Data & research · 5 MIN READ · AARON WALTON AND BEN NAHORNEY · JUL 22, 2025 · TAGS: Get technical / Guidance
TL;DR
- This is part one of two of our Quarterly Threat Report blog series for Q2 2025
- You can find part two here post-publication
- Part one covers the overall stats regarding incidents our SOC investigated this past quarter
Welcome to the Expel Quarterly Threat Report (QTR) for Q2 2025. Our QTRs summarize the attacks we’re seeing over the quarter and recommend ways you can protect your organization.
To start things off this quarter, we’re summarizing what was seen in the past three months. Then we’ll dive into some of the major threats. Let’s go!
About these reports
The trends in our QTR are based on incidents our security operations center (SOC) identified through investigations into alerts, email submissions, or threat hunting leads in the second quarter (Q2) of 2025. We analyzed incidents across our customer base, which includes organizations of all sizes, in many industries, and with differing security maturity levels. In the process, we’ve identified patterns and attacker tendencies to help guide strategic decision-making and operational processes for your team.
Q2 by the numbers
Incidents encountered by the Expel SOC
First off, let’s talk about what our SOC has seen in the last quarter.
From April to June 2025:
- 67.6% of all incidents we investigated were identity-based attacks
  - The rate of identity incidents is consistent with last quarter (66.2%). While we haven’t observed widespread innovations in targeting identity, some attackers are pushing the boundaries of how to abuse it. (We talk more about these in our second post.)
- 13.8% of incidents we observed were non-targeted malware attacks
  - The prominence of the Lumma infostealer declined from 48% of all malware incidents to 8% due to law enforcement action and improved security controls.
- 4.3% of incidents were authorized pen tests, or red and purple team exercises
  - 59.7% of these tests focused on endpoints, and 28.3% targeted cloud infrastructure resources.
- 2.5% of total incident volume targeted cloud infrastructure directly (think AWS, Google Cloud, Azure, Oracle Cloud Infrastructure, and Kubernetes)
  - This is up from Q1, when cloud infrastructure made up only 1.6% of incident volume.
  - The most common cause of cloud infrastructure incidents was misconfiguration.
Identity-based attacks continued to be the predominant threat our SOC encountered. 67.4% of the incidents we saw included an identity-based component, slightly up from the previous quarter.
In the context of this report, we define identity threats as attacker attempts to gain access to a user’s identity in order to perpetrate fraud. With access to accounts, attackers may attempt to reach email, business applications, corporate devices, or cloud infrastructure.
Cloud-based services
Cloud-based services are apps and services operated and maintained by third parties, and hosted on their infrastructure—communication apps, office suites, design tools, and so on.
There are two main threat types seen in cloud service incidents. Identity and email compromise incidents occur when an attacker has managed to get ahold of a user’s login credentials for apps like their email or identity verification. Compromised credential incidents cover cases where an attacker has obtained credentials, but has been prevented from accessing the account thanks to various controls.
In 47.5% of incidents, attackers were able to get access to accounts after successfully stealing credentials. Since last quarter, we’ve seen more attempts being blocked by existing controls (this is the compromised credentials category we talked about). But the numbers suggest that there’s more to do to block these attacks at the perimeter and to prevent access from falling into the wrong hands.
In years past, MFA was the biggest factor in blocking attacks, but with today’s session theft and phishing platforms it isn’t enough anymore. The most successful organizations block attacks by implementing FIDO keys, passkeys, and restricting logins to managed devices.
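To make the two cloud-service threat types above concrete, here is an added example (not Expel’s tooling or data) that walks a constructed sign-in log and sorts each unfamiliar login into the report’s buckets: a login that succeeded from an unfamiliar source counts as identity/email compromise, while one that a control stopped counts as compromised credentials. It also flags successful logins that were not protected by phishing-resistant MFA on a managed device, the gap the paragraph says session theft and phishing platforms exploit. The log format, field names, and the "known IP" heuristic are all assumptions made for this illustration, not any vendor’s schema.

```python
"""Classify constructed sign-in events into the report's two cloud-service
threat types. Example code added for illustration; the JSON-lines format,
field names and sample data are constructed, not a real product's output."""
import json
from collections import Counter

# Constructed sample sign-in log (JSON lines). Field names are assumptions.
SAMPLE_LOG = """\
{"user": "alice", "ip": "203.0.113.7", "result": "success", "mfa": "fido2", "device_managed": true, "known_ip": true}
{"user": "alice", "ip": "198.51.100.9", "result": "success", "mfa": "sms", "device_managed": false, "known_ip": false}
{"user": "bob", "ip": "198.51.100.22", "result": "blocked_policy", "mfa": "none", "device_managed": false, "known_ip": false}
{"user": "carol", "ip": "192.0.2.44", "result": "success", "mfa": "push", "device_managed": false, "known_ip": false}
{"user": "dave", "ip": "203.0.113.8", "result": "success", "mfa": "fido2", "device_managed": true, "known_ip": true}
{"user": "erin", "ip": "198.51.100.30", "result": "mfa_failed", "mfa": "sms", "device_managed": false, "known_ip": false}
"""

# Authenticators the paragraph recommends; anything else is treated as phishable.
PHISHING_RESISTANT = {"fido2", "passkey"}


def parse_events(text):
    """Parse JSON-lines sign-in records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return 'benign', 'compromised_credentials' or 'identity_compromise'.

    Heuristic (assumption): a login from a known IP is treated as benign.
    An unfamiliar login that a control stopped means the attacker had the
    credentials but not the account; one that succeeded means account access.
    """
    if event["known_ip"]:
        return "benign"
    if event["result"] != "success":
        return "compromised_credentials"
    return "identity_compromise"


def weak_control(event):
    """True when a successful login relied on phishable MFA from an unmanaged device."""
    return (event["result"] == "success"
            and event["mfa"] not in PHISHING_RESISTANT
            and not event["device_managed"])


def summarize(text):
    """Count each bucket, compute the share of unfamiliar logins that got in,
    and list users whose successful compromise bypassed only phishable MFA."""
    events = parse_events(text)
    counts = Counter(classify(e) for e in events)
    unfamiliar = counts["compromised_credentials"] + counts["identity_compromise"]
    success_share = counts["identity_compromise"] / unfamiliar if unfamiliar else 0.0
    weak_users = [e["user"] for e in events
                  if classify(e) == "identity_compromise" and weak_control(e)]
    return {
        "counts": dict(counts),
        "success_share": round(success_share, 3),
        "weak_mfa_users": weak_users,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

On the constructed sample, half of the unfamiliar logins get through, and both successes relied on SMS or push MFA from unmanaged devices, which is exactly the population that moving to FIDO keys or passkeys plus a managed-device requirement would have turned into blocked attempts.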
Endpoints
The endpoint activity category consists of incidents raised by alerts from EDR and XDR applications, like an end user downloading malware, or an attacker’s hands-on attempt to compromise a network. The category gives us a good idea about the types of attacks bad actors are carrying out against various devices within the network.
The volume of non-targeted malware seen this quarter dropped. Last quarter, this threat accounted for two-thirds of this category; this quarter, it’s roughly half.
This may be the result of multiple factors, such as security controls blocking malware downloads, other tools stopping malware at earlier stages, or international law enforcement action.
Last quarter, the Lumma infostealer made up 48% of all malware incidents across our customer base, but due to law enforcement actions and improved security controls within our customer base, this quarter it made up only 8%. Similarly, we observed a decline in successful attacks using the ClickFix tactic, going from 51% to 30.5% of all malware incidents.
The second largest category of endpoint incidents was non-targeted attacks, which grew from 19% last quarter to 35.5% this quarter. This category consists of activity such as web server compromise, access to networks through compromised edge devices, and incidents we triage as part of our incident response (IR) partnerships.
Our IR partnerships allow us to come alongside an organization that has an active cyber incident and provide 24×7 SOC monitoring while the bad guys are being kicked out (and it lets us get additional insights into these broader cyber attacks).
Cloud infrastructure
Cloud infrastructure experiences its own unique threats. This category contains more red team activity—as opposed to attacker activity—than any other specific category, owing to a relatively low number of cyberattacks against this attack surface and proactive auditing by security teams. Attacker-driven activity was most frequently the result of misconfigurations, secret key exposure, and server-side vulnerabilities.
In the graph above, 48.3% of attacks fell into a category we call unauthorized access. In these instances, an attacker can access an asset and is detected while doing so. Most of these instances were the result of misconfiguration—such as using default credentials.
A tale of attack surfaces
The key takeaway here? Attack surfaces are distinct, and so are the attacker techniques for each. With cloud-based services, attackers use either previously stolen credentials or phishing campaigns to gain access. For endpoints, attackers are usually more traditional in their tactics, focusing on malware, compromising public-facing resources, and using removable media (like USB drives) to compromise devices. Meanwhile, cloud infrastructure—a relatively new attack surface—requires continuous learning from attackers and defenders alike, as each side works out how to compromise or protect it.
These diverse attack surfaces require security teams to draft completely different defensive plans for each front, which is why it’s critical to analyze incident data by more than just volume.
Now that we’ve reviewed incidents by volume and attack surface type, let’s break them down by industry.
Industry incident types
Because Expel protects a wide variety of industries, we highlight only the ten industries with the most incidents each quarter to shed light on malicious activity. This gives us a broad view of industry trends, and can help identify what’s most active in your industry, letting you plan accordingly.
This quarter, those top ten industries from most to least incidents were:
- Financial services
- Manufacturing
- Healthcare
- Technology
- Entertainment
- Retail
- Education
- Pharmaceutical & chemical
- Hospitality
- Legal services
Based on our industry knowledge and public intel, the vast majority of incidents this quarter stemmed from broad attacks—that is, these attacks weren’t targeting a specific organization or industry. While we observed some attacks specifically targeting some organizations, these were rare—only making up 0.2% of the total incidents we saw.
Here are a few more industry-specific takeaways from Q2 2025:
- The financial services industry saw the most incidents overall this quarter, accounting for 12.6% of all incidents. This industry saw significant Lumma infostealer activity before the Lumma infrastructure was disrupted in May, where it comprised a quarter of the malware encountered in this industry.
- The healthcare industry saw the highest volume of non-targeted malware. In particular, this industry was heavily impacted by the PDFast Trojan. Users downloaded the malware when attempting to find a PDF editor. This serves as a reminder—not only to healthcare companies, but others too—that if PDF editors and similar tools aren’t readily available, workers often go out and try to download one themselves, leaving them open to these types of attacks. Of the incidents seen in this industry, 26.4% involved drive-by malware delivery.
- The manufacturing industry saw the highest volume of identity attacks—three out of every four incidents involved them. While not as high in overall volume, the industry that saw the greatest proportion of identity attacks was the pharmaceutical and chemical industry. Close to 90% of the incidents seen in this industry involved compromised credentials or email compromise.
That’s it for our Q1 2025 summary. Next up, we’re recapping the main takeaways from the threat intel we shared this past quarter. And if you have any questions or just want to chat about anything you see here, don’t hesitate to drop us a line.