Team
Red Canary, a leader in managed detection and response (MDR), unveiled its seventh annual Threat Detection Report, examining the trends, cyber threats, and adversary techniques that organizations should prioritize in the coming months and years. The report tracks the MITRE ATT&CK® techniques that adversaries abuse most frequently, and this year noted four times as many identity attacks compared to the 2024 edition. After debuting in the top 10 in 2024, cloud-native and identity-enabled techniques surged in this year’s report, with Cloud Accounts, Email Forwarding Rule, and Email Hiding Rules ranking among the top five.
“2024 marked the rise of cloud-native and identity-enabled attacks, with three of the top five techniques we detected falling into these categories. This highlights the immense value adversaries place on identities – compromise one, and they gain access to countless systems,” said co-founder and Chief Security Officer at Red Canary. “Unfortunately, the rise of identity and access management (IAM) and identity providers hasn’t deterred adversaries. Instead, it has made centralized identities even more lucrative targets as once compromised, adversaries can gain access to numerous disparate systems. Organizations must recognize identities as a frontline for defense and strengthen their security posture to stay ahead of adversaries.”
Research highlights major shifts in the threat landscape
The data that powers Red Canary and this report are not mere software signals—this data set is the result of hundreds of thousands of investigations across millions of protected systems and identities. Each of the threats Red Canary detected in 2024 were not prevented by the customers’ expansive security controls. They are the result of a breadth and depth that Red Canary leverages to detect the threats that would otherwise go undetected.
Red Canary’s 2025 report provides in-depth analysis of nearly 93,000 threats detected within more than 308 petabytes of security telemetry from customers’ endpoints, networks, cloud infrastructure, identities, and SaaS applications over the past year. The total number of threats detected increased by more than a third compared to 2024’s report as a result of not only more customers, but also Red Canary’s expanded visibility into cloud and identity infrastructure.
The analysis shows that while the threat landscape continues to shift and evolve, adversaries’ motivations do not. The tools and techniques they deploy remain consistent, with some notable exceptions. Key findings include:
- Click, paste, compromised – One of the most successful new initial access techniques observed this year was paste and run, also known as “ClickFix” and “fakeCAPTCHA.” In this attack, adversaries socially engineer users into executing malicious scripts under the pretense that doing so will fix something, like providing access to a video or document.
- VPN abuse is rampant and difficult to detect – Adversaries constantly use virtual private networks (VPNs) to conceal their location and bypass network controls, but employees also rely on them for legitimate activity. Strikingly, organizations in the educational services sector accounted for 63 percent of all VPN use – a disproportionately high share given their smaller presence among Red Canary’s data. This highlights that environments from organizations in this sector are a potential hotspot for VPN-related security risks.
- RMM exploitation is on the rise – The use of remote monitoring and management (RMM) tools for command and control and lateral movement is growing, enabling adversaries to drop malicious payloads including ransomware. This year, Red Canary saw malicious use of NetSupport Manager break its yearly top 10, highlighting the popularity of RMM tools amongst adversaries.
- The not-so-helpful IT desk – Phishing remains prevalent in many forms. Email, QR code (aka “quishing”), SMS, and voice phishing attacks all increased in 2024. Often adversaries posed as IT personnel, asking victims to download malicious or remote control software. In 2024, Black Basta paired email bombing with social engineering, posing as IT personnel “helping” with the issue to gain access and install RMM tools.
The rise of LLMJacking to attack cloud infrastructure
While cloud attacks rose overall in 2024, the techniques adversaries abused have largely remained the same as in past years. However, adversaries have shifted more of their efforts to attacking and compromising cloud infrastructure and platforms:
With the rise of LLM usage, cloud services such as AWS Bedrock, Azure OpenAI, and GCP Vertex AI have become prime targets for adversaries in an attack known as “LLMJacking.” Adversaries have reportedly sold access to these hijacked models as part of their own SaaS “business” and passed all LLM usage costs to the victim.
Red Canary observed adversaries attempting to impair defenses inside cloud environments by disabling or modifying firewall rules and logging. Gaining access through compromised cloud accounts or valid credentials, adversaries elevate their privileges by granting the identity additional roles.
