Netskope named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Service Edge. Get the report

  • Why Netskope chevron

    Changing the way networking and security work together.

  • Our Customers chevron

    Netskope serves more than 3,000 customers worldwide including more than 25 of the Fortune 100

  • Our Partners chevron

    We partner with security leaders to help you secure your journey to the cloud.

Still Highest in Execution.
Still Furthest in Vision.

Learn why 2024 Gartner® Magic Quadrant™ named Netskope a Leader for Security Service Edge the third consecutive year.

Get the report
Netskope Named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Service Edge graphic for menu
We help our customers to be Ready for Anything

See our customers
Woman smiling with glasses looking out window
Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.

Learn about Netskope Partners
Group of diverse young professionals smiling
Your Network of Tomorrow

Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.

Get the white paper
Your Network of Tomorrow
Introducing the Netskope One Platform

Netskope One is a cloud-native platform that offers converged security and networking services to enable your SASE and zero trust transformation.

Learn about Netskope One
Abstract with blue lighting
Embrace a Secure Access Service Edge (SASE) architecture

Netskope NewEdge is the world’s largest, highest-performing security private cloud and provides customers with unparalleled service coverage, performance and resilience.

Learn about NewEdge
Netskope Cloud Exchange

The Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.

Learn about Cloud Exchange
Netskope video
The platform of the future is Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG), and Private Access for ZTNA built natively into a single solution to help every business on its journey to Secure Access Service Edge (SASE) architecture.

Go to Products Overview
Netskope video
Next Gen SASE Branch is hybrid — connected, secured, and automated

Netskope Next Gen SASE Branch converges Context-Aware SASE Fabric, Zero-Trust Hybrid Security, and SkopeAI-powered Cloud Orchestrator into a unified cloud offering, ushering in a fully modernized branch experience for the borderless enterprise.

Learn about Next Gen SASE Branch
People at the open space office
Designing a SASE Architecture For Dummies

Get your complimentary copy of the only guide to SASE design you’ll ever need.

Get the eBook
Make the move to market-leading cloud security services with minimal latency and high reliability.

Learn about NewEdge
Lighted highway through mountainside switchbacks
Safely enable the use of generative AI applications with application access control, real-time user coaching, and best-in-class data protection.

Learn how we secure generative AI use
Safely Enable ChatGPT and Generative AI
Zero trust solutions for SSE and SASE deployments

Learn about Zero Trust
Boat driving through open sea
Netskope achieves FedRAMP High Authorization

Choose Netskope GovCloud to accelerate your agency’s transformation.

Learn about Netskope GovCloud
Netskope GovCloud
  • Resources chevron

    Learn more about how Netskope can help you secure your journey to the cloud.

  • Blog chevron

    Learn how Netskope enables security and networking transformation through security service edge (SSE)

  • Events and Workshops chevron

    Stay ahead of the latest security trends and connect with your peers.

  • Security Defined chevron

    Everything you need to know in our cybersecurity encyclopedia.

Security Visionaries Podcast

How to Use a Magic Quadrant and Other Industry Research
In this episode Max Havey, Steve Riley and Mona Faulkner dissect the intricate process of creating a Magic Quadrant and why it's much more than just a chart.

Play the podcast
How to Use a Magic Quadrant and Other Industry Research podcast
Latest Blogs

Read how Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Read the blog
Sunrise and cloudy sky
SASE Week 2023: Your SASE journey starts now!

Replay sessions from the fourth annual SASE Week.

Explore sessions
SASE Week 2023
What is Security Service Edge?

Explore the security side of SASE, the future of network and protection in the cloud.

Learn about Security Service Edge
Four-way roundabout
  • Company chevron

    We help you stay ahead of cloud, data, and network security challenges.

  • Leadership chevron

    Our leadership team is fiercely committed to doing everything it takes to make our customers successful.

  • Customer Solutions chevron

    We are here for you and with you every step of the way, ensuring your success with Netskope.

  • Training and Certification chevron

    Netskope training will help you become a cloud security expert.

