What's in store for 2025? No one knows for sure, but experts at Okta have made some educated guesses, especially as they relate to the company's core business of identity management and protection.
"We can't anticipate every malicious tactic," says Okta Regional CSO Brett Winterford, Director of Threat Analysis and Research Tim Peel, and Senior Manager of Identity Threat Research Moussa Diallo in a company blog post. But, they add, "we can identify some of the troubling security trends most likely to continue and expand in 2025."
Here's what they predict, plus some ways to mitigate these anticipated threats.
1. Craftier phishing kits.
Pre-packaged bundles of software designed to help you cajole individuals out of their usernames and passwords have been around for many years, with some being freely available to anyone in the name of threat prevention.
More recently, however, we've seen the emergence of phishing-as-a-service (PhaaS), including paid services like ONNX and FishXProxy that are designed to target organizations as well as individuals, and often provide full support to wanna-be cybercriminals who lack the skills (or perhaps the patience) to configure and deploy a phishing kit.
Some of these phishing kits can even defeat "impossible travel" detection by spoofing or proxying Internet Protocol addresses near the targeted individual's known location, negating a powerful weapon in the fraud detector's arsenal.
There's also a broad trend of attackers turning legitimate protection services against their users. Phishers are no exception, and they've learned to hijack the anti-phishing URL protection services used by many organizations, corrupting the "sanitized" links these services create to replace suspicious links. It's like having your security guards replaced by crooks in uniform.
And of course, there's AI. A recent study found that three-quarters of phishing kits offered in online criminal forums touted some sort of AI capability, and more than 80% said they could "deepfake" certain features.
To mitigate the anticipated improvements in phishing kits, Okta recommends that organizations implement phishing-resistant forms of authentication, such as passkeys, number-matching push notifications, hardware keys like Yubikeys and Okta's own FastPass system.
The company also suggests blocking IP-anonymizing services like Tor and residential-network proxy services. And it's never a bad idea to give your employees additional awareness training on how to spot and defeat phishing attempts.
2. The return of device-based attacks.
As phishing-resistant forms of multi-factor authentication become more commonplace, and as communications are more strongly encrypted, it's getting harder to steal credentials by fooling users into handing them over or intercepting them in transit.
Okta foresees a further uptick in device-based attacks that don't depend on fake websites or cracked messages to steal information but can instead grab credentials directly from the endpoint devices' user interfaces.
"When persistent attackers can no longer rely on phishing as a tactic, they'll pivot to something else," write Diallo, Peel and Winterford.
Android users are already familiar with spyware apps, especially those from "off-road" app stores, that can take screenshots of passwords as they're being entered or of one-time passcodes as they're displayed.
Web browsers on Windows, MacOS and Linux can be compromised by extensions and add-ons that steal credentials and session cookies, often permitting account hijacking "post-authentication," after the user has logged in.
In the near future, we might see sophisticated attacks against smartphone- and laptop-based passkeys. The private-key components of passkeys are meant to be unique and stored only in secure enclaves in individual devices.
But for the sake of user convenience, these private keys are often transmitted to other devices through Microsoft and Google password managers and Apple Keychain, creating potential avenues of interception and attack.
We could also see greater usage of router-based attacks. Too many small-office and home-office routers are already susceptible to attack, especially if they've reached end-of-life or never had their default admin passwords changed. Once an attacker controls a router, they can draft it into a proxy botnet to anonymize criminal activity (see above), change its DNS settings so that users redirect to phishing sites, and log all URL requests.
Okta recommends that organizations mandate employee usage of managed devices, including conducting business only on managed Macs or PCs and demanding mobile device management (MBM) implementation on user-owned smartphones if those phones access company resources.
All devices should have endpoint detection and response (EDR) or antivirus software installed. Organizations should also manage browsers and consider implementing a secure enterprise browser.
3. Business processes will become targets.
Much as attackers have learned to "live off the land" by maliciously using Microsoft Windows' own tools, such as PowerShell and the Windows Registry, Okta predicts that the next step is to compromise businesses by exploiting flaws in how they conduct day-to-day business.
"Not all security threats to your business will involve vulnerabilities in your tech stack," say Diallo, Peel and Winterford. "Instead, some clever attackers will look to exploit weaknesses in your business processes."
For example, the Okta bloggers point out, an attacker may conduct reconnaissance by posing as a new employee and calling a company helpdesk technician to ask for help with software and onboarding procedures.
Likewise, a couple of hours on LinkedIn can give an attacker many details about a company's internal hierarchy as well as the names of actual employees. An hour or two on Facebook will tell the attacker if any employees are on vacation and may plausibly need to unexpectedly log in from a tropical beach.
Help desks are already prime targets for social engineering, as the MGM Entertainment attack in August 2023 demonstrated. More recently, we've seen a leading access-management provider compromised by a state-sponsored attacker as part of a campaign against U.S. government systems.
To thwart such threats, Okta suggests implementing robust employee-verification methods, both during the hiring and onboarding process and whenever an employee contacts the help desk. Such steps can be as simple as the helpdesk taking a message, which can be passed on to an IT staffer who calls back the employee on a known telephone number.
4. Expanded downgrade attacks.
Mobile-device security experts are familiar with downgrade attacks, such as when an attacker-controlled cell tower forces nearby phones to "downgrade" from 5G or 4G communications to less secure 3G or 2G.
There are several similar attacks involving web pages. For example, a malicious web server might force a requesting client to downgrade to a less secure form of TLS/SSL, or even turn off secure communications altogether.
More recently, it's been demonstrated that Windows Update itself can be exploited to secretly force PCs to revert to less secure builds of Windows. Wi-Fi network names can be spoofed to force devices to connect to hotspots using less secure protocols.
Okta thinks that we'll see more downgrade attacks involving social engineering. A bogus helpdesk technician might instruct employees of a targeted organization to disable phishing-resistant MFA or to stop using hardware authentication keys.
Downgrade attacks based on outdated network protocols can be prevented by disabling backward compatibility. But socially engineered attacks aren't as simple to defeat. Okta recommends forbidding fallbacks to phishing-susceptible authentication factors, e.g. one-time passcodes transmitted via SMS. It also advises educating employees about such attempts.
5. AI everywhere.
Believe the hype — generative artificial intelligence makes phishing, deepfakes and other forms of social engineering much easier. Okta expects more outrageous stories along the lines of the Hong Kong employee who was fooled into transferring $25 million by a conference call in which all of his "colleagues" were in fact animated deepfakes generated by AI.
Rigging the live deepfake conference call likely took quite a bit of time and money, but ChatGPT and other large-language models are inexpensive. In early 2024, Microsoft and OpenAI disclosed that Russian, Chinese, North Korean and Iranian state-sponsored attackers were using ChatGPT; in August, a study found that 40% of business email compromise attacks used AI.
As AI built into operating systems, such as Microsoft Copilot, becomes more commonplace, expect malware to use those features to "live off the land" and improve its attacks.
AI can also automate the creation and delivery of spear-phishing emails, from gathering data about potential targets to maintaining conversational message threads once the targets are on the hook. And as technology improves, creating convincing deepfakes, especially purely audio ones, will be more accessible to even low-level crooks.
"Given the staggering rate of innovation in this space, it would be wise to expect to see deepfakes go real time in 2025 and to start thinking about ways to mitigate that threat," write Diallo, Peel and Winterford. "Companies should create a culture where the workforce feels empowered to push back when they feel like leaders are making unreasonable, potentially suspicious requests."
