Red Canary Report: Cloud, Identity Threats Surge in 2025

by: PR Newswire | August 6, 2025

Red Canary, a Zscaler company, has released a midyear update to its 2025 Threat Detection Report, shedding light on the rapidly evolving cybersecurity landscape. The report, based on extensive telemetry from customer environments, highlights a dramatic surge in cloud and identity-based threats, driven by advanced detection capabilities and adversaries’ innovative tactics.

Quick Intel

  • Cloud Account detections spiked nearly 500% in H1 2025.

  • New cloud techniques rank in Red Canary’s top 10 threats.

  • Only 16% of reported phishing emails are genuinely malicious.

  • Scarlet Goldfinch uses fake CAPTCHA for social engineering.

  • Identity and cloud security require robust, correlated detection.

  • MFA and cloud audits are critical to counter emerging risks.

Surge in Cloud and Identity Threats

The first half of 2025 saw a nearly 500% increase in Cloud Account detections, fueled by Red Canary’s enhanced identity security measures and AI-driven detection of unusual login patterns. These include logins from unrecognized devices, IP addresses, or VPNs, signaling risky behaviors that could precede breaches. "As organizations increasingly adopt cloud-based identity providers, infrastructure, and applications, our midyear update highlights the impact on threat detection," said Keith McCammon, Co-founder of Red Canary.

Emerging Cloud Techniques in Focus

Two new cloud-related techniques—Data from Cloud Storage and Disable or Modify Cloud Firewall—have entered Red Canary’s top 10 detected techniques. Misconfigured AWS S3 buckets and open ingress ports pose significant risks, whether exploited by adversaries using stolen credentials or inadvertently exposed by legitimate users. These findings underscore the need for vigilant cloud configuration management to prevent potential breaches.

Phishing Tactics Grow More Sophisticated

While phishing remains a critical threat vector, only 16% of user-reported phishing emails were confirmed malicious. Adversaries are leveraging legitimate services like Google Translate to craft convincing emails that evade traditional defenses. This sophistication highlights the importance of continuous user training and feedback loops to enhance phishing detection and response.

Scarlet Goldfinch’s Evolving Tactics

The Scarlet Goldfinch group, known for delivering malicious remote management tools, has shifted from fake browser updates to fake CAPTCHA paste-and-run techniques. This adaptation demonstrates adversaries’ ability to refine social engineering methods, making it critical for organizations to monitor and limit the use of remote management tools.

Strategies to Strengthen Cybersecurity

To counter these evolving threats, organizations should prioritize identity security with multi-factor authentication and conditional access policies. Regular audits of cloud infrastructure, robust phishing awareness programs, and behavioral analytics for VPN and RMM tools are essential to mitigate risks and enhance overall security posture.

The findings from Red Canary’s midyear update emphasize the need for adaptive, comprehensive cybersecurity strategies. By addressing both explicit threats and subtle risky behaviors, organizations can better protect their cloud and identity environments from sophisticated adversaries.


About Red Canary, a Zscaler Company

Red Canary is a leader in managed detection and response (MDR). We serve companies of every size and industry, focusing on finding and stopping threats before they can have a negative impact. As the security ally for nearly 1,000 organizations, we provide MDR across our customers' cloud workloads, identities, SaaS applications, networks, and endpoints.

About Zscaler

Zscaler accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange™ platform protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SASE-based Zero Trust Exchange™ is the world's largest in-line cloud security platform.
