Routine Access - New Threat Report Reveals Intrusion Tactics

In short, attackers are getting in through ordinary access paths and valid credentials rather than by exploiting vulnerabilities.
A new report reveals that modern intrusions increasingly rely on valid credentials and routine access. This shift poses significant risks across various industries. Organizations must adapt their security measures to counter these evolving tactics.
What Happened
According to Blackpoint Cyber's 2026 Annual Threat Report, the way cyber intrusions occur has shifted significantly. Instead of exploiting software vulnerabilities, attackers are increasingly using valid credentials and legitimate tools to gain access to systems. The report, based on thousands of security investigations, finds that routine user actions have become a primary entry point for many intrusions.
The analysis indicates that SSL VPN abuse is the most common initial access method, accounting for 32.8% of incidents. Many breaches therefore happen through channels that look legitimate, which makes them harder to detect. Attackers log in with compromised credentials and can then move through internal networks without raising immediate alarms.
Who's Being Targeted
The report highlights that various industries, including manufacturing, healthcare, financial services, and construction, are being affected by these intrusion tactics. The use of Remote Monitoring and Management (RMM) tools has also been noted, with 30.3% of incidents involving their abuse. Tools like ScreenConnect were found in over 70% of rogue RMM cases, making it difficult for organizations to distinguish between legitimate and malicious use.
Social engineering tactics are also prevalent, with deceptive campaigns driving 57.5% of incidents. These tactics often involve users being tricked into executing commands that appear harmless, further complicating detection efforts.
Tactics & Techniques
Attackers are increasingly leveraging social engineering techniques rather than sophisticated exploits. The report indicates that many incidents begin with users being prompted to perform actions that seem routine, such as entering commands into their systems. This method allows attackers to execute their plans without traditional malware downloads or exploits.
In cloud environments, attackers are capturing session tokens issued after Multi-Factor Authentication (MFA) has been completed and using them to gain access. This exposes a critical gap: even a robust control like MFA can be circumvented if a stolen session token can be replayed. The report emphasizes that understanding these tactics is crucial for organizations to defend against such intrusions effectively.
Defensive Measures
The findings of the report suggest that organizations need to reassess their security strategies. Remote access should be treated as a high-risk activity, and organizations must maintain an inventory of approved RMM tools. It is also essential to restrict unapproved software installations and to apply Conditional Access controls that evaluate device posture and session risk.
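As an added illustration of the inventory-based control described above (example code, not from the report or from Blackpoint), the following Python triage checks constructed endpoint process-creation telemetry against a hypothetical approved-RMM inventory, separating a sanctioned ScreenConnect instance from a rogue one. The executable names, hostnames, users and the `instance_host` field are all assumptions made for the example.

```python
import json
from pathlib import PureWindowsPath

# Approved RMM inventory (constructed): product -> relay/instance hosts the organization itself operates.
APPROVED_RMM = {"screenconnect": {"support.corp.example"}}

# Executable names that identify RMM agents. ScreenConnect is named in the report;
# "examplermm-agent.exe" is a placeholder showing where other tracked products go.
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "screenconnect",
    "screenconnect.windowsclient.exe": "screenconnect",
    "examplermm-agent.exe": "examplermm",
}

# Paths a standard user can write to: an agent here suggests a user-executed install, not an IT deployment.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def classify(event):
    """Return a finding label for one process-creation event (constructed schema), or None."""
    exe = PureWindowsPath(event["image"]).name.lower()
    product = RMM_BINARIES.get(exe)
    if product is None:
        return None                           # not an RMM agent we track
    if product not in APPROVED_RMM:
        return "unapproved-rmm-product"       # product absent from the inventory entirely
    if event.get("instance_host") not in APPROVED_RMM[product]:
        return "rogue-rmm-instance"           # approved product, but talking to a foreign instance
    if any(m in event["image"].lower() for m in USER_WRITABLE_MARKERS):
        return "approved-rmm-from-user-path"  # sanctioned instance, suspicious install location
    return None

def triage(jsonl):
    """Run classify() over JSON-lines telemetry; return (host, user, finding) per hit."""
    findings = []
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        label = classify(ev)
        if label:
            findings.append((ev["host"], ev["user"], label))
    return findings

# Constructed sample telemetry: a sanctioned agent, a rogue ScreenConnect instance, an unknown product.
SAMPLE_EVENTS = """
{"host": "WS-0417", "user": "jdoe", "image": "C:\\\\Program Files (x86)\\\\ScreenConnect Client (a1b2)\\\\ScreenConnect.ClientService.exe", "instance_host": "support.corp.example"}
{"host": "WS-0921", "user": "mlee", "image": "C:\\\\Program Files (x86)\\\\ScreenConnect Client (f9e8)\\\\ScreenConnect.ClientService.exe", "instance_host": "relay.unknown-instance.example"}
{"host": "WS-1105", "user": "rkim", "image": "C:\\\\Users\\\\rkim\\\\AppData\\\\Local\\\\Temp\\\\examplermm-agent.exe", "instance_host": "agent.unknown-instance.example"}
"""

if __name__ == "__main__":
    for host, user, label in triage(SAMPLE_EVENTS):
        print(f"{host:8} {user:6} {label}")
```

The instance-host comparison is what separates a legitimate ScreenConnect deployment from an attacker-operated one; a product allowlist alone cannot make that distinction.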
By recognizing the patterns of these intrusions, security teams can implement more effective defenses. The report serves as a wake-up call, urging organizations to adapt to the evolving landscape of cyber threats where attackers are using everyday access methods to infiltrate systems.