Deception is evolving, and security teams need to catch up


Attackers are finding new ways to get inside company systems, and deception is playing a bigger role than ever, according to the latest LevelBlue Threat Trends Report.

Threat actors are leaning on tactics like social engineering and AI tools to move quickly, stay hidden, and then extend their reach once inside. Even experienced users can be tricked into opening the door without realizing it until it's too late.


This report is based on data collected during the first half of 2025 by LevelBlue's MDR and threat intelligence teams.

One of the most noticeable trends highlighted in the report is the increase in social engineering, especially scams that mimic CAPTCHA prompts, like ClickFix. These attacks rely on creating a sense of urgency and trust, making them hard to spot using traditional defenses.

In fact, social engineering now makes up 39 percent of initial access attempts, a big rise from late 2024.

Business email compromise (BEC) is still one of the top ways that attackers get in, although its share has fallen as new methods become more common.

Tools meant for remote monitoring and management are being repurposed to keep access open, while tunneling techniques allow threat actors to quietly move across systems.

Because these tools are often part of regular IT environments, it can be hard to tell when they’re being used maliciously.

Attackers are also speeding things up. Many are now able to move through a network in under an hour. Some incidents show lateral movement happening in as little as 15 minutes. As a result, defenders are being forced to detect and respond faster than ever.

Detection at the earliest stage is improving, however. In the first half of 2025, 51 percent of incidents were identified during the initial access phase, up from 29 percent at the end of 2024.

That suggests better early-stage defenses, although part of the rise is due to the growing number of access attempts that get spotted before attackers can go further. At the same time, encryption events dropped sharply, likely because faster detection stopped ransomware from fully executing.

Security tips

To stay ahead, the LevelBlue team recommends a focus on layered detection, updated intelligence, and regular employee awareness training. Email filtering, endpoint protection, and strict access controls all play a role in stopping threats before they spread. Knowing what tools are expected in your environment also makes it easier to spot something unusual before it becomes a problem.

The report also looks at the reappearance of Lumma Stealer and a rise in activity from remote access trojans including NetSupport, Remcos, and AsyncRAT. These threats are often tied to advanced groups and are used to steal data quietly once a foothold is established.

LevelBlue’s report shows that deception methods are evolving quickly, and attackers are getting better at using them to their advantage. Defenders must keep pace with faster response, stronger visibility, and smarter training.

The full report is available to download from LevelBlue.
