The second quarter of 2025 was not (only) defined by zero days or headline ransomware. It was shaped by quiet persistence. While defenders focused on patching vulnerabilities and chasing big name groups, attackers leaned into techniques that blended into daily operations. These were not exploits that demanded attention. They were behaviors that slipped past controls, lived off the land, and abused the very systems we trust.
This edition highlights the tradecraft we saw most often in real environments. Each of these techniques shows that attackers don’t really need new custom malware if they can weaponize your help desk, hide in your serverless stack, or ride your developers’ tools. These are not IOC driven hunts. They are behavioral hunts that require context, pattern recognition, and a willingness to look where alerts rarely do.
Whether you have already spotted these behaviors or they are still hiding in plain sight, here are the techniques that defined Q2 and will likely stick with us through the end of the year.
Help Desk Social Engineering for MFA Bypass 📞
Attackers did not bother breaking MFA this quarter. They continued convincing your people to do it for them. By targeting IT help desks with voice based social engineering, they turned password resets and MFA enrollments into entry points. What looks like a normal support request on the surface quickly cascades into cloud account compromise, SSO abuse, and persistence through backup accounts.
Tactics: Initial Access, Persistence, Defense Evasion, Credential Access
Techniques:
T1566.004 – Phishing: Spearphishing Voice
Social engineering phone calls to reset credentials
T1078.004 – Valid Accounts: Cloud Accounts
Using reset credentials to access cloud and SaaS
T1556.006 – Modify Authentication Process: Multi-Factor Authentication
Registering attacker controlled MFA devices or disabling requirements
T1606.002 – Forge Web Credentials: SAML Tokens
Creating tokens after admin access to SSO platforms
T1136.003 – Create Account: Cloud Account
Establishing backup accounts for persistence
What You Should Be Looking For:
Help desk anomalies: off hours reset requests, callers failing secondary verification, repeated failed checks followed by approval
Post reset behaviors: first login from a new geography, MFA device enrollment within minutes, access to resources never touched before
Admin patterns: multiple resets by the same agent, emergency accounts created outside change control, modifications to SSO trust or conditional access policies
Identity provider red flags: new MFA devices added without removing old ones, SAML assertion changes, policy exceptions granted for individual users
Data Sources:
Help desk ticketing systems and call recordings
Identity provider audit logs (Azure AD, Okta, Ping)
VoIP and phone system logs
Cloud access logs (AWS CloudTrail, GCP Audit Logs)
HR systems for employee verification data
SIEM correlation of password reset to first authentication
MFA enrollment and device management logs
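The "password reset to first authentication" correlation above is the kind of logic a SIEM rule or a scheduled hunt script carries. The following is an added example written for this post, not code from any identity provider or from the original article: it walks identity-provider audit events (a constructed, simplified shape; map the event names to your Okta, Entra ID or Ping export), flags resets that are off hours or that are followed within a window by MFA enrollment or a sign-in from a geography the user has never used, and counts resets per help desk agent. The field names, the 30 minute window, the UTC business-hours assumption and the baseline of known geographies are all assumptions.

```python
"""Correlate help desk password resets with risky post-reset identity events.

Added example, not from the original post. Event shape is constructed to
resemble a generic identity-provider audit log; adapt the field mapping.
"""
from datetime import datetime, timedelta

# Constructed sample: one reset at 02:14 UTC followed within minutes by MFA
# enrollment and a sign-in from a new country; one benign daytime reset; one
# off-hours reset by the same agent with no follow-up.
SAMPLE_EVENTS = [
    {"ts": "2025-06-11T02:14:00Z", "user": "cfo@example.com",
     "event": "user.password.reset", "actor": "helpdesk.agent7", "geo": "US"},
    {"ts": "2025-06-11T02:19:30Z", "user": "cfo@example.com",
     "event": "user.mfa.factor.enroll", "actor": "cfo@example.com", "geo": "BR"},
    {"ts": "2025-06-11T02:21:10Z", "user": "cfo@example.com",
     "event": "user.session.start", "actor": "cfo@example.com", "geo": "BR"},
    {"ts": "2025-06-11T02:40:00Z", "user": "ciso@example.com",
     "event": "user.password.reset", "actor": "helpdesk.agent7", "geo": "US"},
    {"ts": "2025-06-11T09:05:00Z", "user": "dev@example.com",
     "event": "user.password.reset", "actor": "helpdesk.agent2", "geo": "US"},
    {"ts": "2025-06-11T09:30:00Z", "user": "dev@example.com",
     "event": "user.session.start", "actor": "dev@example.com", "geo": "US"},
]

# Constructed baseline: geographies each user has signed in from before.
KNOWN_GEOS = {"cfo@example.com": {"US"}, "dev@example.com": {"US"}, "ciso@example.com": {"US"}}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_off_hours(ts, start=6, end=20):
    """Assumed business window 06:00-20:00 UTC; anything else is off hours."""
    return ts.hour < start or ts.hour >= end


def correlate_resets(events, known_geos, window=timedelta(minutes=30)):
    """Return one finding per password reset that is off hours, or is followed
    within `window` by MFA enrollment and/or a sign-in from an unseen geography."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] != "user.password.reset":
            continue
        reset_time = parse_ts(ev["ts"])
        reasons = []
        if is_off_hours(reset_time):
            reasons.append("off_hours_reset")
        for later in events[i + 1:]:
            if later["user"] != ev["user"]:
                continue
            delta = parse_ts(later["ts"]) - reset_time
            if delta > window:
                break  # events are sorted, so nothing later is in the window
            if later["event"] == "user.mfa.factor.enroll":
                reasons.append(f"mfa_enroll_after_{int(delta.total_seconds() // 60)}m")
            if later["event"] == "user.session.start" and \
                    later["geo"] not in known_geos.get(ev["user"], set()):
                reasons.append(f"new_geo_login:{later['geo']}")
        if reasons:
            findings.append({"user": ev["user"], "agent": ev["actor"],
                             "reset_at": ev["ts"], "reasons": reasons})
    return findings


def resets_per_agent(events):
    """Count resets by help desk agent to surface the 'same agent, many resets' pattern."""
    counts = {}
    for ev in events:
        if ev["event"] == "user.password.reset":
            counts[ev["actor"]] = counts.get(ev["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in correlate_resets(SAMPLE_EVENTS, KNOWN_GEOS):
        print(f)
    print(resets_per_agent(SAMPLE_EVENTS))
```

The window is deliberately short: a legitimate user who just had a reset rarely enrolls a new MFA factor and signs in from a new country within the same half hour, so stacking those reasons on one reset is what separates a noisy rule from a useful one.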
Resources:
ReliaQuest: Scattered Spider CFO compromise detailed analysis
CrowdStrike: Scattered Spider Q2 2025 targeting aviation, insurance, retail
Scattered Spider targets UK retailers and US insurance companies
Picus Security: Simulating Scattered Spider TTPs for Detection
Serverless Function Persistence in Cloud Environments ☁️
Attackers are taking advantage of one of cloud’s biggest blind spots: serverless functions. What many teams treat as throwaway code has become a long term persistence layer. By abusing serverless deployments, adversaries can run malicious code on demand with no agent, no VM, and often no one noticing until the bill goes up.
Tactics: Persistence, Defense Evasion, Execution, Collection
Techniques:
T1525 – Implant Internal Image
Deploying malicious container images to serverless platforms
T1543.004 – Create or Modify System Process: Launch Daemon
Using cloud native scheduling for persistent execution
T1078.004 – Valid Accounts: Cloud Accounts
Leveraging service accounts and managed identities for access
T1552.005 – Unsecured Credentials: Cloud Instance Metadata API
Extracting credentials from function runtime environments
T1059.006 – Command and Scripting Interpreter: Python
Python based Lambda or Cloud Functions for flexibility
What You Should Be Looking For:
Function deployment anomalies: new functions created outside CI/CD, deployments from unknown accounts, suspicious names like “test” or “backup,” maxed out memory or time settings, functions in unused regions
Runtime behavior patterns: odd timers such as every 13 minutes, HTTP triggers from non application sources, cross account API calls, external API or IP communication, repeated failures followed by success
IAM and permission indicators: roles with broad admin rights, cross account role assumptions, service accounts dedicated to functions, functions that can create other functions, access to secrets managers
Code and configuration red flags: environment variables with base64 data, imports of unusual libraries, obfuscated or packed code, functions downloading remote payloads, use of temporary file systems for staging
Data Sources:
Cloud function logs (CloudWatch, Stackdriver, Application Insights)
Deployment events and configuration change logs
IAM role assumption logs
API Gateway or HTTP trigger access logs
Cloud billing anomalies
Source control systems for legitimate deployments
VPC network flow logs from functions
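The deployment, runtime and configuration red flags above can be scored directly from deployment and configuration change events. The following is an added example written for this post, not code from AWS or from the original article: it takes constructed, simplified CloudTrail-style records (the Lambda CreateFunction and EventBridge PutRule event names are real; the record shape here is trimmed), and tags each one with the indicators it matches: deployment by a principal outside the CI deploy role, a throwaway name, maxed memory or timeout, an unapproved region, an admin-looking execution role, base64 blobs in environment variables, and an odd schedule such as every 13 minutes. The CI_DEPLOYERS and APPROVED_REGIONS allow lists, the name patterns and the "common rates" set are assumptions to tune for your environment.

```python
"""Tag suspicious serverless deployments from audit events.

Added example, not from the original post. Events and allow lists are
constructed; adapt the field names to your own CloudTrail/Audit Log export.
"""
import base64
import re

CI_DEPLOYERS = {"arn:aws:iam::111122223333:role/ci-deploy"}  # assumed allow list
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}                 # assumed allow list
COMMON_RATES = {1, 5, 10, 15, 30, 60}                          # minutes; anything else is "odd"
THROWAWAY_NAME = re.compile(r"(test|backup|tmp|new)[-_]?\d*", re.I)

# Constructed sample events (simplified CloudTrail-like shape).
SAMPLE_EVENTS = [
    {"eventName": "CreateFunction20150331", "awsRegion": "ap-south-1",
     "userIdentity": "arn:aws:iam::111122223333:user/contractor",
     "requestParameters": {
         "functionName": "backup2", "memorySize": 3008, "timeout": 900,
         "role": "arn:aws:iam::111122223333:role/admin-everything",
         "environment": {"variables": {
             "CFG": base64.b64encode(b"constructed-stage-payload-placeholder-0000").decode()}}}},
    {"eventName": "PutRule", "awsRegion": "ap-south-1",
     "userIdentity": "arn:aws:iam::111122223333:user/contractor",
     "requestParameters": {"name": "backup2-tick", "scheduleExpression": "rate(13 minutes)"}},
    {"eventName": "CreateFunction20150331", "awsRegion": "us-east-1",
     "userIdentity": "arn:aws:iam::111122223333:role/ci-deploy",
     "requestParameters": {
         "functionName": "orders-api", "memorySize": 512, "timeout": 30,
         "role": "arn:aws:iam::111122223333:role/orders-api-exec",
         "environment": {"variables": {"STAGE": "prod"}}}},
]


def looks_base64(value, min_len=24):
    """True for reasonably long strings that decode cleanly as base64."""
    if len(value) < min_len or not re.fullmatch(r"[A-Za-z0-9+/=]+", value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def score_event(ev):
    """Return the list of indicator tags one event matches (empty means nothing odd)."""
    reasons = []
    p = ev.get("requestParameters", {})
    if ev["eventName"].startswith("CreateFunction"):
        if ev["userIdentity"] not in CI_DEPLOYERS:
            reasons.append("deploy_outside_ci")
        if THROWAWAY_NAME.fullmatch(p.get("functionName", "")):
            reasons.append("suspicious_name")
        if p.get("memorySize", 0) >= 3008 or p.get("timeout", 0) >= 900:
            reasons.append("maxed_resources")
        if ev["awsRegion"] not in APPROVED_REGIONS:
            reasons.append("unused_region")
        if re.search(r"admin", p.get("role", ""), re.I):
            reasons.append("broad_role")
        for name, val in p.get("environment", {}).get("variables", {}).items():
            if looks_base64(val):
                reasons.append(f"base64_env:{name}")
    elif ev["eventName"] == "PutRule":
        m = re.fullmatch(r"rate\((\d+) minutes?\)", p.get("scheduleExpression", ""))
        if m and int(m.group(1)) not in COMMON_RATES:
            reasons.append(f"odd_timer:{m.group(1)}m")
    return reasons


def flag(events):
    """Map function/rule name -> reasons for every event that matched at least one indicator."""
    out = {}
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            p = ev["requestParameters"]
            out[p.get("functionName") or p.get("name")] = reasons
    return out


if __name__ == "__main__":
    for name, reasons in flag(SAMPLE_EVENTS).items():
        print(name, reasons)
```

Single indicators such as a large timeout are common in legitimate workloads; the value is in the stack. A function created by a non CI principal, in a region you do not use, with an admin role and a base64 environment variable, paired with a rule that fires on an unusual cadence, is a much stronger signal than any one of those alone.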
Resources:
Supply Chain Attacks via AI Powered Development Tools 🤖
Last quarter we tracked malicious open source packages. This quarter attackers moved further upstream by targeting the tools developers rely on. Malicious IDE extensions and AI coding assistants are quietly exfiltrating source code, secrets, and credentials under the guise of productivity. Compromising developer workstations does not just hit one system. It poisons the supply chain.
Tactics: Initial Access, Execution, Persistence, Collection
Techniques:
T1195.001 – Supply Chain Compromise: Compromise Software Dependencies
Malicious IDE extensions targeting developers
T1059.006 – Command and Scripting Interpreter: Python
Payloads embedded in development environments
T1005 – Data from Local System
Stealing source code, credentials, and API keys from developer machines
T1213.003 – Data from Information Repositories: Code Repositories
Exfiltrating code from connected repositories
T1606.001 – Forge Web Credentials: Web Cookies
Stealing session tokens from developer browsers
What You Should Be Looking For:
IDE extension anomalies: suspiciously named extensions, low download but high permission extensions, new publishers, obfuscated JavaScript in manifests
Developer tool behavior: IDE spawning unexpected network connections, extensions calling external APIs, clipboard monitoring, file system scans for sensitive patterns, process injection into IDEs
AI coding assistant abuse: odd prompts sent to AI services, suggestions containing encoded payloads, AI tools accessing files outside project scope, configuration modifications, outbound traffic to non vendor IPs
Credential and secret theft: rapid reads of credential locations, environment variable enumeration, Git config and repo cloning, SSH and GPG key access, cloud CLI credential file reads
Data Sources:
IDE extension marketplace and installation logs
Developer workstation EDR telemetry
Network traffic from developer subnets
Code repository access logs and API calls
CI/CD pipeline logs showing unusual package downloads
Corporate proxy logs for developer tools
AI service API usage logs
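Several of the extension and credential theft indicators above can be checked statically before an extension is allowed onto developer workstations. The following is an added example written for this post, not code from any IDE vendor, marketplace or the original article: it takes a constructed extension manifest, constructed marketplace metadata (install count and publisher age) and constructed JavaScript source, and reports a new publisher with few installs, activation on every startup, eval or dynamic Function use, child_process loading, clipboard reads, references to credential file locations, endpoints outside the vendor's domains, and long high entropy string literals. The thresholds, the credential path list and the vendor domain allow list are assumptions.

```python
"""Static triage of an IDE extension for common supply chain indicators.

Added example, not from the original post. Manifest, metadata and source
below are constructed; thresholds and allow lists are assumptions.
"""
import math
import re
from urllib.parse import urlparse

CREDENTIAL_PATHS = {
    "aws_credentials": r"\.aws/credentials", "ssh_dir": r"\.ssh/", "gitconfig": r"\.gitconfig",
    "npmrc": r"\.npmrc", "gcloud_config": r"\.config/gcloud", "azure_dir": r"\.azure/",
    "docker_config": r"\.docker/config\.json",
}
DANGEROUS_CALLS = {
    "eval_call": r"\beval\s*\(",
    "dynamic_function": r"new\s+Function\s*\(",
    "child_process": r"require\(\s*['\"]child_process['\"]\s*\)",
    "clipboard_read": r"clipboard\.readText\s*\(",
}


def shannon_entropy(s):
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def analyze_extension(manifest, metadata, source, vendor_domains):
    """Return a list of indicator tags; an empty list means nothing matched."""
    findings = []
    if metadata.get("installs", 0) < 500 and metadata.get("publisher_age_days", 0) < 30:
        findings.append("new_publisher_low_installs")
    if "*" in manifest.get("activationEvents", []):
        findings.append("activates_on_every_startup")
    for tag, pat in DANGEROUS_CALLS.items():
        if re.search(pat, source):
            findings.append(tag)
    for tag, pat in CREDENTIAL_PATHS.items():
        if re.search(pat, source):
            findings.append(f"credential_path:{tag}")
    for url in re.findall(r"https?://[^\s'\"`)]+", source):
        host = urlparse(url).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in vendor_domains):
            findings.append(f"external_endpoint:{host}")
    # Long base64-looking literals with high entropy often hide packed code.
    for lit in re.findall(r"['\"]([A-Za-z0-9+/=]{40,})['\"]", source):
        if shannon_entropy(lit) > 4.0:
            findings.append("high_entropy_literal")
    return findings


VENDOR_DOMAINS = {"vendor.example"}  # assumed: domains the publisher legitimately calls

# Constructed suspicious extension: brand-new publisher, starts on every launch,
# references credential paths, calls an unrelated host, evals a packed blob.
SUSPICIOUS_MANIFEST = {"name": "ai-autocomplete-pro", "publisher": "devtools-helper",
                       "activationEvents": ["*"], "main": "./out/extension.js"}
SUSPICIOUS_META = {"installs": 42, "publisher_age_days": 3}
SUSPICIOUS_SOURCE = '''
const os = require("os"); const fs = require("fs");
const cp = require("child_process");
const credPath = os.homedir() + "/.aws/credentials";
const sshDir = os.homedir() + "/.ssh/";
const endpoint = "https://203.0.113.77/collect";
const blob = "kX9qL2mZ7vR4tB8nW1cY5pH3jF6dG0sAuE4oI7yK2wM9rT6xV1zQ3eN8iU5aP0lS";
eval(Buffer.from(blob, "base64").toString());
'''

# Constructed benign extension for comparison.
BENIGN_MANIFEST = {"name": "vendor-completions", "publisher": "vendor",
                   "activationEvents": ["onLanguage:python"], "main": "./out/extension.js"}
BENIGN_META = {"installs": 120000, "publisher_age_days": 900}
BENIGN_SOURCE = '''
const vscode = require("vscode");
async function complete(text) {
  const r = await fetch("https://api.vendor.example/v1/complete", {method: "POST", body: text});
  return r.json();
}
'''

if __name__ == "__main__":
    print(analyze_extension(SUSPICIOUS_MANIFEST, SUSPICIOUS_META, SUSPICIOUS_SOURCE, VENDOR_DOMAINS))
    print(analyze_extension(BENIGN_MANIFEST, BENIGN_META, BENIGN_SOURCE, VENDOR_DOMAINS))
```

This is a pre-install gate, not a replacement for the EDR and proxy telemetry listed above: a benign extension can legitimately read the clipboard or spawn a process, and a malicious one can fetch its payload at runtime so the static source looks clean. Treat a hit as a reason to inspect, and pair it with the network and file access telemetry from developer workstations.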
Resources:
Datadog Q2 2025: MUT-9332 threat actor targets Solidity developers
CyberNews: Lazarus Group floods npm and PyPI with malicious packages
Conclusion
These are a few of the behaviors we bumped into in Q2. They might have been in a few headlines, but they showed up again and again in real environments. What are you seeing that does not fit the usual patterns? Drop us a comment with the living off the land techniques in your environment and we may feature your idea in the next From the Fire!