Red Canary Research Reveals Sharp Rise in Cloud and Identity Threats, Exposing Critical Cybersecurity Risks

Rhea-AI Summary

Zscaler's (NYSE:ZS) Red Canary division has released its midyear 2025 Threat Detection Report, revealing significant cybersecurity trends. The report highlights a dramatic 500% increase in Cloud Account detections compared to 2024, driven by expanded identity-based threat detection capabilities.

Key findings include two new cloud techniques entering the top 10 detected threats: Data from Cloud Storage and Disable or Modify Cloud Firewall. Analysis of phishing emails revealed that only 16% of suspected phishing emails were actually malicious. The report also details the evolution of the Scarlet Goldfinch threat group, which has shifted to using fake CAPTCHA paste-and-run techniques.

Positive

• Enhanced detection capabilities with AI agents for identifying unusual login patterns
• Expanded identity detection coverage improving threat identification
• Comprehensive analysis of phishing threats leading to better threat assessment

Negative

• 500% increase in Cloud Account security threats compared to 2024
• Rising risks from misconfigured AWS S3 storage buckets and open ingress ports
• Evolution of sophisticated attack methods using legitimate services to bypass security

Insights

Cybersecurity Analyst

Red Canary's report reveals 500% surge in cloud threats, validating Zscaler's strategic positioning in identity-based security solutions.

The midyear update to Red Canary's 2025 Threat Detection Report reveals dramatic shifts in the cybersecurity landscape that strengthen Zscaler's market position. The nearly 500% increase in Cloud Account detections compared to all of 2024 validates Zscaler's acquisition strategy, as the company had acquired Red Canary to bolster its identity security capabilities.

Two cloud-related techniques have entered Red Canary's top 10 detected techniques for the first time - Data from Cloud Storage and Disable or Modify Cloud Firewall - signaling an evolution in threat vectors that aligns perfectly with Zscaler's zero trust architecture approach. This shift toward identity and cloud-based threats represents a fundamental market transition from traditional endpoint security to more comprehensive cloud security platforms.

The report's findings on phishing attempts are particularly notable for their sophistication: despite only 16% of reported phishing emails being genuinely malicious, adversaries are using increasingly deceptive tactics like leveraging Google Translate to bypass security measures. This evolution in social engineering (illustrated by Scarlet Goldfinch's pivot to fake CAPTCHA techniques) underscores the value of Zscaler's integrated threat intelligence capabilities.

The comprehensive recommendations in the report - from multi-factor authentication to cloud misconfiguration management - mirror Zscaler's product strategy of providing unified security controls across identity, cloud infrastructure, and user behavior. This report effectively serves as market validation for Zscaler's strategic direction in providing integrated cloud security platforms rather than point solutions.

Midyear update to the 2025 Threat Detection Report identifies rapid emergence of new cloud techniques and evolution in phishing tactics

Key Findings:

• Cloud Account detections increased nearly 500% compared to the entirety of 2024, driven largely by expanded detection capabilities in identity-based threats.
• Two new cloud-related techniques – Data from Cloud Storage and Disable or Modify Cloud Firewall – have broken into Red Canary's top 10 techniques for the first time.
• Phishing remains prevalent but nuanced: analysis revealed that only 16% of suspected phishing emails were genuinely malicious.

SAN JOSE, Calif., Aug. 5, 2025 /PRNewswire/ -- Red Canary, a Zscaler company, today published a midyear update to its annual Threat Detection Report, offering insights into evolving cybersecurity threats based on detections observed in the first half of 2025. The report highlights a dramatic rise in identity threats and the evolving landscape of cloud techniques, driven by increased adoption of identity security measures, generative AI, and enhanced detection capabilities. The analysis emphasizes the need for security strategies to address both clear threats and subtle, risky behaviors that can precede major breaches.

"As organizations increasingly adopt cloud-based identity providers, infrastructure, and applications, our midyear update highlights the impact on threat detection. Security teams are evolving their endpoint-focused strategies to approaches that recognize more nuanced risks across dispersed environments," said Keith McCammon, Co-founder of Red Canary. "Unlike endpoint, where most of the data and context required for threat detection and response stems from a single source, identity and cloud threat detection requires visibility and correlation across disparate systems, coupled with a platform and team capable of performing timely investigations."

Cloud Account detections blur the lines between threat and risk

Red Canary observed an almost 500% increase in detections associated with Cloud Accounts during the first half of 2025. This significant rise stems primarily from Red Canary's expanded identity detection coverage and the implementation of AI agents designed to identify unusual login patterns and suspicious user behaviors. This includes identifying logins from unusual devices, IP addresses, and virtual private networks (VPNs), which significantly increases the detection of risky behaviors.

