The group is believed to have carried out a series of successful intrusions between April 2025 and July 2025, including a prominent attack on British retailer Marks & Spencer. Microsoft says the shift in targets is consistent with Octo Tempest’s pattern of focusing on a single sector before moving on to another.
The group has been under close watch by Microsoft’s cybersecurity researchers, including teams based in Israel. U.S. authorities are also tracking the group’s activities. In late June, the FBI issued a formal alert warning of its operations.
Octo Tempest is known for using social engineering techniques to gain initial access to networks. Attackers often impersonate employees or third-party vendors to trick IT support teams into disabling security measures such as two-factor authentication. Once inside, they connect unauthorized devices, steal data and deploy ransomware to extort victims.
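The help-desk pattern described above (an MFA factor removed on request, then an unfamiliar device enrolled shortly afterwards) is one a security operations team can look for in identity-provider audit logs. The following is an added defender-side example, not code from Microsoft's report or from any vendor product: it correlates, per user, an MFA-method removal performed by a help-desk account with a device registration that follows within a short window. The event names, field names, sample records and the 24-hour window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not taken from the report). Field and
# action names are assumptions loosely modelled on a generic identity
# provider's audit log; a real deployment maps its own schema onto these.
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T09:14:00", "user": "alice", "action": "mfa_method_removed",
     "actor": "helpdesk-01", "device": None},
    {"ts": "2025-06-02T09:41:00", "user": "alice", "action": "device_registered",
     "actor": "alice", "device": "dev-9f3a"},
    {"ts": "2025-06-02T10:02:00", "user": "alice", "action": "sign_in",
     "actor": "alice", "device": "dev-9f3a"},
    # bob: MFA removed, but the new device appears ~42 hours later (outside 24h)
    {"ts": "2025-06-03T14:00:00", "user": "bob", "action": "mfa_method_removed",
     "actor": "helpdesk-02", "device": None},
    {"ts": "2025-06-05T08:30:00", "user": "bob", "action": "device_registered",
     "actor": "bob", "device": "dev-1122"},
    # carol: device registered with no preceding MFA removal (benign on its own)
    {"ts": "2025-06-04T11:00:00", "user": "carol", "action": "device_registered",
     "actor": "carol", "device": "dev-77aa"},
]


def _ts(event):
    """Parse the ISO-8601 timestamp carried by a constructed event."""
    return datetime.fromisoformat(event["ts"])


def find_mfa_reset_then_new_device(events, window_hours=24):
    """Return one alert per (MFA removal, device registration) pair where the
    registration for the same user lands within `window_hours` after the
    removal. Removals performed by the user themselves are still reported,
    since the actor field is surfaced for the analyst to judge."""
    window = timedelta(hours=window_hours)
    by_user = {}
    for e in sorted(events, key=_ts):
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        removals = [e for e in evs if e["action"] == "mfa_method_removed"]
        registrations = [e for e in evs if e["action"] == "device_registered"]
        for r in removals:
            for d in registrations:
                if _ts(r) < _ts(d) <= _ts(r) + window:
                    alerts.append({
                        "user": user,
                        "reset_by": r["actor"],
                        "reset_at": r["ts"],
                        "device": d["device"],
                        "registered_at": d["ts"],
                        "minutes_between": int((_ts(d) - _ts(r)).total_seconds() // 60),
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_mfa_reset_then_new_device(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['user']}: MFA removed by {alert['reset_by']} at "
              f"{alert['reset_at']}, device {alert['device']} registered "
              f"{alert['minutes_between']} min later")
```

On the constructed sample this flags only alice (a device enrolled 27 minutes after a help-desk MFA removal); bob's enrolment falls outside the default window and carol has no removal at all. The window is a tuning knob: widening it to 72 hours also catches bob, at the cost of more benign hits, so in practice the alert is best paired with a check that the help-desk ticket actually exists and that the requester was verified out-of-band.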
According to the report, the group has recently deployed DragonForce ransomware with a particular focus on VMware-based virtual environments. Researchers also observed a shift in its strategy. Instead of beginning with cloud services and working inward, Octo Tempest now starts with on-premises systems and expands from there.
Microsoft says automated defenses can sometimes identify and contain breaches in real time, but emphasizes that ultimate responsibility for incident response lies with organizational security teams. Proper investigation, recovery and remediation are essential to ensure threats are fully eliminated.
The company warns that Octo Tempest’s evolving tactics and ability to pivot between industries make it one of the most serious cybersecurity threats today.