2025 Unit 42 Global Incident Response Report: Social Engineering Edition
Palo Alto Networks’ Unit 42 reports that social engineering dominated initial access vectors in the May 2024-2025 period, evolving into a highly reliable and scalable intrusion method driven by five key factors: consistent bypass of technical controls, the rise of high-touch attacks enabling privilege escalation in under 40 minutes, low detection coverage creating exploitable gaps, increasing business disruption with over half leading to data exposure, and AI acceleration of campaign scale and realism. The report identifies two distinct attack models: high-touch compromise targeting specific individuals through real-time manipulation (exemplified by groups like Muddled Libra), and at-scale deception including ClickFix campaigns using fake browser prompts and SEO poisoning that accounted for over 60% of web-initiated attacks. Manufacturing emerged as the most targeted sector for social engineering attacks, with 66% targeting privileged accounts and financial motivation driving 93% of incidents, while traditional phishing represented 65% of social engineering cases despite growing adoption of non-email vectors including voice-based lures and help desk manipulation.