Shane

Huntress 2025 Cyber Threat Report: Key Trends and Industry Impact (Part 2 of 2)

Inside the Cybercriminal Playbook: Identity Threats and Modern Phishing Tactics

Threat Report
The Attackers in the Huntress Report Kept East Coast Business Hours. And Their Phishing Wore Familiar Logos.

Part 2 of the Huntress 2025 Cyber Threat Report: when hackers work, how they hijack identities and inboxes, and the phishing tricks that defined 2024.

TL;DR
Part 2 of the Huntress 2025 Cyber Threat Report looks at attacker behavior, identity attacks, and phishing across 2024. Hands-on-keyboard activity clustered in 12:00-20:00 UTC - US East Coast business hours - with domain enumeration and lateral movement leading the way. Identity attacks leaned on malicious inbox rules (over half hid mail in RSS Feeds folders) and stolen session tokens flagged by OS, VPN, and browser mismatches. Phishing moved past plain email spoofing into e-signature impersonation (28.8%), image-only emails (23.9%), and QR codes (8.1%), with Microsoft (40%) and DocuSign (25%) the most-impersonated brands. The takeaway for businesses: your defenses need to cover identity and email behavior, not just malware.

Part 2 of the Huntress 2025 report shifts from malware to the human side of attacks - when hackers operate, how they take over identities and inboxes, and how phishing has grown up.

Where Part 1 covered ransomware and malware, this installment digs into behavior. The picture that emerges is of a professional operation: attackers working predictable hours, quietly rewriting inbox rules to hide their tracks, and dressing phishing up as the everyday services your team already trusts. For a small or midsize business, that means the old "block the bad attachment" mindset is no longer enough.

The through-line: 2024's most effective attacks did not break your software - they impersonated your trust. Defending against them means watching identities, sessions, and inbox behavior, not just files.

When and How Hackers Work

Cybercrime increasingly runs like a day job.

Hands-on-keyboard activity peaked between 12:00 and 20:00 UTC - roughly 7 a.m. to 5 p.m. Eastern - so attackers blend into normal US business-hours traffic.

Huntress separated automated attacks from hands-on-keyboard (HOK) activity, where a human operator is actively working inside a network. HOK activity clustered in specific months - February, June, July, and November - and inside the US East Coast workday, letting attackers hide among legitimate logins. Once inside, their actions were consistent and methodical.

[Infographic: Huntress 2025: How Attackers Operate - 12-20 UTC peak (US business hours); 18.6% domain enumeration; 28.8% e-signature phishing; 40% impersonate Microsoft]
Selected findings from the Huntress 2025 Cyber Threat Report (2024 data).
  • Domain enumeration - 18.6%. Mapping the network to find what is worth taking.
  • Lateral movement - 17%. Hopping between systems to reach higher-value targets.
  • Tool execution - 14.1%. Running attacker utilities once inside.
  • Credential dumping - 8.6%. Harvesting stored passwords and hashes.
  • Data exfiltration - 7.1%. Moving stolen data out of the environment.

Identity and Inbox Attacks

The account, not the endpoint, is now the target.

Attackers stole session tokens to sidestep passwords and MFA, then rewrote inbox rules to quietly hide their activity from the real user.

As businesses moved to cloud services and remote work, identity became the front door. Two patterns stood out. First, malicious inbox rules: after compromising a mailbox, attackers created rules to bury evidence where the owner would not look. Second, token theft - stealing an authenticated session so the attacker never needs the password again. Huntress flagged those stolen sessions by the mismatches they create.

  • Inbox rules that hide mail. Over 50% of malicious rules moved messages to the RSS Feeds folder; 35.4% to Conversation History; smaller shares marked mail read (8%) or read-and-deleted (1.9%).
  • Stolen-token tells. OS mismatch (36.1%), VPN inconsistencies (28.9%), browser mismatches (27.8%), and location discrepancies (7.2%) flagged hijacked sessions.
  • VPNs to mask the source. NordVPN appeared in 20% of incidents, SurfEasy and ExpressVPN together in 23.6%, with Meson Network emerging (3.9%) and TOR fading (under 2%).
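One way a defender can turn these two patterns into checks, as an added example that is not from the Huntress report or CinchOps: it flags mailbox rules whose actions match the hiding behaviour above and compares a new session against a user's known OS, browser, country and VPN baseline. The rule dictionaries loosely mirror Microsoft Graph messageRule fields (displayName, actions, moveToFolder, markAsRead, delete), and all sample records are constructed.

```python
"""Flag the two identity-attack tells described above: inbox rules that hide mail and
sessions whose fingerprint does not match the user's baseline. Added example; rule dicts
loosely mirror Microsoft Graph messageRule fields, and all sample records are constructed."""

# Folders the report says attackers favour for burying mail (lower-cased for matching).
HIDING_FOLDERS = {"rss feeds", "conversation history"}

def flag_inbox_rule(rule):
    """Return why a mailbox rule looks like an attacker hiding mail ([] if benign)."""
    actions = rule.get("actions", {})
    reasons = []
    folder = actions.get("moveToFolder")
    if folder and folder.strip().lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{folder}'")
    if actions.get("markAsRead"):
        reasons.append("marks mail as read")
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes mail")
    return reasons

def session_anomalies(baseline, session):
    """Return the stolen-token tells for a session compared with the user's baseline."""
    checks = (("os", "OS mismatch"), ("browser", "browser mismatch"),
              ("country", "location discrepancy"))
    tells = [label for field, label in checks if session.get(field) != baseline.get(field)]
    vpn = session.get("vpn")  # exit-node provider, as a VPN/ASN lookup might label it
    if vpn and vpn not in baseline.get("known_vpns", set()):
        tells.append(f"VPN inconsistency ({vpn})")
    return tells

# Constructed sample data: one benign rule, two hiding rules; one normal and one hijacked session.
RULES = [
    {"displayName": "Project alerts", "actions": {"moveToFolder": "Projects"}},
    {"displayName": ".", "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
    {"displayName": "cleanup", "actions": {"markAsRead": True, "delete": True}},
]
BASELINE = {"os": "Windows", "browser": "Edge", "country": "US", "known_vpns": set()}
SESSIONS = [
    {"id": "s1", "os": "Windows", "browser": "Edge", "country": "US"},
    {"id": "s2", "os": "Linux", "browser": "Chrome", "country": "US", "vpn": "NordVPN"},
]

def review(rules=RULES, sessions=SESSIONS, baseline=BASELINE):
    """Return {rule name: reasons} and {session id: tells} for everything that fired."""
    bad_rules = {r["displayName"]: flag_inbox_rule(r) for r in rules if flag_inbox_rule(r)}
    bad_sessions = {s["id"]: session_anomalies(baseline, s)
                    for s in sessions if session_anomalies(baseline, s)}
    return bad_rules, bad_sessions
```

In practice the baseline comes from the user's recent successful sign-ins, and any non-empty result is an alert for an analyst, not an automatic block.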

How Phishing Evolved in 2024

Far past the obvious spoofed email.

Phishing leaned on trusted brands and formats - e-signature requests, image-only emails, and QR codes - to slip past filters and human suspicion alike.

Attackers combined social engineering with technical tricks to defeat both software and people. Below are the techniques Huntress saw most, ranked by share of phishing attacks.

  • E-signature impersonation - 28.8%. Fake DocuSign or Adobe requests, via spoofed emails or abuse of the real service.
  • Image-based content - 23.9%. Whole email rendered as an image to dodge text-based filters.
  • QR codes - 8.1%. Codes push victims to phishing sites on mobile, bypassing link scanners.
  • Living off trusted sites - 7%. Abuse of legitimate file-sharing platforms users already trust.
  • Voicemail luring - 4.9%. Fake voicemail alerts create urgency to click.
  • Fake reply chains - 2.1%. Invented conversation history to fake legitimacy.

Phishing techniques by share of attacks - Huntress 2025 Cyber Threat Report.

The brands attackers hid behind were the ones your team sees daily: Microsoft led at 40% of impersonation incidents, DocuSign at 25%, with Dropbox, ShareFile, Adobe, Paychex, and Apple rounding out the list. Familiarity is the weapon.
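For the phishing side, an added example (not from the report or CinchOps) that triages an inbound message for two of the techniques above: an image-only body, and a trusted brand in the sender display name that does not match the sending domain. The brand-to-domain map is an illustrative assumption rather than a complete list of legitimate sending domains, and the sample message is constructed.

```python
"""Triage an inbound message for two phishing patterns in the report: an image-only body
and a trusted brand in the sender name that does not match the sender domain. Added
example; the brand-to-domain map and the sample message are constructed for illustration."""
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed legitimate sending domains for brands the report lists (illustrative only).
BRAND_DOMAINS = {"microsoft": "microsoft.com", "docusign": "docusign.com",
                 "dropbox": "dropbox.com", "adobe": "adobe.com"}

def text_chars(msg):
    """Count readable characters across text parts (HTML tags stripped)."""
    total = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        if part.get_content_subtype() == "html":
            body = re.sub(r"<[^>]+>", " ", body)
        total += len(re.findall(r"[A-Za-z0-9]", body))
    return total

def phishing_tells(msg):
    """Return the tells found: 'image-only body' and/or '<brand> impersonation from <domain>'."""
    tells = []
    images = sum(1 for p in msg.walk() if p.get_content_maintype() == "image")
    if images and text_chars(msg) < 20:  # pictures but almost no text for a filter to read
        tells.append("image-only body")
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name.lower() and not (domain == legit or domain.endswith("." + legit)):
            tells.append(f"{brand} impersonation from {domain}")
    return tells

def sample_message():
    """Constructed lure: DocuSign display name, unrelated domain, body is just an image."""
    msg = EmailMessage()
    msg["From"] = "DocuSign <notify@mailer.example>"
    msg["Subject"] = "Completed: contract.pdf"
    msg.set_content('<html><body><img src="cid:page1"></body></html>', subtype="html")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png",
                       filename="page1.png")
    return msg
```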

Defend Identities and Inboxes, Not Just Endpoints

CinchOps adds identity threat detection, inbox-rule monitoring, and layered phishing protection to catch exactly the attacks in this report - as part of everyday cybersecurity and managed IT.


How CinchOps Helps Secure Your Business

CinchOps is a Katy, Texas managed IT services provider serving businesses across the Houston metro, defending against exactly the identity and phishing tactics this report describes.

  • Identity threat detection and response. Spotting hijacked sessions from the OS, VPN, and browser mismatches Huntress describes.
  • Inbox-rule monitoring. Real-time alerts on the suspicious mailbox rules attackers use to hide.
  • Multi-layered phishing protection. Filtering that accounts for image-only emails, QR codes, and brand impersonation.
  • 24/7 security monitoring. Coverage aligned to the business-hours window when hands-on attackers are most active.

Do not let a trusted logo become your weak point. Contact CinchOps to keep your security posture ahead of these tactics.

CinchOps cybersecurity for small and midsize businesses.
The most striking thing in this report is not a new exploit - it is how ordinary the attacks look. Business-hours logins, DocuSign requests, Microsoft prompts. Defending a modern business means watching behavior and identity, because the malware is not always the point anymore.
Shane Stevens, CEO, CinchOps

Frequently Asked Questions

What is the Huntress 2025 Cyber Threat Report?

It is Huntress's annual analysis of threats observed across its customer base during 2024. This article covers Part 2 - attacker behavior, identity-based attacks, and phishing trends. Part 1 covers ransomware and malware findings.

When are hackers most active?

According to the report, hands-on-keyboard activity peaked between 12:00 and 20:00 UTC - roughly 7 a.m. to 5 p.m. Eastern - so attacker actions blend into normal US business-hours traffic. Activity also clustered in February, June, July, and November.

What are malicious inbox rules?

After compromising a mailbox, attackers create email rules to hide their activity from the real owner. Over half of the malicious rules Huntress saw moved messages into the RSS Feeds folder, and about a third into Conversation History - places users rarely check.

What phishing techniques were most common in 2024?

E-signature impersonation led at 28.8% (mainly DocuSign and Adobe), followed by image-based emails (23.9%), QR codes (8.1%), abuse of trusted file-sharing sites (7%), voicemail lures (4.9%), and fake reply chains (2.1%). Microsoft and DocuSign were the most-impersonated brands.

How can a business defend against these attacks?

Go beyond antivirus. Add identity threat detection to catch stolen sessions, monitor for suspicious inbox rules, deploy phishing protection that handles image and QR lures, and run 24/7 monitoring. A managed IT and security partner can combine these layers.
