Midyear update to the 2025 Threat Detection Report identifies rapid emergence of new cloud techniques and evolution in phishing tactics
-
Cloud Account detections increased nearly 500%ย compared to the entirety of 2024, driven largely by expanded detection capabilities in identity-based threats.
-
Two new cloud-related techniquesย โ Data from Cloud Storage and Disable or Modify Cloud Firewall โ have broken intoย Red Canary’sย top 10 techniques for the first time.
-
Phishing remains prevalent but nuanced: analysis revealed that only 16% of suspected phishing emails were genuinely malicious.
Red Canary, a Zscaler company, published a midyear update to its annual Threat Detection Report, offering insights into evolving cybersecurity threats based on detections observed in the first half of 2025. The report highlights a dramatic rise in identity threats and the evolving landscape of cloud techniques, driven by increased adoption of identity security measures, generative AI, and enhanced detection capabilities. The analysis emphasizes the need for security strategies to address both clear threats and subtle, risky behaviors that can precede major breaches.
“As organizations increasingly adopt cloud-based identity providers, infrastructure, and applications, our midyear update highlights the impact on threat detection. Security teams are evolving their endpoint-focused strategies to approaches that recognize more nuanced risks across dispersed environments,” saidย Keith McCammon, Co-founder ofย Red Canary. “Unlike endpoint, where most of the data and context required for threat detection and response stems from a single source, identity and cloud threat detection requires visibility and correlation across disparate systems, coupled with a platform and team capable of performing timely investigations.”
Cloud Account detections blur the lines between threat and risk
Red Canaryย observed an almost 500% increase in detections associated with Cloud Accounts during the first half of 2025. This significant rise stems primarily fromย Red Canary’sย expanded identity detection coverage and the implementation of AI agents designed to identify unusual login patterns and suspicious user behaviors. This includes identifying logins from unusual devices, IP addresses, and virtual private networks (VPNs), which significantly increases the detection of risky behaviors.
Also Read:ย CIO Interview with Ramprakash Ramamoorthy, Director of AI Research, ManageEngine
New cloud techniques expose emerging risks
For the first time, two cloud-related techniques โ Data from Cloud Storage and Disable or Modify Cloud Firewall โ enteredย Red Canary’sย top 10 detected techniques. These techniques represent a growing focus not just on explicit threats but on risky behaviors that can be the precursors to potential breaches. Organizations face significant risks from misconfigured AWS S3 storage buckets and open ingress ports, due to both adversaries using harvested credentials to deliberately expose them and legitimate changes by trusted employees.
Phishing emails are not always what they seem
Red Canaryย analyzed tens of thousands of user-reported phishing emails, revealing that only 16% were actual threats. Despite this low percentage, phishing remains a critical attack vector, emphasizing the need for organizations to create feedback loops so that they can continually mature their ability to quickly identify genuine threats. Notably, adversaries are employing increasingly sophisticated techniques, including using legitimate services such as Google Translate to create convincing phishing emails that bypass traditional security measures and obfuscate detection.
Scarlet Goldfinchย evolves with fake CAPTCHA
Scarlet Goldfinch, an established initial access threat known for delivering remote management and monitoring (RMM) tools, made a significant operational shift this year. Previously relying on fake browser updates, the group has pivoted to using fake CAPTCHA paste-and-run techniques to entice victims into executing malicious code. This evolution highlights adversaries’ agility in adapting the latest social engineering tactics to remain effective and evade existing defenses.
Also Read:ย Confidential Computing vs Traditional Encryption: Key Differences Explained
Defending against emerging threats and risks
As threats evolve, organizations must bolster their defenses by implementing the following strategies:
- Identity security controls:ย Enforce multi-factor authentication (MFA) and conditional access policies (CAP) to reduce unauthorized identity usage.
- Cloud misconfiguration management:ย Regularly audit and secure cloud infrastructure configurations, ensuring public access settings and firewall rules adhere to strict policies in line with the principles of zero trust.
- Phishing awareness:ย Implement robust user training to improve identification of sophisticated phishing and social engineering attempts.
- VPN and RMM monitoring:ย Limit and closely monitor VPN usage and remote management tools, using behavioral analytics to detect anomalous activity indicative of malicious intent.
By proactively adopting these measures, organizations can significantly enhance their cybersecurity posture, mitigating the risk and impact of the latest adversary tactics.
[To share your insights with us as part of editorial or sponsored content, please write toย psen@itechseries.com]
