In a significant shift in cybersecurity trends, the high-tech sector emerged as the most targeted industry for cyber-attacks in 2025, overtaking the financial services sector, which had long been the prime focus for cybercriminals. The finding comes from Mandiant’s latest incident response data, detailed in the M-Trends 2026 Report, published on March 23, 2026.
The report indicates that high-tech companies constituted 17% of all Mandiant investigations during the past year. This marked a noticeable leap compared to previous years, highlighting the evolving landscape of cyber threats and the strategies employed by threat actors. In stark contrast, financial services—which led in 2023 and 2024—accounted for 14.6% of investigations, underscoring a pivotal change in the cyber threat environment. Notably, other sectors, such as business and professional services, alongside the healthcare industry, also faced significant risks, comprising 13.3% and 11.9% of Mandiant’s investigations, respectively.
A critical metric highlighted in the report is the increase in global median dwell time—the duration an attacker remains undetected within a compromised environment. It rose from 11 days in 2024 to 14 days in 2025, signaling a troubling trend for organizations as they grapple with the effectiveness of their detection and response methods. This extended dwell time can be primarily attributed to cyber espionage campaigns linked to North Korean actors, which had a staggering median dwell time of 122 days. Such prolonged periods of undetected access increase the potential for data breaches and other malicious activities.
Throughout 2025, Mandiant and the Google Threat Intelligence Group (GTIG) investigated 91 incidents, comprising 83 malicious cyber campaigns and eight global cyber events. These coordinated attacks affected organizations across 73 countries, showcasing the far-reaching implications of these threats. Of these, Mandiant specifically investigated 35 of the campaigns and six of the global cyber events.
Among the notable trends in 2025 was the widespread adoption of the ClickFix social engineering technique, which attackers employed to prompt users into executing potentially harmful system-level commands. By masquerading as legitimate requests to rectify perceived issues, attackers drew in unsuspecting users, making ClickFix a significant threat vector for the year. Various lures, ranging from CAPTCHA verifications to software compliance checks, were leveraged effectively to carry out these attacks. Mandiant and GTIG noted a sharp increase in the number of threat clusters leveraging this technique, emphasizing the need for heightened user awareness and robust training.
In addition, the threat landscape saw an uptick in the tracking of new threat clusters and malware families. Research teams began monitoring 661 new threat clusters and identified 714 new malware families, swelling the total number of tracked clusters to over 5,000 and malware families to beyond 6,000. Investigations unveiled 288 distinct threat groups, of which 205 were newly tracked, although these figures were lower than the previous year’s numbers.
In discussing entry points for these cyber-attacks, Mandiant noted that vulnerability exploits remained the most frequently observed initial infection vector for the sixth consecutive year, accounting for 32% of investigations where an initial vector was identified. Meanwhile, the prevalence of voice phishing, or vishing, surged to 11%, highlighting a notable shift towards more interactive and human-led attack methods. Email phishing saw a decline, dropping sharply from 22% in 2022 to a mere 6% in 2025.
Cyber threat actors have increasingly abused native functionality in both cloud and on-premises environments to evade detection, a trend that underscores the need for organizations to adopt more vigilant and adaptive cybersecurity measures. Mandiant also reported a crucial shift among ransomware operators, who appear to have moved their primary objective from data theft to outright recovery denial. This strategy involves systematically targeting backup infrastructure and critical identity services to exploit vulnerabilities and complicate recovery efforts.
The landscape of cybersecurity in 2025 paints a concerning picture for organizations across sectors. As the nature of cyber threats morphs, it becomes crucial for entities to fortify their defenses, undergo continuous training, and stay updated on emerging trends to prevent falling prey to sophisticated cyber-attacks.

