Threat Researchers Sound the Alarm on Explosive Growth in Identity-Enabled Attacks

In a cybersecurity landscape increasingly defined by identity-centric threats, attackers are ramping up their efforts to exploit centralized authentication systems. Red Canary’s newly released 2025 Threat Detection Report highlights a staggering fourfold increase in identity-enabled attacks compared to last year, underscoring the escalating risk organizations face in safeguarding their digital identities.


The report, an annual deep dive into adversary techniques based on MITRE ATT&CK® mappings, reveals that cloud-native threats and identity exploitation have skyrocketed in prevalence. Techniques like Cloud Accounts, Email Forwarding Rule Abuse, and Email Hiding Rules cracked the top five most common attack vectors in 2025, signaling a clear shift in attacker priorities.


Identity: The Golden Key for Adversaries

“2024 marked the rise of cloud-native and identity-enabled attacks, with three of the top five techniques we detected falling into these categories. This highlights the immense value adversaries place on identities – compromise one, and they gain access to countless systems,” said Keith McCammon, co-founder and Chief Security Officer at Red Canary.


“Unfortunately, the rise of identity and access management (IAM) and identity providers hasn’t deterred adversaries. Instead, it has made centralized identities even more lucrative targets as once compromised, adversaries can gain access to numerous disparate systems. Organizations must recognize identities as a frontline for defense and strengthen their security posture to stay ahead of adversaries.”


Threats That Bypassed Even the Best Security Stacks

Perhaps most alarmingly, none of the nearly 93,000 detected threats in this year’s report were blocked by customers’ existing security controls—despite widespread deployment of leading endpoint protection (EPP) and identity and access management (IAM) platforms. The data, gathered from 308 petabytes of security telemetry across endpoints, networks, cloud environments, and SaaS platforms, suggests that while security tools are essential, they alone cannot prevent modern identity-based attacks.


Key Attack Trends: What’s New in 2025?

  • FakeCAPTCHA and Social Engineering Surge

    • A deceptive technique dubbed “ClickFix” or “fakeCAPTCHA” emerged as one of the most successful new initial access methods. Attackers lure users into executing malicious scripts under the guise of resolving an issue, like unlocking a video or document.

  • RMM Tools: A New Favorite for Command & Control

    • Red Canary detected a sharp rise in remote monitoring and management (RMM) tools being co-opted for lateral movement and ransomware deployment. Notably, NetSupport Manager ranked in the top 10 most detected threats for the first time, highlighting its growing abuse.

  • LLMJacking: The New Face of Cloud Attacks

    • With enterprises rapidly adopting large language models (LLMs), adversaries have seized the opportunity to hijack cloud AI services, a tactic now known as LLMJacking. Attackers infiltrate platforms like AWS Bedrock, Azure OpenAI, and GCP Vertex AI, often selling illicit access while leaving victims with the bill.

  • Infostealers Drive Identity-Based Intrusions

    • LummaC2, a leading malware-as-a-service (MaaS) offering, topped the list of credential theft tools, selling access for as little as $250 per month. Many attackers pair LummaC2 infections with NetSupport Manager to maintain persistent access.

  • macOS Malware Skyrockets 400%

    • In a parallel to past Windows-based surges, macOS saw an explosive 400% increase in malware activity. Notorious strains like Atomic, Poseidon, Banshee, and Cuckoo dominated the landscape. However, Apple’s September 2024 patch curbed infection rates significantly by fixing a key Gatekeeper bypass.


Defensive Strategies: How Organizations Can Respond

To counter the evolving threat landscape, Red Canary advises organizations to take the following steps:

  • Limit unsanctioned VPN usage – Unregulated VPN activity makes it difficult to distinguish legitimate traffic from potential intrusions. Organizations should enforce strict policies to reduce risk.

  • Harden centralized identity management – IAM platforms are critical, but they also present high-value targets. Security teams must continuously monitor and adjust identity permissions to minimize exposure.

  • Prioritize patching – The report reaffirms that patching remains one of the most effective defenses against cyber threats. Unpatched vulnerabilities serve as primary attack vectors.

  • Implement cloud access safeguards – Organizations should regularly review cloud permissions and logging configurations to detect and mitigate unauthorized changes.

  • Test defenses against top threats – Security teams should assess their ability to detect and respond to the most prevalent attack techniques outlined in Red Canary’s report. The Atomic Red Team testing library offers a free resource for simulating real-world attacks.
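Two of the top-five techniques named above, Email Forwarding Rule Abuse and Email Hiding Rules, are exactly the "unauthorized changes" the logging-review advice targets. The following Python detector is an added example, not Red Canary's code or part of the report; it flags mailbox rules that auto-forward externally or divert security-related mail out of sight, over constructed rule records whose field layout (forward_to, move_to_folder, delete, mark_as_read, subject_contains) is an assumption rather than any specific mail platform's audit schema.

```python
"""Flag suspicious inbox rules: external auto-forwarding and "hiding" rules.
Constructed example; the InboxRule layout is an assumption, loosely modelled
on what mailbox audit logs typically expose, not a real platform's schema."""
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}  # constructed tenant domains
# Subject keywords hiding rules commonly match to bury warnings or invoices
HIDE_KEYWORDS = {"password", "mfa", "security", "invoice", "helpdesk"}
# Folders where diverted mail goes unnoticed by the user
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "junk email", "archive"}


@dataclass
class InboxRule:
    user: str
    name: str
    forward_to: list = field(default_factory=list)      # forwarding targets
    move_to_folder: str = ""                             # destination folder
    delete: bool = False
    mark_as_read: bool = False
    subject_contains: list = field(default_factory=list)


def is_external(address: str) -> bool:
    """True when the address domain is outside the tenant's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def assess_rule(rule: InboxRule) -> list:
    """Return finding strings for one rule; an empty list means benign."""
    findings = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append(f"external forwarding to {', '.join(external)}")
    hides = rule.delete or rule.move_to_folder.lower() in HIDING_FOLDERS
    keyword_hit = any(k.lower() in HIDE_KEYWORDS for k in rule.subject_contains)
    if hides and (keyword_hit or rule.mark_as_read):
        findings.append("hiding rule: diverts security/finance mail out of sight")
    return findings


def scan_rules(rules) -> dict:
    """Map user -> findings across all rules; users with no findings are omitted."""
    report = {}
    for r in rules:
        for f in assess_rule(r):
            report.setdefault(r.user, []).append(f"[{r.name}] {f}")
    return report


SAMPLE_RULES = [  # constructed records, not real telemetry
    InboxRule("alice@example.com", "Team mail", move_to_folder="Projects", subject_contains=["standup"]),
    InboxRule("bob@example.com", ".", forward_to=["drop@attacker.example"], delete=True, mark_as_read=True),
    InboxRule("carol@example.com", "cleanup", move_to_folder="RSS Subscriptions", mark_as_read=True, subject_contains=["password", "MFA"]),
]

if __name__ == "__main__":
    for user, findings in scan_rules(SAMPLE_RULES).items():
        print(user, *[f"  - {f}" for f in findings], sep="\n")
```

Running it reports bob (external forwarding plus a single-character rule name that deletes and marks read) and carol (password/MFA mail moved to RSS Subscriptions), while alice's project-folder rule produces no finding.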


The Bottom Line: Identity is the New Perimeter

As adversaries increasingly target identities, cloud platforms, and AI services, security teams must shift their focus from traditional perimeter defenses to identity-first security strategies.

“This year’s report makes clear that the malware-as-a-service ecosystem has fully matured and is operating at a similar level to the legitimate software industry,” added McCammon.


“The sheer accessibility of the tools that adversaries can use to compromise organizations has led to an explosion in attack volume, overwhelming security teams. AI is becoming an essential tool for helping analysts cut through the noise and focus on threats that matter.”

In a world where cybercriminals treat identity as their most prized asset, organizations must adapt—because for attackers, one compromised account is the key to the kingdom.