State-Backed IT Workers Are Now a Cybersecurity Threat

The latest M-Trends 2025 report by Mandiant reveals a stark shift in cyberattack patterns. From insider threats to stolen credentials, attackers are moving faster than defenses can adapt—and they’re now embedding themselves into businesses as state-sponsored IT workers.

Every year, Mandiant’s M-Trends offers frontline insight into the evolving threat landscape, based on hundreds of thousands of hours spent investigating security breaches. But this year, the headline is different: credential theft and insider infiltration have overtaken traditional tactics like phishing, and North Korea is leading the charge.

Why Credential Theft Now Beats Phishing in the Cyber Threat Arsenal

According to M-Trends 2025, the most common entry point for attackers is still software exploits, making up 33% of initial access. However, a big shake-up comes next. Stolen credentials (16%) have now passed phishing emails (14%) as the second most popular way attackers break in.

This shift is no accident. Over time, security tools have gotten better at blocking phishing attacks. Operating systems have tightened defenses. And users are more cautious than ever. So, attackers are turning to what’s easier: stolen login credentials. Infostealers like RedLine, Raccoon, and Vidar are widely used to scoop up login data, which then floods dark web markets. It’s faster and often more effective than baiting someone with a suspicious email.

But phishing isn’t going away—it’s just changing. Rather than being the main method of infection, phishing is now used to support broader attacks, like tricking users into handing over credentials or bypassing multi-factor authentication. This evolution means defenders need to focus less on blocking emails and more on managing passwords, rotating credentials, and enforcing strong MFA.

DPRK Remote Workers: A New Breed of Insider Threat

One of the most striking updates in M-Trends 2025 is the classification of North Korean IT workers as a standalone threat group: UNC5267. This move highlights the growing concern over rogue contractors who appear legitimate but work under state direction.

These workers often secure freelance jobs through intermediaries and quietly infiltrate Western companies. Since internet access in North Korea is tightly controlled, their activities almost certainly have state backing. Once inside, they can earn hard currency for the regime and, more dangerously, steal sensitive data or set up future attacks.

McKenzie of Mandiant likens this to the early days of ransomware. Initially, it seemed like a localized U.S. problem. But before long, it exploded globally. The same could happen here. DPRK operatives, embedded in companies today, might become tomorrow’s advanced persistent threats (APTs)—but without the usual infrastructure that defenders can easily dismantle.

That’s what makes this threat different. These aren’t attackers who can be traced to a server or a malware signature. They’re people on your team, working remotely, doing real jobs—until they’re not.

The Real Message of M-Trends 2025

If there’s one lesson from M-Trends 2025, it’s that cyber threats are not just growing—they’re maturing. Attackers are thinking long-term. They’re patient, stealthy, and increasingly inside the system rather than attacking from the outside.

Security teams can’t just react anymore. They must proactively improve credential hygiene, invest in behavioral monitoring, and stay alert to the risks posed by external contractors or remote hires. Especially now that cybercrime intersects with geopolitics, prevention isn’t just technical—it’s strategic.

M-Trends 2025 doesn’t just outline these shifts. It warns that ignoring them may soon come at a high price.
