An IT analyst was rushing to meet a deadline, trying to access a critical vendor’s portal. When the login page lagged, they re-entered their credentials. What they didn’t know was that a sophisticated phishing attempt, which appeared urgent and referenced specific internal projects, had already harvested their login details. They had just walked into a cybercriminal’s trap.
This scenario highlights the evolving reality detailed in the “2025 Threat Actor Tradecraft” report from the Public Safety Threat Alliance (PSTA). The PSTA threat intelligence team actively monitors and evaluates cyber threats to public safety agencies and mission-critical systems, including 911 call handling, Computer-Aided Dispatch (CAD) and radio communications.
Their work provides actionable, no-cost cyber threat intelligence to help agencies protect their critical infrastructure against evolving threats. The report confirms that in 2025, adversaries have adopted more effective and efficient techniques, requiring an immediate adjustment in defensive priorities.
Phishing takes the lead in initial access
A core shift identified in the 2025 report is how threat actors gain initial access to victim networks. The PSTA analyst team has observed sophisticated phishing scams as the leading initial access attack vector used against public safety agencies, overtaking valid account abuse.
Phishing accounted for 26 percent of total observed initial access tradecraft in 2025. This represents an 18 percent increase in successful phishing attempts compared to 2024. These campaigns are designed to trick users into revealing their personal information or credentials.
AI paves the way for more sophisticated attacks
This growth is directly tied to threat actors’ integration of generative AI tools. These tools allow attackers to craft compelling phishing emails and even fraudulent text message communications. These AI-enhanced social engineering campaigns are often grammatically flawless, context-specific and scalable. This allows them to blend seamlessly with the victim’s organization and sometimes evade traditional spam filters.
Threat actors rely on these phishing campaigns not only for initial compromise but also reconnaissance. They use them to gather sensitive information, such as credentials and multi-factor authentication processes, before they have fully gained access to the network.
The enduring threat of valid accounts
Valid accounts (legitimate usernames and passwords) were used less for initial access this year, dropping to 21 percent, a 17 percent decrease from 2024. However, they remain the top techniques used in later attack stages: persistence, privilege escalation and defense evasion. The use of valid accounts was the primary evasion technique, accounting for 11 percent of the tactics, techniques and procedures observed.
Adversaries favor valid accounts because they can mimic activity that closely resembles legitimate user actions, bypassing traditional detection systems that focus on identifying malicious binaries or anomalies. This makes valid accounts a reliable means of maintaining undetected access, which can eventually lead to a significant data breach or devastating ransomware attacks.
Alongside valid accounts, threat actors are increasingly leveraging “living off the land” (LoTL) strategies, utilizing existing system tools and utilities already present on victim systems to evade detection. Prominent LoTL techniques observed included process injection, registry modification and the use of built-in utilities such as PowerShell to quietly extract data without introducing external malware. These methods are frequently used by advanced persistent threats (APTs), including those sponsored by nation-states, to remain hidden for long periods.
Cloud is the new default for exfiltration
Exfiltration techniques (the unauthorized removal or transfer of data from a network) also underwent a significant shift in 2025. Adversaries transitioned \from traditional command-and-control (C2) exfiltration to favor cloud and web service channels. This shift occurred because traditional C2, in which attackers used dedicated, malicious servers to steal data, became easier for cybersecurity defenses and law enforcement to identify and block. Attackers now prefer using legitimate cloud platforms such as Google Drive, Dropbox and OneDrive to steal information. This is a more effective method because data transfers blend seamlessly with regular business activity, making them much more challenging to detect and block. This stolen information from public agencies can then be found for sale on the dark web.
Exfiltration over web services and cloud accounts accounted for 58 percent of the total exfiltration tradecraft observed in 2025. The use of web services for staging or exfiltrating data increased by 25 percent in tradecraft.
This trend highlights that attackers are leveraging legitimate cloud platforms to blend their data theft traffic into regular organizational activity, making detection more difficult. For security professionals, this means they cannot rely solely on blocking malicious activity; they must implement robust security measures and diligently monitor real-time abnormal egress traffic (outbound network traffic from an internal system or network).
Strengthening public safety defenses together
The 2025 threat landscape reveals adversaries relying on straightforward, repeatable and scalable methods to execute cyber attacks. They often exploit known vulnerabilities in employee security knowledge, account controls and cloud governance. To effectively counter the full range of these evolving tactics, public safety organizations must prioritize behavioral analytics, account protection and enhanced endpoint visibility.
This Cybersecurity Awareness Month, we invite you to deepen your understanding of these threat actor techniques by joining the PSTA. The PSTA is an Information Sharing and Analysis Organization (ISAO) recognized by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that provides actionable, no-cost intelligence to public safety agencies to help them defend against cyber threats. Combining intelligence from its own research and from public and private sector partners, the PSTA offers members resources such as threat analysis, dark web monitoring and monthly analyst calls to improve their cybersecurity posture.
