
    Routine Access Is Powering Modern Intrusions, a New Threat Report Finds

    By admin, April 1, 2026

    Remote access and trusted administrative tools play a central role in how organizations operate today. According to Blackpoint Cyber’s 2026 Annual Threat Report, they are also increasingly central to how intrusions begin.

    Informed by analysis of thousands of security investigations conducted during the reporting period, the report highlights a shift in attacker behavior. Rather than relying primarily on vulnerability exploitation, threat actors frequently gained access by using valid credentials, legitimate tools, and routine user-driven actions.

    The report examines these patterns, documents where intrusion activity was disrupted, and presents defensive priorities derived from analyzed incident response outcomes observed throughout 2025.

    Additional data and incident walkthroughs will be covered during an upcoming live webinar hosted by Blackpoint Cyber.


    Key Findings From the 2026 Annual Threat Report

    Attackers Are Entering Through Legitimate Access Paths

    Across incidents analyzed in the report, attackers were more likely to log in using legitimate access than to exploit vulnerabilities as their primary entry point.

    SSL VPN abuse accounted for 32.8 percent of all identifiable incidents, making it one of the most common initial access vectors. In many cases, threat actors authenticated using valid but compromised credentials, resulting in VPN sessions that appeared legitimate to security controls.

    Once access was established, these sessions often provided broad internal reach, allowing attackers to move rapidly toward high-value systems without immediately triggering alerts.

    Trusted IT Tools Are Being Used Against Organizations

    The report also documents frequent abuse of legitimate Remote Monitoring and Management tools as a method of access and persistence.

    RMM abuse appeared in 30.3 percent of identifiable incidents, with ScreenConnect present in more than 70 percent of rogue RMM cases. Because these tools are commonly used for standard IT administration, unauthorized installations often resembled expected activity and were difficult to distinguish without strong visibility.

    The report notes that environments with multiple remote access tools in use were more likely to see rogue instances blend in with existing tooling.

    Social Engineering, Not Exploits, Drove the Majority of Incidents

    While legitimate access paths enabled many intrusions, user interaction represented the largest driver of overall incident volume.

    Fake CAPTCHA and ClickFix-style campaigns accounted for 57.5 percent of all identifiable incidents, making them the most common attack pattern documented in the report.

    Rather than exploiting software vulnerabilities, these campaigns relied on deceptive prompts. Users were instructed to paste commands into the Windows Run dialog as part of what appeared to be a routine verification step. Execution used built-in Windows tools, without traditional malware downloads or exploit activity.
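
One way to triage endpoints for this pattern is to review each user's Run dialog history, which Windows keeps under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`. The sketch below is an added example, not code from the report or from Blackpoint Cyber; the list of script-capable programs, the sample data, and all function names are assumptions made for illustration.

```python
import ntpath
import shlex

# Built-in Windows programs able to run script or fetch remote content.
# This list is an assumption of the example, not taken from the report.
SCRIPT_CAPABLE = {"powershell", "pwsh", "cmd", "mshta", "wscript", "cscript",
                  "rundll32", "regsvr32", "msiexec", "certutil", "curl"}

# Constructed export of one user's RunMRU key (value name -> string data).
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "cmd\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "notepad C:\\temp\\notes.txt\\1",
    "d": "powershell.exe -w hidden -c \"<constructed placeholder>\"\\1",
}

def parse_runmru(values):
    """Return Run dialog commands, newest first, following MRUList order."""
    commands = []
    for letter in values.get("MRUList", ""):
        data = values.get(letter)
        if data is not None:
            # Explorer appends a "\1" marker to every stored entry.
            commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands

def split_command(command):
    """Tokenise without treating backslashes as escapes (Windows paths)."""
    try:
        return shlex.split(command, posix=False)
    except ValueError:          # unbalanced quote: fall back to whitespace
        return command.split()

def program_name(token):
    """Lower-cased base name of the launched program, without '.exe'."""
    name = ntpath.basename(token.strip('"')).lower()
    return name[:-4] if name.endswith(".exe") else name

def triage(values):
    """Flag entries where a script-capable built-in was given arguments."""
    hits = []
    for command in parse_runmru(values):
        tokens = split_command(command)
        if len(tokens) > 1 and program_name(tokens[0]) in SCRIPT_CAPABLE:
            hits.append((program_name(tokens[0]), command))
    return hits
```

Opening a bare `cmd` or a file share from the Run dialog is ordinary behaviour, so only entries that pass arguments to a script-capable program are surfaced for review.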

    Cloud Intrusions Focused on Session Reuse After MFA

    Multi-factor authentication was enabled in many cloud environments associated with investigated incidents, yet account compromise still occurred.

    Adversary-in-the-Middle phishing accounted for approximately 16 percent of cloud account disables documented in the report. In these scenarios, MFA functioned as designed. Instead of bypassing authentication, attackers captured authenticated session tokens issued after successful MFA and reused them to access cloud services.

    From the perspective of the cloud platform, this activity aligned with a legitimate authenticated session.

    Many of the attacks described above begin with legitimate access. What happens next is where real damage occurs.

    In a recent investigation, our SOC identified a new implant called Roadk1ll, designed to pivot across systems using WebSocket-based communication and maintain access while blending into network traffic.

    Join Inside the SOC Episode #002 to see how these attacks progress from initial access to full environment compromise.


    What These Findings Mean for Security Teams

    Across industries, environments, and attack types, the report highlights a consistent pattern: many successful intrusions relied on activity that blended into normal operations.

    Rather than relying on novel exploits or advanced malware, attackers abused everyday workflows such as remote logins, trusted tools, and standard user actions. Based on the attack chains analyzed, the report identifies several defensive priorities:

    • Treat remote access as high-risk, high-impact activity
    • Maintain a complete inventory of approved RMM tools and remove unused or legacy agents
    • Restrict unapproved software installations and limit execution from user-writable directories
    • Apply Conditional Access controls that evaluate device posture, location, and session risk
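
The RMM inventory priority can be turned into a routine check over installed-software data. The following is an added example, not code from the report or from Blackpoint Cyber: the product catalogue, the approved list, the host names, and the treatment of the parenthesised ID in a ScreenConnect client name as a deployment identifier are all assumptions of this sketch.

```python
import re
from collections import defaultdict

# Name fragments used to spot RMM products in installed-software names
# (assumed catalogue; extend it to match the tools seen in your estate).
RMM_SIGNATURES = {"screenconnect": "ScreenConnect", "anydesk": "AnyDesk",
                  "teamviewer": "TeamViewer", "splashtop": "Splashtop"}
# Approved product -> ID of the sanctioned deployment (hypothetical value).
APPROVED = {"ScreenConnect": "0123456789abcdef"}

# Constructed inventory rows: (host, installed-software display name).
INVENTORY = [
    ("ws-01", "ScreenConnect Client (0123456789abcdef)"),
    ("ws-01", "7-Zip 23.01 (x64)"),
    ("ws-02", "ScreenConnect Client (fedcba9876543210)"),
    ("ws-03", "ScreenConnect Client (0123456789abcdef)"),
    ("ws-03", "AnyDesk"),
]

def classify(display_name):
    """Return (product, instance_id) for an RMM install, else None."""
    low = display_name.lower()
    for fragment, product in RMM_SIGNATURES.items():
        if fragment in low:
            match = re.search(r"\(([0-9a-f]+)\)", low)
            return product, (match.group(1) if match else None)
    return None

def audit(inventory):
    """Report unapproved products, foreign instances and tool sprawl."""
    findings = defaultdict(list)
    products = defaultdict(set)
    for host, name in inventory:
        hit = classify(name)
        if hit is None:
            continue
        product, instance = hit
        products[host].add(product)
        if product not in APPROVED:
            findings[host].append(f"unapproved RMM: {product}")
        elif instance != APPROVED[product]:
            # An approved product name is not enough: the client must
            # belong to the organization's own deployment.
            findings[host].append(f"{product} instance {instance} is not ours")
    for host, seen in products.items():
        if len(seen) > 1:
            findings[host].append("multiple RMM tools: " + ", ".join(sorted(seen)))
    return dict(findings)
```

Checking the deployment ID as well as the product name matters here because a rogue client of an approved product would otherwise pass a name-only allowlist.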

    These patterns were documented across frequently targeted sectors, including manufacturing, healthcare, MSPs, financial services, and construction.

    For teams interested in examining how these intrusion patterns unfold, Blackpoint Cyber will review key findings, case examples, and defensive takeaways from the 2026 Annual Threat Report during an upcoming live webinar.


    Sponsored and written by Blackpoint Cyber.
