
LevelBlue 2025 Threat Trends Report, Edition Two Finds Alarming Rise in Sophisticated Social Engineering Attacks


Shifting attack techniques and faster breakout times drive a threefold surge in cybersecurity incidents during the first half of 2025

LevelBlue, a leading provider of managed security services, strategic consulting, and threat intelligence, released the second edition of the LevelBlue Threat Trends Report, “Fool Me Once: How Cybercriminals are Mastering the Art of Deception.” Drawing on real-world incident data analyzed by the LevelBlue Security Operations Center (SOC) and LevelBlue Labs teams, the report covers cyber threat activity from January 1 through May 31, 2025, and documents a dramatic surge in social engineering attacks and faster breakout times by increasingly sophisticated adversaries.


According to the report, the number of cybersecurity incidents observed nearly tripled, with the number of LevelBlue customers experiencing incidents jumping from 6% in the second half of 2024 to 17% in 2025. While business email compromise (BEC) remains the most common method for initial access, non-BEC incidents rose by 214%, highlighting a broader shift in attacker behavior. Once attackers are in, they’re moving at an unprecedented speed, with an average breakout time (or how fast attackers can move laterally after initial access) under 60 minutes, and in some cases, less than 15 minutes.

The LevelBlue Threat Trends Report also found a massive uptick in social engineering attacks, which accounted for 39% of initial access incidents observed during the first half of the year. This is attributed to the growing number of fake CAPTCHA social engineering attacks, especially ClickFix campaigns, which jumped 1,450% from the second half of 2024 to the first half of 2025. These attacks exploit user trust and a sense of urgency to gain access to organizations’ networks.

“A striking development in the first half of 2025 is how much more sophisticated threat actors have become at deception,” said Fernando Martinez Sidera, Lead Threat Researcher at LevelBlue. “They’re moving beyond traditional BEC schemes and using targeted social engineering to manipulate users into opening the door. Once inside, they’re deploying remote access trojans and quickly covering their tracks, allowing them to move laterally through networks with alarming speed. This isn’t a one-off trend – we fully expect this shift to continue throughout 2026.”

With social engineering predicted to be the intrusion vector of choice for threat actors for the second half of 2025 and into 2026, LevelBlue recommends the following best practices to help organizations protect against these threats:

  • Educate users on fake CAPTCHA attacks like ClickFix and other browser attacks. Consider restricting PowerShell or command prompt use for non-administrator accounts.
  • Develop and enforce caller verification protocols and processes, such as multi-factor authentication (MFA), code words or phrases, or identity verification platforms.
  • Enforce usage of MFA and certificates for VPN access. Deploy a jump box if RDP must be used from outside the network.
  • Remove Quick Assist from all end-user machines unless explicitly required for business and IT services.
  • Follow guidance on preventing the download and execution of RMM software. Threat actors will have victims download other tools if Quick Assist is not available during a fake help desk attack.
  • Stay up to date on vulnerabilities and patch releases related to applications, software, and hardware. Patch as soon as possible, especially if there is a proof-of-concept exploit released.
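Two of the items above (removing Quick Assist and limiting what PowerShell can do for non-administrators) can be audited from an elevated PowerShell session. The script below is an added example, not code from LevelBlue or this article; it assumes a Windows 10/11 endpoint where Quick Assist is present either as the optional capability `App.Support.QuickAssist` or as the Store package `MicrosoftCorporationII.QuickAssist`, and it only removes anything when run with `-Remediate`.

```powershell
# Added hardening audit (hypothetical, not LevelBlue's tooling).
# Run elevated:  .\Audit-QuickAssist.ps1            (report only)
#                .\Audit-QuickAssist.ps1 -Remediate (also remove Quick Assist)
param([switch]$Remediate)

# 1. Quick Assist as an optional Windows capability (older builds).
$caps = Get-WindowsCapability -Online |
        Where-Object { $_.Name -like 'App.Support.QuickAssist*' }
foreach ($cap in $caps) {
    Write-Host "Capability $($cap.Name): $($cap.State)"
    if ($Remediate -and $cap.State -eq 'Installed') {
        Remove-WindowsCapability -Online -Name $cap.Name | Out-Null
        Write-Host "  removed capability"
    }
}

# 2. Quick Assist as a Microsoft Store package (newer builds).
$pkgs = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist'
foreach ($pkg in $pkgs) {
    Write-Host "Store package $($pkg.PackageFullName) is installed"
    if ($Remediate) {
        Remove-AppxPackage -AllUsers -Package $pkg.PackageFullName
        Write-Host "  removed package"
    }
}
if (-not $caps -and -not $pkgs) { Write-Host "Quick Assist not found" }

# 3. PowerShell restriction check for this session. ConstrainedLanguage is
#    what an AppLocker or WDAC policy enforces for non-administrator users;
#    FullLanguage here means such a policy is not in effect for this user.
$mode = $ExecutionContext.SessionState.LanguageMode
Write-Host "PowerShell language mode: $mode"
if ($mode -ne 'ConstrainedLanguage') {
    Write-Host "  No application control policy constrains this session."
}
```

The language-mode check reflects only the session it runs in, so run it as a standard user to see what a non-administrator actually gets; a removed Store package can return through Store updates, so pair removal with an AppLocker or WDAC rule that blocks it.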

The LevelBlue SOC works in close collaboration with LevelBlue Labs threat researchers to share timely insights and methodologies, while engaging in joint research initiatives to combat emerging cybersecurity challenges and bolster the security posture of organizations.
