Cloud accounts come under attack as identity threats rise


The latest Threat Detection Report update from Red Canary shows a rise of almost 500 percent in detections associated with cloud accounts during the first half of 2025.
This significant rise stems primarily from Red Canary’s expanded identity detection coverage and the implementation of AI agents designed to identify unusual login patterns and suspicious user behaviors. This includes identifying logins from unusual devices, IP addresses, and virtual private networks (VPNs), which significantly increases the detection of risky behaviors.
Two new cloud-related techniques -- Data from Cloud Storage and Disable or Modify Cloud Firewall -- have also entered the top 10 detected techniques. These represent a growing focus not just on explicit threats but on risky behaviors that can be the precursors to potential breaches.
“As organizations increasingly adopt cloud-based identity providers, infrastructure, and applications, our midyear update highlights the impact on threat detection. Security teams are evolving their endpoint-focused strategies to approaches that recognize more nuanced risks across dispersed environments,” says Keith McCammon, co-founder of Red Canary. “Unlike endpoint, where most of the data and context required for threat detection and response stems from a single source, identity and cloud threat detection requires visibility and correlation across disparate systems, coupled with a platform and team capable of performing timely investigations.”
Red Canary’s analysis of tens of thousands of user-reported phishing emails finds that only 16 percent were actual threats. But despite this low percentage, phishing remains a critical attack vector, emphasizing the need for organizations to create feedback loops so that they can continually mature their ability to quickly identify genuine threats when they arise.
The report also reveals that the Scarlet Goldfinch threat, which previously relied on fake browser updates, has pivoted to fake CAPTCHA paste-and-run techniques to entice victims into executing malicious code.
You can find out more in the full report, available from the Red Canary site.