
Huntress 2025 Cyber Threat Report: Key Trends and Industry Impact (Part 2 of 2)
Inside the Cybercriminal Playbook: Identity Threats and Modern Phishing Tactics
Key Findings from the Huntress 2025 Cyber Threat Report
Part 2: Hacker Activity, Identity Threats, and Phishing Trends
Following our first analysis of the Huntress 2025 Cyber Threat Report, this second installment examines hacker behavior patterns, identity-based attacks, and evolving phishing techniques observed throughout 2024.
Hacker Activity Analysis
Understanding when and how attackers operate provides crucial insights into defending against them. The Huntress report revealed distinct patterns in attacker behavior, highlighting the increasingly professional nature of cybercrime operations. By analyzing the difference between hands-on-keyboard (HOK) activity and automated attacks, researchers uncovered telling patterns about attacker methodologies and peak operation times.
Key findings on HOK activity:
- Peak activity periods: February, June, July, and November
- Most active timeframe: 12:00-20:00 UTC (7:00 am – 5:00 pm ET, aligning with US East Coast business hours)
- Primary HOK activities:
  - Domain enumeration (18.6%)
  - Lateral movement (17%)
  - Tool execution (14.1%)
  - Credential dumping (8.6%)
  - Data exfiltration (7.1%)
Identity Threat Landscape
As organizations continue to embrace cloud services and remote work, identity-based attacks have become increasingly sophisticated. Attackers demonstrated remarkable adaptability in 2024, developing new methods to compromise user credentials and manipulate email systems. The report highlights how these threats have evolved beyond simple password theft to include complex token stealing operations and elaborate email rule modifications.
Inbox Rule Modifications:
- Over 50% of malicious inbox rules moved content to RSS Feeds folders
- 35.4% involved moving content to Conversation History folders
- Less common tactics included marking emails as ‘read’ (8%) or ‘read and deleted’ (1.9%)
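The folder-move, mark-as-read and delete patterns above are what a defender would look for in mailbox audit records. The following is an added example (not code from the Huntress report or CinchOps) that flags rule-creation events matching those patterns; the record shape is an assumed, simplified approximation of Exchange Online admin-audit entries, and the sample events are constructed.

```python
# Added example: triage inbox-rule audit events for the destinations and actions
# the report associates with malicious rules. Event shape is assumed/simplified.
SUSPECT_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FILTER_KEYS = ("SubjectContainsWords", "BodyContainsWords", "FromAddressContainsWords")

def _params(event):
    """Flatten the Name/Value parameter list into a plain dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}

def inbox_rule_findings(event):
    """Return the suspicious traits of one audit event (empty list if none)."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return []
    p = _params(event)
    findings = []
    folder = p.get("MoveToFolder", "")
    # Compare only the leaf folder name so a mailbox path prefix does not matter
    if folder.split("\\")[-1].strip().lower() in SUSPECT_FOLDERS:
        findings.append(f"moves mail to '{folder}'")
    if str(p.get("DeleteMessage", "")).lower() == "true":
        findings.append("deletes matching mail")
    if str(p.get("MarkAsRead", "")).lower() == "true":
        findings.append("marks matching mail as read")
    # Keyword filters are normal on their own; record them only as context
    # for a rule that already hides or removes mail.
    if findings:
        for key in FILTER_KEYS:
            if p.get(key):
                findings.append(f"filters on {key}={p[key]!r}")
    return findings

def triage(events):
    """Map audit-event Id -> findings for every event that has any."""
    out = {}
    for ev in events:
        f = inbox_rule_findings(ev)
        if f:
            out[ev["Id"]] = f
    return out

SAMPLE_EVENTS = [  # constructed sample records, not real audit data
    {"Id": "evt-1", "Operation": "New-InboxRule", "UserId": "user@example.com",
     "Parameters": [{"Name": "Name", "Value": "Rule1"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Id": "evt-2", "Operation": "Set-InboxRule", "UserId": "user@example.com",
     "Parameters": [{"Name": "FromAddressContainsWords", "Value": "security"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Id": "evt-3", "Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]
```

Running `triage(SAMPLE_EVENTS)` flags evt-1 (RSS Feeds move plus mark-as-read) and evt-2 (delete), and leaves the ordinary newsletter rule alone.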
Token and Credential Theft:
- Token theft detection triggers:
  - OS mismatch (36.1%)
  - VPN inconsistencies (28.9%)
  - Browser mismatches (27.8%)
  - Location discrepancies (7.2%)
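The four trigger categories above all come down to comparing the environment a token is reused from against the environment it was issued to. This added example (not Huntress or CinchOps code) implements that comparison and tallies triggers the way the report reports them; the event fields, including the assumed upstream VPN flag, and the sample uses are constructed.

```python
# Added example: compare each reuse of a session token with the fingerprint
# recorded at its first observed use and name the triggers that fire.
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class TokenUse:
    token_id: str
    os: str
    browser: str
    country: str
    via_vpn: bool  # assumed to be supplied by an upstream IP/ASN reputation lookup

def token_theft_triggers(issued: TokenUse, later: TokenUse):
    """Return the detection triggers fired by reusing `issued` as `later`."""
    triggers = []
    if issued.os != later.os:
        triggers.append("OS mismatch")
    # A VPN flag changing on its own is a weak signal; it matters most alongside
    # the other three, which a replayed token typically trips together.
    if issued.via_vpn != later.via_vpn:
        triggers.append("VPN inconsistency")
    if issued.browser != later.browser:
        triggers.append("Browser mismatch")
    if issued.country != later.country:
        triggers.append("Location discrepancy")
    return triggers

def analyse(uses):
    """Group uses by token, treating the first use as the baseline.
    Returns (flagged: {token_id: [triggers]}, tally: Counter of trigger names)."""
    baseline, flagged, tally = {}, {}, Counter()
    for u in uses:  # uses must be in chronological order
        if u.token_id not in baseline:
            baseline[u.token_id] = u
            continue
        t = token_theft_triggers(baseline[u.token_id], u)
        if t:
            flagged.setdefault(u.token_id, []).extend(t)
            tally.update(t)
    return flagged, tally

SAMPLE_USES = [  # constructed, chronological
    TokenUse("tok-A", "Windows", "Edge", "US", False),
    TokenUse("tok-A", "Windows", "Edge", "US", False),  # normal reuse, no triggers
    TokenUse("tok-A", "Linux", "Chrome", "NL", True),   # token replayed elsewhere
    TokenUse("tok-B", "iOS", "Safari", "US", True),
    TokenUse("tok-B", "iOS", "Safari", "US", False),    # only the VPN flag changed
]
```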
VPN and Proxy Abuse
The rise in remote work has made VPN services an essential tool for legitimate business operations – and an attractive target for attackers. Throughout 2024, cybercriminals showed clear preferences in their choice of VPN services for malicious activities, with some providers becoming notably more popular among threat actors than others. This trend reveals important insights about how attackers attempt to mask their activities.
- NordVPN was the VPN service most often seen in attacks (20% of incidents)
- SurfEasy and ExpressVPN combined for 23.6% of incidents
- Emerging threat: Meson Network abuse (3.9% of incidents)
- Declining Tor usage (less than 2% of attacks)
Phishing Activity Trends
Phishing attacks in 2024 demonstrated remarkable sophistication, moving far beyond traditional email spoofing techniques. Attackers employed a diverse array of methods to bypass security controls and exploit human psychology, combining social engineering with technical innovation. The report identified several key techniques that defined the year’s phishing landscape, showing how threat actors continue to evolve their approaches to target both technology and human vulnerabilities.
The techniques, by share of observed phishing attacks:
E-Signature Impersonation (28.8% of attacks):
- Primary targets: DocuSign and Adobe
- Two main approaches: graphical email spoofing and legitimate service abuse
Image-Based Content (23.9%):
- Entire emails converted to images to bypass text-based filters
- Hyperlinked images leading to malicious landing pages
QR Codes (8.1%):
- Emerging threat vector targeting mobile devices
- Bypassing traditional link scanning security
Living Off Trusted Sites (7%):
- Abuse of legitimate file-sharing platforms
- Exploitation of users’ trust in known services
Voicemail Luring (4.9%):
- Urgency-based social engineering
- Fake voicemail notifications leading to malicious content
Fake Threads/Reply Chains (2.1%):
- Creation of false conversation histories
- Social proof exploitation to increase legitimacy
Brand Impersonation:
- Microsoft (40% of incidents)
- DocuSign (25% of incidents)
- Other targeted brands: Dropbox, ShareFile, Adobe, Paychex, and Apple
How CinchOps Can Help
As these sophisticated attack methods continue to evolve, CinchOps offers comprehensive protection through:
- Advanced identity threat detection and response
- Real-time monitoring of suspicious inbox rule modifications
- Multi-layered phishing protection
- 24/7 security monitoring aligned with attacker operational timeframes
Discover more about our enterprise-grade cybersecurity services that protect your business on our Cybersecurity page.
Contact CinchOps today to learn how we can help protect your organization against these emerging threats and ensure your security posture stays ahead of evolving attack techniques.
If you would like to review the cyber threat report in full, visit Huntress 2025 Cyber Threat Report.