traditional hacking groups, they operate like a tech startup, recruiting skilled hackers and collaborating with ransomware groups like DragonForce. Their attacks focus on financial gain through data extortion and system encryption, causing millions in losses for victims like MGM Resorts and Marks & Spencer.

How Scattered Spider Attacks Work

Scattered Spider’s primary weapon is social engineering, manipulating human behavior to gain network access. Their tactics include:

  • Vishing (Voice Phishing): Posing as IT staff or trusted entities, they call employees to trick them into sharing login details or resetting passwords. Recent reports suggest they may use AI voice cloning to enhance credibility.
  • Phishing Campaigns: They send fake emails mimicking legitimate services, using domains like “targetsname-helpdesk.com” to steal credentials.
  • MFA Fatigue Attacks: Bombarding users with multi-factor authentication (MFA) prompts until they accept one, bypassing security.
  • SIM Swapping: Convincing phone carriers to transfer a victim’s phone number to a hacker-controlled SIM, intercepting MFA codes.
  • IT Impersonation: Pretending to be helpdesk staff to reset credentials or install remote access tools like AnyDesk or TeamViewer.

Once inside, they use tools like Mimikatz to harvest credentials and deploy ransomware like DragonForce, encrypting systems and demanding payment. They also infiltrate platforms like Slack or Microsoft Teams to eavesdrop on security response calls, adapting their methods to evade detection.

Recent Activity and Business Impact

As of July 29, 2025, the FBI and CISA reported a surge in Scattered Spider attacks, targeting sectors like retail, insurance, and aviation. High-profile victims include Marks & Spencer, Hawaiian Airlines, and United Natural Foods, with losses reaching hundreds of millions. The group’s collaboration with DragonForce and their use of new phishing domains signal a shift to more targeted attacks. For businesses, these attacks mean downtime, data leaks, and reputational damage, especially if sensitive customer data is exposed.

A notable evolution is their targeting of third-party IT vendors, exploiting trusted relationships to access corporate networks. The 2024 Snowflake breach, affecting 165 companies like AT&T and Ticketmaster, highlights their ability to exploit cloud platforms for massive data theft.

Why Scattered Spider Is a Growing Threat

Scattered Spider’s strength lies in its adaptability. They pivot industries quickly, moving from retail to insurance to aviation, making it hard to predict their next target. Their use of legitimate tools like AnyDesk and living-off-the-land techniques (using built-in system tools like PowerShell) makes detection challenging. Recent arrests in the UK and US have slowed their activity, but the group remains active, with other threat actors adopting their social engineering methods.

Practical Defense Strategies for Businesses

Protecting your business from Scattered Spider requires a multi-layered approach focusing on employee awareness, robust security settings, and proactive monitoring. Here are actionable steps:

1. Strengthen Employee Training

Train employees, especially helpdesk and IT staff, to recognize social engineering tactics. Teach them to verify caller identities through separate channels and avoid sharing credentials. Regular phishing simulations can build resilience. CISA emphasizes employee awareness as a critical defense.

2. Implement Phishing-Resistant MFA

SMS-based MFA is vulnerable to SIM swapping. Switch to app-based or hardware token MFA, like authenticator apps or YubiKeys, which are harder to bypass. Snowflake’s August 2025 mandate for MFA on all accounts sets a good example.

3. Enhance Helpdesk Verification

Establish strict protocols for password resets and MFA changes. Require secondary verification via email or in-person checks. Never rush credential resets based on urgent phone requests, as Scattered Spider exploits time pressure.

4. Monitor and Restrict Remote Access Tools

Limit the use of remote access tools like TeamViewer or AnyDesk. Implement application controls to block unauthorized software. Monitor network traffic for unusual activity, as Scattered Spider often uses legitimate tools to blend in.

5. Secure Third-Party Vendors

Evaluate your supply chain’s cybersecurity. Ensure vendors use strong MFA and have incident response plans. The Snowflake breach showed how third-party weaknesses can lead to major breaches.

6. Maintain Offline Backups

Regularly back up critical data offline, disconnected from your network. Test these backups to ensure quick recovery from ransomware. CISA recommends offline backups as a key defense against data extortion.

7. Update and Patch Systems

Keep all systems, especially cloud platforms like Snowflake, updated with the latest security patches. Scattered Spider exploits outdated software to gain access.

8. Develop an Incident Response Plan

Create and test a ransomware response plan. Include steps for isolating affected systems, notifying authorities, and communicating with stakeholders. A prepared plan can minimize downtime and losses.

Stay Ahead of Scattered Spider

Scattered Spider’s evolving tactics make them a persistent threat, but businesses can stay safe with vigilance and preparation. By focusing on employee training, robust MFA, and proactive monitoring, you can reduce the risk of falling victim to their social engineering schemes. Stay informed through trusted sources like CISA and the FBI for the latest advisories on Scattered Spider’s tactics.

For more details on Scattered Spider’s methods and mitigation strategies, check the CISA and FBI joint advisory from July 29, 2025.

August 13, 2025

Microsoft 365 Direct Send Exploited for Internal Phishing: What You Need to Know

Threat actors are now abusing a legitimate Microsoft 365 feature, Direct Send, in what is being called Direct Send phishing: fraudulent emails that appear to come from internal users. This attack method bypasses traditional email defenses by exploiting a trusted mail flow configuration, making it especially dangerous in enterprise environments. In this article, we break down how this attack works, what makes it effective, and how to defend against it using Microsoft best practices and layered security controls.


Understanding Direct Send in Microsoft 365

Microsoft 365 offers three ways to send mail from devices and applications: SMTP AUTH client submission, Microsoft 365 or Office 365 SMTP relay, and Direct Send. The Direct Send method allows email to be transmitted from an application or device (like a printer, scanner, or third-party app) directly to Microsoft 365 without authentication, as long as the IP is allowed and the domain is valid. According to Microsoft, this method supports internal email routing without needing user credentials; Microsoft’s official documentation describes the three methods in detail.

How Attackers Are Exploiting Direct Send

By impersonating legitimate applications and spoofing trusted IPs, attackers can send phishing emails through Direct Send that appear to come from verified internal addresses. These emails often bypass SPF, DKIM, and DMARC checks because they technically originate from within the organization’s domain and IP allowances.

This tactic gives attackers a powerful advantage: the messages don’t look suspicious to email security filters or to users. Targets are more likely to engage with a message if it appears to come from a known colleague or internal system—especially when the content mimics invoice alerts, password change requests, or file-sharing notifications.

Why This Threat Is So Effective

Unlike typical phishing campaigns that rely on misspelled sender names or domain lookalikes, Direct Send phishing creates emails that pass as entirely legitimate in both metadata and presentation. That means:

  • The sender appears internal and familiar
  • Email filters may not flag the message as suspicious
  • End users are less likely to report the message
  • Security logs may not show obvious red flags

This creates a perfect storm of risk: high trust, low detection, and quick impact.

Recommended Mitigations and Best Practices

To protect against this type of abuse, organizations should follow Microsoft’s updated guidance on Direct Send configuration, outlined in Microsoft’s official documentation.

Microsoft emphasizes several key safeguards:

  • Restrict the accepted IP addresses in the mail flow rule to only known and documented devices.
  • Disable Direct Send unless it’s absolutely necessary for business functions.
  • Use SMTP authentication with strong credentials and MFA whenever possible instead of unauthenticated Direct Send.
  • Monitor email headers and audit logs for unexpected traffic from non-mailbox sources.

Additionally, your organization should conduct regular phishing simulations to educate users on identifying unusual requests—even when they appear internal.
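The fourth safeguard above, monitoring headers for traffic from non-mailbox sources, comes down to one question per message: if the From: address is one of our domains, which host actually handed the message to our tenant, and is that host on the documented device list? The following is an added example, not code from Microsoft or the article. It assumes that unauthenticated Direct Send traffic arrives at the tenant's inbound edge and that the edge's Received header (`... by <host>.mail.protection.outlook.com`) records the connecting IP; the device allow-list and the four sample messages are constructed with RFC 5737 addresses and the `example.com` domain.

```python
"""Triage of message headers for unauthenticated Direct Send submissions.

Added example, not code from Microsoft or the original article. Assumptions:
unauthenticated Direct Send traffic arrives at the tenant's inbound edge,
whose Received header ("... by <host>.mail.protection.outlook.com") records
the connecting IP; the device allow-list and sample messages are constructed.
"""
import ipaddress
import re
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}
# Documented devices allowed to use Direct Send (constructed inventory).
ALLOWED_DEVICE_NETS = ["203.0.113.10/32", "203.0.113.32/28"]
EDGE_SUFFIX = ".mail.protection.outlook.com"

# "from <host> (<optional name> <ip>) by <host>" as written by the receiving MTA
HOP_RE = re.compile(
    r"from\s+(?P<host>\S+)\s+\([^)]*?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})[^)]*\)\s+by\s+(?P<by>\S+)"
)


def edge_hop(msg):
    """Return (remote_host, remote_ip) for the hop received by the tenant's edge, or None."""
    for received in msg.get_all("Received", []):
        flat = " ".join(str(received).split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m and m.group("by").lower().endswith(EDGE_SUFFIX):
            return m.group("host"), ipaddress.ip_address(m.group("ip"))
    return None


def classify(raw_message, internal_domains=INTERNAL_DOMAINS, allowed=ALLOWED_DEVICE_NETS):
    """Classify one raw RFC 5322 message.

    external-sender      From: domain is not ours; ordinary inbound mail
    internal-mailbox     our domain, no edge hop: sent from a mailbox or authenticated client
    allowed-device       our domain via the edge from a documented device IP
    suspect-direct-send  our domain via the edge from an IP we do not recognise
    """
    msg = message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in internal_domains:
        return "external-sender"
    hop = edge_hop(msg)
    if hop is None:
        return "internal-mailbox"
    _, ip = hop
    networks = [ipaddress.ip_network(n) for n in allowed]
    if any(ip in net for net in networks):
        return "allowed-device"
    return "suspect-direct-send"


def triage(raw_messages):
    """Return [(subject, verdict)] so a reviewer can work the suspect list."""
    results = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        results.append((msg.get("Subject", ""), classify(raw)))
    return results


# --- constructed sample messages (not real traffic) ---
SAMPLES = [
    # 1. Documented scanner submitting via Direct Send from an allowed IP.
    "\n".join([
        "Received: from scanner.example.com (203.0.113.10) by",
        " AM0PR01MT0001.mail.protection.outlook.com (10.0.0.5) with Microsoft SMTP Server",
        " id 15.20.1234.5; Mon, 30 Jun 2025 15:50:34 +0000",
        "From: Scanner <scanner@example.com>",
        "To: finance@example.com",
        "Subject: Scanned document",
        "", "See attachment.",
    ]),
    # 2. Same internal domain, but the connecting host is not a documented device.
    "\n".join([
        "Received: from mail.example.com (mail.example.com [198.51.100.77]) by",
        " AM0PR01MT0001.mail.protection.outlook.com (10.0.0.5) with Microsoft SMTP Server",
        " id 15.20.1234.5; Mon, 30 Jun 2025 15:52:01 +0000",
        "From: IT Helpdesk <helpdesk@example.com>",
        "To: staff@example.com",
        "Subject: Password expiry notice",
        "", "Your password expires today.",
    ]),
    # 3. Ordinary external mail from a partner domain.
    "\n".join([
        "Received: from mx.partner.example.net (192.0.2.25) by",
        " AM0PR01MT0001.mail.protection.outlook.com (10.0.0.5) with Microsoft SMTP Server",
        "From: Vendor <vendor@partner.example.net>",
        "To: finance@example.com",
        "Subject: Invoice 1042",
        "", "Please see the attached invoice.",
    ]),
    # 4. Mailbox-to-mailbox mail inside the tenant: no edge hop is recorded.
    "\n".join([
        "Received: from AM0PR01MB1111.eurprd01.prod.outlook.com (10.0.0.6) by",
        " AM0PR01MB2222.eurprd01.prod.outlook.com (10.0.0.7) with Microsoft SMTP Server",
        "From: Alice <alice@example.com>",
        "To: bob@example.com",
        "Subject: Lunch?",
        "", "Noon?",
    ]),
]

if __name__ == "__main__":
    for subject, verdict in triage(SAMPLES):
        print(f"{verdict:20} {subject}")
```

Only the second sample lands on the suspect list: the From: domain is ours, the message came in through the edge, and the connecting address is not in the device inventory. That is the review queue; what goes on the allow-list is the inventory step the article describes, and the cleanest fix remains disabling Direct Send where no device needs it.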

How Cost+ Helps Secure Your Microsoft 365 Environment

At Cost+, we proactively defend Microsoft 365 environments through a combination of prevention, monitoring, and response services. Our Security+ offering includes email threat detection, 24/7 monitoring, and hardening of misconfigured or vulnerable Microsoft 365 settings. We also assist with:

  • Configuring secure mail flow and anti-spoofing policies
  • Disabling unused protocols and reducing attack surface
  • Alerting on abnormal internal email behavior

For organizations that rely heavily on application-based email—such as CRMs, scanners, or cloud apps—we provide auditing and remediation through our Support+ team to ensure your Direct Send configuration doesn’t become an open door for attackers.

Next Steps for Security and IT Teams

If your organization uses Direct Send—or isn’t sure how it’s configured—it’s critical to perform an immediate review. Start by inventorying every device or application that’s allowed to send mail using this method. Then verify:

  • Each sending IP is expected and documented
  • No new mail flow rules have been added or modified unexpectedly
  • End user reports of “weird” internal messages are followed up with proper investigation

You should also configure alerts for any unusual spikes in email volume from IPs tied to Direct Send or apps using SMTP relay. These patterns often precede broader phishing campaigns.

Final Thoughts

Direct Send phishing is a reminder that even legitimate tools can become threat vectors when not properly governed. Microsoft’s built-in mail delivery flexibility helps businesses function efficiently—but it also creates opportunities for abuse if not configured securely.

By following Microsoft’s published best practices and layering your security defenses, you can reduce risk while preserving business continuity. Cost+ is here to help you close these gaps before they become exploited entry points.

Get in touch with us to schedule a review of your Microsoft 365 security posture—including Direct Send risk assessments and remediation planning.

By Thomas McDonald
Vice President

June 30, 2025

What Business Email Compromise Looks Like Today—and How to Stop It

Business Email Compromise (BEC) is one of the most organized, syndicate-driven cyber threats facing organizations today—and it’s growing more sophisticated than ever. Modern business email compromise schemes often use compromised email accounts, deepfake AI tools, or domain spoofing to trick employees into approving fraudulent payments.


How BEC Has Evolved

Earlier BEC scams relied on spoofed domains or fake invoices. Today, attackers often hijack real email accounts or use AI-generated mimicry to craft convincing messages. According to the FBI, more than $26 billion has been lost to BEC scams in recent years, including incidents where large firms fell victim to fake invoice fraud.

Common Modern BEC Scenarios

  • CEO or executive impersonation: Attackers send urgent payment requests appearing to come from a trusted executive.
  • Account takeover: Hackers gain access to a legitimate business email account and send fraudulent requests from it.
  • Vendor invoice fraud: Fake invoice emails mimic real vendors and arrive just before payment cycles to avoid scrutiny.
  • AI-enhanced impersonation: Deepfake voices or synthetic emails make spoofed communication even harder to detect.

Red Flags to Watch For

  • Urgent or secretive tone
  • Requests outside normal payment processes
  • Slightly altered domain names or unfamiliar email addresses
  • Instructions to change banking information or bypass verification

How to Protect Your Business

1. Verify Via a Second Channel

Always confirm payment requests using an independent method—such as a direct phone call—not via the same email thread. This simple step can stop most fraud attempts.

2. Enable Email Authentication

Implement SPF, DKIM, and DMARC email protocols. These protect your domain from being spoofed and help email recipients trust your communications. Learn more about DMARC from CISA.gov.
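Publishing SPF and DMARC records is only half of step 2; the records also have to say something enforceable, and a `~all` or `p=none` record looks like protection while still letting spoofed mail through. The following is an added example, not code from CISA or the article. It audits the record strings themselves (fetch them with a TXT lookup of the domain and of `_dmarc.<domain>`; that part is left out so the code runs offline), and the weak and hardened records it checks are constructed for `example.com`.

```python
"""Audit of SPF and DMARC TXT records for the weaknesses BEC spoofing relies on.

Added example, not code from CISA or the original article. Works on record
strings obtained separately via DNS; the sample records are constructed.
"""
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 limit; receivers treat excess as a permanent error


def audit_spf(record):
    """Return a list of finding codes for an SPF record ([] means nothing flagged)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not-spf"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        t = term.lower()
        qualifier = t[0] if t[0] in "+-~?" else "+"
        body = t.lstrip("+-~?")
        if body == "all":
            all_qualifier = qualifier
            continue
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr-mechanism")   # slow and unreliable; RFC 7208 discourages it
    if all_qualifier is None:
        findings.append("missing-all")         # unmatched hosts get 'neutral': spoofs pass
    elif all_qualifier in "+?":
        findings.append("permissive-all")      # +all / ?all let any host send as the domain
    elif all_qualifier == "~":
        findings.append("softfail-all")        # many receivers still deliver a softfail
    if lookups > MAX_DNS_LOOKUPS:
        findings.append("too-many-lookups")    # record evaluates to permerror, i.e. no SPF
    return findings


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return a list of finding codes for a DMARC record ([] means nothing flagged)."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not-dmarc"]
    findings = []
    p = tags.get("p", "").lower()
    if p not in {"none", "quarantine", "reject"}:
        findings.append("invalid-policy")
    elif p == "none":
        findings.append("monitor-only-policy")   # receivers take no action on failures
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("partial-enforcement")   # only a sample of failing mail is acted on
    if "rua" not in tags:
        findings.append("no-aggregate-reports")  # no visibility into who is spoofing you
    if tags.get("sp", "").lower() == "none" and p in {"quarantine", "reject"}:
        findings.append("subdomain-policy-none") # subdomains remain spoofable
    return findings


def audit_domain(spf_record, dmarc_record):
    """Combined report for one domain, as a reviewer would read it."""
    return {"spf": audit_spf(spf_record), "dmarc": audit_dmarc(dmarc_record)}


# Constructed records for example.com: a common weak pair and a hardened pair.
WEAK = {
    "spf": "v=spf1 a mx include:spf.protection.outlook.com ~all",
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100; sp=reject",
}

if __name__ == "__main__":
    print("weak:    ", audit_domain(WEAK["spf"], WEAK["dmarc"]))
    print("hardened:", audit_domain(HARDENED["spf"], HARDENED["dmarc"]))
```

The weak pair is the state many domains sit in after a first setup: SPF soft-fails and DMARC is in monitor-only mode, so a spoofed invoice still reaches the inbox. The hardened pair hard-fails unknown senders, rejects on DMARC failure, and asks for aggregate reports so the team can see spoofing attempts before moving a policy from `quarantine` to `reject`.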

3. Enforce MFA and Role-Based Access

Multi-factor authentication (MFA) prevents attackers from logging into email accounts even if they’ve obtained a password. Combine this with least-privilege access policies to limit who can approve payments.

4. Train Employees on BEC Awareness

Provide practical training on how to spot suspicious emails, spoofed domains, and signs of social engineering. Simulated attacks and phishing tests improve awareness across departments.

5. Use Dual Authorization for Payments

For larger transactions, require at least two people to approve before payment is released. This makes it harder for one compromised account to result in financial loss.

6. Deploy Threat Detection Tools

Secure email gateways and threat detection tools can catch impersonation attempts, monitor for abnormal behavior, and block messages from known malicious IPs or domains. Consider a solution that includes anomaly detection and adaptive controls.

Where Cost+ Comes In

Our Security+ service helps organizations prevent business email compromise with layered protection, DMARC enforcement, staff training, and payment workflow consulting.

Bottom Line

Today’s business email compromise threats go far beyond basic phishing. Attackers are well-organized, use advanced impersonation tactics, and exploit trust in your vendors and executives. With the right training, technology, and financial safeguards, you can reduce your exposure and avoid costly mistakes.

By Thomas McDonald
Vice President

2025-06-21T18:59:54-05:00 | June 27, 2025