Red Canary has published its mid-year update to the 2025 Threat Detection Report, and the message is that threat actors are shifting tactics, and identity is the new battleground.
Based on detections gathered in the first half of the year, the update shows a marked rise in cloud and identity threats, along with troubling signs that even subtle user behaviour may now signal larger risks ahead.
Some threats are obvious. Others creep in, masked as routine.
Among the most striking findings is a 500% surge in Cloud Account detections compared to all of 2024.
According to Red Canary, much of the increase can be attributed to broader detection coverage and the use of AI agents tuned to spot suspicious logins and behavioural anomalies.
The shift is a reflection of how deeply cloud and identity-based infrastructure has become woven into business operations, and how adversaries are adapting in kind.
Unlike endpoint, where most of the data and context comes from a single source, cloud and identity threats demand correlation across fragmented systems, said Red Canary co-founder Keith McCammon. Security teams must move beyond endpoints, and toward platforms built for speed, scale, and nuance.
Cloud Techniques Crack the Top 10
Two new techniques, “Data from Cloud Storage” and “Disable or Modify Cloud Firewall”, have entered Red Canary’s list of the top 10 detected threats for the first time. Both indicate a rising focus on the grey zone between misconfiguration and malice.
Poorly secured AWS S3 buckets and open firewall rules continue to expose sensitive systems. In some cases, attackers used stolen credentials to manipulate settings. In others, it was human error, employees adjusting rules without fully understanding the implications.
In both cases, the result is the same: increased exposure, often without immediate detection.
Phishing: Low Yield, High Risk
Phishing remains a stubborn and evolving threat. But here, too, nuance plays a role. Of the tens of thousands of emails flagged as suspicious by users, only 16% turned out to be truly malicious. Still, Red Canary warns that this does not make phishing less dangerous, only more difficult to catch.
Attackers are growing more subtle. They now use tools like Google Translate to obscure content and trick filters. Convincing copy, legitimate-looking domains, and benign payloads mask the true intent: credential harvesting, access escalation, and network footholds.
The takeaway? Organisations must refine their ability to separate signal from noise. A false positive may be harmless. A missed one may be catastrophic.
Scarlet Goldfinch Takes Flight Again
Among other threats, Scarlet Goldfinch stands out. Where previously it snuck remote monitoring and management (RMM) tools onto victims’ machines, it has switched tactics. It used to lean on fake browser updates, but now uses fake CAPTCHA prompts to trick users into copying and pasting malicious code.
The tactic is simple, and the effect, devastating. It’s clear that bad actors are adjusting faster than defenders, and that social engineering remains their tool of choice.
Security, Reimagined
Red Canary’s midyear findings come with advice.
To combat the shifting threat landscape, the company recommends several key strategies:
- Enforce identity controls: Multi-factor authentication (MFA) and conditional access policies (CAP) help reduce unauthorised use of credentials.
- Harden cloud configurations: Regular audits, coupled with a zero-trust mindset, help ensure that storage and firewall settings do not expose internal assets.
- Improve user vigilance: Regular training can help users spot advanced phishing and social engineering tactics.
- Monitor VPNs and RMMs: Limiting these tools, and closely watching for anomalous usage patterns, helps catch lateral movement early.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.