A major shift is underway in the cybersecurity landscape, and according to Blackpoint Cyber, attackers are no longer relying on sophisticated malware or zero-day exploits to breach systems. Instead, they are increasingly gaining access simply by logging in—using stolen credentials and trusted tools that organizations depend on every day.

This evolving tactic marks a fundamental change in how cyberattacks are carried out. Rather than “breaking in,” threat actors are blending into normal operations by exploiting identity-based weaknesses. Research from Palo Alto Networks Unit 42 highlights the scale of this trend, revealing that identity-related issues, such as compromised credentials and tokens, played a role in nearly 90% of incident response cases in 2025.

The growing reliance on login-based attacks is closely tied to the abuse of legitimate tools. Attackers are targeting SSL VPNs and remote monitoring and management (RMM) platforms, which are designed to provide secure access but can become powerful entry points when credentials are compromised. In many cases, these tools allow attackers to move laterally across networks, escalate privileges, and launch further attacks without triggering traditional security alerts.

According to Blackpoint Cyber’s 2026 Annual Threat Report, a significant portion of incidents involved the misuse of these trusted systems. RMM tools were abused in roughly 30% of cases, while compromised VPN access accounted for over 32% of observed activity. Even more striking is the rise of social engineering techniques such as fake CAPTCHA and ClickFix scams, which drove more than half of the malicious activity detected. These tactics exploit routine user behavior, tricking individuals into unknowingly granting attackers access.

This trend is particularly concerning for managed security service providers (MSSPs) and managed service providers (MSPs). Because these organizations have privileged access to multiple client environments, they present a high-value target. As threat intelligence experts point out, compromising a single MSSP can potentially provide access to dozens—or even hundreds—of downstream organizations, amplifying the impact of an attack.

At the core of this shift is the exploitation of trust. When attackers use legitimate credentials or trusted software, their actions often appear normal within the system. A compromised VPN login can act as a “golden ticket,” granting access to sensitive resources, while a malicious RMM installation can blend in seamlessly with legitimate IT operations. This makes detection far more challenging, as traditional defenses like firewalls and signature-based tools are not designed to identify such behavior.

However, this strategy is not without its limitations. Security experts note that attackers who rely on legitimate tools are constrained by how those tools behave. This creates patterns that, when properly analyzed, can reveal suspicious activity. The key lies in understanding what “normal” looks like within an environment and identifying deviations from that baseline.

Blackpoint Cyber’s findings also highlight the need for MSSPs and MSPs to rethink their security strategies. It is no longer enough to focus solely on protecting clients—service providers themselves must strengthen their own defenses. This includes enforcing strong multi-factor authentication, maintaining strict control over application installations, and investing in advanced detection capabilities that focus on behavior rather than just malware signatures.

Ultimately, this shift toward login-based attacks underscores a broader reality: cybersecurity is no longer just about keeping attackers out—it’s about detecting and responding to threats that may already be inside.
