Inside CyberCX’s 2025 DFIR Report: MFA Failures and Espionage Risks Revealed

The DFIR 2025 Threat Report from CyberCX offers a firsthand view of how cyber adversaries adapted and accelerated their tactics in 2024. Covering incidents across Australia, New Zealand, North America, and Europe, the report delivers insights rooted in active response to breaches spanning industries such as healthcare, education, telecommunications, and finance.

Rising Threats: Cloud Infrastructure Under Siege

A defining feature of the threat landscape is the pivot toward cloud-based attacks. Cyber adversaries increasingly leveraged legitimate tools and services to maintain persistence and evade detection, exploiting gaps in remote monitoring and endpoint defenses. The failure of Endpoint Detection and Response (EDR) systems—either through misconfiguration, incomplete deployment, or lack of monitoring—was highlighted as a critical weakness in about a third of cyber extortion cases.

Espionage Threats: The Long Game of Cyber Intrusions

State-sponsored cyber espionage incidents continued to challenge traditional security measures. According to the report, espionage attacks in 2024 remained undetected for an average of 403.8 days, a figure significantly longer than the 23.7-day average detection time for financially motivated breaches.

These operations often involved sophisticated credential harvesting tactics such as modifying web login pages or sideloading malicious payloads through signed legitimate binaries. In some cases, malicious webshells remained dormant on servers for years before detection, revealing systemic issues in network monitoring and vulnerability management.

Cyber Extortion: Evolving Beyond Double Extortion

Cyber extortion remained a persistent risk, though its methods diversified. While data theft extortion cases declined compared to 2023, likely due to fewer mass exploitation events, ransomware-only attacks surged. The report noted that 24 percent of victims who refused ransom payments never had their data published, complicating risk calculations for breach response teams.

New trends included the use of custom PowerShell uploader scripts across multiple ransomware groups and a marked increase in the use of cloud storage services like Mega for exfiltration activities. The decreased reliance on traditional Command and Control frameworks like Cobalt Strike further reflects an environment where attackers favor living-off-the-land tactics and legitimate administrative tools.

Business Email Compromise: Phishing Kits Fuel MFA Bypass

Business Email Compromise (BEC) was the leading type of cyber incident, accounting for 28 percent of cases investigated. Alarmingly, 75 percent of BEC attacks involved session hijacking to bypass multi-factor authentication, a steep rise from 38.5 percent in 2023.

This increase is attributed to the spread of sophisticated Phishing-as-a-Service (PhaaS) kits such as EvilProxy, Tycoon, and Rockstar. These kits lowered the technical barrier for attackers, enabling widespread credential theft, even against organizations with advanced defenses like Conditional Access policies and VPN MFA enforcement.

Compromised email accounts were typically leveraged either to launch additional phishing campaigns or to facilitate fraudulent invoice transactions, exposing victims and their clients to substantial financial risks. Average detection time for BEC attacks rose back to 19.36 days, reflecting the stealthier techniques now in play.

Third-Party Breaches: Supply Chain Risks Grow

Third-party compromises continued to plague organizations in 2024, often in ways that left them with limited control or visibility. Cases documented in the report ranged from deleted AWS production databases by former service providers to malware introduced through infected USB devices handled by third-party technicians.

Managed service providers (MSPs) and poorly governed SaaS environments emerged as particularly vulnerable points of entry, underlining the need for rigorous vendor management, continuous access reviews, and segmented network architectures.

Sector Impacts: Healthcare at the Epicenter

The healthcare sector topped the list of targeted industries, accounting for 17 percent of incidents. Financial services and education followed closely. Sensitive data exposure and the operational criticality of healthcare services made organizations in this sector particularly attractive to both extortion groups and espionage actors.

In one case, the Sphinx ransomware group not only exfiltrated healthcare data but also launched direct extortion attempts against both staff and patients after failing to secure a ransom from the victim organization—a troubling evolution in post-breach adversary behavior.

Moving Forward: Building Resilience Against Evolving Threats

The CyberCX report closes with clear recommendations for building better defenses. Application control measures, beyond simply deploying EDR, are emphasized as essential for restricting attacker movement within compromised environments. Hardware-based phishing-resistant MFA is recommended to counter the rising tide of session hijacking attacks.
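Added example (not from the report or this article): a small Python model of why the session relay behind the BEC cases above defeats OTP-style MFA, and why the origin-bound assertions used by hardware phishing-resistant MFA do not. The origins, the `RelyingParty` class and the HMAC stand-in for a public-key signature are assumptions of the model, not anything the report describes.

```python
import hmac
import os

# Constructed origins for the model; not taken from the report.
REAL_ORIGIN = "https://login.example-corp.test"
PROXY_ORIGIN = "https://login.example-corp.test.phish.test"

class RelyingParty:
    """Hypothetical login server; HMAC stands in for the security key's public-key signature."""

    def __init__(self):
        self.otp_secret = os.urandom(16)  # seed behind the user's authenticator-app code
        self.device_key = os.urandom(32)  # registered security key (a shared secret in this model)

    def current_otp(self):
        # A code the user reads off an app: valid for whoever submits it, regardless of origin.
        return hmac.new(self.otp_secret, b"window-1", "sha256").hexdigest()[:6]

    def login_with_otp(self, password_ok, otp):
        if password_ok and hmac.compare_digest(otp, self.current_otp()):
            return os.urandom(8).hex()  # session token
        return None

    def login_with_assertion(self, challenge, client_origin, signature):
        # WebAuthn-style check: the reported origin is inside the signed data and must be our own.
        expected = hmac.new(self.device_key, challenge + client_origin.encode(), "sha256").digest()
        if client_origin == REAL_ORIGIN and hmac.compare_digest(signature, expected):
            return os.urandom(8).hex()  # session token
        return None

def authenticator_sign(rp, challenge, browser_origin):
    """The security key signs the challenge with the origin of the page the browser is on."""
    return hmac.new(rp.device_key, challenge + browser_origin.encode(), "sha256").digest()

def honest_assertion_login(rp):
    challenge = os.urandom(16)
    return rp.login_with_assertion(challenge, REAL_ORIGIN, authenticator_sign(rp, challenge, REAL_ORIGIN))

def relayed_otp_login(rp):
    # A proxy page that forwards the user's password and OTP ends up holding a valid session.
    return rp.login_with_otp(True, rp.current_otp())

def relayed_assertion_login(rp):
    # The proxy forwards the challenge unchanged, but the browser sits on the proxy's origin,
    # so the signed origin is PROXY_ORIGIN and the server rejects the assertion.
    challenge = os.urandom(16)
    return rp.login_with_assertion(challenge, PROXY_ORIGIN, authenticator_sign(rp, challenge, PROXY_ORIGIN))
```

The relayed OTP login returns a token while the relayed assertion returns `None`, which is the property the report's "phishing-resistant" recommendation relies on.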

Strategic Threat Assessments, Red Team engagements, and Dark Web Monitoring are among the strategies urged for organizations serious about countering modern threat actor tradecraft. For legal teams and compliance professionals, the findings reinforce the importance of breach readiness, incident response planning, and updated third-party risk governance.

The threat environment of 2024 showed that detection times remain dangerously long, critical controls are too often misconfigured, and threat actors are adept at exploiting organizational blind spots.

As 2025 unfolds, organizations must realize that stopping session hijacking is not just a technical battle—it’s a readiness imperative. Attackers have adapted. The question now is whether defenders are willing to evolve faster than the threats they face.

Assisted by GAI and LLM Technologies

Source: HaystackID published with permission of ComplexDiscovery OÜ
