The education and healthcare industries are most frequently targeted by threat actors, according to Arctic Wolf’s 2025 Security Operations Report

“Both sectors faced persistent phishing campaigns, rising malware infections, and significant operational disruptions due to outdated infrastructure and limited cybersecurity budgets,” says Laura Stratton, Sr. Manager, Tactical Threat Intelligence at Arctic Wolf.

The report, which analyzed more than 330 trillion security observations collected by the Arctic Wolf Aurora Platform, states that:

• 51% of alerts issued occurred outside business hours, with 15% of total alerts taking place on weekends.
• Attackers targeted sectors such as education, healthcare, and manufacturing “due to outdated infrastructure, valuable data, and low tolerance for downtime.”
• Recent attacks, such as those on Fortinet FortiGate firewall devices and SonicWall CVE-2024-40766, showed how “adversaries can exploit identity and VPN weaknesses to escalate privileges and encrypt unmonitored systems in under 90 minutes.”

The company’s research also found that the most common ticketed alerts “stem from routine activity that may also signal serious threat actions,” such as:

• Logins from restricted or unusual locations
• Changes to firewall settings
• Creation of SMTP forward rules

Learn more at Arctic Wolf.