Data and Trends
M-Trends 2025 data is based on more than 450,000 hours of Mandiant Consulting investigations. The metrics are based on investigations of targeted attack activity conducted between Jan. 1, 2024 and Dec. 31, 2024. Key findings in M-Trends 2025 include:
- 55% of threat groups active in 2024 were financially motivated, which marks a steady increase, and 8% of threat groups were motivated by espionage.
- Exploits continue to be the most common initial infection vector (33%), and for the first time stolen credentials rose to the second most common in 2024 (16%).
- The top targeted industries include financial (17.4%), business and professional services (11.1%), high tech (10.6%), government (9.5%), and healthcare (9.3%).
- Global median dwell time rose to 11 days from 10 days in 2023. Global median dwell time was 26 days when external entities notified, 5 days when adversaries notified (notably in ransomware cases), and 10 days when organizations discovered malicious activity internally.
M-Trends 2025 dives deep into the aforementioned infostealer, cloud, and unsecured data repository trends, and several other topics, including:
- Democratic People’s Republic of Korea deploying citizens as remote IT contractors, using false identities to generate revenue and fund national interests.
- Iran-nexus threat actors ramping up cyber operations in 2024, notably targeting Israeli entities and using a variety of methods to improve intrusion success.
- Attackers targeting cloud-based stores of centralized authority, such as single sign-on portals, to gain broad access.
- Increased targeting of Web3 technologies such as cryptocurrencies and blockchains for theft, money laundering, and financing illicit activities.
Recommendations for Organizations
Each article in M-Trends 2025 offers critical recommendations for organizations to enhance their cybersecurity postures, with several of them being applicable to multiple trends. We advise that organizations:
- Implement a layered security approach that emphasizes sound fundamentals such as vulnerability management, least privilege, and hardening.
- Enforce FIDO2-compliant multi-factor authentication across all user accounts, especially privileged accounts.
- Invest in advanced detection technologies and develop robust incident response plans.
- Improve logging and monitoring practices to identify suspicious activity and reduce dwell time.
- Consider threat hunting exercises to proactively search for indicators of compromise.
- Implement strong security controls for cloud migrations and deployments.
- Regularly assess and audit cloud environments for vulnerabilities and misconfigurations.
- Mitigate insider risk by practicing thorough vetting processes for employees (especially remote workers), monitoring for suspicious activity, and enforcing strict access controls.
- Keep up-to-date with the latest threat intelligence, adapt security strategies accordingly, and regularly review and update security policies and procedures to address evolving threats.
Be Ready to Respond
The M-Trends mission has always been to equip security professionals with frontline insights into the latest evolving cyberattacks and to provide practical and actionable learnings for better organizational security.
Read the full M-Trends 2025 report today, and register for our M-Trends 2025 webinar series for a more in-depth look at the data, topics, and recommendations discussed in the report. The M-Trends 2025 Executive Edition is also available, featuring a high-level look at the data and trends, along with key recommendations.