Supporting sustainability through data security

Netskope is proud to participate in Vision 2045: an initiative aimed to raise awareness on private industry’s role in sustainability.

Find out more
Supporting Sustainability Through Data Security
Thinkers, builders, dreamers, innovators. Together, we deliver cutting-edge cloud security solutions to help our customers protect their data and people.

Meet our team
Group of hikers scaling a snowy mountain
Netskope’s talented and experienced Professional Services team provides a prescriptive approach to your successful implementation.

Learn about Professional Services
Netskope Professional Services
Secure your digital transformation journey and make the most of your cloud, web, and private applications with Netskope training.

Learn about Training and Certifications
Group of young professionals working

Cloud and Threat Report: Top Adversary Tactics and Techniques

light blue plus
This edition of the Netskope Cloud and Threat Report focuses on the tactics and techniques that were most commonly used against Netskope customers during the first nine months of 2023, with Wizard Spider targeting more organizations than any other group.
Dark cloud over the sunset
17 min read

Report Highlights link link

test answer
  • Spearphishing links and attachments are the top initial access techniques tracked by Netskope Threat Labs this year, with adversaries successfully tricking victims into opening the links and attachments via email, voice, text, social media, and search engines.
  • User execution is the top execution technique, with adversaries having the highest rate of success in tricking their victims into downloading Trojans when they host them using popular cloud apps.
  • For command and control and data exfiltration, adversaries are heavily favoring the use of HTTP and HTTPS to fly under the radar and blend in with benign traffic.
  • The majority of adversary activity on the Netskope Security Cloud platform comes from criminal adversaries, with the most activity attributable to Wizard Spider, a Russian group responsible for creating the TrickBot malware.
  • The financial services and healthcare industry verticals have the highest percentage of activity attributable to geopolitical adversary groups on the Netskope Security Cloud platform.


Executive Summary link link


Cybersecurity is a battle between two opponents: Defenders who seek to protect their users, their data, and their systems, and adversaries, who seek to harm and exploit them. The defender’s most valuable tool is their knowledge of the adversary. As defenders, we seek to understand the adversary’s motivations and objectives, as well as the tactics and techniques they use to achieve those objectives. We then design our systems to be resilient to those tactics and techniques and implement controls to detect adversary activity.

This edition of the Netskope Cloud and Threat Report focuses on the tactics and techniques that were most commonly used against Netskope customers during the first nine months of 2023. To facilitate more efficient communication and understanding, we present this report in terms of the MITRE ATT&CK framework. The framework provides comprehensive categorization of adversary tactics and techniques as well as grouping and naming of adversaries.

Globally, Netskope customers were most commonly targeted by criminal adversaries, with Wizard Spider targeting more organizations than any other group. Information stealers and ransomware remained popular tools employed by financially motivated adversaries. Less-common were geopolitically motivated adversaries, whose most popular tools were remote access Trojans that create backdoors into the organizations they target.

Geography and industry are significant factors in determining which adversaries are likely to target an organization. Geopolitical adversaries tend to target specific regions and industries for their intellectual property, while financially motivated adversaries tend to develop playbooks optimized for targeting similar organizations, where they can recycle tactics and techniques with minimal customization. We round out this report by exploring which are the most active adversaries in multiple industry verticals and geographic regions.


Top Techniques link link

This section explores the most common tactics and techniques used by adversaries to gain access to their targets’ systems, execute malicious code, and communicate with compromised systems. We highlight four tactics where the Netskope Security Cloud platform provides visibility, and highlight the six most commonly observed techniques within those tactics:

  • Initial Access The techniques adversaries use to get into their targets’ systems.
  • Execution The techniques adversaries use to run malicious code.
  • Command and Control The techniques adversaries use to communicate with compromised systems.
  • Exfiltration The techniques adversaries use to steal information from their victims.


