Attackers exploit trust rather than software flaws, Blackpoint Cyber report finds
Blackpoint Cyber has released its 2026 Annual Threat Report, which says attackers are increasingly gaining access by abusing trusted credentials and tools.
The findings are based on incident response data collected by Blackpoint's Security Operations Centre during 2025. They suggest a shift away from software exploits and toward methods that blend into normal business activity.
Instead of relying on malware or newly discovered vulnerabilities, attackers are logging in through SSL VPN gateways, using remote monitoring and management tools, and repurposing legitimate Windows utilities. This approach, often described as living off the land, can make malicious activity harder to distinguish from routine work by IT teams and employees.
One of the largest categories in the report involved attacks that exploit user behaviour. Fake CAPTCHA and ClickFix campaigns accounted for 57.5 per cent of incidents observed by the Blackpoint SOC. These campaigns are designed to persuade users to take steps that trigger remote code execution, often through prompts resembling common verification checks or standard workplace actions.
Remote access also featured heavily in the data. Abuse of legitimate RMM tools represented 30.3 per cent of incidents, while SSL VPN compromises accounted for 32.8 per cent of identifiable activity. Because both methods rely on software and services many organisations already use to manage systems and support staff, spotting intrusions quickly can be difficult.
The report also points to growth in identity-based attacks. It highlights adversary-in-the-middle techniques that can hijack authenticated sessions and bypass traditional multi-factor authentication protections. That matters because many security strategies still focus heavily on securing the login stage, even though session theft can let an attacker operate after that checkpoint has been passed.
Threat infrastructure is also becoming harder to trace. The report cites the use of Etherhiding, in which malicious logic is embedded in blockchain smart contracts to manage compromised websites at scale. This places parts of the attack chain on decentralised infrastructure that can be more difficult for defenders to remove or disrupt.
Manufacturing and industrial organisations remained a notable target, accounting for 11.5 per cent of incidents in Blackpoint's data. The report links this to the sector's reliance on legacy infrastructure and the operational cost of downtime, which can make disruption especially expensive.
The findings come as cyber security teams face pressure to detect attacks that do not always show familiar signs of compromise, such as malicious binaries or exploit activity. When attackers use approved software, valid accounts, and expected workflows, defenders must rely more on context, behavioural analysis, and rapid investigation.
Blackpoint said its SOC disrupted 56 per cent of incidents before attackers could deploy a payload during 2025. It presented that figure as evidence that intervention can still happen early in the intrusion chain, even when initial access appears legitimate.
“Throughout 2025, simple symbols of trust such as a valid username, a legitimate password, or a trusted tool became the adversary's welcome mat,” said Gagan Singh, Chief Executive Officer, Blackpoint Cyber. “If 2025 was the year attackers weaponized trust, then 2026 must be the year defenders redefine it.”
The report includes a series of defensive recommendations focused on access controls and identity protection. These include strengthening remote access policies, securing RMM deployments, and adopting phishing-resistant authentication methods to reduce exposure to credential-based attacks.
It also recommends tighter control over software installation and better monitoring of administrative tools and command chains. Measures such as limiting use of the Windows Run dialog for standard users, blocking execution from common staging directories, and watching for suspicious installer behaviour are intended to reduce attackers' ability to turn everyday actions into paths to compromise.
For identity security, the guidance focuses on separating privileged and non-privileged accounts and monitoring for token abuse and session hijacking. In cloud environments, the recommendations include least-privilege policies, restrictions on third-party app consent, and closer monitoring of unusual mailbox and identity activity.
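Monitoring for session hijacking, unrestricted app consent and unusual mailbox activity, as recommended above, can likewise be approached as rules over identity and mailbox events. The block below is an added example written for this article, not Blackpoint's code or a vendor API: it runs three checks over constructed sign-in, consent and inbox-rule events. The event schema, the 10-minute window, the list of privileged roles and the notion that an authenticated session reappearing from a different IP address and client within that window may indicate the adversary-in-the-middle session theft described earlier are all assumptions made for the illustration.

```python
"""Identity and mailbox event checks (added example, assumed schema).

Events are plain dicts with a "type" key; the remaining keys are an
assumption of this example rather than any product's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SESSION_WINDOW = timedelta(minutes=10)   # assumed reuse window
PRIVILEGED_ROLES = {"global-admin", "app-admin"}  # assumed role names


def detect_session_reuse(events):
    """Flag a session token seen from a different IP *and* client within the window."""
    seen = defaultdict(list)   # session_id -> [(time, ip, user_agent)]
    alerts = []
    for ev in (e for e in events if e["type"] == "signin"):
        for t, ip, ua in seen[ev["session_id"]]:
            if (ev["time"] - t <= SESSION_WINDOW and ip != ev["ip"]
                    and ua != ev["user_agent"]):
                alerts.append(("session-reuse", ev["user"], ev["session_id"]))
                break
        seen[ev["session_id"]].append((ev["time"], ev["ip"], ev["user_agent"]))
    return alerts


def detect_consent_by_non_admin(events):
    """Flag third-party app consent granted by an account with no privileged role."""
    return [("app-consent-non-admin", ev["user"], ev["app"])
            for ev in events if ev["type"] == "consent"
            and not (set(ev.get("roles", ())) & PRIVILEGED_ROLES)]


def detect_external_forwarding(events, internal_domain):
    """Flag new inbox rules that forward mail outside the organisation's domain."""
    return [("external-forward-rule", ev["user"], ev["forward_to"])
            for ev in events if ev["type"] == "inbox-rule"
            and not ev["forward_to"].lower().endswith("@" + internal_domain)]


def run_all(events, internal_domain="example.invalid"):
    """Concatenate the findings of every check."""
    return (detect_session_reuse(events)
            + detect_consent_by_non_admin(events)
            + detect_external_forwarding(events, internal_domain))


T0 = datetime(2025, 6, 1, 9, 0)
# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"type": "signin", "time": T0, "user": "alice", "session_id": "S1",
     "ip": "198.51.100.10", "user_agent": "Edge/Windows"},
    {"type": "signin", "time": T0 + timedelta(minutes=3), "user": "alice",
     "session_id": "S1", "ip": "203.0.113.7", "user_agent": "curl/8"},
    {"type": "signin", "time": T0 + timedelta(minutes=5), "user": "bob",
     "session_id": "S2", "ip": "198.51.100.11", "user_agent": "Edge/Windows"},
    {"type": "consent", "user": "bob", "app": "MailSyncHelper", "roles": ["user"]},
    {"type": "consent", "user": "carol", "app": "HRConnector", "roles": ["app-admin"]},
    {"type": "inbox-rule", "user": "alice", "forward_to": "drop@attacker.invalid"},
    {"type": "inbox-rule", "user": "bob", "forward_to": "bob.archive@example.invalid"},
]

if __name__ == "__main__":
    for finding in run_all(SAMPLE_EVENTS):
        print(finding)
```

The session check deliberately requires both the address and the client to change, which keeps ordinary roaming between office and mobile networks from firing it; tightening or loosening that condition is the main tuning decision in practice.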
The broader message is that trust relationships inside organisations have become a more attractive route for attackers than direct attempts to break through technical barriers. That creates a challenge for companies that have built detection models around malware signatures, exploit attempts, or clearly unauthorised software.
“Attackers today are not always breaking systems. They are exploiting trust,” said Wilfredo Santiago, Chief Security and Trust Officer at Blackpoint Cyber. “When adversaries operate inside legitimate systems and workflows, detection requires more than alerts. It requires context, expertise, and the ability to intervene in real time before intent turns into impact.”