Huntress 2025 Cyber Threat Report: Key Trends and Industry Impact (Part 2 of 2)
Inside the Cybercriminal Playbook: Identity Threats and Modern Phishing Tactics
Part 2 of the Huntress 2025 Cyber Threat Report: when hackers work, how they hijack identities and inboxes, and the phishing tricks that defined 2024.
Part 2 of the Huntress 2025 report shifts from malware to the human side of attacks - when hackers operate, how they take over identities and inboxes, and how phishing has grown up.
Where Part 1 covered ransomware and malware, this installment digs into behavior. The picture that emerges is of a professional operation: attackers working predictable hours, quietly rewriting inbox rules to hide their tracks, and dressing phishing up as the everyday services your team already trusts. For a small or midsize business, that means the old "block the bad attachment" mindset is no longer enough.
When and How Hackers Work
Cybercrime increasingly runs like a day job.
Hands-on-keyboard activity peaked between 12:00 and 20:00 UTC - roughly 7 a.m. to 5 p.m. Eastern - so attackers blend into normal US business-hours traffic.
Huntress separated automated attacks from hands-on-keyboard (HOK) activity, where a human operator is actively working inside a network. HOK activity clustered in specific months - February, June, July, and November - and inside the US East Coast workday, letting attackers hide among legitimate logins. Once inside, their actions were consistent and methodical.
- Domain enumeration - 18.6%. Mapping the network to find what is worth taking.
- Lateral movement - 17%. Hopping between systems to reach higher-value targets.
- Tool execution - 14.1%. Running attacker utilities once inside.
- Credential dumping - 8.6%. Harvesting stored passwords and hashes.
- Data exfiltration - 7.1%. Moving stolen data out of the environment.
Identity and Inbox Attacks
The account, not the endpoint, is now the target.
Attackers stole session tokens to sidestep passwords and MFA, then rewrote inbox rules to quietly hide their activity from the real user.
As businesses moved to cloud services and remote work, identity became the front door. Two patterns stood out. First, malicious inbox rules: after compromising a mailbox, attackers created rules to bury evidence where the owner would not look. Second, token theft - stealing an authenticated session so the attacker never needs the password again. Huntress flagged those stolen sessions by the mismatches they create.
- Inbox rules that hide mail. Over 50% of malicious rules moved messages to the RSS Feeds folder; 35.4% to Conversation History; smaller shares marked mail read (8%) or read-and-deleted (1.9%).
- Stolen-token tells. OS mismatch (36.1%), VPN inconsistencies (28.9%), browser mismatches (27.8%), and location discrepancies (7.2%) flagged hijacked sessions.
- VPNs to mask the source. NordVPN appeared in 20% of incidents, SurfEasy and ExpressVPN together in 23.6%, with Meson Network emerging (3.9%) and Tor fading (under 2%).
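Both tells above lend themselves to a simple hunt over Microsoft 365 audit data. The following Python is an added example written for this article; it is not Huntress or CinchOps code. It assumes a simplified, flattened event shape: inbox-rule events carry the `Operation` and `Parameters` fields that Exchange Online audit records use for `New-InboxRule` and `Set-InboxRule` (the parameter names `MoveToFolder`, `MarkAsRead`, `DeleteMessage`, `Name` and `Identity` are the real cmdlet parameters), while sign-in and activity events are assumed to have already been enriched with `SessionId`, `os`, `browser` and `country` fields, as a SIEM would do from the user agent and IP. All sample events are constructed.

```python
"""Hunt for two identity-attack tells over Microsoft 365 audit-style events:
inbox rules that hide mail, and sessions whose attributes change mid-stream.
Sample events are constructed for this example; field layout is simplified."""
from collections import defaultdict

# Folders the report associates with evidence-hiding rules (compared lowercase).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history"}
# Rule flags that make mail disappear from the owner's view.
HIDING_FLAGS = ("MarkAsRead", "DeleteMessage")
# Attributes that should stay constant for one authenticated session.
SESSION_ATTRS = ("os", "browser", "country")

# Constructed sample events (assumption: enrichment already added os/browser/country).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "jane@example.com",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "jane@example.com",
     "Parameters": [{"Name": "Identity", "Value": "Invoices"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "UserLoggedIn", "UserId": "jane@example.com", "SessionId": "s-1001",
     "os": "Windows", "browser": "Edge", "country": "US"},
    {"Operation": "FileAccessed", "UserId": "jane@example.com", "SessionId": "s-1001",
     "os": "Linux", "browser": "Chrome", "country": "NL"},
    {"Operation": "UserLoggedIn", "UserId": "bob@example.com", "SessionId": "s-1002",
     "os": "macOS", "browser": "Safari", "country": "US"},
    {"Operation": "MailItemsAccessed", "UserId": "bob@example.com", "SessionId": "s-1002",
     "os": "macOS", "browser": "Safari", "country": "US"},
]


def rule_findings(event):
    """Return the reasons an inbox-rule event looks like evidence hiding ([] if none)."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
    reasons = []
    # Audit records may carry a folder path; compare only the leaf folder name.
    folder = params.get("MoveToFolder", "").replace("/", "\\").rsplit("\\", 1)[-1]
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{folder}'")
    for flag in HIDING_FLAGS:
        if params.get(flag, "").lower() == "true":
            reasons.append(f"sets {flag}")
    return reasons


def session_findings(events):
    """Group events by SessionId and report attributes that differ within one session."""
    by_session = defaultdict(list)
    for e in events:
        if "SessionId" in e:
            by_session[e["SessionId"]].append(e)
    findings = {}
    for sid, evs in by_session.items():
        for attr in SESSION_ATTRS:
            values = sorted({e[attr] for e in evs if attr in e})
            if len(values) > 1:  # one token, two different devices or locations
                findings.setdefault(sid, []).append((attr, values))
    return findings


def hunt(events):
    """Run both checks; returns {'rules': [(user, rule name, reasons)], 'sessions': {...}}."""
    flagged_rules = []
    for e in events:
        reasons = rule_findings(e)
        if reasons:
            params = {p["Name"]: p["Value"] for p in e["Parameters"]}
            name = params.get("Name") or params.get("Identity") or "?"
            flagged_rules.append((e["UserId"], name, reasons))
    return {"rules": flagged_rules, "sessions": session_findings(events)}


if __name__ == "__main__":
    for user, name, reasons in hunt(SAMPLE_EVENTS)["rules"]:
        print(f"RULE  {user}: '{name}' {', '.join(reasons)}")
    for sid, diffs in hunt(SAMPLE_EVENTS)["sessions"].items():
        print(f"TOKEN {sid}: {diffs}")
```

Run against real data, the rule check catches both the initial `New-InboxRule` and a later `Set-InboxRule` that quietly adds `DeleteMessage` to an existing rule, and the session check surfaces the OS, browser and location mismatches the report lists without needing the password or MFA event at all.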
How Phishing Evolved in 2024
Far past the obvious spoofed email.
Phishing leaned on trusted brands and formats - e-signature requests, image-only emails, and QR codes - to slip past filters and human suspicion alike.
Attackers combined social engineering with technical tricks to defeat both software and people. Below are the techniques Huntress saw most, ranked by share of phishing attacks.
| Technique | Share of attacks | How it works |
|---|---|---|
| E-signature impersonation | 28.8% | Fake DocuSign or Adobe requests, via spoofed emails or abuse of the real service |
| Image-based content | 23.9% | Whole email rendered as an image to dodge text-based filters |
| QR codes | 8.1% | Codes push victims to phishing sites on mobile, bypassing link scanners |
| Living off trusted sites | 7% | Abuse of legitimate file-sharing platforms users already trust |
| Voicemail luring | 4.9% | Fake voicemail alerts create urgency to click |
| Fake reply chains | 2.1% | Invented conversation history to fake legitimacy |
Phishing techniques by share of attacks - Huntress 2025 Cyber Threat Report.
The brands attackers hid behind were the ones your team sees daily: Microsoft led at 40% of impersonation incidents, DocuSign at 25%, with Dropbox, ShareFile, Adobe, Paychex, and Apple rounding out the list. Familiarity is the weapon.
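To show how three of the patterns in the table and the brand-impersonation finding above can be checked at the mail gateway, here is an added Python example using only the standard library `email` module; it is not code from Huntress, CinchOps or any product. The messages are constructed, the `MIN_TEXT_CHARS` threshold is an arbitrary choice, and the `EXPECTED_DOMAINS` map of brands to legitimate sending domains is an assumption that a real deployment would populate from its own observed mail.

```python
"""Triage checks for image-only bodies, QR-code lures and display-name brand
impersonation. Sample messages are constructed; EXPECTED_DOMAINS is assumed."""
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed brand -> legitimate sending domains. Tune from your own mail logs.
EXPECTED_DOMAINS = {
    "docusign": {"docusign.net", "docusign.com"},
    "microsoft": {"microsoft.com"},
    "dropbox": {"dropbox.com"},
}
MIN_TEXT_CHARS = 40  # less visible text than this plus an image => image-only


def visible_text(msg):
    """Best-effort visible text of the message (HTML tags stripped)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None:
        return ""
    text = body.get_content()
    if body.get_content_subtype() == "html":
        text = re.sub(r"<[^>]+>", " ", text)
    return " ".join(text.split())


def triage(msg):
    """Return a list of phishing-pattern findings for an EmailMessage ([] if none)."""
    findings = []
    images = [p for p in msg.walk() if p.get_content_maintype() == "image"]
    text = visible_text(msg)
    # Image-based content: the whole message is a picture, almost no text.
    if images and len(text) < MIN_TEXT_CHARS:
        findings.append("image-only body")
    # QR-code lure: an image named like a QR code, or text telling the reader to scan.
    if any("qr" in (p.get_filename() or "").lower() for p in images) or \
            re.search(r"\bqr code\b|\bscan (this|the) code\b", text, re.I):
        findings.append("qr-code lure")
    # Brand impersonation: display name claims a brand the sender domain does not back.
    display, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domains in EXPECTED_DOMAINS.items():
        if brand in display.lower() and not any(
                domain == d or domain.endswith("." + d) for d in domains):
            findings.append(f"display name claims {brand} but sender domain is {domain}")
    return findings


def build_sample(from_hdr, subject, text, image_name=None):
    """Construct a sample message; the PNG bytes are a placeholder header only."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(text)
    if image_name:
        m.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image",
                         subtype="png", filename=image_name)
    return m


# Constructed samples: a fake e-signature request, a QR "re-enrollment" lure, a normal mail.
SAMPLES = [
    build_sample('"DocuSign" <docs@mail-sign-example.test>', "Please review",
                 "See attached.", "document.png"),
    build_sample("IT Helpdesk <helpdesk@example.com>", "MFA re-enrollment",
                 "Scan the code below to re-enroll your authenticator.", "qr.png"),
    build_sample("Alice <alice@example.com>", "Lunch",
                 "Are we still on for lunch tomorrow at noon? Let me know."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["Subject"], "->", triage(m) or "clean")
```

These heuristics are deliberately coarse: a real filter would also verify authentication results (SPF, DKIM, DMARC) for the claimed brand and decode any QR image to inspect the embedded URL, but the structure of the checks, text-to-image ratio, scan-me language, and display name versus sender domain, is what catches the three techniques in practice.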
Defend Identities and Inboxes, Not Just Endpoints
CinchOps adds identity threat detection, inbox-rule monitoring, and layered phishing protection to catch exactly the attacks in this report - as part of everyday cybersecurity and managed IT.
How CinchOps Helps Secure Your Business
CinchOps is a Katy, Texas managed IT services provider serving businesses across the Houston metro, defending against exactly the identity and phishing tactics this report describes.
- Identity threat detection and response. Spotting hijacked sessions from the OS, VPN, and browser mismatches Huntress describes.
- Inbox-rule monitoring. Real-time alerts on the suspicious mailbox rules attackers use to hide.
- Multi-layered phishing protection. Filtering that accounts for image-only emails, QR codes, and brand impersonation.
- 24/7 security monitoring. Coverage aligned to the business-hours window when hands-on attackers are most active.
Do not let a trusted logo become your weak point. Contact CinchOps to keep your security posture ahead of these tactics.
The most striking thing in this report is not a new exploit - it is how ordinary the attacks look. Business-hours logins, DocuSign requests, Microsoft prompts. Defending a modern business means watching behavior and identity, because the malware is not always the point anymore.
Frequently Asked Questions
What is the Huntress 2025 Cyber Threat Report?
It is Huntress's annual analysis of threats observed across its customer base during 2024. This article covers Part 2 - attacker behavior, identity-based attacks, and phishing trends. Part 1 covers ransomware and malware findings.
When are hackers most active?
According to the report, hands-on-keyboard activity peaked between 12:00 and 20:00 UTC - roughly 7 a.m. to 5 p.m. Eastern - so attacker actions blend into normal US business-hours traffic. Activity also clustered in February, June, July, and November.
What are malicious inbox rules?
After compromising a mailbox, attackers create email rules to hide their activity from the real owner. Over half of the malicious rules Huntress saw moved messages into the RSS Feeds folder, and about a third into Conversation History - places users rarely check.
What phishing techniques were most common in 2024?
E-signature impersonation led at 28.8% (mainly DocuSign and Adobe), followed by image-based emails (23.9%), QR codes (8.1%), abuse of trusted file-sharing sites (7%), voicemail lures (4.9%), and fake reply chains (2.1%). Microsoft and DocuSign were the most-impersonated brands.
How can a business defend against these attacks?
Go beyond antivirus. Add identity threat detection to catch stolen sessions, monitor for suspicious inbox rules, deploy phishing protection that handles image and QR lures, and run 24/7 monitoring. A managed IT and security partner can combine these layers.