Find notable cyber news and cases, enriched with sources, timelines, and signals.

2025 Rise in legitimate-access intrusions across enterprise sectors

Trend
First reported
Last updated
Happening score
H score 28
2 unique sources, 2 articles

Summary

Hide ▲

Legitimate access abuse is now a leading intrusion pattern across 2025 investigations, increasing the risk of stealthy compromise across manufacturing, healthcare, MSPs, financial services, and construction. SSL VPN abuse and RMM abuse were among the most common entry paths, showing that attackers are often blending into normal admin activity. Fake CAPTCHA/ClickFix-style social engineering and cloud session reuse after MFA further reduced the need for obvious malware or exploit chains. The pattern matters because defenders may miss intrusions that begin with apparently routine logins or trusted tools.

Related Happenings

Microsoft Azure CLI password-spray campaign using ROPC

Campaign
H score24 First: 01.07.2026 08:46 Last: 01.07.2026 08:46 Sources 1

About this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...

Service desk social engineering defenses tighten identity verification for password resets and MFA changes

Defensive Guidance
H score17 First: 24.06.2026 17:02 Last: 24.06.2026 17:02 Sources 1

About this happening: **Service desk identity verification** is being tightened against **social engineering attacks**, reducing impersonation-driven account takeover and unauthorized access across cor...

FortiBleed Fortinet credential-theft campaign

Campaign
H score89 First: 19.06.2026 13:48 Last: 19.06.2026 13:48 Sources 1

About this happening: The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...

Latest development: 22.06.2026 11:30

The UK’s National Cyber Security Centre issued guidance for Fortinet customers impacted by FortiBleed after the campaign exposed around 75,000 credentials from FortiGate firewall and SSL VPN customers. The NCSC urged affected organizations to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools and then review indicators of compromise such as unauthorized account creation and unexpected activity in log files.

CISA FortiBleed mitigation guidance

Advisory/Mitigation
H score67 First: 19.06.2026 09:47 Last: 19.06.2026 09:47 Sources 1

About this happening: **CISA** issued mitigation guidance for **FortiBleed**, urging operators of **internet-accessible Fortinet devices** to harden exposed **FortiGate** and VPN environments after a *...

FortiBleed Fortinet/FortiGate VPN credential leak

Data Leak
H score80 First: 17.06.2026 18:12 Last: 17.06.2026 18:12 Sources 1

About this happening: **FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...

Latest development: 19.06.2026 09:47

CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.

Timeline

  1. 01.04.2026 17:05 2 articles · 3mo ago

    Blackpoint Cyber reports 2025 legitimate-access intrusion trends

    Initial Disclosure

    Blackpoint Cyber's 2026 Annual Threat Report, published on 2026-04-01, summarizes thousands of 2025 investigations and says intrusions increasingly began with valid credentials, legitimate tools such as RMM/ScreenConnect, Fake CAPTCHA/ClickFix-style prompts, and Adversary-in-the-Middle phishing that reused cloud session tokens after MFA. The report also says SSL VPN abuse, rogue RMM activity, and Windows Run dialog abuse blended into normal operations, with manufacturing, healthcare, MSPs, financial services, and construction repeatedly affected.

    Show sources