Routine Access Is Powering Modern Intrusions, a New Threat Report Finds
Blackpoint Cyber’s 2026 Annual Threat Report shows that modern intrusions increasingly start through legitimate access—especially via SSL VPN and trusted remote management tools—and rely on social engineering rather than software exploits. Attackers often use compromised credentials, abuse standard IT workflows, and exploit session reuse after MFA in cloud environments. The report highlights the need for heightened vigilance around remote access, strict inventory of approved RMM tools, restriction of unapproved software, and conditional access controls to mitigate these blended-in threats.

Remote access and trusted administrative tools have become the backbone of how organizations operate today, and increasingly they are also the channels through which intrusions begin. The Blackpoint Cyber 2026 Annual Threat Report, built from thousands of security investigations conducted during the past year, reveals a shift in attacker behavior. Rather than relying primarily on exploiting software vulnerabilities, threat actors are frequently gaining entry with valid credentials, legitimate tools, and routine user actions. The report traces these patterns, notes where intrusion activity was interrupted, and distills defensive insights drawn from incident response outcomes observed throughout 2025.
Across many of the incidents analyzed, attackers entered through paths that looked legitimate long before alarms were triggered. SSL VPN abuse stood out as a major initial access vector, accounting for about one third of identifiable incidents. In numerous cases, attackers authenticated with credentials that were valid but compromised, creating VPN sessions that appeared normal to security controls and investigators alike. Once inside, these sessions often offered broad visibility and reach, enabling rapid movement toward high-value targets without immediately drawing attention.
The report also documents how trusted IT tools can become weapons in the hands of intruders. Remote Monitoring and Management (RMM) software was abused in roughly 30% of identifiable incidents, with ScreenConnect present in more than seven in ten rogue RMM scenarios. Because these tools are commonly used for routine administration, unauthorized installations can resemble legitimate activity and are hard to distinguish from it unless visibility is strong and the tools are tightly governed. Environments that relied on several remote access tools at once were particularly exposed, since rogue agents could blend in with the tooling already present.
Social engineering emerged as the dominant driver of incident volume, underscoring that many intrusions are propelled not by novel exploits but by human factors. Deceptive prompts such as Fake CAPTCHA and ClickFix-style campaigns accounted for about 57.5% of identifiable incidents. In these campaigns, users were guided to paste commands into the Windows Run dialog under the guise of a routine verification step. The attackers leveraged built-in Windows utilities to execute commands, avoiding traditional malware downloads or exploit activity.
In cloud environments, multifactor authentication did not always stop threat actors. Even where MFA was enabled, attackers employed Adversary-in-the-Middle (AitM) phishing techniques to take over accounts. Approximately 16% of documented cloud account disables involved this method. Rather than bypassing authentication outright, the attackers captured session tokens issued after MFA authentication and reused them to access cloud services. From the cloud platform’s perspective, the activity resembled a legitimate, authenticated session, complicating detection.
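The detection problem the report describes is that a replayed post-MFA token looks like the original session to the identity provider. One signal defenders still have is where the token is used from. The following is an added example, not code from Blackpoint Cyber or the report, that correlates the interactive sign-in that satisfied MFA with later non-interactive uses of the same session and flags uses from a different network or client. The event schema (`session_id`, `interactive`, `user_agent`) and the sample sign-in records are constructed for illustration; real IdP logs will name these fields differently.

```python
"""Flag post-MFA session tokens that are used from a different network or
client than the sign-in that completed MFA. Constructed sample data; the
field names are a hypothetical IdP sign-in log schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    interactive: bool  # True = the user completed MFA; False = token/cookie reuse


# Constructed sample events. Alice's session is later used from another
# network by a scripted client; Bob's session only moves within one /24.
SAMPLE_EVENTS = [
    SignIn(datetime(2025, 6, 3, 9, 0), "alice", "s-1", "198.51.100.10", "Edge/Win", True),
    SignIn(datetime(2025, 6, 3, 9, 4), "alice", "s-1", "198.51.100.10", "Edge/Win", False),
    SignIn(datetime(2025, 6, 3, 9, 20), "alice", "s-1", "203.0.113.77", "python-requests", False),
    SignIn(datetime(2025, 6, 3, 10, 0), "bob", "s-2", "192.0.2.5", "Chrome/Mac", True),
    SignIn(datetime(2025, 6, 3, 12, 30), "bob", "s-2", "192.0.2.9", "Chrome/Mac", False),
]


def same_network(a: str, b: str, prefix: int = 24) -> bool:
    """Treat addresses in the same /24 as the same network (tunable)."""
    return ip_address(a) in ip_network(f"{b}/{prefix}", strict=False)


def find_session_reuse(events, window: timedelta = timedelta(hours=8)):
    """Return (user, session_id, mfa_ip, reuse_ip, user_agent_changed) for every
    non-interactive use of a session from outside the network that completed MFA."""
    origin = {}  # session_id -> the interactive sign-in that satisfied MFA
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.interactive:
            origin[ev.session_id] = ev
            continue
        first = origin.get(ev.session_id)
        if first is None or ev.ts - first.ts > window:
            continue  # no MFA event on record inside the window; handled elsewhere
        if not same_network(ev.ip, first.ip):
            ua_changed = ev.user_agent != first.user_agent
            alerts.append((ev.user, ev.session_id, first.ip, ev.ip, ua_changed))
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_EVENTS):
        print("possible token reuse:", alert)
```

The /24 comparison is deliberately coarse so that ordinary address churn within one ISP or corporate egress does not alert; a user-agent change on top of a network change raises confidence that the token is being replayed by tooling rather than by the user's browser. Tenants that log device identifiers or ASN should compare those instead of raw addresses.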
A notable example from recent investigations highlights how the initial foothold can evolve into broader compromise. The report describes a new implant, Roadk1ll, designed to pivot across systems using WebSocket-based communications while blending into normal network traffic to maintain access. Such capabilities illustrate how attackers move from initial access to full environment compromise, often laying low within the network while escalating privileges and expanding reach.
The overarching takeaway is clear: many successful intrusions rely on everyday operations that blend into the normal course of work. Rather than depending on flashy new exploits or sophisticated malware, attackers abuse routine workflows—remote logins, trusted tools, and standard user actions—to advance their objectives. This pattern underscores the importance of rethinking how remote access and administrative tools are managed and monitored.
From industry-wide observations to specific case examples, the 2026 Annual Threat Report emphasizes that the key to reducing risk lies in understanding how intruders leverage legitimate activities. The findings call attention to several underlying themes: the prevalence of legitimate access paths as entry points, the danger of over-trusting standard IT tooling, and the persistent influence of social engineering in driving incidents. Even as attackers adapt, these core patterns provide a roadmap for defenders aiming to disrupt intrusion chains before they reach critical assets.
The report suggests that organizations should scrutinize remote access as a high-risk, high-impact activity, maintain a precise inventory of approved RMM tools, minimize or retire unused or legacy agents, and regulate software installations to prevent execution from user-writable directories. It also highlights the value of conditional access approaches that consider device posture, location, and session risk when granting access to sensitive resources. While the specifics vary by sector, the patterns identified span manufacturing, healthcare, managed service providers, financial services, and construction, illustrating how pervasive these techniques have become across environments.
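Two of the recommendations above, an exact inventory of approved RMM tools and a block on execution from user-writable directories, lend themselves to a mechanical check. The following is an added example, not code from the report or from Blackpoint Cyber, that audits a constructed endpoint process inventory against an approved-RMM list and a user-writable-path policy. The record schema (`host`, `product`, `image`), the approved list, the list of known RMM product names and the sample paths are all assumptions made for the illustration; an organization would populate them from its own asset inventory and EDR telemetry.

```python
"""Audit an endpoint process inventory for unapproved RMM agents, approved
agents running from unexpected locations, and anything executing from a
user-writable directory. Constructed sample data and a hypothetical schema."""
from pathlib import PureWindowsPath

# Hypothetical approved inventory: product name -> sanctioned install directory.
APPROVED_RMM = {
    "ScreenConnect Client": r"C:\Program Files (x86)\ScreenConnect Client",
}

# Illustrative set of remote-access product names the audit should account for.
KNOWN_RMM = {"ScreenConnect Client", "AnyDesk", "TeamViewer", "Atera Agent"}

# Path fragments that indicate a directory an ordinary user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample inventory: one clean RMM install, one approved product
# launched from a temp folder, one unapproved tool, one ordinary application.
SAMPLE_INVENTORY = [
    {"host": "WS-01", "product": "ScreenConnect Client",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"host": "WS-02", "product": "ScreenConnect Client",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\sc-setup\ScreenConnect.ClientService.exe"},
    {"host": "WS-03", "product": "AnyDesk",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"host": "WS-04", "product": "Microsoft Word",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]


def is_user_writable(image: str) -> bool:
    """Case-insensitive test for well-known user-writable locations."""
    low = image.lower().replace("/", "\\")
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def audit(records, approved=APPROVED_RMM, known_rmm=KNOWN_RMM):
    """Return (host, finding, detail) tuples for every policy deviation."""
    findings = []
    for rec in records:
        product, image = rec["product"], rec["image"]
        if product in known_rmm and product not in approved:
            findings.append((rec["host"], "unapproved_rmm", product))
        elif product in approved:
            # PureWindowsPath compares case-insensitively, matching NTFS semantics.
            expected_dir = PureWindowsPath(approved[product])
            if expected_dir not in PureWindowsPath(image).parents:
                findings.append((rec["host"], "approved_rmm_unexpected_path", image))
        if is_user_writable(image):
            findings.append((rec["host"], "exec_from_user_writable", image))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding, sep=" | ")
```

The "approved but in the wrong place" finding is the one most easily missed by a simple allowlist: the product name matches the inventory, yet a second copy dropped into a temp folder is exactly the rogue-agent pattern the report describes. The user-writable check is a detection counterpart to the execution restriction the report recommends; the same path markers can seed an application-control policy.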
For those seeking a deeper dive, Blackpoint Cyber plans to explore the intrusion patterns, case studies, and practical takeaways from the 2026 Annual Threat Report in an upcoming live session. The discussion aims to illustrate how attacks unfold from initial access to comprehensive network compromise, offering a closer look at how a modern SOC detects, analyzes, and responds to these techniques in real time. Interested readers can register to receive the 2026 Annual Threat Report and gain access to the broader set of findings and demonstrations featured in the presentation.