In my 2024 article, Cyber Security 2024: Key Trends Beyond the Hype, I aimed to stay rational and avoid hype—especially around AI—and pointed out that most real-world attacks still involved unpatched systems, weak credentials, and social engineering. Over the past year, that has largely remained true.
Now, as we move into 2025, I’m revisiting those same areas with updated examples. Supply chain attacks remain a key concern—especially for identity providers and open-source libraries. Token and cloud API abuse hasn’t slowed down, and attackers keep finding ways to bypass or disable EDR solutions, often hiding behind legitimate software. Meanwhile, basic security missteps still leave many organizations open to recurring threats.
Although I was skeptical about AI-based attacks last year, we do see attackers using AI to automate tasks like scripting or generating phishing emails. There’s still no proof of a fully AI-driven breach from start to finish—it’s more of an efficiency boost than a total game-changer. My goal here is to remain as sober and factual as possible, highlighting what’s genuinely evolving in these trends and where we should pay close attention going into 2025.

1. Supply Chain Attacks
Supply chain attacks continue to pose a serious threat to organizations of all sizes, even those with sophisticated security measures. While these attacks often target software providers or trusted third-party vendors, recent events show that Identity and Access Management (IAM) service providers themselves can become single points of failure. A single breach at a major identity platform can compromise thousands of companies at once, exposing credentials, tokens, and other valuable data.
Okta: A Breach That Shook Customer Trust
Okta’s late-2023 breach is a prime example of how quickly an incident can escalate. Initially, the company reported that only 1% of customers were affected. Weeks later, it revealed that its entire customer base was impacted. To an outside observer, it seems Okta was overwhelmed by the attack’s sophistication and remained cautious in what it disclosed. As more details emerged, the root cause turned out to be surprisingly mundane – an Okta employee logged into a personal Google account on a corporate laptop, opening the door for a massive data exposure. For organizations depending on IAM services, it’s a stark reminder that even top-tier providers have blind spots, and if they’re compromised, the implications can be extremely severe.
Microsoft: The Underrated Damage of a Compromised Key
Shortly after the Okta breach, another incident at Microsoft highlighted just how powerful stolen signing keys can be. In an attack attributed to a Chinese threat actor (Storm-0558), a private encryption key for Microsoft’s identity services was taken.
While Microsoft initially stated the attack impacted only Outlook.com and Exchange Online, independent research suggests the key could have theoretically been used to forge tokens for services like SharePoint, OneDrive, Teams, or even third-party apps using “Login with Microsoft.” Because identity provider keys can grant access to a huge number of services, this breach may be more significant than Microsoft’s public statements suggest.
In reality, organizations have little direct control over how a major cloud provider safeguards its signing keys, so transparency from the provider after any compromise is crucial. Without clear information about the nature and scope of a breach, customers can’t accurately assess their exposure or respond effectively.
Open Source Supply Chain Risks
Open source ecosystems also continue to be a prime target. Malicious actors tamper with NPM packages, PyPi modules, GitHub repositories, or other code libraries, embedding backdoors in widely used dependencies. A notable example involves XZ Utils, a Linux compression library, which was briefly taken over by a suspicious contributor who shipped malicious updates aimed at undermining SSH authentication. Luckily, the rogue versions (5.6.0 and 5.6.1) weren’t widely adopted, limiting real-world impact. However, if they had been broadly deployed—especially in embedded or firmware environments—the fallout could have been much worse. As the reliance on open source only grows, so does the importance of continuous monitoring, code signing, and stricter vendor risk assessment.
These incidents show how quickly a single supplier or identity service compromise can affect thousands of organizations. Sometimes, more details only emerge after weeks, revealing a bigger problem than originally reported. When widely used vendors or open-source libraries are attacked, the damage often extends far beyond one victim. Because so many companies rely on the same tools and providers, supply chain attacks remain one of the most serious threats in cybersecurity today.