Initial Access: Spearphishing

When remote access to a system is locked down and the system is patched against known security vulnerabilities, the easiest way for an adversary to access that system is often through its users. For that reason, social engineering techniques have continued to be a mainstay of the adversary playbook. For example, initial access during the September 2023 MGM hack was achieved through vishing (voice phishing) by calling the victim’s helpdesk. Among the various Phishing techniques, Spearphishing Links and Spearphishing Attachments are two of the most popular on the Netskope Security Cloud Platform in 2023.

Analyzing the phishing links victims clicked on can provide insights into where adversaries are having the most success targeting their victims. By a large margin, users most frequently clicked phishing links targeted cloud apps, with one-third of those phishing links targeting Microsoft products. This is not surprising, as Microsoft OneDrive is the single most popular cloud app in the enterprise by a large margin, alongside other Microsoft products including SharePoint, Outlook, and Teams.

Top Phishing Targets by Links Clicked

Top Cloud Phishing Targets by Links Clicked

How are adversaries tricking their victims into clicking on phishing links? While email continues to be a very common channel, the success rate there is fairly low for multiple reasons. First, organizations tend to employ sophisticated anti-phishing filters to block phishing emails from ever reaching their victims. Second, organizations typically train their users to be able to recognize phishing emails. In response, attackers are using a variety of other tactics to reach their victims:

Search engine optimization (SEO) – Adversaries create web pages that employ SEO techniques to ensure they are listed on popular search engines, including Bing and Google. The pages are typically crafted around data voids–specific sets of keywords that don’t have many results–and are targeted toward specific demographics.

Social media and messaging apps – Adversaries abuse popular social media apps (like Facebook) and messaging apps (like WhatsApp) to reach their victims using a variety of different baits.

Voice and text messages – Mobile devices often lack the security controls present on more traditional devices like laptops, making them a popular target for phishing attacks. Calling or texting victims are becoming increasingly popular methods to spread phishing links.

Personal email accounts – Personal email accounts tend to have less strict anti-phishing controls, so more phishing emails are able to reach their victims. Because personal email accounts are often used on the same systems the victims use for work, phishing for access to sensitive organization-managed assets via personal email accounts can be a highly successful strategy for adversaries.

Spearphishing attachments are a special type of phishing where the adversary uses attachments both to create an air of legitimacy–typically these attachments look like professional invoices–and also to bypass security controls that don’t inspect attachments. While there is some variety in the types of files adversaries use for phishing attachments–Microsoft Excel spreadsheets, ZIP files, etc.–most of these file types are rare. A staggering 90% of phishing attachments are PDFs designed to entice victims into clicking on a phishing link.

Top Phishing Attachment Types

Similar to phishing links, adversaries spread phishing attachments over multiple channels, including personal email. The number of phishing attachments downloaded by victims spiked to more than triple its baseline level in August as adversaries began having more success by sending their baits to their victim’s personal Microsoft Live email accounts. Over the past nine months, there were 16 times as many users who downloaded a phishing attachment from a personal webmail app compared to users downloading phishing attachments from managed organization webmail apps.

Phishing Attachment Download Volume Over Time


Execution: User Execution

Social engineering isn’t limited to initial access. Adversaries also depend on users to execute malicious payloads that provide clandestine remote access, steal sensitive information, or deploy ransomware. Convincing a target user to execute a malicious payload often requires the user to click a Malicious Link or otherwise download and execute a Malicious File. Adversaries are constantly trying new ways to trick victims into doing so, and Netskope Threat Labs tracks those changes in our monthly reports. There are two overarching themes that have dominated 2023. First, adversaries are most successful in convincing their victims to download malicious files when those files are delivered via cloud apps. So far this year, an average of 55% of the malware that users attempted to download was delivered via cloud apps.

Malware Delivery, Cloud vs. Web

Second, the apps where the highest number of malware downloads were attempted were also some of the most popular cloud apps in use in the enterprise. Microsoft OneDrive, the most popular cloud app in the enterprise, took the top spot with more than one-quarter of all cloud malware downloads. In total, adversaries were successful in enticing users to download malware for execution from 477 distinct cloud apps so far this year.

