Report on CrowdStrike Security: Social Engineering Attacks Fueled by AI Creation


According to CrowdStrike’s 2025 Global Threat Report, phishing has become less prevalent than in previous years. Threat actors are increasingly turning to the takeover of genuine accounts through social engineering tactics such as vishing (voice phishing), callback phishing, and help desk social engineering.

We are in what CrowdStrike calls the era of “the enterprising adversary,” in which malware-as-a-service and criminal ecosystems have replaced the traditional picture of the lone threat actor. Attackers now favor legitimate remote management and monitoring tools over conventional malware.

Exploitation of Generative AI by Threat Actors

Threat actors have begun leveraging generative AI to construct phishing emails and execute various social engineering attacks. CrowdStrike’s investigation revealed threat actors utilizing generative AI for multiple purposes:

  • Developing fictitious LinkedIn profiles for hiring-related schemes like those attributed to North Korea.
  • Producing deepfake video and voice doppelgangers to perpetrate fraud.
  • Propagating misinformation on social media platforms.
  • Running mass spam email campaigns.
  • Scripting code and shell commands.
  • Crafting exploits.

Some threat actors were specifically focused on breaching LLMs, especially models hosted on Amazon Bedrock.

Nation-State Actors Linked to China and North Korea Highlighted by CrowdStrike

China continues to be a significant nation-state of interest, with emerging China-related groups in 2025 and a 150% surge in cyberespionage activities. Industries under highly targeted attacks, such as financial services, media, manufacturing, and engineering, saw spikes of up to 300%. Chinese adversaries escalated their activities in 2024 compared to the previous year, as reported by CrowdStrike.

North Korean threat actors conducted prominent operations, including fraudulent IT worker schemes used to raise funds.

Preference of Threat Actors for Legitimate-Looking Entry Points

According to CrowdStrike, 79% of attacks do not require malware; instead, identity or access theft attacks exploit legitimate accounts to infiltrate their targets.

Valid accounts were the primary gateway for attackers to initiate cloud intrusions in 2024; in fact, valid accounts served as the initial route for 35% of cloud incidents in the first half of the year.

Interactive intrusion is on the rise: attackers mimic, or socially engineer individuals into performing, keyboard actions that appear legitimate. Attackers may deceive genuine users through phone-based social engineering, such as impersonating IT help desk personnel (often spoofing Microsoft) or demanding fake fees or overdue payments.

CrowdStrike advised the following measures to counter help desk social engineering:

  • Mandate video authentication along with government identification for employees calling for self-service password resets.
  • Train help desk staff to be vigilant when handling password and MFA reset requests made outside regular business hours or during a sudden surge in requests.
  • Implement non-push-based authentication factors like FIDO2 to bolster account security.
  • Monitor instances where multiple users register the same device or phone number for MFA.
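To show how the last two of these controls can be turned into detection logic, here is an added Python example (not CrowdStrike’s code and not from the report): it flags MFA enrollments in which one phone number or device is registered by several distinct users, and password/MFA reset requests that arrive outside business hours or in a burst. The log format, field names, business-hours window and thresholds are assumptions chosen for the example, and the log lines are constructed sample data.

```python
"""Detection helpers for help desk social engineering controls (added example,
not CrowdStrike's code). Log format, field names, business hours and
thresholds are assumptions; the sample log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA enrollment events: timestamp, user, factor type, identifier.
MFA_ENROLLMENTS = """\
2025-03-03T09:12:04Z alice phone +15550100
2025-03-03T09:40:11Z bob phone +15550101
2025-03-04T22:05:30Z carol phone +15550100
2025-03-04T22:07:02Z dave phone +15550100
2025-03-05T10:15:00Z erin device dev-7f3a
2025-03-05T10:16:00Z frank device dev-7f3a
"""

# Constructed sample help desk reset requests: timestamp, user, request type.
RESET_REQUESTS = """\
2025-03-06T10:02:00Z alice password_reset
2025-03-06T14:30:00Z bob mfa_reset
2025-03-06T23:45:00Z carol mfa_reset
2025-03-07T03:10:00Z dave password_reset
2025-03-07T03:12:00Z erin mfa_reset
2025-03-07T03:14:00Z frank mfa_reset
2025-03-07T03:15:00Z grace mfa_reset
"""

BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 UTC; an assumption for the example


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _records(log):
    return [line.split() for line in log.splitlines() if line.strip()]


def shared_mfa_identifiers(log, min_users=2):
    """Return {"factor:identifier": sorted users} for every phone number or
    device registered as an MFA factor by at least `min_users` distinct users."""
    users_by_id = defaultdict(set)
    for _ts, user, factor, ident in _records(log):
        users_by_id[(factor, ident)].add(user)
    return {
        f"{factor}:{ident}": sorted(users)
        for (factor, ident), users in users_by_id.items()
        if len(users) >= min_users
    }


def off_hours_resets(log):
    """Return (user, request type) for reset requests made outside business hours."""
    return [
        (user, kind)
        for ts, user, kind in _records(log)
        if parse_ts(ts).hour not in BUSINESS_HOURS
    ]


def reset_bursts(log, window=timedelta(minutes=10), threshold=3):
    """Return one list of users per burst: a run of reset requests in which at
    least `threshold` requests fall inside any sliding `window`."""
    events = sorted((parse_ts(ts), user) for ts, user, _kind in _records(log))
    flagged, start = set(), 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        if end - start + 1 >= threshold:
            flagged.update(range(start, end + 1))
    runs = []  # group flagged event indexes into contiguous bursts
    for i in sorted(flagged):
        if runs and i == runs[-1][-1] + 1:
            runs[-1].append(i)
        else:
            runs.append([i])
    return [[events[i][1] for i in run] for run in runs]


if __name__ == "__main__":
    print("shared MFA identifiers:", shared_mfa_identifiers(MFA_ENROLLMENTS))
    print("off-hours resets:", off_hours_resets(RESET_REQUESTS))
    print("reset bursts:", reset_bursts(RESET_REQUESTS))
```

On the sample data the phone number +15550100 is shared by three users and device dev-7f3a by two, five reset requests fall outside the 08:00-17:59 window, and the four requests between 03:10 and 03:15 form a single burst. In production these rules would run over the identity provider’s audit log and feed a help desk review queue rather than block requests outright, since a shared device can be legitimate (shared shift phones) and the burst threshold needs tuning to the organization’s normal reset volume.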


Data disclosure can be a double-edged sword: some attackers used “publicly accessible vulnerability research — such as disclosures, technical blogs, and proof-of-concept (POC) exploits — to further their malevolent activities,” CrowdStrike noted.

The past year saw a surge in access brokers who specialize in selling breached access to ransomware operators and other threat actors. Advertisements for such access rose nearly 50% compared with 2023.

Recommendations for Securing Your Organization

CrowdStrike recommends that organizations:

  • Ensure comprehensive coverage of their identity system with phishing-resistant MFA solutions.
  • Acknowledge the cloud as fundamental infrastructure and fortify its defenses accordingly.
  • Implement contemporary detection and response strategies.
  • Routinely update or patch critical systems.
