The 2025 Expel Cybersecurity Threat Report highlights key threat trends from 2024, emphasizing the dominance of identity-based attacks and growing cloud and malware threats. This comprehensive analysis provides critical insights for organizations to enhance their security posture in a rapidly evolving threat landscape.
Key points
- The report is structured into sections such as executive summaries, threat categories (identity, cloud, computer-based, phishing), industry-specific analysis, and future outlooks, providing a detailed overview of attack trends and incident statistics.
- In 2024, identity-based incidents accounted for 68% of all threats, a rise of four percentage points from the previous year, highlighting the persistent importance of credential and identity security.
- Major threat vectors include leaked or stolen credentials, malicious use of phishing-as-a-service platforms, and malware deployment through infostealers and remote access tools; the report notes an increase in malware, with infostealers surpassing traditional IATs.
- Cloud infrastructure attacks primarily stem from stolen credentials, with AWS being the most targeted platform; additional techniques include server-side exploitation and SSRF vulnerabilities, emphasizing the need for stringent secret management and vulnerability monitoring.
- Despite comprising only 1% of total incidents, targeted threats remain highly persistent, often involving specific organizations, and pose significant risks due to attacker focus and adaptability.
- Malware trends show a decrease in IATs like Qakbot, replaced by infostealers and RATs, with malware incidents accounting for over 50% of observed threats by late 2024, driven by evolving tactics like fake update websites and ClickFix strategies.
- The report underscores the importance of continuous monitoring, rapid incident response, and layered security controls—such as MFA enforcement, session management, secret scanning, and anomaly detection—to protect against complex, interconnected cyber threats in 2025.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)