Top Apps for Malware Downloads


Command and Control and Exfiltration

After an adversary has successfully executed a malicious payload in a victim’s environment, they often need to establish a channel to communicate with the compromised system, which is where command and control comes into play. The most common command and control technique adversaries used in 2023 was Application Layer Protocol: Web Protocols, which was often coupled with Exfiltration over C2 Channel. Adversaries have multiple options for creating command and control channels, including using a C2 framework like CobaltStrike, abusing a popular cloud app, or creating their own custom implementation.

Stealth is an important feature of a command and control channel. Not only does the adversary need to communicate with the compromised system, they also need to avoid detection when doing so. For this reason, adversaries are increasingly using HTTP and HTTPS over ports 80 and 443 as their primary C2 communication channels. HTTP and HTTPS traffic is highly likely to be allowed from an infected system and will blend in with the abundance of HTTP and HTTPS traffic already on the network. Contrast this approach with malware that communicate over rarely used ports or protocols, such as IRC or FTP. Such communication would be comparatively easy to detect and easy to block, even with a layer-3 firewall and especially with a layer-7 firewall. Based on an analysis of tens of thousands of malware samples detected in 2023, HTTP (80) and HTTPS (443) were the favorite C2 and data exfiltration protocols by a large margin, used by more than two-thirds of malware samples. The next most popular protocol was DNS, followed by a variety of other rarely used ports and protocols.

Top Malware Communication Ports


Adversary Analysis link link

Netskope Threat Labs tracks adversaries that are actively targeting Netskope customers to better understand their motivations, tactics, and techniques. We then leverage that information to help our customers defend their systems against those adversaries. The adversaries that Netskope Threat Labs tracks generally fall into two categories, based on their motivations.

The primary objective of criminal adversary groups is financial gain, and their toolset typically includes information stealers and ransomware. Extortion has been an extremely profitable business for cybercriminals for the past several years, with an estimated $457 million in ransom payments made in 2022. Most criminal adversaries have diversified their operations to use both ransomware and infostealers to increase the odds of a victim paying up. If encrypting their systems with ransomware wasn’t enough to convince them to pay, perhaps the public release of sensitive information stolen from the organization would help. Although we attempt to label each criminal adversary group according to the country in which they operate, many groups work transnationally. Furthermore, many are now operating in an affiliate model, making their operations even more dispersed. As a result, we typically associate a group with the country or region from which its core members are believed to be located.

Geopolitical adversary groups are motivated by geopolitical issues. They are typically either nation-states or their proxies, and their activities typically mirror broader political, economic, military, or social conflicts. For example, Russian adversary groups launched cyberattacks against Ukraine that coincided with their invasion of that country. Geopolitical groups typically engage in cyber operations against other nation-states, and such operations have become a critical component of modern international relations. The lines between geopolitical and criminal adversaries sometimes blur, with some geopolitical groups also engaging in financially motivated activities. For example, the current North Korean regime funds development of its missile program via cybercrime. The specific cyber-operations undertaken by geopolitical adversaries vary, including cyber-espionage against government and non-government organizations and sabotaging critical infrastructure to destabilize an adversary. Geopolitical adversaries also engage in information warfare, spreading propaganda, manipulating public opinion, and influencing popular elections.

Attributing activity to a specific adversary group can be challenging. Adversaries try to hide their true identities or even intentionally launch false-flag operations wherein they try to make their attacks appear as though they came from another group. Multiple groups often use the same tactics and techniques, some going as far as to use the same exact tooling or even share infrastructure. Even defining adversary groups can be challenging, as groups evolve or members move between groups. For these reasons, adversary attributions are fuzzy and subject to change and evolve as new information comes to light. In the remainder of this report, we present stats about the adversary activities observed on the Netskope Security Cloud platform and the groups most likely responsible for those activities.