2. Token and Cloud API Abuse
Session tokens have become a critical part of modern authentication flows. They let users stay logged in to web apps, cloud consoles, and enterprise services without repeatedly entering credentials. While this feels convenient, it also introduces new ways for attackers to slip through defenses—even in setups that use multi-factor authentication (MFA). If a token is stolen or forged, someone with malicious intent can bypass many security checks and move laterally with little friction.
Below are some practical points worth highlighting:
Token Forging (Lessons from High-Profile Breaches)
The Microsoft Storm-0558 incident showed that losing control of a signing key can be more damaging than a typical credential leak. If attackers can forge their own tokens, they’re suddenly able to impersonate users in multiple cloud services. For any organization relying on a major cloud or identity provider, it’s important to understand how those critical signing keys are protected—because if they’re compromised, you’ll want to detect and respond immediately.
Third-Party Integrations and Code Repositories
Many organizations rely on services like Slack, Teams, or analytics platforms, which connect via tokens or API keys. These secrets often end up in code repositories, config files, or logs. Attackers systematically comb through public GitHub repos to find them. Integrating scanning tools (e.g., GitGuardian or truffleHog) into your CI/CD pipeline can help detect these tokens before they become a liability.
Beyond Web Browsers
Token theft isn’t limited to standard web sessions. Many Office 365–integrated apps, mobile apps, backend microservices, or serverless functions rely on tokens that can offer broader network access than a local user account. Although LSASS (Local Security Authority Subsystem Service) is also a user-mode process, it often has stronger protections (for example, Credential Guard or Protected Process Light) that make direct memory access more difficult. In contrast, Office 365–integrated apps and other cloud-connected processes may not have those same security measures, which can make token extraction easier. Worse yet, these tokens can have privileges that extend into various cloud services, potentially causing greater damage than a compromised local account.
At a minimum, turning on logging or anomaly detection for internal API calls can help reveal suspicious token usage—meaning you’d track typical patterns of API calls (who calls what, how often, at what times, etc.) and flag any outliers. For instance, if a token with standard user permissions starts performing admin-like actions on backend systems, or if an unusual volume of calls occurs outside normal work hours, that could trigger an alert for further investigation.
Zero Trust Increases Token Value
In a zero-trust setup, every request is authenticated—usually via a token. When those tokens become the primary way of granting access, attackers will prioritize stealing or forging them. Requiring continuous validation, checking for abnormal IP addresses or login times, and limiting privileges to the bare essentials can mitigate some of these risks.
User Education & MFA
Even robust technical defenses can fail if employees share their tokens or accept rogue MFA prompts. Attackers keep finding new ways to trick users into handing over access, including real-time phishing tactics that intercept session cookies. Regularly updating security training—and emphasizing the changing face of phishing—is crucial.
By keeping an eye on token usage, scanning for accidental leaks, and teaching employees to question unusual login prompts, organizations can make token abuse more difficult for attackers. It’s not an all-encompassing fix, but it helps curb the most common ways threat actors leverage stolen or forged tokens.

3. Evading EDR in Heavily Monitored Environments
As Endpoint Detection and Response (EDR) solutions become more common on workstations and servers, attackers have adapted. Instead of dropping obvious malware onto well-monitored endpoints, they’ll often store malicious tools on older or unmonitored systems (e.g., network appliances, print servers, exotic systems, outdated embedded devices) and later pivot into the EDR-guarded zone. However, not all attackers stop there—some actively disable EDR agents on highly monitored endpoints to move about undetected.
Below are some recurring tactics we’re observing:
Relying on Legitimate Accounts
Attackers often hijack compromised user or admin accounts to access files, internal apps, or cloud services. Because these actions seem normal on the surface, they frequently slip past rule-based detections. Baselines of typical user behavior or alerting on suspicious account usage can help spot these scenarios.
Direct Attacks on EDR Agents
Some adversaries go beyond evasion and deliberately disable the EDR’s visibility on a targeted system. They may load a known vulnerable driver, gaining kernel privileges to unhook or kill the security agent altogether. Once the agent is neutralized, attackers can deploy tools or tamper with the OS without detection.
Minimizing Additional Tools
Rather than dropping custom executables (which EDR might flag), attackers use existing OS utilities (e.g., PowerShell, WMI) to escalate privileges, move laterally, or exfiltrate data. These “living off the land” techniques leave fewer artifacts and require closer scrutiny of standard processes to detect anomalies.
Staging Tools on Under-Protected Systems
Attackers often target devices that aren’t covered by modern EDR solutions—like older servers, virtual appliances, or networking appliances from vendors such as Fortinet, Ivanti, and Cisco. These devices not only suffer from recurring critical vulnerabilities but also offer limited logging and a restricted shell, making them hard to investigate thoroughly. By focusing on these “blind spots,” attackers can store malicious tools, launch deeper intrusions, and exfiltrate data without triggering the usual EDR alarms. If these systems aren’t regularly patched and closely watched, they remain a constant weak point in the network.
Layered Social Engineering
Gaining higher privileges often starts with subtle phishing or manipulation tactics. By impersonating help desk personnel, building rapport with employees, or sprinkling in accurate technical details, attackers trick people into revealing credentials. Once they have elevated access, they keep their actions low-key to avoid raising alarms.
Reconnaissance for Weak Spots
Attackers frequently scope out which endpoints are guarded by EDR or similar monitoring tools. They might read internal documentation or test quiet scans to see what triggers alerts. This reconnaissance phase is marked by caution—any loud move could blow their cover.
Stealthy Persistence
To avoid leaving clear IOCs, attackers combine Windows Registry modifications, scheduled tasks, or WMI event subscriptions with stolen tokens from valid sessions. A valid token may allow them to continuously re-authenticate without dropping any new binaries. In a large environment, this can linger for weeks if there are no specific checks for reused or anomalous tokens. Organizations need continuous, behavior-based monitoring to detect unexpected processes, modified configurations, and suspicious token usage.

