Routine Access Is Powering Modern Intrusions, a New Threat Report Finds
Blackpoint Cyber’s 2026 Annual Threat Report reveals that modern cyber‑attacks increasingly exploit routine operational channels—legitimate credentials, SSL VPNs, trusted remote monitoring tools, and social‑engineering tactics like fake CAPTCHA prompts—to gain initial access. Attackers often bypass traditional vulnerabilities by using compromised but valid accounts and then pivot across networks with stealthy implants such as “Roadk1ll.” Cloud intrusions frequently involve MFA token reuse, allowing attackers to masquerade as authenticated users. The report stresses that remote access should be treated as high‑risk, urges organizations to maintain an inventory of approved RMM tools, restrict unapproved software and user‑writable execution, and apply conditional access controls evaluating device posture, location, and session risk. These findings highlight the need for security teams to focus on monitoring and hardening everyday workflows that attackers blend into normal operations.

Routine Access Is Powering Modern Intrusions: Insights from the 2026 Annual Threat Report
Remote access and the tools trusted to manage networks have become the backbone of how organizations operate. Yet the 2026 Annual Threat Report from Blackpoint Cyber shows that the same access paths that enable productivity are increasingly shaping how intrusions begin and progress. The analysis draws on thousands of security investigations conducted through 2025, revealing a shift in attacker behavior: breaches are increasingly built on legitimate credentials, legitimate management tools, and routine user actions rather than on overt vulnerability exploitation. This evolving pattern is driving defenders to rethink what constitutes an entry point and how to disrupt an attacker’s foothold early, before the first lateral move takes hold.
Across the incidents studied, attackers were more often seen entering through familiar, trusted channels than by exploiting new software flaws. One of the most telling findings is the prominence of SSL VPN abuse, which accounted for roughly one third of identifiable incidents. In many cases, threat actors authenticated with credentials that were valid but compromised, creating VPN sessions that security controls struggled to distinguish from legitimate remote work traffic. Once established, these sessions frequently granted broad internal reach, enabling rapid movement toward high-value targets while delaying or masking the usual alerts that might have flagged suspicious activity.
The report also highlights how trusted IT tools—especially remote monitoring and management (RMM) software—are being misused to gain access and maintain persistence. RMM abuse appeared in nearly a third of identifiable cases, with ScreenConnect appearing in the majority of rogue RMM incidents. Because these tools are designed for legitimate remote administration, unauthorized installations can resemble normal operations and can be difficult to pin down without comprehensive visibility. Environments already using multiple remote access tools were more likely to see rogue activity blend in with the existing tooling, further complicating detection and response efforts.
Social engineering remains a dominant driver of incidents, even as attackers capitalize on legitimate access paths. The report notes that deceptive prompts and user interactions—such as fake CAPTCHA challenges or ClickFix-style campaigns—accounted for more than half of identifiable incidents. Rather than deploying complex malware or chasing zero-day exploits, many campaigns relied on tricking users into taking action through innocuous-sounding prompts. In practice, incidents were triggered by commands the user was induced to enter into familiar Windows interfaces, executed by standard system tools rather than by downloaded payloads that would raise alarms. This finding reinforces the reality that human factors, when exploited through believable prompts and routines, can unlock access that conventional security controls miss.
Cloud environments are not immune to these dynamics. Even with MFA enabled, attackers are finding ways to leverage legitimate sessions after initial authentication. Adversary-in-the-Middle phishing campaigns captured authenticated session tokens issued post-MFA, enabling attackers to reuse those tokens to access cloud services. From the cloud platform’s perspective, the activity looked like a genuine user session, underscoring the need for deeper session risk analysis and token-management controls that look beyond the moment of authentication.
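The token-replay pattern described above can be surfaced by comparing each use of a session token against the context recorded when the token was issued after MFA. The following is an added example, not code from the report or from Blackpoint Cyber; the event schema, the `device_id` attribute (assumed to come from a managed-device agent) and all sample tokens, users and addresses are constructed placeholders.

```python
"""Added example (not code from the report or from Blackpoint Cyber): flag
cloud session tokens that are used from a context different from the one in
which they were issued after MFA, the replay pattern the report attributes to
Adversary-in-the-Middle phishing."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SessionEvent:
    kind: str        # "issued" (post-MFA token minted) or "used" (API/portal request)
    token_id: str
    user: str
    ip: str
    device_id: str   # identifier supplied by the managed-device agent (assumed field)
    user_agent: str
    ts: int          # seconds since epoch


# Constructed sample telemetry; token ids, users, devices and IPs are placeholders
# (IPs are taken from the RFC 5737 documentation ranges).
SAMPLE_EVENTS: List[SessionEvent] = [
    SessionEvent("issued", "tok-001", "alice", "203.0.113.10", "dev-laptop-1", "Edge/120", 1000),
    SessionEvent("used",   "tok-001", "alice", "203.0.113.10", "dev-laptop-1", "Edge/120", 1060),
    # Same token presented minutes later from a different host, device and client.
    SessionEvent("used",   "tok-001", "alice", "198.51.100.7", "dev-unknown", "python-requests/2.31", 1500),
    SessionEvent("issued", "tok-002", "bob",   "192.0.2.25",   "dev-desk-9",  "Chrome/121", 2000),
    SessionEvent("used",   "tok-002", "bob",   "192.0.2.25",   "dev-desk-9",  "Chrome/121", 2300),
    # A token the platform never recorded issuing: no MFA ceremony on record for it.
    SessionEvent("used",   "tok-999", "carol", "192.0.2.80",   "dev-unknown", "Chrome/121", 2400),
]


def find_token_reuse(events: List[SessionEvent]) -> List[dict]:
    """Compare every token use against the context recorded at issuance.

    Returns one finding per suspicious use. Severity is "high" when the device,
    source IP and client all differ from issuance, or when no issuance was seen;
    otherwise "medium". A single differing attribute is common for legitimate
    roaming, so the caller should weigh it together with other signals.
    """
    issued: Dict[str, SessionEvent] = {}
    findings: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "issued":
            issued[ev.token_id] = ev
            continue
        origin = issued.get(ev.token_id)
        if origin is None:
            findings.append({"token_id": ev.token_id, "user": ev.user, "ts": ev.ts,
                             "severity": "high", "reasons": ["no issuance event observed"]})
            continue
        reasons = []
        if ev.device_id != origin.device_id:
            reasons.append("device changed")
        if ev.ip != origin.ip:
            reasons.append("source ip changed")
        if ev.user_agent != origin.user_agent:
            reasons.append("client changed")
        if reasons:
            findings.append({"token_id": ev.token_id, "user": ev.user, "ts": ev.ts,
                             "severity": "high" if len(reasons) == 3 else "medium",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_token_reuse(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['user']:6} {f['token_id']} @{f['ts']}: "
              f"{', '.join(f['reasons'])}")
```

The check deliberately keys on the issuance context rather than on the authentication event itself, which is the point the report makes: a replayed token passes authentication, so the signal has to come from how the session is used afterwards. In a real deployment the issuance record would come from the identity provider's sign-in logs and the usage records from the cloud platform's audit trail.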
The report also delves into how intrusions evolve after initial access. A notable case described by the security operations center (SOC) illuminated a new implant, known as Roadk1ll, designed to pivot across systems using WebSocket-based communication. The implant’s objective was to maintain a stealthy presence while moving laterally across the environment, a reminder that attackers prioritize durable, low-visibility persistence as their objectives broaden. The takeaway is clear: initial access is often just the first step in a longer chain of actions intended to maximize damage and exfiltration.
For security teams, the implications of these patterns are practical and actionable. Across industries and threat types, the consistent thread is that intrusions frequently hide in plain sight by blending into normal workflows. Rather than chasing novel exploits or sophisticated malware, attackers are exploiting routine processes and trusted tools. From this understanding, several defensive priorities emerge:
- Treat remote access as high-risk, high-impact activity. Because SSL VPNs and similar pathways frequently serve as entry points, continuous monitoring, anomaly detection, and strict diligence around access management are essential.
- Maintain a complete inventory of approved RMM tools and remove unused or legacy agents. Visibility into what is installed and where it runs helps prevent unauthorized use and makes rogue installations easier to spot.
- Restrict unapproved software installations and limit execution from user-writable directories. Limiting execution paths reduces the risk that benign-looking prompts or scripts will launch harmful actions.
- Apply conditional access controls that evaluate device posture, location, and session risk. A more contextual approach to access can disrupt the advantage attackers gain from legitimate sessions, particularly in cloud environments.
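The second and third priorities above, keeping an inventory of approved RMM tools and limiting execution from user-writable directories, can be enforced together by reconciling what endpoint telemetry actually reports against an approval list. The following is an added example and not code from the report or from Blackpoint Cyber; the approval policy, hostnames, paths and all tool names other than ScreenConnect are constructed placeholders, and the set of user-writable prefixes is an assumption to be adjusted per environment.

```python
"""Added example (not code from the report or from Blackpoint Cyber): reconcile
remote-management agents observed on endpoints against an approved-tool
inventory, flagging rogue tools, approved tools on unexpected hosts, agents
running from user-writable paths, and approvals no longer backed by any install."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Agent:
    host: str
    tool: str   # tool name as normalised by endpoint telemetry
    path: str   # path of the running binary


# Constructed approval policy: tool -> hosts permitted to run it ("*" = any host).
# Only "screenconnect" is named on the page; the other tool names are placeholders.
APPROVED: Dict[str, Set[str]] = {
    "screenconnect": {"it-jump-01", "it-jump-02"},
    "fleet-rmm-agent": {"*"},
    "legacy-rmm-agent": {"*"},   # still approved, but nothing reports it any more
}

# Assumed locations a standard user can write to on Windows; extend per environment.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed endpoint telemetry; hostnames and paths are placeholders.
OBSERVED: List[Agent] = [
    Agent("it-jump-01", "screenconnect",
          "c:\\program files (x86)\\screenconnect client\\screenconnect.clientservice.exe"),
    Agent("finance-pc-07", "screenconnect",
          "c:\\users\\jdoe\\appdata\\local\\apps\\screenconnect.clientservice.exe"),
    Agent("finance-pc-07", "fleet-rmm-agent", "c:\\program files\\fleet-rmm\\agent.exe"),
    Agent("hr-pc-03", "unknown-remote-tool", "c:\\programdata\\unknown\\remote.exe"),
]


def reconcile(observed: List[Agent],
              approved: Dict[str, Set[str]] = APPROVED) -> List[dict]:
    """Return one finding per policy deviation, each tagged with a kind.

    Kinds: rogue_tool (not approved at all), unexpected_host (approved, but not
    for this host), user_writable_path (binary lives where a user can write),
    stale_approval (approved tool with no reporting install, a candidate for removal).
    """
    findings: List[dict] = []
    seen: Set[str] = set()
    for a in observed:
        seen.add(a.tool)
        allowed: Optional[Set[str]] = approved.get(a.tool)
        if allowed is None:
            findings.append({"kind": "rogue_tool", "host": a.host, "tool": a.tool})
        elif "*" not in allowed and a.host not in allowed:
            findings.append({"kind": "unexpected_host", "host": a.host, "tool": a.tool})
        # Checked independently: an approved tool in a user-writable path is still a finding.
        if a.path.lower().startswith(USER_WRITABLE_PREFIXES):
            findings.append({"kind": "user_writable_path", "host": a.host, "tool": a.tool})
    for tool in approved:
        if tool not in seen:
            findings.append({"kind": "stale_approval", "host": None, "tool": tool})
    return findings


def count_by_kind(findings: List[dict]) -> Dict[str, int]:
    """Summarise findings as kind -> count, for a quick fleet-level view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(OBSERVED):
        print(f"{f['kind']:18} host={f['host']} tool={f['tool']}")
```

Running it against the constructed telemetry yields five findings: ScreenConnect on a finance workstation that is not in its approved host set, two agents launched from user-writable locations, one tool with no approval at all, and one approved tool that no endpoint reports any more. The last kind is the "unused or legacy agents" case the report calls out, since an approval nobody uses is exactly the cover a rogue install would blend into.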
These patterns and priorities are relevant across sectors that have historically faced targeted intrusions, including manufacturing, healthcare, managed service providers, financial services, and construction. The overarching message is that attackers are increasingly relying on the everyday mechanics of how organizations work—remote logins, trusted tools, and standard user actions—to establish a foothold and move deeper into networks.
What this means for defenders is a push toward stronger alignment between identity, device posture, and access decisions, coupled with heightened scrutiny of tools that operate with broad network reach. In most cases the vectors attackers exploit are everyday workflows—routine passwords, authorized software, and common admin utilities—rather than exotic malware. This reality calls for a defense-in-depth approach that doesn’t simply focus on the latest vulnerability, but rather on rigorous controls over who is permitted access, to what, and from where, and on ensuring that the tools used to manage networks cannot serve as backdoors when misused.
In sum, the 2026 Annual Threat Report paints a portrait of intrusion and persistence built on routine access and trusted software. It is a reminder that the most effective security measures are those that can see and govern the everyday actions that occur within networks—like remote sessions, tool deployments, and user-driven prompts—before they become the starting point of a breach. As organizations continue to navigate an environment where legitimate pathways can become adversarial routes, the emphasis on visibility, control, and contextual evaluation of access will be central to stopping intrusions in their tracks.