Verizon DBIR 2025 DomainTools Reflections

We are once again thrilled to announce our role as a Contributing Organization to the always-outstanding Verizon Data Breach Investigations Report – 2025 edition! This report is so well-aligned with our mission of making the Internet a safer place and provides some incredible insights into breaches over the past year. 

Here’s the tl;dr from an Internet intelligence perspective:

  • 30% of all analyzed breaches featured third-party involvement, double the share in last year's report
  • Human involvement (i.e., clicking on a phishing email or visiting a malicious website) appeared in 60% of breaches
  • 20% of breaches involved the exploitation of vulnerabilities, up 34% from the 2024 report
    • 42% of the exploited vulnerabilities affected web applications
    • 22% of the exploited vulnerabilities affected VPN and edge devices
  • Ransomware was present in 44% of all breaches
  • The use of synthetically generated text in malicious emails has doubled over the past two years

We at DomainTools are fond of saying, “It’s always DNS,” and these threats continue to support that concept. We’ll provide more detail on this in a moment, but first let’s give credit where credit is due.

Verizon DBIR Report Credits

We would like to offer a huge thank you to the Verizon Threat Research Advisory Center (VTRAC), who provided the incidents and breaches (22,052!) analyzed in this DBIR report. And who analyzes these breaches? The incredible Verizon DBIR team of course:

C. David Hylender, Philippe Langlois, Alex Pinto, Suzanne Widup

Special thanks as well to: 

  • Abdul Abufilat, Darrin Kimes, Dave Kennedy, Eric Gentry, and Erika Gifford 
  • Kate Kutchko, Marziyeh Khanouki, Rahshid Aria, and Shubhra Kumar

All in all, the DBIR team analyzed 12,195 confirmed breaches, which is the highest number ever featured in a single report! While this number is daunting, it only underscores the value of the DBIR report and its analysis of an ever-present issue. Let’s jump into some of the main takeaways. 

DBIR Takeaways 

Third Parties

Third-party involvement in breaches is perhaps the most notable takeaway from the report, as shown by its visualization on the 2025 DBIR cover. The increase from 15% in last year’s report to 30% is significant and points to the high-profile exploitation of vulnerabilities or deficiencies in third-party providers over the last year. The Snowflake intrusion – resulting in around 165 affected organizations – is a key example of how threat actors can reach multiple victims through the exploitation of just one common provider. 

This also highlights the importance of monitoring for domains that impersonate not only your organization but your vendors as well. Threat actors who learn of your relationship with a third party via a breach could mount a follow-on attack from totallyrealvendor[.]com. As the DBIR report suggests, it is important to consider the security posture and limitations of any external organization you plan on doing business with.
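The kind of vendor-impersonation screen this paragraph calls for, added here as an illustration rather than DomainTools code: it refangs each newly observed domain, exempts your own and your vendors' registrable domains, and flags labels that embed or closely resemble a watchlisted brand. The watchlist, the sample feed and the confusables map are all constructed.

```python
import re
from difflib import SequenceMatcher

# Characters commonly swapped for look-alike letters (small, constructed set).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})

# Constructed watchlist: your own domain plus the vendors you do business with.
LEGIT_DOMAINS = ["yourorg.example", "totallyrealvendor.com"]

# Constructed feed of newly observed domains, defanged entries included.
SAMPLE_FEED = [
    "totallyrealvendor.com",
    "mail.totallyrealvendor.com",
    "t0tallyrealvendor.com",
    "totallyrealvendor-login[.]net",
    "totalyrealvendor.com",
    "unrelated-shop.com",
]

def clean(domain):
    """Lower-case and refang a domain ('a[.]b' -> 'a.b')."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def registrable(domain):
    """Naive registrable domain: the last two labels (no public-suffix list here)."""
    return ".".join(clean(domain).split(".")[-2:])

def normalise(label):
    """Fold digit/symbol substitutions and drop separators: 't0tally-real' -> 'totallyreal'."""
    return re.sub(r"[-_]", "", label.translate(CONFUSABLES))

def screen_domain(domain, legit=LEGIT_DOMAINS, threshold=0.85):
    """Return (impersonated_legit_domain, similarity), or None if the domain looks benign."""
    reg = registrable(domain)
    if reg in legit:
        return None  # the genuine domain itself or one of its subdomains
    label = normalise(reg.split(".")[0])
    best = None
    for good in legit:
        good_label = normalise(good.split(".")[0])
        # A brand embedded among decoys, or under another TLD, counts as a full match.
        ratio = 1.0 if good_label in label else SequenceMatcher(None, good_label, label).ratio()
        if ratio >= threshold and (best is None or ratio > best[1]):
            best = (good, round(ratio, 2))
    return best

def screen_feed(feed, legit=LEGIT_DOMAINS):
    """Map each suspicious domain in the feed to the legitimate domain it resembles."""
    return {d: hit for d in feed if (hit := screen_domain(d, legit))}
```

Feed this from a newly-registered-domain or passive DNS source and route hits to whoever owns vendor risk; the naive two-label registrable-domain logic should be replaced with a public-suffix list before production use.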

Human Involvement

It is no surprise that human involvement of varying kinds continues to factor into breaches. The DBIR breaks down the high-level components of the human element, with credential abuse taking the top spot:

Bar chart showing percentages of human element breaches: Credential abuse (32%), Social actions (23%), Errors (14%), and Malware interaction (7%). Figure shows n=10,798.
Source: Verizon 2025 Data Breach Investigations Report

As the report details, there is an overlap between social actions and credential abuse, which may occur one after the other. You are most likely familiar with the top social action varieties, phishing (57% of social engineering incidents) and pretexting (30%), though this year also featured prompt bombing (14%), in which threat actors bombard users with MFA login requests.
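A detection for the prompt bombing described above, added here as an illustration and not code from DomainTools or the DBIR: it reads constructed MFA push log lines and raises an alert when a user receives a burst of denied or unanswered pushes within a short window, and a second, higher-priority alert when an approval follows such a burst. The log format, the window and the burst threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines: timestamp, user, event, result (not a real product's format).
SAMPLE_LOG = """\
2025-05-01T08:00:05Z alice mfa_push DENIED
2025-05-01T08:00:21Z alice mfa_push DENIED
2025-05-01T08:00:40Z alice mfa_push TIMEOUT
2025-05-01T08:01:02Z alice mfa_push DENIED
2025-05-01T08:01:30Z alice mfa_push APPROVED
2025-05-01T08:05:00Z bob mfa_push APPROVED
2025-05-01T09:10:00Z bob mfa_push DENIED
2025-05-01T09:40:00Z bob mfa_push APPROVED
"""

WINDOW = timedelta(minutes=5)  # assumed sliding window
BURST = 3                      # assumed number of non-approved pushes that counts as bombing

def parse(line):
    """Split one log line into (timestamp, user, event, result)."""
    ts, user, event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result

def detect_prompt_bombing(log_text):
    """Return {user: [(burst_start, push_count, approved_after_burst), ...]}."""
    recent = defaultdict(deque)   # user -> timestamps of pushes that were not approved
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, event, result = parse(line)
        if event != "mfa_push":
            continue
        q = recent[user]
        while q and ts - q[0] > WINDOW:   # drop pushes that fell out of the window
            q.popleft()
        if result == "APPROVED":
            if len(q) >= BURST:
                # The user finally approved after a burst: the fatigue tactic likely worked.
                alerts[user].append((q[0], len(q), True))
            q.clear()
        else:
            q.append(ts)
            if len(q) == BURST:           # alert once, when the burst threshold is first reached
                alerts[user].append((q[0], len(q), False))
    return dict(alerts)
```

An approval-after-burst alert is the one to treat as a probable compromise: revoke the session, reset the credential and contact the user out of band.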

We’ve all experienced phishing emails originating from malicious domains or that encourage us to visit them. Luckily, the report suggests that training on how to report phishing scams is having a positive impact, though click rate remains concerning:

“When we examined the reporting rate of phishing emails, we found that users who had more recent training reported the phishing emails at a significantly higher rate – about 21% against a base rate of 5%, a four times relative increase. However, the impact of recent training in click rate was way less prominent, with only 5% relative impact on each training.” 

Vulnerabilities

As stated in the tl;dr, the exploitation of vulnerabilities is a growing initial access vector for breaches (20%). Even more strikingly, vulnerability exploitation was an initial access vector for around 70% of analyzed breaches motivated by espionage (17% of analyzed breaches). Edge devices and VPNs became a popular target, growing from 3% last year to 22% this year. 

The DBIR hits the nail on the head with the takeaway on this: “make sure your organization understands well the exposure you have to the internet.” Predicting and mapping attacker infrastructure is a crucial part of preventing attacks, but we’d argue that understanding your own infrastructure and exposure is equally important. Don’t get burned by a forgotten edge device! 

Ransomware

The 2025 DBIR offers key insights on the state of ransomware. On the one hand, ransomware (with or without encryption) was present in 44% of all breaches. It also disproportionately affected small businesses, appearing in 88% of their breaches. However, the median ransomware payout has decreased to $115,000, as opposed to $150,000 in last year’s report. Additionally, there are more victim organizations who did not pay the demanded ransom – 64% as compared to 50% in 2022. As the report suggests, there may be a correlation between the lower ransomware payouts and the decrease in victims actually paying the ransom. 

The report cites vulnerability exploitation, credential abuse, and phishing as the known initial access vectors for ransomware-related breaches, underscoring the importance of holistically securing your organization from this threat. Today’s ransomware attack may well have originated from an employee clicking on a malicious Google ad and having their credentials harvested weeks or even months ago. 

AI

Everyone has their eye on AI and its usage by bad actors, but the DBIR shines a light on an equally concerning problem – the leakage of sensitive corporate data to GenAI platforms by employees themselves. According to the DBIR team’s findings, 14% of employees routinely accessed GenAI systems on corporate devices. Out of those employees, 72% used non-corporate email addresses as their account identifier, while 17% used corporate emails without the proper integrated authentication systems. This poses a threat when, as the report points out, GenAI tools prompt users to upload sensitive documents when assisting with coding, summarizing, and other projects. 

The report also found that synthetically generated text in malicious emails has doubled over the past two years, growing from around 5% to 10%. It remains to be seen if this number will continue to grow, but it is important to consider how phishing may become even more efficacious now that AI models are in play. 

Conclusion

We are incredibly proud to be a Contributing Organization to the 2025 DBIR. Given the inextricable relationship between DNS and the types of cyber threats that lead to breaches, it is imperative to understand how your organization is positioned in the context of the wider Internet. Actions such as proactive domain monitoring, mapping out known malicious infrastructure, and leveraging passive DNS can all help to predict, prevent, and mitigate threat activity before it can impact your organization.

Lastly, as the DBIR so nicely illustrates, we can all benefit from industry-wide collaboration and information-sharing. Cheers to another wonderful report!