Top Adversary Groups

The top adversary group targeting users of the Netskope Security Cloud platform was Wizard Spider (a.k.a. UNC1878, TEMP.MixMaster, Grim Spider), a Russia-based criminal adversary credited with creating the TrickBot malware. The TrickBot malware was originally created as a banking Trojan, but has since evolved into a complex malware platform containing information stealing, lateral movement, command and control, and data exfiltration components. As is typical of criminal adversary groups, Wizard Spider has targeted a wide variety of victim organizations with ransomware. Among the tactics and techniques used by Wizard Spider include the six techniques highlighted in this report around spearphishing, user execution, and command and control.

Other active criminal adversary groups relying heavily on ransomware included TA505 (a.k.a. Hive0065), who is responsible for the Clop ransomware, and FIN7 (a.k.a. GOLD NIAGARA, ITG14, Carbon Spider), who used the REvil ransomware and created the Darkside ransomware. While the top criminal adversary groups targeting Netskope customers are Russian and Ukrainian, the top geopolitical adversary groups are Chinese, led by memupass (a.k.a. Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH) and Aquatic Panda, both of whom have targeted a variety of different types of organizations worldwide.


Geographic and Industry Differences

Geography and industry are significant factors in determining which adversaries are likely to target an organization. Geopolitical adversaries tend to target specific regions and industries for their intellectual property, while financially motivated adversaries tend to develop playbooks optimized for targeting similar organizations, where they can recycle techniques with minimal customization. By industry vertical, there are two that stand out: financial services and healthcare. In those two verticals, the split between criminal and geopolitical adversary activities is nearly 50/50. Meanwhile in the other industry verticals, the split is closer to 80/20. This indicates that organizations in the financial services and healthcare sector are more commonly targeted by geopolitical adversaries.

Adversary Motivations by Target Industry

These differences are also apparent when comparing the likely sources of the adversary activity in each industry. Because many of the criminal adversaries we are tracking are located in Russia, the industries with the highest percentage of criminal activity also have the highest percentages of activity attributable to groups based in Russia. Meanwhile, financial services and healthcare (the industries targeted by more geopolitical adversaries) have a more even mixture of adversaries targeting them from Russia, the Middle East, and China. The other adversary locations not shown in the chart below include North Korea, Pakistan, India, Vietnam, and Nigeria.

Industry Adversary Activity

By region, the most active adversaries also differ significantly, with two stand-out regions: Australia and North America. Both of these regions stand out by having the highest percentage of adversary activity attributable to criminal groups.This indicates that users in the US and Australia are more likely to be targeted by criminal adversaries, whereas in other parts of the world, the split of geopolitical and criminal adversary activity is closer to 50/50.

Adversary Motivations by Target Region

The breakdown of regional adversary activity follows a similar pattern as the industry data: the regions targeted by criminal groups tend to be targeted by groups based in Russia, while the regions with a higher percentage of geopolitical activity tend to see a more significant percentage of adversary activity attributed to geopolitical groups in China.

Regional Adversary Activity



The Mitre ATT&CK framework provides a common language for adversary groups, their tactics, and their techniques. Defenders can use this framework to determine whether their defenses are appropriately matched against their adversaries. For each of the techniques discussed in this report, this section provides specific recommendations.

Initial Access: Spearphishing Links
Implement anti-phishing defenses that go beyond email to ensure that users are protected against spearphishing links no matter where they originate. A SWG solution that inspects DNS traffic, cloud traffic, and web traffic for evidence of phishing can prevent users from visiting spearphishing links regardless of origin, using signatures and intelligence to protect against known phishing threats and AI to protect against unknown and targeted threats. Netskope customers can configure their Netskope NG-SWG to protect against phishing. Remote Browser Isolation (RBI) technology can provide additional protection when there is a need to visit websites in categories that can present higher risk, like newly observed and newly registered domains, personal webmail, and social media.

Initial Access: Spearphishing Attachments
While spearphishing link protections can also help protect against users that click on links in spearphishing attachment, a more robust defense will provide additional protections against users downloading spearphishing attachments. Because they can come from multiple sources, an effective strategy will inspect all HTTP and HTTPS downloads, including all web and cloud traffic, for evidence of spearphishing using threat intelligence, signatures, heuristics, and AI. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads of all file types from all sources. Inspecting content downloads from popular cloud apps (like Microsoft OneDrive) is particularly important to protect against adversaries abusing such apps to deliver malware.

