Insights from Mandiant M-Trends 2025 Threat Report

TLDR
- Exploits remain the top initial infection vector, with stolen credentials rising sharply to second place, fuelled by infostealers.
- Cloud compromises are rising, frequently exploiting weak identity controls, MFA gaps, and insecure on-prem integrations.
- Unsecured internal data repositories (e.g., SharePoint, code repos) represent a key, often overlooked risk, exploited for credentials and lateral movement.
- DPRK IT workers posing as employees emerged as a notable insider threat, accounting for 5% of identified initial infection vectors.
Exploits and Entry Points
The latest Mandiant M-Trends 2025 report highlights something that’s always been true in cybersecurity: attackers are quick to seize any opportunity. Whether it’s jumping on newly discovered vulnerabilities, using credentials leaked on the dark web, or capitalising on overlooked security gaps in cloud migrations and internal data stores, threat actors continue to adapt and strike. This adaptability is reflected in the industries most frequently investigated by Mandiant in 2024: The top targeted industries included financial services (17.4%), business and professional services (11.1%), high tech (10.6%), government (9.5%), and healthcare (9.3%).
Initial Access Is Evolving
For years, phishing was the go-to method for initial access, but the M-Trends 2025 report points to a clear shift. Stolen credentials have overtaken phishing as the second most common way in, rising to 16% from 10% the year before. This jump is closely tied to the rise of infostealer malware, which quietly harvests user data - including corporate credentials - from personal or contractor devices that often sit outside the organisation’s defences. These credentials are then traded on underground markets, giving attackers a much simpler way in.
Exploitation, while slightly down from 38% to 33% of initial access vectors, remains dominant. Attackers frequently target edge devices, with vulnerabilities in platforms like Palo Alto Networks PAN-OS, Ivanti Connect Secure VPN, and Fortinet FortiClient EMS being among the most exploited in 2024. Many of these were exploited as zero-days, showcasing the speed and sophistication of attackers, including suspected state-sponsored groups from Russia and China.
Perhaps one of the most startling trends is the emergence of insider threats as a significant initial vector, accounting for 5% of identified cases. This is almost entirely driven by the sophisticated campaign involving North Korean (DPRK) IT workers who use stolen or fabricated identities to gain employment, funnelling earnings back to the regime and embedding a potential high-privilege threat within organisations.
How Attackers Are Targeting Cloud Environments
As organisations accelerate cloud adoption, attackers are adapting their tactics accordingly. Cloud environments featured in more breaches investigated by Mandiant in 2024 than ever before. While cloud platforms offer strong security controls, attackers are skilled at exploiting weaknesses, especially around identity and access management (IAM) and integrations with on-prem systems.
Initial access into cloud environments often mirrors broader trends, with phishing (39%) and stolen credentials (35%) being the most common vectors observed in cloud compromises. Attackers target federated identity providers and SSO portals, recognising them as centralised points of access. Compromising an on-premises directory service used to manage cloud identities, for example, can provide a direct pathway into the cloud.
Weak identity practices are frequently abused. This includes insufficient MFA protection on privileged accounts, easily bypassed MFA methods (like SMS or push notifications susceptible to AiTM attacks or MFA fatigue), and insecure self-service password reset portals. Threat actors like UNC3944 exemplify this, using social engineering to compromise accounts, manipulate SSO solutions to gain broad access, and ultimately deploy ransomware or exfiltrate data from cloud resources. Improperly secured integrations between cloud and on-prem systems also create pivot points for attackers, allowing them to traverse environments by abusing trusted service infrastructure or network connections.
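To show the MFA fatigue pattern above from the defender's side, here is an added example (my code, not the report's or any vendor's) that flags a push approval preceded by a burst of rejected or timed-out pushes in a constructed sign-in log; the log format, field names and thresholds are assumptions to map onto your identity provider's export.

```python
"""Flag MFA-fatigue (push bombing) patterns in authentication logs.

Added example, not from the M-Trends report or vendor tooling. The log format,
field names and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<UTC timestamp> <user> <push result> <source ip>"
SAMPLE_LOG = [
    "2024-06-01T02:10:05Z alice push_denied 203.0.113.7",
    "2024-06-01T02:11:30Z alice push_denied 203.0.113.7",
    "2024-06-01T02:13:02Z alice push_timeout 203.0.113.7",
    "2024-06-01T02:15:48Z alice push_denied 203.0.113.7",
    "2024-06-01T02:18:40Z alice push_approved 203.0.113.7",
    "2024-06-01T09:00:10Z bob push_denied 198.51.100.4",
    "2024-06-01T09:00:45Z bob push_approved 198.51.100.4",
    "2024-06-01T10:30:00Z carol push_approved 192.0.2.9",
]

@dataclass
class Event:
    ts: datetime
    user: str
    result: str   # push_denied, push_timeout or push_approved (assumed values)
    ip: str

def parse_line(line):
    ts, user, result, ip = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip)

def find_push_bombing(lines, window=timedelta(minutes=10), min_rejections=3):
    """Return (user, ip, rejections_before_approval, approval_time) for every
    approval preceded by at least `min_rejections` denied or timed-out pushes
    for the same user within `window`: a user worn down by unsolicited prompts
    finally tapping Approve. Bob's single mis-tap below does not trigger it."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    alerts = []
    for ev in events:
        if ev.result != "push_approved":
            continue
        rejected = [p for p in events
                    if p.user == ev.user
                    and p.result in ("push_denied", "push_timeout")
                    and ev.ts - window <= p.ts < ev.ts]
        if len(rejected) >= min_rejections:
            alerts.append((ev.user, ev.ip, len(rejected), ev.ts.isoformat()))
    return alerts
```

A hit is a prompt to check the approving session's source IP and device against the user's history, not proof of compromise on its own.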
The Persistent Problem of Unsecured Data Repositories
While organisations focus on perimeter defence and sophisticated threats, a fundamental vulnerability often goes overlooked: unsecured internal data repositories. Platforms like SharePoint, Confluence, Jira, and internal code repositories frequently become dumping grounds for sensitive information, including credentials, API keys, private keys, intellectual property, and PII, often accessible with standard employee privileges.
Attackers, from financially motivated groups like FIN11 and UNC3944 to espionage actors like APT29, actively target these repositories to steal valuable data for extortion or intelligence gathering, or simply to find network diagrams and documentation to facilitate their intrusion. This underscores the urgent need for a shift towards data-centric security, focusing on inventory, classification, access control, and lifecycle management for internal data stores.
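As an added example of the inventory step for internal data stores (my code, not Mandiant's or the report's), a minimal secret scan over constructed wiki pages and repository files; the sample content, paths and detection patterns are assumptions, and the AWS key shown is Amazon's published example key rather than a real credential.

```python
"""Scan internal documents and repository files for leaked secrets.

Added example, not from the M-Trends report or any Mandiant tooling. The
sample documents and the patterns are assumptions chosen for illustration.
"""
import re

# Constructed sample content standing in for SharePoint/Confluence pages and
# repository files. The AWS key is Amazon's documented example key, not real.
SAMPLE_DOCS = {
    "wiki/Onboarding.md": "Welcome!\nVPN password: Summer2024!\nAsk IT for an account.\n",
    "repo/config/settings.ini": (
        "[aws]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "repo/deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...(truncated)...\n",
    "wiki/Network.md": "Core switch is 10.0.0.1; diagram attached.\n",
}

# Detection patterns keyed by finding type (deliberately simple; tune for your data).
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\b\s*[:=]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[a-z0-9._\-]{20,}"),
}

def scan_documents(docs):
    """Return sorted (path, line_number, finding_type) tuples.

    Only the location and type are reported; the matched secret itself is never
    copied into the findings, so the scan report does not become a new leak.
    """
    findings = []
    for path, text in sorted(docs.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in sorted(PATTERNS.items()):
                if pattern.search(line):
                    findings.append((path, lineno, kind))
    return findings

def summarize(findings):
    """Count findings per document to prioritise which stores to clean up first."""
    counts = {}
    for path, _, _ in findings:
        counts[path] = counts.get(path, 0) + 1
    return counts
```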
Ransomware and Extortion Evolve
Ransomware and extortion remain dominant forces, involved in 21% of Mandiant investigations in 2024. The tactics continue to evolve, with a clear trend towards multifaceted extortion – stealing sensitive data before deploying ransomware to increase leverage during negotiations. The ransomware landscape itself saw shifts, with the RANSOMHUB RaaS operation becoming highly prolific, taking over the top spot from LockBit following law enforcement disruption efforts. RANSOMHUB was also tied for the most frequently observed ransomware in Mandiant’s 2024 investigations.
Defending Against the Opportunistic Attacker
The M-Trends 2025 report paints a picture of an adaptive and opportunistic adversary. Defending against these threats requires a multi-layered, proactive approach. Key recommendations echo throughout the report:
- Strengthen Identity Security: Strong identity verification and access control are key. Implement phishing-resistant MFA (like FIDO2) universally, especially for privileged accounts. Secure MFA registration processes, limit session durations, and use conditional access policies. Protect against credential reuse and integrate threat intelligence for compromised credential detection.
- Secure Cloud and Hybrid Environments: Isolate privileged cloud accounts from on-prem directories (and vice-versa). Segment networks (microsegmentation) and strictly control access to/from trusted service infrastructure. Adopt zero-trust principles.
- Enhance Visibility: Ensure comprehensive logging across cloud and on-prem environments, focusing on identity, data access, network flow, and administrative actions. Centralise logs and use them for proactive threat hunting.
- Adopt Data-Centric Security: Inventory and classify sensitive data, implement robust, least-privilege access controls, encrypt data at rest and in transit, audit repositories regularly, and manage the data lifecycle to remove unnecessary information. Consider DLP solutions.
- Maintain Foundational Hygiene: Continue rigorous vulnerability management, system hardening, regular security assessments, threat modeling and comprehensive employee awareness training.
Attackers will always seek the path of least resistance. By understanding the trends highlighted in the M-Trends 2025 report and implementing robust, layered defences focused on identity, data, and visibility across the entire hybrid environment, organisations can significantly raise the bar and reduce the opportunities for attackers to succeed.