Marks & Spencer Cyberattack: A Stark Warning on Third-Party Risk and Phishing Threats

In April 2025, Marks & Spencer (M&S), one of the UK’s most prominent retailers, fell victim to a high-impact cyberattack that exploited a vulnerability through a third-party contractor. This breach disrupted operations, compromised sensitive data, and triggered a projected £300 million loss in operating profits. It also serves as a stark reminder of the critical need for strong defenses against phishing attacks and third-party supply chain vulnerabilities.

The Attack: Phishing as the Entry Point

The attack began with a targeted phishing campaign against a third-party contractor working with M&S. Cybercriminals sent carefully crafted emails to trick employees into revealing their login credentials — a classic social engineering tactic. Once access was gained, attackers pivoted through the contractor’s network into M&S’s internal environment.

This bypassed traditional perimeter defenses and exploited trust relationships between M&S and its suppliers. The attackers then exfiltrated sensitive files, including the NTDS.dit file — a database that stores Active Directory credentials in hashed form. This gave them the ability to crack passwords offline and escalate privileges within the network.
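Because NTDS.dit normally lives only on domain controllers and is held open only by LSASS, reads of it by any other process, or references to it on a command line, are a high-signal detection for the exfiltration step described above. The following Python detector is an added example, not code from the article or from M&S; the log lines are constructed, simplified key=value renderings of Windows Security events 4663 (object access) and 4688 (process creation), and the field names, hostnames, account names and the `lsass.exe`-only allow-list are assumptions for the example rather than a vendor format or a recommended production baseline.

```python
"""Flag suspicious access to the Active Directory database file (NTDS.dit).

Added example, not from the original article. Events are constructed,
simplified key=value renderings of Windows Security events 4663 and 4688;
field names (Host, Subject, Process, Object, CommandLine) are assumptions
chosen for readability, not the real event schema.
"""
import re
from dataclasses import dataclass

# Constructed sample log: one legitimate LSASS read, one read by cmd.exe under a
# contractor service account, one command line that names the file, one
# unrelated process start, and one read by a backup agent (allow-list tuning case).
SAMPLE_EVENTS = r"""
EventID=4663 Host=DC01 Subject="NT AUTHORITY\SYSTEM" Process="C:\Windows\System32\lsass.exe" Object="C:\Windows\NTDS\ntds.dit" Access=ReadData
EventID=4663 Host=DC01 Subject="CONTRACTOR\svc-helpdesk" Process="C:\Windows\System32\cmd.exe" Object="C:\Windows\NTDS\ntds.dit" Access=ReadData
EventID=4688 Host=DC01 Subject="CONTRACTOR\svc-helpdesk" Process="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c copy C:\Windows\NTDS\ntds.dit C:\Users\Public\n.dit"
EventID=4688 Host=DC01 Subject="NT AUTHORITY\SYSTEM" Process="C:\Windows\System32\svchost.exe" CommandLine="svchost.exe -k netsvcs"
EventID=4663 Host=DC01 Subject="CORP\backupsvc" Process="C:\Program Files\Backup\agent.exe" Object="C:\Windows\NTDS\ntds.dit" Access=ReadData
""".strip()

# Only LSASS should hold ntds.dit open on a DC. Backup agents that legitimately
# read it must be added per environment; this default is an assumption.
DEFAULT_ALLOWED_PROCESSES = frozenset({"lsass.exe"})

# key=value pairs; quoted values may contain spaces and backslashes.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
NTDS_RE = re.compile(r"ntds\.dit", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    subject: str
    process: str
    reason: str


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; unknown/malformed lines give {}."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def analyse(events: str, allowed_processes=DEFAULT_ALLOWED_PROCESSES) -> list:
    """Return one Finding per event that touches ntds.dit outside the allow-list."""
    findings = []
    for raw in events.splitlines():
        ev = parse_event(raw)
        if not ev:
            continue
        process = ev.get("Process", "")
        proc_name = process.rsplit("\\", 1)[-1].lower()  # basename of the image path
        if ev.get("EventID") == "4663" and NTDS_RE.search(ev.get("Object", "")):
            if proc_name not in allowed_processes:
                findings.append(Finding(ev.get("Host", "?"), ev.get("Subject", "?"),
                                        process, "ntds.dit opened by a process outside the allow-list"))
        elif ev.get("EventID") == "4688" and NTDS_RE.search(ev.get("CommandLine", "")):
            findings.append(Finding(ev.get("Host", "?"), ev.get("Subject", "?"),
                                    process, "ntds.dit referenced on a process command line"))
    return findings


def subjects_involved(findings: list) -> list:
    """Distinct accounts behind the findings, sorted, for triage and containment."""
    return sorted({f.subject for f in findings})


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.subject} via {f.process}: {f.reason}")
    print("accounts to review:", subjects_involved(analyse(SAMPLE_EVENTS)))
```

Run against the constructed sample, the detector raises three findings with the default allow-list (the `cmd.exe` read, the command line that names the file, and the backup agent's read); passing `allowed_processes={"lsass.exe", "agent.exe"}` drops the backup agent and leaves the two contractor-account events, which is the tuning a SOC would do once it has confirmed which backup software is authorised. The account list it returns is the pivot for the response step: each subject should be checked for recent interactive logons from the contractor network and have its credentials rotated.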

These techniques are increasingly common in phishing-driven breaches, where attackers combine email deception with supply chain gaps to achieve deep access and control.

Impact: Business Disruption and Financial Losses

The effects were wide-ranging:

  • Operating Losses: M&S anticipates a £300 million reduction in profit. Recovery costs, reputational damage, and lost business have been substantial.

  • Online Business Outage: The retailer’s clothing site went offline for more than three weeks.

  • Supply Chain Disruption: Food deliveries were affected, with empty shelves across many stores.

  • Customer Data Exposure: Names, emails, phone numbers, home addresses, dates of birth, and order histories were accessed — though no payment card data was stolen.

  • Market Cap Erosion: The company lost around £750 million in market value shortly after the breach was made public.

Lessons Learned: Combating Phishing and Vendor Risk

This attack offers crucial takeaways for all businesses:

  1. Phishing Defense is Essential
    Email remains the #1 attack vector. Organizations must invest in user education, phishing-resistant MFA (e.g., FIDO2), and proactive detection tools.

  2. Third-Party Risk Management
    Vendors and suppliers can become backdoors into critical systems. Regular security audits, strict access controls, and contractual cybersecurity standards are vital.

  3. Credential Protection
    Tools like LAPS, tiered admin accounts, and encrypted password vaults can reduce the risk of credential compromise.

  4. Incident Response Readiness
    A robust, rehearsed plan can save millions in the event of a breach.

Response and Remediation

In response to the breach, M&S took swift action:

  • Cybersecurity Overhaul: The company is accelerating its IT upgrade — condensing a two-year plan into six months to fortify systems.

  • Customer Alerts: Affected customers have been notified and prompted to change passwords and remain vigilant against further phishing attempts.

  • Forensic Investigation: Working with national authorities, including the UK’s National Cyber Security Centre (NCSC), M&S is investigating the full scope of the breach.

Developed by email security professionals and data scientists with decades of experience to make life easier for customers and MSPs alike, Sabiki Email Security is a cloud-native SaaS solution built for Microsoft 365 that protects your organization from phishing, spam and targeted scams using a dynamic AI feedback-loop engine. Powered by a dynamic machine-learning engine combined with next-generation contextual and behavioral analysis, Sabiki Email Security provides a high level of granularity in engine customization with seamless onboarding and operation.