Trusted tools are attack paths
Incident reports note attackers increasingly exploit trusted credentials, VPNs and remote‑management tools — including social‑engineered fake CAPTCHA schemes that trick users into enabling access. Detection families that flag remote‑tool launches followed by unusual privilege use, new‑device VPN success, or quick data access after a browser download help expose this trusted‑tool abuse. (channellife.co.nz)
A lot of break-ins now start with a correct password, not a broken lock. Blackpoint Cyber said its 2026 threat report found attackers increasingly got in by abusing trusted credentials, virtual private network access, and remote-management software that companies already use every day. (blackpointcyber.com)
That changes the shape of the problem. If an employee account logs in through a company virtual private network gateway, the traffic can look normal at first glance because the attacker is wearing the company’s own badge. (blackpointcyber.com)
Blackpoint said more than half of the incidents it investigated began with activity that initially looked legitimate. Its report says attackers often moved from that first foothold into discovery, lateral movement, and privilege escalation before the activity looked obviously malicious. (blackpointcyber.com)
One of the biggest doors is remote-monitoring and management software, which is the class of tools information-technology staff use to fix machines from afar. Blackpoint said abuse of those legitimate remote tools represented 30.3 percent of incidents, turning help-desk software into an attack path. (compuserve.com)
Another big door is the secure sockets layer virtual private network, which is the encrypted tunnel many companies use for remote workers. Blackpoint said secure sockets layer virtual private network compromises accounted for 32.8 percent of identifiable activity, meaning attackers often did not need a software exploit if they already had working credentials. (compuserve.com)
The strangest part is how often the victim helps open the door. Blackpoint said fake CAPTCHA and ClickFix campaigns made up 57.5 percent of incidents its security operations center observed, using familiar “prove you are human” prompts to trick users into running commands or enabling access. (compuserve.com)
ClickFix is a social-engineering trick dressed up like technical support. Security reporting on Blackpoint’s findings says the page shows a fake error or verification step, then tells the user to paste a command into Windows so the attacker can launch malware or a remote session under the user’s own approval. (bleepingcomputer.com)
That is why classic “block the virus file” defenses miss some of this activity. Blackpoint’s report focuses on behavior chains instead of single tools, like a remote-tool launch followed by unusual administrator actions, or a brand-new device succeeding on a virtual private network and then touching sensitive data minutes later. (blackpointcyber.com)
The company says speed still matters after the login succeeds. In incidents from 2025, Blackpoint’s security operations center said it disrupted 56 percent before the attacker could deploy a payload, which means the best chance to stop the intrusion was often in the short window between first access and the next step. (markets.businessinsider.com)
The bigger lesson is that trusted tools now need the same suspicion companies once reserved for obvious malware. When attackers can log in through the front door, the alarm has to watch for strange behavior inside the building, not just broken glass at the window. (msspalert.com)
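The behavior-chain idea in the summary and in the report coverage above (remote-tool launch followed by privilege use, new-device VPN success followed by sensitive data access, quick data access after a browser download) can be expressed as a small correlation rule set. The following is an added example written for this page, not Blackpoint's detection code; the event kinds, field names, the ten-minute window, the list of remote-tool binaries and the sample log lines are all constructed assumptions. It reads key=value log lines, sorts them by time, and raises an alert only when a trigger event is followed by the matching second step on the same host or user inside the window, so a remote tool used normally, a known device on the VPN, or a privilege change hours later produces nothing.

```python
"""Behaviour-chain correlation over constructed endpoint and VPN events.

Added example for this page, not Blackpoint's code. Event kinds, field
names, REMOTE_TOOLS and the sample log are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed names of legitimate remote-management binaries we want to watch,
# not block: on their own they are normal help-desk activity.
REMOTE_TOOLS = {"anydesk.exe", "screenconnect.exe", "teamviewer.exe"}

# Constructed sample log. One event per line: timestamp, then key=value fields.
SAMPLE_LOG = """\
2026-03-02T09:00:00Z host=WS01 user=alice kind=process_start detail=anydesk.exe
2026-03-02T09:04:30Z host=WS01 user=alice kind=priv_use detail=local_admin_group_change
2026-03-02T09:30:00Z host=WS02 user=bob kind=process_start detail=teamviewer.exe
2026-03-02T11:30:00Z host=WS02 user=bob kind=priv_use detail=local_admin_group_change
2026-03-02T12:00:00Z host=VPNGW user=carol kind=vpn_login new_device=1
2026-03-02T12:03:00Z host=FS01 user=carol kind=data_access sensitive=1 detail=finance_share
2026-03-02T13:00:00Z host=VPNGW user=dave kind=vpn_login new_device=0
2026-03-02T13:02:00Z host=FS01 user=dave kind=data_access sensitive=1 detail=finance_share
2026-03-02T14:00:00Z host=WS04 user=erin kind=browser_download detail=invoice.pdf
2026-03-02T14:01:00Z host=WS04 user=erin kind=data_access sensitive=1 detail=hr_share
"""


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str          # process_start | priv_use | vpn_login | data_access | browser_download
    detail: str = ""
    new_device: bool = False
    sensitive: bool = False


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line into an Event."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(
        ts=datetime.fromisoformat(ts_text.replace("Z", "+00:00")),
        host=kv.get("host", ""),
        user=kv.get("user", ""),
        kind=kv["kind"],
        detail=kv.get("detail", ""),
        new_device=kv.get("new_device") == "1",
        sensitive=kv.get("sensitive") == "1",
    )


def parse_events(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


# Each rule: (name, trigger predicate, follow-up predicate, correlation key).
# The key decides what "the same actor" means for that chain: the host for
# endpoint chains, the user for the VPN chain (login and file access happen
# on different machines).
RULES = [
    ("rmm_then_priv",
     lambda e: e.kind == "process_start" and e.detail.lower() in REMOTE_TOOLS,
     lambda e: e.kind == "priv_use",
     lambda e: e.host),
    ("new_device_vpn_then_sensitive",
     lambda e: e.kind == "vpn_login" and e.new_device,
     lambda e: e.kind == "data_access" and e.sensitive,
     lambda e: e.user),
    ("download_then_data",
     lambda e: e.kind == "browser_download",
     lambda e: e.kind == "data_access" and e.sensitive,
     lambda e: e.host),
]


def detect_chains(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Return one alert dict per trigger that is followed, within `window`
    and for the same key, by its rule's second step. A trigger with no
    follow-up, or a follow-up outside the window, raises nothing."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for name, is_trigger, is_followup, key in RULES:
        for i, trig in enumerate(ordered):
            if not is_trigger(trig):
                continue
            for later in ordered[i + 1:]:
                if later.ts - trig.ts > window:
                    break  # sorted input: nothing further can be in-window
                if key(later) == key(trig) and is_followup(later):
                    alerts.append({"rule": name, "key": key(trig),
                                   "first": trig.ts, "second": later.ts})
                    break  # one alert per trigger is enough
    return alerts


if __name__ == "__main__":
    for a in detect_chains(parse_events(SAMPLE_LOG)):
        gap = int((a["second"] - a["first"]).total_seconds() // 60)
        print(f'{a["rule"]:32} {a["key"]:6} {gap} min between steps')
```

On the constructed log this yields three alerts (alice's remote tool then privilege change on WS01, carol's new-device VPN login then finance share access, erin's download then HR share access) and stays silent for bob, whose privilege change came two hours after the tool launch, and for dave, who was on a known device. The window is the tuning knob: the report's point that most disruptions happen between first access and the next step argues for keeping it short and alerting on the chain rather than waiting for a payload.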