CyberCX 2025 Threat Report reveals cyber landscape is changing

Melbourne, Australia – 10 February 2025


  • Espionage incidents are going unnoticed for longer, rising to an average time to detect (TTD) of more than 400 days
  • Business Email Compromise (BEC) remained the top incident type in 2024
  • 75% of BEC attacks involved attackers bypassing multi-factor authentication (MFA)
  • Healthcare was the most impacted sector, followed by financial services

CyberCX, Australia and New Zealand’s leading cyber security provider, has released its annual Threat Report for 2025, revealing that business email compromise (BEC) remained the top incident type responded to by the company’s Digital Forensics and Incident Response team (DFIR) and that espionage-related incidents are taking more than two weeks longer to discover than in 2023.

Using data from a sample of serious incidents CyberCX’s DFIR team responded to in 2024, the report highlights a range of important cyber trends including:

  • Espionage incidents are taking longer to detect – the average time-to-detect (TTD), or the number of days between the start of an attack and its discovery, grew to 404 days for espionage incidents, up from 390 in 2023. By comparison, the average TTD for financially motivated cyber attacks was 24 days. About 5% of the incidents that make up this data were espionage related.
  • Multi-factor authentication (MFA) is not a silver bullet – phishing kits capable of session hijacking (Adversary-in-the-Middle kits) are now involved in 75% of BEC attacks, up from 10% in 2022. These attacks allow threat actors to bypass MFA and appear to be a response by attackers to the continued proliferation of MFA as a frontline security tool.
  • Healthcare remained the most impacted industry – at 17% of incidents, healthcare was the dominant affected industry in 2024, followed by financial services (11%) and education (8%). The most impacted sectors are all industries that hold significant amounts of sensitive personal data.
  • Vast majority of cyber incidents are financially motivated – Financial gain remained the most common threat actor motivation at 65% of incidents, followed by incidents where the motivation was unknown (27%) and espionage (5%).
  • Significant increase in ransomware-only attacks – Cyber extortion incidents where the threat actor deployed ransomware but did not steal data made up 38% of incidents in 2024 compared to 13% in 2023. There was a roughly corresponding decrease in cases involving only data theft extortion in the same period, from 27% in 2023 to 9% in 2024.
  • Some stolen data is never advertised on the dark web – About a quarter of data theft victims who did not pay a ransom never had their stolen data advertised on a data leak site (DLS) or forum, indicating that not paying a ransom doesn’t automatically mean their data will be published. This represents a significant portion of data theft victims and it is unknown why attackers do not publish this data or what they do with it.

Hamish Krebs, Executive Director of Digital Forensics and Incident Response at CyberCX said: “Despite the best efforts of defenders over the past 12 months, the global cyber threat landscape has continued to deteriorate as adversaries evolve their tactics and up the tempo of attacks.

“Malicious actors are moving into your cloud infrastructure more than ever before, cyber extortion groups continue to iterate their foul business despite well publicised disruption by global law enforcement, and the widespread deployment of tools like Endpoint Detection and Response (EDR) is driving changes to the way adversaries compromise networks. MFA is not enough, Managed Service Providers (MSPs) are still a weak point, and legacy infrastructure sticks out like a sore thumb when it comes to an organisation’s security posture.

“The CyberCX 2024 Threat Report reflects the hard-learned insights from incidents we responded to in 2024. Our hope is that what we have seen can help organisations and security teams better understand the threat landscape and bolster their cyber defences by allocating their limited resources to match the changing tactics of attackers.”

You can access the full DFIR Threat Report 2025 here: https://cybercx.com.au/resource/dfir-threat-report-2025/

 

ENDS

 


About CyberCX

CyberCX is the leading provider of end-to-end cyber security and cloud services. With a workforce of 1,400 cyber security professionals, CyberCX is a trusted partner to private and public sector organisations, helping customers confidently manage cyber risk, respond to incidents, and build resilience in an increasingly complex and challenging threat environment.

 

