CrowdStrike Security Report: Generative AI Powers Social Engineering Attacks

Phishing was less common in 2024 than in earlier years, according to CrowdStrike’s 2025 Global Threat Report. Threat actors are instead trending toward access to legitimate accounts through social engineering techniques such as voice phishing (vishing), callback phishing, and help desk social engineering.

We’re well within the era of what cybersecurity technology company CrowdStrike calls “the enterprising adversary,” with malware-as-a-service and criminal ecosystems replacing the old-fashioned image of the lone threat actor. Attackers are also using legitimate remote management and monitoring tools where they might once have chosen malware.

Threat actors take advantage of generative AI

Threat actors are using generative AI to craft phishing emails and carry out other social engineering attacks. CrowdStrike found threat actors using generative AI to:

  • Create fictitious LinkedIn profiles in hiring schemes such as those carried out by North Korea.
  • Create deepfake video and voice clones to commit fraud.
  • Spread disinformation on social media.
  • Create spam email campaigns.
  • Write code and shell commands.
  • Write exploits.

Some threat actors pursued gaining access to the LLMs themselves, particularly models hosted on Amazon Bedrock.

CrowdStrike highlighted nation-state actors associated with China and North Korea

China remains the nation-state to watch: new China-nexus groups emerged in 2025, and cyberespionage operations increased by 150%. Highly targeted industries, including financial services, media, manufacturing, and engineering, saw increases of up to 300%. Chinese adversaries increased their tempo in 2024 compared to 2023, CrowdStrike said.

North Korean threat actors conducted high-profile activities, including IT worker scams intended to raise money.

Threat actors favor points of entry that look like legitimate behavior

Malware isn’t involved in 79% of attacks, CrowdStrike said; instead, identity and access theft attacks use legitimate accounts to compromise their targets.

Valid accounts were a primary means for attackers to launch cloud intrusions in 2024; in fact, valid accounts were the initial vector for 35% of cloud incidents in the first half of the year.

Interactive intrusion, an attack technique in which an attacker mimics legitimate user activity at the keyboard or social engineers a person into performing legitimate-looking inputs, is on the rise. Attackers might trick legitimate users through social engineering performed over the phone, such as posing as IT help desk staff (often spoofing Microsoft) or asking for a fake fee or overdue payment.

CrowdStrike recommended the following in order to prevent help desk social engineering:

  • Require video authentication with government identification for employees who call to request self-service password resets.
  • Train help desk employees to exercise caution when taking password and MFA reset request phone calls made outside of business hours, or when they receive a high number of requests in a short time frame.
  • Use non-push-based authentication factors such as FIDO2 to prevent account compromise.
  • Monitor for more than one user registering the same device or phone number for MFA.
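The last three recommendations are detection rules a help desk or identity team can run over its own audit log. The following script is an added illustration, not CrowdStrike code: it takes a constructed list of identity-provider events (the field names `ts`, `user`, `event`, and `factor_id` are assumptions, not any vendor's schema) and flags the three signals the report calls out: one phone number or device enrolled as an MFA factor by more than one user, reset requests made outside business hours, and a burst of reset requests in a short window.

```python
"""Help desk / MFA reset abuse signals over a constructed audit log.

Added example, not CrowdStrike's code. The event schema (ts, user, event,
factor_id) and the business-hours window are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: MFA factor enrolments and help desk reset requests.
SAMPLE_EVENTS = [
    {"ts": "2024-06-03T09:12:00", "user": "alice", "event": "mfa_enroll", "factor_id": "+15550100"},
    {"ts": "2024-06-03T09:40:00", "user": "bob", "event": "mfa_enroll", "factor_id": "+15550200"},
    # carol enrols the same phone number alice already uses, late at night
    {"ts": "2024-06-03T22:05:00", "user": "carol", "event": "mfa_enroll", "factor_id": "+15550100"},
    {"ts": "2024-06-03T22:06:00", "user": "carol", "event": "reset_request", "factor_id": None},
    {"ts": "2024-06-04T03:10:00", "user": "dave", "event": "reset_request", "factor_id": None},
    # four reset requests from different users inside five minutes
    {"ts": "2024-06-04T10:00:00", "user": "erin", "event": "reset_request", "factor_id": None},
    {"ts": "2024-06-04T10:02:00", "user": "frank", "event": "reset_request", "factor_id": None},
    {"ts": "2024-06-04T10:04:00", "user": "grace", "event": "reset_request", "factor_id": None},
    {"ts": "2024-06-04T10:05:00", "user": "heidi", "event": "reset_request", "factor_id": None},
]

BUSINESS_HOURS = (8, 18)  # assumed local window: 08:00 to 18:00


def parse(events):
    """Convert ISO timestamps to datetime objects; leaves other fields untouched."""
    return [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]


def shared_factors(events):
    """Phone numbers or devices enrolled by more than one user -> {factor_id: [users]}."""
    users_by_factor = defaultdict(set)
    for e in events:
        if e["event"] == "mfa_enroll" and e["factor_id"]:
            users_by_factor[e["factor_id"]].add(e["user"])
    return {f: sorted(u) for f, u in users_by_factor.items() if len(u) > 1}


def after_hours_resets(events, window=BUSINESS_HOURS):
    """Users who requested a password/MFA reset outside the business-hours window."""
    start, end = window
    return [e["user"] for e in events
            if e["event"] == "reset_request" and not (start <= e["ts"].hour < end)]


def reset_bursts(events, threshold=4, span=timedelta(minutes=10)):
    """Sliding window over reset timestamps: (first, last, count) for each window
    holding at least `threshold` requests within `span`."""
    times = sorted(e["ts"] for e in events if e["event"] == "reset_request")
    bursts, lo = [], 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > span:
            lo += 1
        if hi - lo + 1 >= threshold:
            bursts.append((times[lo], times[hi], hi - lo + 1))
    return bursts


def findings(raw_events=SAMPLE_EVENTS):
    """Run all three checks and return them as one dict for triage."""
    events = parse(raw_events)
    return {
        "shared_factors": shared_factors(events),
        "after_hours_resets": after_hours_resets(events),
        "reset_bursts": reset_bursts(events),
    }


if __name__ == "__main__":
    for name, hits in findings().items():
        print(f"{name}: {hits}")
```

The burst check uses a two-pointer sliding window so it stays linear in the number of reset events; thresholds and the business-hours window should be tuned to the organisation's normal help desk volume before alerting on them.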

SEE: Only 6% of security researchers and practitioners surveyed by CrowdStrike in December 2024 actively used generative AI.

Information disclosure can be a double-edged sword: Some attackers researched “publicly available vulnerability research — such as disclosures, technical blogs, and proof-of-concept (POC) exploits — to aid their malicious activity,” CrowdStrike wrote.

Last year, there was a rise in access brokers, who specialize in selling breached access to ransomware makers or other threat actors. Advertised accesses increased by almost 50% compared to 2023.

Tips for securing your organization

CrowdStrike said organizations should:

  • Be sure their entire identity system is covered under phishing-resistant MFA solutions.
  • Remember the cloud is core infrastructure, and defend it as such.
  • Deploy modern detection and response strategies.
  • Regularly patch or upgrade critical systems.
