A new report has highlighted a dramatic rise in identity threats and the evolving landscape of cloud techniques, driven by increased adoption of identity security measures, generative AI, and enhanced detection capabilities.
The analysis by Red Canary emphasises the need for security strategies to address both clear threats and subtle, risky behaviours that can precede major breaches.
At the top line of findings, Red Canary observed an almost 500% increase in detections associated with Cloud Accounts during the first half of 2025.
This significant rise stems primarily from Red Canary’s expanded identity detection coverage and the implementation of AI agents designed to identify unusual login patterns and suspicious user behaviours. This includes identifying logins from unusual devices, IP addresses, and virtual private networks (VPNs), which significantly increases the detection of risky behaviors.
For the first time, two cloud-related techniques – Data from Cloud Storage and Disable or Modify Cloud Firewall – entered Red Canary’s top 10 detected techniques.
These techniques represent a growing focus not just on explicit threats but on risky behaviours that can be the precursors to potential breaches. Organisations face significant risks from misconfigured AWS S3 storage buckets and open ingress ports, due to both adversaries using harvested credentials to deliberately expose them and legitimate changes by trusted employees.
Red Canary analysed ‘tens of thousands’ of user-reported phishing emails, revealing that only 16% were actual threats. Despite this low percentage, phishing remains a critical attack vector, emphasizing the need for organizations to create feedback loops so that they can continually mature their ability to quickly identify genuine threats.
Notably, adversaries are employing increasingly sophisticated techniques, including using legitimate services such as Google Translate to create convincing phishing emails that bypass traditional security measures and obfuscate detection.
Scarlet Goldfinch, an established initial access threat known for delivering remote management and monitoring (RMM) tools, made a significant operational shift this year. Previously relying on fake browser updates, the group has pivoted to using fake CAPTCHA paste-and-run techniques to entice victims into executing malicious code. This evolution highlights adversaries’ agility in adapting the latest social engineering tactics to remain effective and evade existing defences.
As threats evolve, Red Canary says organisations must bolster their defences by implementing the following strategies:
- Identity security controls: Enforce multi-factor authentication (MFA) and conditional access policies (CAP) to reduce unauthorized identity usage.
- Cloud misconfiguration management: Regularly audit and secure cloud infrastructure configurations, ensuring public access settings and firewall rules adhere to strict policies in line with the principles of zero trust.
- Phishing awareness: Implement robust user training to improve identification of sophisticated phishing and social engineering attempts.
- VPN and RMM monitoring: Limit and closely monitor VPN usage and remote management tools, using behavioral analytics to detect anomalous activity indicative of malicious intent.
“As organizations increasingly adopt cloud-based identity providers, infrastructure, and applications, our midyear update highlights the impact on threat detection. Security teams are evolving their endpoint-focused strategies to approaches that recognize more nuanced risks across dispersed environments,” said Keith McCammon, Co-founder of Red Canary. “Unlike endpoint, where most of the data and context required for threat detection and response stems from a single source, identity and cloud threat detection requires visibility and correlation across disparate systems, coupled with a platform and team capable of performing timely investigations.”
Photo by Bernd 📷 Dittrich on Unsplash
