2025 Rise in legitimate-access intrusions across enterprise sectors
Target Trend
Summary
Legitimate access abuse is now a leading intrusion pattern across 2025 investigations, increasing the risk of stealthy compromise across manufacturing, healthcare, MSPs, financial services, and construction. SSL VPN abuse and RMM abuse were among the most common entry paths, showing that attackers are often blending into normal admin activity. Fake CAPTCHA/ClickFix-style social engineering and cloud session reuse after MFA further reduced the need for obvious malware or exploit chains. The pattern matters because defenders may miss intrusions that begin with apparently routine logins or trusted tools.
Related Happenings
SonicWall Gen6 SSL-VPN MFA-bypass flaw (CVE-2024-12802)
Vulnerability
First: 21.05.2026 00:19
Last: 21.05.2026 00:19
Sources 1
About this happening:
Researchers confirmed **first-in-the-wild exploitation** of **CVE-2024-12802** against **SonicWall Gen6 SSL-VPN appliances**, showing that incomplete remediation can leave **MFA b...
Storm-2949 Microsoft 365 and Azure data-theft campaign
Campaign
First: 19.05.2026 22:35
Last: 19.05.2026 22:35
Sources 1
About this happening:
The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
ACSC ClickFix mitigation guidance for Vidar Stealer
Advisory/Mitigation
First: 07.05.2026 21:00
Last: 07.05.2026 21:00
Sources 1
About this happening:
The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...
AWS exposed-key hardening guidance for Amazon SES phishing abuse
Defensive Guidance
First: 04.05.2026 23:03
Last: 04.05.2026 23:03
Sources 1
About this happening:
**Kaspersky** urged organizations to harden **AWS IAM** and credential handling after **exposed access keys** were linked to phishing delivery through **Amazon SES**, reducing the...
VENOMOUS#HELPER phishing campaign using RMM tools
Campaign
First: 04.05.2026 21:06
Last: 04.05.2026 21:06
Sources 1
How related:
An active phishing campaign, observed across multiple vectors since at least April 2025, uses legitimate Remote Monitoring and Management (RMM) software to establish persistent remote access to compromised hosts.
About this happening:
An active **VENOMOUS#HELPER** phishing campaign is using legitimate **RMM software** to establish **persistent remote access** to compromised hosts, putting **over 80 organization...
Latest development: 05.05.2026 17:00
Securonix found the Venomous#Helper phishing campaign using emails impersonating the US Social Security Administration to send victims to gruta[.]com.mx, which served an SSA-branded harvesting page before redirecting to payload delivery from a separate compromised cPanel account. The campaign pairs a self-hosted SimpleHelp 5.0.1 instance with a ConnectWise ScreenConnect relay, and the downloaded JWrapper-packaged binary was signed by SimpleHelp Ltd with a valid Thawte certificate. In a one-hour observation, Securonix recorded 986 background process-creation events and WMIC execution through a renamed wmic.exe.bak copy to evade EDR rules.
Timeline
- 01.04.2026 17:05 · 2 articles
Blackpoint Cyber reports 2025 legitimate-access intrusion trends
Initial Disclosure: Blackpoint Cyber's 2026 Annual Threat Report, published on 2026-04-01, summarizes thousands of 2025 investigations and says intrusions increasingly began with valid credentials, legitimate tools such as RMM/ScreenConnect, Fake CAPTCHA/ClickFix-style prompts, and Adversary-in-the-Middle phishing that reused cloud session tokens after MFA. The report also says SSL VPN abuse, rogue RMM activity, and Windows Run dialog abuse blended into normal operations, with manufacturing, healthcare, MSPs, financial services, and construction repeatedly affected.
Sources:
- Routine Access Is Powering Modern Intrusions, a New Threat Report Finds — www.bleepingcomputer.com — 01.04.2026 17:05
- RMM Tools Fuel Stealthy Phishing Campaign — www.darkreading.com — 04.05.2026 23:56