2025 Unit 42 Global Incident Response Report: Social Engineering Edition

An introductory overview of Unit 42's recent report
Recently, along with a wealth of other industry-critical information and resources, Palo Alto’s Unit 42 published its incident response report on social engineering. As an area of practice that has always fascinated me—as more art than science—this immediately grabbed my attention and almost forced me to start taking notes. With this in mind, we as a team are heading out over the next few weeks to dig deeper into social engineering and help you pick out the golden kernels you need.

The report argues that social engineering has matured into one of the most reliable and high-impact intrusion vectors. Rather than relying solely on zero-days or novel exploits, attackers increasingly target identity systems, human workflows and trust relationships. In many of the incidents analyzed, social engineering was the initial access vector, and success hinged more on process and control gaps than on advanced technical sophistication. The authors contend that defenders must shift their mindset: social engineering should be treated as a systemic, identity-centric threat, not merely a user-education problem. Detection, identity controls, conditional access and behavioural analytics are central to the response posture.

Key Findings & Trends

Prevalence of Social Engineering as Initial Access

Social engineering was the root cause in 36% of all incident response engagements during the covered period. While phishing remains the dominant mechanism, a significant proportion of attacks now use non-phishing methods, including SEO poisoning, fake system prompts and direct manipulation of help desks.

High-Touch Attacks Escalating Privilege Quickly

In “high-touch” campaigns, adversaries impersonate internal staff, exploit help desk processes or use voice lures to bypass MFA or identity verification procedures. The report cites cases in which attackers escalated from initial compromise to domain administrator in under 40 minutes, using only built-in tools and social pretexts. Threat groups such as Muddled Libra, state-aligned actors (e.g. Agent Serpens) and synthetic insider campaigns run by North Korean actors are highlighted.

Rise of At-Scale (Low-Touch) Deception Campaigns

Beyond targeted attacks, social engineering is increasingly automated and scalable. The “ClickFix” model illustrates this: adversaries use fake browser or system prompts, SEO-boosted malicious landing pages, malvertising or spoofed update alerts to induce users to initiate the compromise themselves. ClickFix campaigns often begin with credential harvesting or information stealers, then escalate via loaders or remote access tools.

Telemetry & Attribution Insights

Among incidents that originated with social engineering, 66% targeted privileged accounts and 45% used internal impersonation. Voice-based or callback methods were used in around 23% of these cases. The motive in nearly all social engineering cases (93%) was financial gain. The rate of data exposure following a social engineering incident was 60%, significantly higher than the baseline across all intrusion types.

Control Gaps & Detection Deficiencies

The success of these attacks is tied less to extreme sophistication than to gaps in process, tooling and human response. Key issues include alert fatigue, misclassification of anomalous behaviour, over-permissioned access and weak identity recovery procedures. Many organizations lacked mature Identity Threat Detection and Response (ITDR) or User and Entity Behavior Analytics (UEBA) capabilities, reducing their ability to detect lateral movement or post-compromise escalation.

Recommendations for Defenders

To mitigate evolving social engineering risks, Unit 42 offers a set of prescriptive countermeasures: ...
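The control-gap section above makes the point that each step of a help-desk-driven takeover looks benign on its own (an MFA reset, a new factor, a sign-in, a group change) and only the sequence is suspicious, which is exactly what alert fatigue hides. The following is an added example of ITDR/UEBA-style sequence correlation written for this post; it is not code from the Unit 42 report or from any vendor. The event schema, field names, stage names and all sample telemetry are constructed assumptions, and the 40-minute window reuses the escalation time the report cites.

```python
"""
Identity-event chain detector (added example, constructed data).

Raises one alert when, for the same user, a help-desk-performed MFA reset is
followed within WINDOW by enrolment of a new MFA factor, a sign-in from an
unfamiliar device and addition to a privileged group. The follow-on stages
may occur in any order; only the reset must come first.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


# Hypothetical flattened record, as an identity provider or SIEM might export.
# Field names are assumptions for this example, not any vendor's schema.
@dataclass(frozen=True)
class IdentityEvent:
    ts: datetime
    user: str
    action: str            # "mfa_reset", "mfa_enroll", "login" or "group_add"
    actor: str             # who performed the action (the user or a help-desk agent)
    device_known: bool = True
    detail: str = ""       # free text: group name, ticket channel, app, ...


FOLLOW_ON = ("mfa_enroll", "login", "group_add")
PRIVILEGED_GROUPS = {"Domain Admins", "Global Administrators"}
WINDOW = timedelta(minutes=40)   # escalation time cited in the report


@dataclass
class Alert:
    user: str
    started: datetime
    completed: datetime
    chain: list[IdentityEvent] = field(default_factory=list)

    @property
    def minutes(self) -> float:
        return (self.completed - self.started).total_seconds() / 60


def _stage_matches(stage: str, ev: IdentityEvent) -> bool:
    """Return True if the event satisfies the named stage of the chain."""
    if ev.action != stage:
        return False
    if stage == "mfa_reset":
        return ev.actor != ev.user          # reset done on the user's behalf
    if stage == "login":
        return not ev.device_known          # sign-in from an unfamiliar device
    if stage == "group_add":
        return ev.detail in PRIVILEGED_GROUPS
    return True                              # mfa_enroll: any new factor counts


def detect_helpdesk_takeover(events: list[IdentityEvent]) -> list[Alert]:
    """Return one Alert per user whose events complete the chain inside WINDOW."""
    alerts: list[Alert] = []
    by_user: dict[str, list[IdentityEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):      # tolerate out-of-order input
        by_user.setdefault(ev.user, []).append(ev)

    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            if not _stage_matches("mfa_reset", start):
                continue
            pending = set(FOLLOW_ON)
            matched = [start]
            for ev in evs[i + 1:]:
                if ev.ts - start.ts > WINDOW:
                    break                               # window closed without a full chain
                for stage in list(pending):
                    if _stage_matches(stage, ev):
                        matched.append(ev)
                        pending.discard(stage)
                        break
                if not pending:
                    alerts.append(Alert(user, start.ts, ev.ts, matched))
                    break
            if not pending:
                break                                   # one alert per user is enough
    return alerts


def _t(hhmm: str) -> datetime:
    return datetime(2025, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample telemetry: one takeover, one benign self-service reset,
# and one help-desk reset whose privilege change falls outside the window.
SAMPLE_EVENTS = [
    IdentityEvent(_t("09:02"), "j.doe", "mfa_reset", "helpdesk.agent7", detail="phone ticket"),
    IdentityEvent(_t("09:07"), "j.doe", "login", "j.doe", device_known=False, detail="vpn"),
    IdentityEvent(_t("09:05"), "j.doe", "mfa_enroll", "j.doe", device_known=False, detail="authenticator"),
    IdentityEvent(_t("09:31"), "j.doe", "group_add", "j.doe", detail="Domain Admins"),
    IdentityEvent(_t("10:00"), "a.smith", "mfa_reset", "a.smith"),
    IdentityEvent(_t("10:03"), "a.smith", "login", "a.smith", device_known=True),
    IdentityEvent(_t("11:00"), "k.lee", "mfa_reset", "helpdesk.agent2", detail="phone ticket"),
    IdentityEvent(_t("11:04"), "k.lee", "mfa_enroll", "k.lee", device_known=False),
    IdentityEvent(_t("11:06"), "k.lee", "login", "k.lee", device_known=False),
    IdentityEvent(_t("13:30"), "k.lee", "group_add", "k.lee", detail="Domain Admins"),
]

if __name__ == "__main__":
    for a in detect_helpdesk_takeover(SAMPLE_EVENTS):
        print(f"ALERT {a.user}: help-desk reset to privileged group in {a.minutes:.0f} min")
        for ev in a.chain:
            print(f"  {ev.ts:%H:%M} {ev.action:<10} actor={ev.actor} {ev.detail}")
```

Run as-is it reports only j.doe: the self-service reset on a known device never starts a chain, and k.lee's privilege change 2.5 hours after the reset is outside the window and would need a separate, longer-horizon rule. The point of keying on the help-desk reset as the chain start is that it is the one stage an identity-verification process gap produces; tuning then means deciding which follow-on stages and window your own recovery procedure should never legitimately produce.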