New cloud techniques expose emerging risks

For the first time, two cloud-related techniques – Data from Cloud Storage and Disable or Modify Cloud Firewall – entered Red Canary's top 10 detected techniques. These techniques represent a growing focus not just on explicit threats but on risky behaviors that can be the precursors to potential breaches. Organizations face significant risks from misconfigured AWS S3 storage buckets and open ingress ports, due to both adversaries using harvested credentials to deliberately expose them and legitimate changes by trusted employees.

Phishing emails are not always what they seem

Red Canary analyzed tens of thousands of user-reported phishing emails, revealing that only 16% were actual threats. Despite this low percentage, phishing remains a critical attack vector, emphasizing the need for organizations to create feedback loops so that they can continually mature their ability to quickly identify genuine threats. Notably, adversaries are employing increasingly sophisticated techniques, including using legitimate services such as Google Translate to create convincing phishing emails that bypass traditional security measures and obfuscate detection.

Scarlet Goldfinch evolves with fake CAPTCHA

Scarlet Goldfinch, an established initial access threat known for delivering remote management and monitoring (RMM) tools, made a significant operational shift this year. Previously relying on fake browser updates, the group has pivoted to using fake CAPTCHA paste-and-run techniques to entice victims into executing malicious code. This evolution highlights adversaries' agility in adapting the latest social engineering tactics to remain effective and evade existing defenses.

Defending against emerging threats and risks

As threats evolve, organizations must bolster their defenses by implementing the following strategies:

• Identity security controls: Enforce multi-factor authentication (MFA) and conditional access policies (CAP) to reduce unauthorized identity usage.
• Cloud misconfiguration management: Regularly audit and secure cloud infrastructure configurations, ensuring public access settings and firewall rules adhere to strict policies in line with the principles of zero trust.
• Phishing awareness: Implement robust user training to improve identification of sophisticated phishing and social engineering attempts.
• VPN and RMM monitoring: Limit and closely monitor VPN usage and remote management tools, using behavioral analytics to detect anomalous activity indicative of malicious intent.

By proactively adopting these measures, organizations can significantly enhance their cybersecurity posture, mitigating the risk and impact of the latest adversary tactics.

Methodology

The midyear update to the 2025 Threat Detection Report provides in-depth analysis of the confirmed threats detected from the petabytes of telemetry collected from Red Canary customers' endpoints, networks, cloud infrastructure, identities, and SaaS applications in the first six months of 2025.

The Threat Detection Report sets itself apart from other annual reports with its unique data and insights derived from a combination of expansive detection coverage and expert, human-led investigation, and confirmation of threats.

About Red Canary, a Zscaler Company

Red Canary is a leader in managed detection and response (MDR). We serve companies of every size and industry, focusing on finding and stopping threats before they can have a negative impact. As the security ally for nearly 1,000 organizations, we provide MDR across our customers' cloud workloads, identities, SaaS applications, networks, and endpoints. For more information about Red Canary, visit: https://www.redcanary.com.

About Zscaler

Zscaler (NASDAQ: ZS) accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange™ platform protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SASE-based Zero Trust Exchange™ is the world's largest in-line cloud security platform.

View original content to download multimedia:https://www.prnewswire.com/news-releases/red-canary-research-reveals-sharp-rise-in-cloud-and-identity-threats-exposing-critical-cybersecurity-risks-302521309.html

SOURCE Red Canary

FAQ

What are the key findings of Zscaler's Red Canary 2025 midyear Threat Detection Report?

The report revealed a 500% increase in Cloud Account detections, two new cloud techniques entering the top 10 threats list, and found that only 16% of suspected phishing emails were actually malicious.

How has cloud security threat detection changed for Zscaler (ZS) in 2025?

Cloud Account detections increased by 500% compared to 2024, with new threats emerging in Data from Cloud Storage and Cloud Firewall modifications, driven by expanded identity-based threat detection capabilities.

What are the main cybersecurity risks identified in the Red Canary 2025 report?

Key risks include misconfigured AWS S3 storage buckets, open ingress ports, sophisticated phishing techniques using legitimate services, and evolving threats like Scarlet Goldfinch's fake CAPTCHA attacks.

What defensive strategies does the Red Canary report recommend for organizations?

The report recommends implementing multi-factor authentication, conditional access policies, regular cloud infrastructure audits, enhanced phishing awareness training, and close monitoring of VPN and remote management tools.

How has the Scarlet Goldfinch threat evolved in 2025 according to Zscaler's report?

Scarlet Goldfinch has evolved from using fake browser updates to employing fake CAPTCHA paste-and-run techniques to trick victims into executing malicious code.