Execution: Malicious Link and Execution: Malicious File
Because adversaries use multiple channels to deliver malware, including popular cloud apps like Microsoft OneDrive, an effective defensive strategy must inspect all traffic–including web and cloud–for malicious content. Ensure that high-risk file types, like executables and archives, are thoroughly inspected using a combination of static and dynamic analysis before being downloaded. Netskope Advanced Threat Protection customers can use a Patient Zero Prevention Policy to hold downloads until they have been fully inspected by multiple static and dynamic analysis engines, including ones that use AI to detect targeted attacks. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads of all file types from all sources. To further reduce risk surface, configure policies to block downloads from apps that are not used in your organization to reduce your risk surface to only those apps and instances (company vs. personal) that are necessary. Block downloads of all risky file types from newly registered domains, newly observed domains, and other risky categories.

Command and Control: Application Layer Protocol: Web Protocols
An effective strategy to detect and prevent adversary C2 traffic over web protocols includes using a SWG and an IPS to block communication to known C2 infrastructure and exhibiting common C2 patterns. Netskope Advanced Threat Protection customers can use the IPS and Advanced UEBA features to identify C2 traffic and other signals of post-compromise behavior. Blocking newly registered domains, newly observed domains, and alerting on unusual network traffic patterns can also reduce risk surface and enable early detection. DNS Security and Cloud Firewall can also be used to protect against non-HTTP/HTTPS C2 traffic.

Exfiltration: Exfiltration over C2 Channel
The same protections for detecting and preventing adversary C2 traffic can also be effective against data exfiltration over the same C2 channel or any other web protocols. Netskope customers using DLP can configure policies that restrict where data can be uploaded, effectively limiting the channels over which the attacker is able to exfiltrate data. Netskope customers using Advanced UEBA have additional protections against C2 that include the identification of data transfer anomalies, including spikes of uploads to unusual locations and the transfer of encrypted or encoded content (a common technique used by adversaries).

In summary, an assessment of what traffic is inspected versus bypassed is vital for your defenses to protect users, data, applications, and infrastructure from these adversaries. Knowing you are inspecting all possible traffic, the next step is to align defenses to the six techniques noted in this report. Some defenses will rely on signatures and patterns, while innovations in AI/ML (e.g., algorithms, feature extractors, and anomaly detection) can be used to protect against unknown or zero-day threats. Once or twice per year, assess how adversaries are pivoting to evade current defenses and review what new defenses are available to protect your users, data, applications, and infrastructure.

About This Report link link

Netskope Threat Labs publishes a quarterly Cloud and Threat Report to highlight a specific set of cybersecurity challenges. The purpose of this report is to provide strategic, actionable intelligence on active threats.

Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG), not considering the significance of the impact of each individual threat. Therefore, the tactics and techniques highlighted in the report are limited to those that are observable in HTTP/HTTPS traffic, and the adversary groups tracking in this report are limited to those using said techniques. Stats presented in this report are a reflection of both adversary activity and user behavior. For example, the Initial Access: Spearphishing section discusses the actual phishing links that users are clicking, not the universe of all phishing links created by adversaries. Stats in this report are based on the period starting January 1, 2023 through September 23, 2023.

Netskope Threat Labs link link

Staffed by the industry’s foremost cloud threat and malware researchers, Netskope Threat Labs discovers, analyzes, and designs defenses against the latest web, cloud, and data threats affecting enterprises. Our researchers are regular presenters and volunteers at top security conferences, including DEF CON, Black Hat, and RSA.

light blue plus

Cloud and Threat Reports

The Netskope Cloud and Threat Report delivers unique insights into the adoption of cloud applications, changes in the cloud-enabled threat landscape, and the risks to enterprise data.

Storm with lightning over the city at night

Accelerate your security program with the SASE Leader