4. Abuse of Legitimate Software
Attackers are increasingly swapping out traditional malware for legitimate software to evade detection. Whereas classic remote access trojans (RATs) often trigger antivirus and EDR alerts, legitimate tools like ConnectWise Control, Anydesk, NetSupport, TeamViewer, Atera, LogMeIn, or Splashtop usually fly under the radar because they’re widely used by IT teams. The same goes for built-in utilities and common third-party applications that aren’t inherently malicious. When adversaries exploit these, it’s harder for security products to flag the activity as unusual – especially in large organizations.
For a comprehensive list of remote monitoring and management (RMM) software that can be abused, check out LOLRMM.io. It’s a curated catalog of legitimate RMM tools that threat actors might leverage. Use it to inform your threat hunting, detection rules, and policy creation.

Here are some key trends we’re seeing:
Persistence Without Malware
Instead of deploying custom binaries, attackers install legitimate remote access software with benign-sounding names. Because these tools aren’t flagged as malicious, they help attackers remain on the network longer without triggering the usual alarms.
Lateral Movement with Built-in Tools
Beyond remote access, attackers also rely on built-in OS utilities (like net.exe, sc.exe, WMI, or even scheduled tasks) to explore and pivot across the environment. This strategy further masks their presence since they’re only using functionality that system administrators use daily.
Hiding in Plain Sight
Many threat actors register or reuse official-looking certificates and domain names (for example, connecting to “support.yourcompany.com”) to blend into real admin traffic. Security teams might notice some suspicious command sequences if they’re watching closely, but the software itself often goes unnoticed.
Configuration Backdoors
Some attackers don’t even need to run a process continuously. They alter configurations or schedules in existing tools. For instance, a legitimate remote management solution might be set to launch after hours, connecting back to an attacker-controlled server. Without a baseline of normal usage, it can be tough to see these modifications.
“Malware-less” Attacks
Because this approach doesn’t rely on a discrete piece of malware, it sidesteps many classic detection methods. Alerting on suspicious behaviors or unexpected connections becomes essential. Tools and processes that appear valid at first glance can still be used to exfiltrate data or execute commands silently.

5. AI-Aided Attacks – What’s Really Happening
For years, experts have debated the potential for game-changing AI-driven cyberattacks. While AI can streamline malicious operations, we’re not yet seeing radically new exploits. Instead, threat actors mostly use AI to speed up or automate tasks they already do—like writing scripts, debugging code, or crafting phishing lures.
Our findings align with recent analysis by the Google Threat Intelligence Group, who break down AI misuse into four broad categories:
Research & Reconnaissance
Attackers use AI to gather intelligence on target organizations, look up vulnerabilities, and sift through large data sets or open-source reports. This makes it easier for them to pinpoint weak spots and refine future exploits without manually combing through dense documentation.
Phishing & Social Engineering
AI-driven text generation helps create believable phishing messages in any language and can even spin up fake personas for social engineering or disinformation campaigns. The grammar is better, and the phrasing can be tailored to specific targets, reducing red flags.
Malware Development & Scripting
From coding new tools to obfuscating existing scripts, AI can automate much of the grunt work. Attackers—especially those with limited coding skills—gain the ability to produce or refine malicious software more quickly and with fewer errors.
Automation & Evasion
AI can assist with scripting tasks that bypass security measures, escalate privileges, and evade detection. It also lets attackers rapidly generate variants of known attacks, forcing defenders to react faster and update signatures or detections more often.
No Revolutionary Shift—Yet
Even with these AI-enabled efficiencies, there’s no sign of “AI-only” attacks or groundbreaking new exploits driven purely by machine learning. Most of the advantage lies in speed and scale: Threat actors spend less time writing or localizing content and more time on actual infiltration. The real concern going forward is the proliferation of powerful open-source AI models with minimal guardrails, which could further accelerate malicious automation and make these categories of misuse more accessible to a wider range of adversaries.
Conclusion
From supply chain attacks and token abuse to advanced evasion and the misuse of legitimate software, attackers are still relying on familiar methods—just with new twists and a growing interest in AI. Despite these evolving trends, unpatched appliances and missing MFA remain the most common pathways into an organization. While AI speeds up certain steps for attackers, it doesn’t turn breaches into an entirely new game. Instead, it’s an additional tool that defenders also need to adopt—otherwise, they risk falling behind.

Nextron’s Approach to Advanced Threat Detection
Nextron provides specialized digital forensics solutions designed to detect threats that traditional security tools often overlook. Our technology identifies unusual system behavior, hidden malicious activity, and sophisticated attacks that evade conventional antivirus and EDR products.
Our comprehensive signature set detects a broad spectrum of threats, including attacker toolkits, forensic traces, abuse of legitimate applications, and supply chain-based compromises. This extends to identifying “malware-free” intrusions, where adversaries operate without deploying conventional malware, making them difficult to detect.
Additionally, Nextron’s solutions support flexible scanning for unsupported or legacy systems that standard EDR platforms cannot monitor. This allows organizations to expand their detection coverage, ensuring a more comprehensive and actionable security posture across their entire environment.