A report by a cyber security firm tracks the MITRE ATT&CK techniques that adversaries abuse most frequently. Cloud-native and identity-enabled techniques have surged, with Cloud Accounts, Email Forwarding Rule, and Email Hiding Rules ranking among the top five, according to Red Canary.
Keith McCammon, co-founder and Chief Security Officer at Red Canary, said that three of the top five techniques the firm has detected fall into the categories of cloud-native and identity-enabled. He said: “This highlights the immense value adversaries place on identities – compromise one, and they gain access to countless systems. Unfortunately, the rise of identity and access management (IAM) and identity providers hasn’t deterred adversaries. Instead, it has made centralized identities even more lucrative targets as once compromised, adversaries can gain access to numerous disparate systems. Organizations must recognize identities as a frontline for defense and strengthen their security posture to stay ahead of adversaries.”
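Two of the top-five techniques named above, Email Forwarding Rule and Email Hiding Rules, leave a trail in mailbox audit logs: the rule-creation event records every parameter of the rule. The following detector is an added example, not code from Red Canary or its report. It runs over constructed, simplified stand-ins for Microsoft 365 unified audit log entries for New-InboxRule / Set-InboxRule; the parameter names (ForwardTo, DeleteMessage, MoveToFolder, MarkAsRead, SubjectContainsWords) are real Exchange cmdlet parameters, while the users, addresses, rule contents, internal domain list and hidden-folder list are assumptions made for the illustration.

```python
"""Flag mailbox rules that forward mail out of the organisation or hide it.

Added example; not code from Red Canary or its report. The records below are
constructed, simplified stand-ins for Microsoft 365 unified audit log entries
for New-InboxRule / Set-InboxRule. The parameter names are real Exchange
cmdlet parameters; the users, addresses and rule contents are invented.
"""
import re

# Assumption: the organisation's own mail domains; anything else is external.
INTERNAL_DOMAINS = {"example.com"}

FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Assumption: folders users rarely open, so mail filed there is effectively hidden.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items",
                "junk email", "conversation history"}
# Keywords suggesting the rule singles out financial or credential traffic.
SENSITIVE_WORDS = {"invoice", "payment", "wire", "bank", "password", "mfa"}

EMAIL_DOMAIN = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def make_rule_event(user, op, **params):
    """Build one constructed audit record in the shape the detector expects."""
    return {"UserId": user, "Operation": op,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    make_rule_event("alice@example.com", "New-InboxRule", Name="Receipts",
                    SubjectContainsWords="receipt", MoveToFolder="Receipts"),
    make_rule_event("bob@example.com", "New-InboxRule", Name=".",
                    ForwardTo="collector@mail-drop.invalid", DeleteMessage="True"),
    make_rule_event("carol@example.com", "Set-InboxRule", Name="Finance",
                    SubjectContainsWords="invoice;payment;wire",
                    MoveToFolder="RSS Subscriptions", MarkAsRead="True"),
    make_rule_event("dave@example.com", "New-InboxRule", Name="To manager",
                    ForwardTo="manager@example.com"),
]


def assess_rule_event(event):
    """Return (severity, reasons) for one inbox-rule audit record.

    severity is None (nothing of note), "medium" (the rule hides mail) or
    "high" (external forwarding, or hiding combined with sensitive keywords).
    """
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None, []
    params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
    reasons, external, hides = [], False, False

    # Forwarding/redirecting to a domain the organisation does not own.
    for name in FORWARD_PARAMS:
        for domain in EMAIL_DOMAIN.findall(params.get(name, "")):
            if domain.lower() not in INTERNAL_DOMAINS:
                external = True
                reasons.append(f"{name} sends mail outside the organisation ({domain})")

    # Rules that keep the mailbox owner from seeing the matching messages.
    if params.get("DeleteMessage", "").lower() == "true":
        hides = True
        reasons.append("DeleteMessage removes matching mail from the inbox")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDE_FOLDERS:
        hides = True
        reasons.append(f"MoveToFolder files mail into a rarely-read folder ({folder})")
    if hides and params.get("MarkAsRead", "").lower() == "true":
        reasons.append("MarkAsRead suppresses the unread indicator")

    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";")}
    hits = sorted(words & SENSITIVE_WORDS)
    if hides and hits:
        reasons.append("filters on sensitive keywords: " + ", ".join(hits))

    if external or (hides and hits):
        return "high", reasons
    return ("medium", reasons) if hides else (None, reasons)


def triage(events):
    """Return {UserId: (severity, reasons)} for records worth an analyst's time."""
    flagged = {}
    for ev in events:
        severity, reasons = assess_rule_event(ev)
        if severity:
            flagged[ev["UserId"]] = (severity, reasons)
    return flagged


if __name__ == "__main__":
    for user, (severity, reasons) in triage(SAMPLE_EVENTS).items():
        print(f"{user}: {severity.upper()} - " + "; ".join(reasons))
```

Run against the sample set, the detector flags bob's rule (external forward plus deletion) and carol's rule (finance keywords filed into an unread RSS folder) as high, and ignores alice's and dave's ordinary housekeeping rules. The keyword list and hidden-folder list are the parts worth tuning per organisation; the forwarding check only needs the list of domains the organisation actually owns.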
The company says that its 2025 report provides analysis of nearly 93,000 threats detected within more than 308 petabytes of security telemetry from customers’ endpoints, networks, cloud infrastructure, identities, and SaaS applications over the past year. The total number of threats detected rose by more than a third compared with the 2024 report, a result not only of a larger customer base but also of the US company’s expanded visibility into cloud and identity infrastructure.
Findings include:
One of the most successful new initial access techniques observed this year was paste and run, also known as “ClickFix” and “fakeCAPTCHA.” In this attack, adversaries socially engineer users into executing malicious scripts under the pretense that doing so will fix something, such as granting access to a video or document. Adversaries routinely use virtual private networks (VPNs) to conceal their location and bypass network controls, but employees also rely on them for legitimate activity. The education sector accounted for 63 percent of all VPN use, a disproportionately high share given the sector’s comparatively small presence in the company’s data.
RMM exploitation
The use of remote monitoring and management (RMM) tools for command and control and lateral movement is growing, enabling adversaries to drop malicious payloads, including ransomware. This year, Red Canary saw malicious use of NetSupport Manager break into its yearly top ten, underscoring the popularity of RMM tools among adversaries. Phishing remains prevalent in many forms: email, QR code (“quishing”), SMS, and voice phishing attacks all increased in 2024. Adversaries often posed as IT personnel, asking victims to download malicious software or remote control tools. In 2024, Black Basta paired email bombing with social engineering, posing as IT personnel “helping” with the issue in order to gain access and install RMM tools.
The techniques adversaries abused have largely remained the same as in past years, but adversaries have shifted more of their effort to attacking and compromising cloud infrastructure and platforms. The company observed adversaries attempting to impair defences inside cloud environments by disabling or modifying firewall rules and logging. Having gained access through compromised cloud accounts or valid credentials, adversaries elevate their privileges by granting the identity additional roles.
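The two cloud behaviours described above, impairing logging or firewall rules and then granting the identity more privileges, are individually noisy but become a strong signal when the same principal does both within a short window. The following correlation is an added example, not code from Red Canary or its report. It runs over constructed records that only loosely follow the AWS CloudTrail field layout (eventTime, eventSource, eventName, userIdentity.arn); the API names are real AWS actions, while the account id, user names, timestamps and the 60-minute window are assumptions made for the illustration.

```python
"""Correlate cloud audit events that impair defences with events that grant
the same identity additional privileges.

Added example; not code from Red Canary or its report. The records below are
constructed and only loosely follow the AWS CloudTrail field layout; the API
names are real AWS actions, the activity and identities are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that weaken visibility or loosen network controls (defence impairment).
IMPAIR_DEFENCES = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("logs.amazonaws.com", "DeleteLogGroup"),
    ("ec2.amazonaws.com", "DeleteFlowLogs"),
    ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"),
    ("ec2.amazonaws.com", "RevokeSecurityGroupEgress"),
    ("guardduty.amazonaws.com", "DeleteDetector"),
}
# Actions that hand an identity additional roles, policies or credentials.
GRANT_PRIVILEGES = {
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("iam.amazonaws.com", "AttachRolePolicy"),
    ("iam.amazonaws.com", "PutUserPolicy"),
    ("iam.amazonaws.com", "AddUserToGroup"),
    ("iam.amazonaws.com", "UpdateAssumeRolePolicy"),
    ("iam.amazonaws.com", "CreateAccessKey"),
}
# Assumption: how close in time the two behaviours must be to count as one campaign.
WINDOW = timedelta(minutes=60)


def make_event(time, source, name, user):
    """Build one constructed audit record (account id and users are invented)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111111111111:user/{user}"}}


# Constructed sample events, deliberately out of chronological order.
SAMPLE_EVENTS = [
    make_event("2025-03-01T10:00:12Z", "sts.amazonaws.com", "GetCallerIdentity", "ci-runner"),
    make_event("2025-03-01T10:05:51Z", "iam.amazonaws.com", "AttachUserPolicy", "deploy-bot"),
    make_event("2025-03-01T10:01:40Z", "cloudtrail.amazonaws.com", "StopLogging", "deploy-bot"),
    make_event("2025-03-01T10:03:05Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "deploy-bot"),
    make_event("2025-03-01T09:30:00Z", "iam.amazonaws.com", "AttachRolePolicy", "admin-jane"),
    make_event("2025-03-01T16:00:00Z", "logs.amazonaws.com", "DeleteLogGroup", "admin-jane"),
]


def classify(event):
    """Return "impair", "grant" or None for one event."""
    key = (event["eventSource"], event["eventName"])
    if key in IMPAIR_DEFENCES:
        return "impair"
    if key in GRANT_PRIVILEGES:
        return "grant"
    return None


def correlate(events, window=WINDOW):
    """Group classified events by principal and rate each principal.

    Returns {arn: {"severity", "impair", "grant"}}. A principal that both
    impaired defences and granted privileges within `window` is "high";
    one that did only one of the two (or both, far apart) is "medium".
    """
    by_actor = defaultdict(lambda: {"impair": [], "grant": []})
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        kind = classify(ev)
        if kind:
            when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_actor[ev["userIdentity"]["arn"]][kind].append((when, ev["eventName"]))

    findings = {}
    for arn, seen in by_actor.items():
        paired = any(abs(t_i - t_g) <= window
                     for t_i, _ in seen["impair"] for t_g, _ in seen["grant"])
        findings[arn] = {
            "severity": "high" if paired else "medium",
            "impair": [name for _, name in seen["impair"]],
            "grant": [name for _, name in seen["grant"]],
        }
    return findings


if __name__ == "__main__":
    for arn, f in correlate(SAMPLE_EVENTS).items():
        print(f"{f['severity'].upper():6} {arn}: impair={f['impair']} grant={f['grant']}")
```

On the sample data, deploy-bot stops the trail, opens a security group and attaches a policy to itself within four minutes and is rated high; admin-jane's policy attachment and log-group deletion are six and a half hours apart and stay at medium, where a change-ticket lookup would normally resolve them. Extending the two action sets to the equivalent Azure or Google Cloud operations changes nothing in the correlation itself.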
McCammon added: “The sheer accessibility of the tools that adversaries can use to compromise organizations has led to an explosion in attack volume, overwhelming security teams. AI is becoming an essential tool for helping analysts cut through the noise and focus on threats that matter. By streamlining workflows and augmenting human expertise, AI enables security teams to detect and respond to threats faster, preventing adversaries from gaining an advantage.”
Red Canary, which offers managed detection and response (MDR), is holding a 2025 Threat Detection Report webinar on March 26 at 2pm ET – visit: https://redcanary.com/.