
Uncovering the Dangers of Routine Access: A Comprehensive Threat Report Reveals Modern Intrusions


Today, remote access and trusted administrative tools are essential for organizational operations. According to the latest Annual Threat Report by Blackpoint Cyber, these tools are increasingly being used as the entry point for cyber intrusions.

Based on an analysis of numerous security investigations, the report documents a shift in attacker tactics: rather than exploiting software vulnerabilities, threat actors are now more likely to gain access through valid credentials, legitimate tools, and routine user actions.

The report delves into these emerging patterns, highlights where intrusion activities were disrupted, and presents defensive strategies based on incident response outcomes observed throughout 2025.

For a more detailed look at the data and incident walkthroughs, Blackpoint Cyber will be hosting a live webinar soon.


Key Insights From the Latest Threat Report

Attackers Exploiting Legitimate Access Paths

According to the report, attackers are increasingly using legitimate access paths rather than traditional vulnerability exploitation. SSL VPN abuse, accounting for 32.8% of incidents, is a common initial access vector. Threat actors typically authenticate with compromised credentials, so their VPN sessions look legitimate to security controls.

Once inside, these attackers can quickly navigate to critical systems without raising immediate alarms, exploiting the broad internal reach provided by these sessions.

Abuse of Trusted IT Tools

The report also highlights the misuse of Remote Monitoring and Management (RMM) tools for unauthorized access and persistence. RMM abuse was observed in 30.3% of incidents, with ScreenConnect involved in over 70% of rogue RMM cases. Because these tools are routinely used for IT administration, unauthorized activity can easily pass for legitimate administration, which makes detection difficult.


Environments with multiple remote access tools are particularly vulnerable to rogue instances blending in with legitimate tool usage.

Social Engineering Drives Incidents

Even where legitimate access paths are abused, user interaction remains a significant driver of incidents. Deceptive campaigns such as Fake CAPTCHA and ClickFix-style attacks account for 57.5% of the incidents documented in the report, relying on user deception rather than software vulnerabilities.

These campaigns instruct users to paste commands into the Windows Run dialog, so execution relies on built-in Windows tools rather than a traditional malware download.

Cloud Intrusions and MFA

Although Multi-factor Authentication (MFA) is deployed in many cloud environments, account compromise still occurs. Adversary-in-the-Middle phishing, responsible for about 16% of cloud account breaches, captures the authenticated session token after MFA has succeeded and replays it to gain unauthorized access to cloud services.

From the cloud platform’s perspective, this unauthorized activity appears as a legitimate authenticated session.

Many attacks start with legitimate access but escalate to cause significant damage. In a recent investigation, a new implant named Roadk1ll was discovered, designed to pivot across systems using WebSocket communication while remaining undetected in network traffic.

Explore the progression of these attacks in Inside the SOC Episode #002 to understand how they lead to complete environment compromise.


Implications for Security Teams

The report underscores a common pattern across industries: successful intrusions often blend into normal operations rather than relying on advanced malware or exploits. The report recommends several defensive priorities based on analyzed attack chains:

  • Treat remote access as high-risk and high-impact
  • Maintain an updated inventory of approved RMM tools and eliminate unused or outdated agents
  • Restrict unauthorized software installations and control execution from user-writable directories
  • Implement Conditional Access controls to assess device posture, location, and session risk

These patterns were observed across various sectors, including manufacturing, healthcare, MSPs, financial services, and construction.

To delve deeper into these intrusion patterns, Blackpoint Cyber will provide a comprehensive review of key findings, case studies, and defense strategies from the latest Annual Threat Report in an upcoming webinar.

➡️ Register to receive the 2026 Annual Threat Report

This article is sponsored and written by Blackpoint Cyber.
