Faster attacks and ‘recovery denial’ ransomware reshape threat landscape

Social engineering becomes more interactive: While exploits remain the leading initial infection vector at 32%, the report underscores a shift toward more adaptive social engineering. Voice phishing has risen sharply, while email phishing continues to decline, signaling a move away from high-volume campaigns toward real-time interaction.

Mandiant’s data shows that email phishing dropped to just 6% of intrusions in 2025. In its place, adversaries have pivoted to highly interactive, voice-based social engineering.

Attackers are also using messaging platforms and social media to engage targets directly, often bypassing technical controls by manipulating help desk processes or identity verification workflows. The report highlights how attackers are exploiting SaaS environments, harvesting tokens and credentials to move laterally across organizations and their partners.

AI accelerates early-stage attacks, not outcomes: Artificial intelligence is contributing to these changes, but not as a primary driver of successful breaches. The report indicates that attackers are using large language models to improve phishing, reconnaissance, and evasion, increasing the efficiency of early-stage operations.

At the same time, the underlying causes of successful intrusions remain unchanged. “The vast majority of successful intrusions still stem from fundamental human and systemic failures,” Kutscher writes.

AI is accelerating existing attack methods rather than replacing them, reinforcing the need for CISOs to address persistent gaps in patching, identity security, and visibility.

Ransomware shifts toward recovery denial: Ransomware tactics are evolving. While encryption and data theft remain central, attackers are increasingly focused on undermining an organization’s ability to recover. In 2025, Mandiant observed a systemic shift in which ransomware operators actively targeted backup infrastructure, identity services, and virtualization management planes.

This shift toward recovery denial changes the dynamics of extortion. By compromising or destroying recovery capabilities, attackers increase the likelihood that victims will pay, even when backups exist. “Modern ransomware is now a fundamental resilience problem, forcing organizations into a choice: pay or rebuild,” Kutscher writes.

Dwell time increases as persistence improves: The increase in median dwell time reflects a broader trend toward persistence, particularly in espionage operations and activity linked to North Korean IT worker schemes. In those cases, median dwell time reached 122 days, illustrating how some attackers are optimizing for long-term access rather than immediate impact.

Attackers are also exploiting gaps in monitoring infrastructure. The report notes that some threats achieve dwell times of nearly 400 days, highlighting persistent visibility challenges tied to limited log retention and monitoring of edge devices.

Detection improves, but gaps remain: Mandiant’s research indicates that 52% of organizations detected intrusions internally in 2025, up from 43% the previous year. External notifications accounted for 34% of detections, while the attacker first disclosed 14% of incidents.

Although internal detection is improving, reliance on external parties and adversary disclosure highlights ongoing visibility gaps, particularly in hybrid and cloud environments.

What CISOs should prioritize: Mandiant’s recommendations reflect a shift away from static defenses toward faster, more adaptive response models.

One key recommendation is that security teams need to rethink alert triage. With hand-off times now measured in seconds, low-level detections can no longer be treated as routine noise. What appears to be an isolated alert may signal the start of a secondary intrusion, requiring immediate action before attackers move to hands-on-keyboard activity.

Organizations also need to treat core infrastructure (identity systems, backup environments, and virtualization platforms) as critical control planes. These are now primary targets for attackers seeking to undermine recovery and must be isolated, tightly controlled, and protected as Tier-0 assets.

Identity is becoming a central battleground. As interactive social engineering bypasses traditional MFA, organizations need continuous identity verification, stricter privilege controls, and tighter governance over SaaS integrations.

Detection strategies must also evolve as attackers rely more on legitimate tools and in-memory malware. Static indicators are less effective, requiring a shift to behavioral detection that flags anomalies such as unusual access patterns, suspicious API activity, or misuse of authentication tokens.

Finally, visibility gaps remain a persistent problem. Extending log retention and centralizing telemetry across network, cloud, and virtualization environments are critical to detecting long-running intrusions and understanding their full scope.
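As an added illustration of the behavioral detection the recommendations call for (not code from the article or from Mandiant's report), the following flags a session token that is presented from two different client fingerprints within a short window, one concrete form of "misuse of authentication tokens". The audit log format, field names and sample events are constructed for the example.

```python
"""Behavioral detection for authentication-token misuse over SaaS audit logs.

Added example, not from the article or Mandiant's report. Flags a token that
is presented from more than one client fingerprint (source IP + user agent)
inside a short window. Log format and sample events are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample audit events: timestamp, user, token id, source IP, user agent.
SAMPLE_LOG = """\
2025-03-04T09:00:12Z alice tok-7f3a 203.0.113.10 Mozilla/5.0 (Windows NT 10.0)
2025-03-04T09:02:40Z alice tok-7f3a 203.0.113.10 Mozilla/5.0 (Windows NT 10.0)
2025-03-04T09:05:03Z alice tok-7f3a 198.51.100.77 python-requests/2.31
2025-03-04T09:06:15Z alice tok-7f3a 198.51.100.77 python-requests/2.31
2025-03-04T10:30:00Z bob tok-1c9e 192.0.2.55 Mozilla/5.0 (Macintosh)
2025-03-04T15:30:00Z bob tok-1c9e 192.0.2.56 Mozilla/5.0 (Macintosh)
"""


def parse_events(text):
    """Parse 'ts user token ip user_agent...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, token, ip, ua = line.split(maxsplit=4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "token": token, "ip": ip, "ua": ua,
        })
    return events


def detect_token_misuse(events, window_minutes=30):
    """Return alerts for tokens reused from a new (ip, user_agent) fingerprint
    within window_minutes of a different fingerprint. A change hours apart
    may be a roaming user; a change minutes apart looks like a stolen token."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    last_seen = {}  # token -> (fingerprint, timestamp) of the latest event
    for ev in sorted(events, key=lambda e: e["ts"]):
        fp = (ev["ip"], ev["ua"])
        prev = last_seen.get(ev["token"])
        if prev and prev[0] != fp and ev["ts"] - prev[1] <= window:
            alerts.append({"user": ev["user"], "token": ev["token"],
                           "from": prev[0], "to": fp, "ts": ev["ts"]})
        last_seen[ev["token"]] = (fp, ev["ts"])
    return alerts
```

With the default 30-minute window only alice's token is flagged; widening the window to six hours also flags bob's IP change, which shows why the threshold has to be tuned to the environment's normal access patterns.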

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4148705/faster-attacks-and-recovery-denial-ransomware-reshape-threat-landscape.html
