Midyear update to the 2025 Threat Detection Report identifies rapid emergence of new cloud techniques and evolution in phishing tactics
Key Findings:
- Cloud Account detections increased nearly 500% compared to the entirety of 2024, driven largely by expanded detection capabilities in identity-based threats.
- Two new cloud-related techniques – Data from Cloud Storage and Disable or Modify Cloud Firewall – have broken into Red Canary’s top 10 techniques for the first time.
- Phishing remains prevalent but nuanced: analysis revealed that only 16% of suspected phishing emails were genuinely malicious.
SAN JOSE, Calif., Aug. 5, 2025 /PRNewswire/ — Red Canary, a Zscaler company, today published a midyear update to its annual Threat Detection Report, offering insights into evolving cybersecurity threats based on detections observed in the first half of 2025. The report highlights a dramatic rise in identity threats and the evolving landscape of cloud techniques, driven by increased adoption of identity security measures, generative AI, and enhanced detection capabilities. The analysis emphasizes the need for security strategies to address both clear threats and subtle, risky behaviors that can precede major breaches.
“As organizations increasingly adopt cloud-based identity providers, infrastructure, and applications, our midyear update highlights the impact on threat detection. Security teams are evolving their endpoint-focused strategies to approaches that recognize more nuanced risks across dispersed environments,” said Keith McCammon, Co-founder of Red Canary. “Unlike endpoint, where most of the data and context required for threat detection and response stems from a single source, identity and cloud threat detection requires visibility and correlation across disparate systems, coupled with a platform and team capable of performing timely investigations.”
Cloud Account detections blur the lines between threat and risk
Red Canary observed an almost 500% increase in detections associated with Cloud Accounts during the first half of 2025. This significant rise stems primarily from Red Canary’s expanded identity detection coverage and the implementation of AI agents designed to identify unusual login patterns and suspicious user behaviors. This includes identifying logins from unusual devices, IP addresses, and virtual private networks (VPNs), which significantly increases the detection of risky behaviors.
New cloud techniques expose emerging risks
For the first time, two cloud-related techniques – Data from Cloud Storage and Disable or Modify Cloud Firewall – entered Red Canary’s top 10 detected techniques. These techniques represent a growing focus not just on explicit threats but on risky behaviors that can be the precursors to potential breaches. Organizations face significant risks from misconfigured AWS S3 storage buckets and open ingress ports, whether exposed deliberately by adversaries using harvested credentials or through legitimate changes made by trusted employees.
Phishing emails are not always what they seem
Red Canary analyzed tens of thousands of user-reported phishing emails, revealing that only 16% were actual threats. Despite this low percentage, phishing remains a critical attack vector, emphasizing the need for organizations to create feedback loops so that they can continually mature their ability to quickly identify genuine threats. Notably, adversaries are employing increasingly sophisticated techniques, including using legitimate services such as Google Translate to create convincing phishing emails that bypass traditional security measures and evade detection.
Scarlet Goldfinch evolves with fake CAPTCHA
Scarlet Goldfinch, an established initial access threat known for delivering remote management and monitoring (RMM) tools, made a significant operational shift this year. Previously relying on fake browser updates, the group has pivoted to using fake CAPTCHA paste-and-run techniques to entice victims into executing malicious code. This evolution highlights adversaries’ agility in adapting the latest social engineering tactics to remain effective and evade existing defenses.
Defending against emerging threats and risks
As threats evolve, organizations must bolster their defenses by implementing the following strategies:
- Identity security controls: Enforce multi-factor authentication (MFA) and conditional access policies (CAP) to reduce unauthorized identity usage.
- Cloud misconfiguration management: Regularly audit and secure cloud infrastructure configurations, ensuring public access settings and firewall rules adhere to strict policies in line with the principles of zero trust.
- Phishing awareness: Implement robust user training to improve identification of sophisticated phishing and social engineering attempts.
- VPN and RMM monitoring: Limit and closely monitor VPN usage and remote management tools, using behavioral analytics to detect anomalous activity indicative of malicious intent.
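The cloud misconfiguration recommendation above (audit public access settings and firewall rules) can be turned into a repeatable check. The following is an added example written for this page, not Red Canary's or Zscaler's code: it audits a constructed inventory whose field names loosely follow AWS S3 PublicAccessBlock and EC2 security-group ingress settings (a simplified shape assumed for illustration, not the real API response) and flags buckets without a complete public access block and rules that open non-web ports to the whole internet.

```python
"""Audit a constructed snapshot of cloud configuration for the two risky
conditions named in the release: publicly exposed object storage and
firewall (security group) rules that open ingress to the whole internet."""
import ipaddress
from dataclasses import dataclass

# Constructed sample inventory (not real account data). Field names loosely
# follow AWS S3 PublicAccessBlock and EC2 security-group ingress settings but
# the structure is a simplified assumption for this example.
SAMPLE_INVENTORY = {
    "buckets": [
        {"name": "corp-backups", "public_access_block": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
        {"name": "marketing-assets", "public_access_block": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
        {"name": "legacy-exports", "public_access_block": None},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [
            {"port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [
            {"port_from": 3306, "port_to": 3306, "cidr": "10.0.0.0/8"},
            {"port_from": 22, "port_to": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-wide-open", "ingress": [
            {"port_from": 0, "port_to": 65535, "cidr": "::/0"}]},
    ],
}

# Ports tolerated as world-reachable (public web front ends). Anything else open
# to the whole internet is flagged. This is a policy choice; adjust per environment.
ALLOWED_PUBLIC_PORTS = {80, 443}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass
class Finding:
    resource: str
    kind: str      # "bucket" or "security_group"
    detail: str


def is_world_cidr(cidr):
    """True if the CIDR covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_buckets(buckets):
    """Flag buckets with no public access block or with any of its four settings off."""
    findings = []
    for b in buckets:
        pab = b.get("public_access_block")
        if pab is None:
            findings.append(Finding(b["name"], "bucket", "no public access block configured"))
            continue
        missing = [k for k in PAB_KEYS if not pab.get(k, False)]
        if missing:
            findings.append(Finding(b["name"], "bucket",
                                    "public access block disabled for: " + ", ".join(missing)))
    return findings


def audit_security_groups(groups):
    """Flag ingress rules that expose non-tolerated ports to 0.0.0.0/0 or ::/0."""
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            if not is_world_cidr(rule["cidr"]):
                continue
            # Ports opened to the world, minus the tolerated public web ports.
            exposed = set(range(rule["port_from"], rule["port_to"] + 1)) - ALLOWED_PUBLIC_PORTS
            if exposed:
                lo, hi = min(exposed), max(exposed)
                span = str(lo) if lo == hi else f"{lo}-{hi}"
                findings.append(Finding(g["id"], "security_group",
                                        f"ingress from {rule['cidr']} on port(s) {span}"))
    return findings


def audit(inventory):
    """Run both checks and return the combined list of findings."""
    return audit_buckets(inventory["buckets"]) + audit_security_groups(inventory["security_groups"])


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f.kind}] {f.resource}: {f.detail}")
```

Run against the constructed inventory, the audit reports the bucket with no public access block, the bucket with two of the four block settings disabled, the SSH port opened to every IPv4 address, and the group that opens every port over IPv6; the HTTPS-only group is accepted. The same two functions can be fed the real settings pulled from a cloud account once their field names are mapped onto this shape.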
By proactively adopting these measures, organizations can significantly enhance their cybersecurity posture, mitigating the risk and impact of the latest adversary tactics.
Methodology
The midyear update to the 2025 Threat Detection Report provides in-depth analysis of the confirmed threats detected from the petabytes of telemetry collected from Red Canary customers’ endpoints, networks, cloud infrastructure, identities, and SaaS applications in the first six months of 2025.
The Threat Detection Report sets itself apart from other annual reports with its unique data and insights derived from a combination of expansive detection coverage and expert, human-led investigation, and confirmation of threats.
About Red Canary, a Zscaler Company
Red Canary is a leader in managed detection and response (MDR). We serve companies of every size and industry, focusing on finding and stopping threats before they can have a negative impact. As the security ally for nearly 1,000 organizations, we provide MDR across our customers’ cloud workloads, identities, SaaS applications, networks, and endpoints. For more information about Red Canary, visit: https://www.redcanary.com.
About Zscaler
Zscaler (NASDAQ: ZS) accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange™ platform protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SASE-based Zero Trust Exchange™ is the world’s largest in-line cloud security platform.
Original release: https://www.prnewswire.com/news-releases/red-canary-research-reveals-sharp-rise-in-cloud-and-identity-threats-exposing-critical-cybersecurity-risks-302521309.html
SOURCE Red Canary