LevelBlue: VPN Gateways, Social Engineering Drove 2025 Attacks

Network and VPN flaws dominated 2025 attacks as threat actors bypassed authentication through social engineering, LevelBlue SpiderLabs reports.

Written By
Luis Millares
Jan 9, 2026

Network devices and VPN gateways were the most commonly exploited attack surfaces in 2025, as threat actors increasingly bypassed authentication by manipulating employees into granting access, according to LevelBlue SpiderLabs’ 2025 Threat Trends Analysis.

Multi-stage attacks blend phishing, voice calls, and extortion

According to the report, threat actors in 2025 increasingly bypassed defenses by convincing employees to grant access themselves, often without triggering traditional security alerts.

In particular, LevelBlue’s Incident Readiness and Response team highlighted three major campaigns and trends observed in 2025:

  • A surge in multi-stage social engineering campaigns that escalate from phishing or phone calls into data theft and extortion
  • Widespread abuse of legitimate remote access and collaboration tools, helping attackers blend into normal enterprise activity
  • Increased use of psychological manipulation paired with technical exploitation by threat groups such as Luna Moth and Akira

Luna Moth targets law firms and financial institutions through fake IT support

Threat group Luna Moth was linked to numerous incidents involving data theft and extortion, with professional services organizations, including law firms and financial institutions, among its primary targets.

LevelBlue observed that the group’s operations often begin with a phishing email that impersonates a member of an organization’s internal IT or security team.

Victims are then directed to call a fake helpdesk number, where the threat actor convinces them to install or authorize remote access tools such as Zoho Assist or Atera. Once access is established, the group pivots to data exfiltration from the compromised device.

Following exfiltration, Luna Moth reportedly harasses and pressures victim organizations into paying a ransom.


Exploiting VPN vulnerabilities and SEO poisoning

The cybersecurity company also found that the Akira threat group was exploiting two vulnerabilities in SonicWall firewalls to gain initial access to organizations’ environments and then carry out follow-on attacks.

The report highlighted CVE-2024-40766 and CVE-2024-53704, both of which enabled cybercriminals to establish an initial foothold in targeted environments.

In addition, LevelBlue pointed to incidents of SEO poisoning, in which attackers planted spoofed domains in search engine results and used them to trick victims into installing a malicious version of RVTools.

Once the installer was executed, the Bumblebee malware was deployed, enabling attackers to move laterally, harvest credentials, and install persistent remote access tools.


Microsoft Quick Assist and Teams used to deliver ransomware

Finally, LevelBlue observed threat actors using Microsoft Quick Assist to conduct social engineering campaigns that ultimately led to ransomware deployment.

These attacks began with voice calls or Microsoft Teams messages from an external account, convincing victims that they were receiving technical support from their internal IT or security team.

During the interaction, the attacker persuaded the victim to launch Quick Assist and share access to their device. Because Quick Assist runs in the context of the logged-in user, granting access gave the attacker the same privileges as the victim.

From there, the threat actor executed malicious commands and deployed multiple persistence mechanisms on the compromised system.


LevelBlue urges defenders to prioritize behavioral detection

In light of these trends, LevelBlue expects attackers to continue leaning on social engineering to advance their campaigns, urging defenders to adapt by protecting against human-focused threats rather than relying solely on traditional defenses.

“While traditional threats, such as phishing and vulnerability exploitation, [persist], attackers increasingly rely on impersonation to achieve their goals,” LevelBlue said.

“Placing greater emphasis on focused behavioral detection rather than heuristics is necessary to remain vigilant and ahead of threat actors.”
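The Quick Assist chain described above (external Teams contact, remote-access tool launched under the user's own account, then persistence) and LevelBlue's call for behavioral rather than purely heuristic detection both come down to the same defensive idea: a single remote-access tool launch is normal, but a launch followed within minutes by persistence or bulk transfer is not. The following detector is an added illustration, not code from LevelBlue or from the report. The process names in the watchlist, the follow-on event categories, the 60-minute window, and all telemetry lines are constructed assumptions; the report does not say which persistence mechanisms were used, so an organisation would substitute the event types its own EDR emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMED process names for the remote-access tools the report names; replace
# with the names your own software inventory actually records.
REMOTE_ACCESS_TOOLS = {"quickassist.exe", "zohoassist.exe", "ateraagent.exe"}

# ASSUMED follow-on event categories that should not normally appear within
# minutes of an ad-hoc helpdesk session on a workstation.
SUSPICIOUS_FOLLOW_ON = {
    "scheduled_task_created",
    "run_key_added",
    "service_installed",
    "large_outbound_transfer",
}

# Window after the tool launch in which follow-on activity is correlated (assumption).
WINDOW = timedelta(minutes=60)

# CONSTRUCTED sample telemetry, not real logs. Tuple fields: time, host, user, event, detail.
SAMPLE_EVENTS = [
    ("2025-06-03T09:58:00", "WS-117", "jdoe", "teams_external_message", "sender=helpdesk@external.example"),
    ("2025-06-03T10:02:00", "WS-117", "jdoe", "process_start", "quickassist.exe"),
    ("2025-06-03T10:11:00", "WS-117", "jdoe", "process_start", "powershell.exe"),
    ("2025-06-03T10:15:00", "WS-117", "jdoe", "scheduled_task_created", "\\Updater"),
    ("2025-06-03T10:16:00", "WS-117", "jdoe", "run_key_added", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    # Legitimate helpdesk session on another host: tool launched, only ordinary activity follows.
    ("2025-06-03T13:00:00", "WS-042", "asmith", "process_start", "quickassist.exe"),
    ("2025-06-03T13:20:00", "WS-042", "asmith", "process_start", "outlook.exe"),
    # Persistence with no preceding remote-access session: outside this rule's scope.
    ("2025-06-03T15:00:00", "WS-090", "svc_build", "scheduled_task_created", "\\Nightly"),
]


def parse(events):
    """Turn the raw tuples into (datetime, host, user, event, detail) records."""
    return [(datetime.fromisoformat(t), h, u, e, d) for t, h, u, e, d in events]


def detect(events, window=WINDOW):
    """Return one alert per remote-access tool launch that is followed, within
    `window`, by persistence or bulk-transfer activity by the same user on the
    same host. An external Teams message shortly before the launch raises severity,
    mirroring the lure described in the report."""
    alerts = []
    by_session = defaultdict(list)
    for ev in sorted(parse(events)):
        by_session[(ev[1], ev[2])].append(ev)

    for (host, user), evs in by_session.items():
        for i, (t0, _, _, etype, detail) in enumerate(evs):
            if etype != "process_start" or detail.lower() not in REMOTE_ACCESS_TOOLS:
                continue
            follow = [
                (t, e, d)
                for t, _, _, e, d in evs[i + 1:]
                if t - t0 <= window and e in SUSPICIOUS_FOLLOW_ON
            ]
            if not follow:
                continue  # a bare tool launch is ordinary helpdesk activity
            external_contact = any(
                e == "teams_external_message" and t0 - t <= window
                for t, _, _, e, _ in evs[:i]
            )
            alerts.append({
                "host": host,
                "user": user,
                "tool": detail,
                "started": t0.isoformat(),
                "follow_on": [(t.isoformat(), e, d) for t, e, d in follow],
                "external_contact": external_contact,
                "severity": "high" if external_contact else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["user"], alert["tool"])
        for when, event, detail in alert["follow_on"]:
            print("   ", when, event, detail)
```

Run against the constructed sample, only WS-117 produces an alert (rated high because an external Teams message preceded the launch); the legitimate session on WS-042 and the unrelated scheduled task on WS-090 stay silent. The rule keys on sequence and timing rather than on any single indicator, which is what lets it survive attackers switching from one legitimate tool to another.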

Last year, we spoke with LevelBlue CIO Maria Cardow, who underscored the importance of recognizing people as a significant attack surface in modern cybersecurity strategies. Read more about her insights on how organizations can refocus on the human element to strengthen defenses and reduce risk.
