Attackers are no longer using zero-day vulnerabilities and malware to gain initial access into corporate systems, but are now exploiting the pillars of trust that organizations rely on. This includes abusing SSL VPN tools and remote monitoring and management (RMM) software, as well as tactics such as running fake CAPTCHA and ClickFix scams.

This shift has led to a new reality in cybersecurity: threat groups are no longer breaking into IT environments – they are simply logging in.

A range of cybersecurity firms are reporting on the ongoing shift. Palo Alto Networks’ Unit 42 threat intelligence unit, in its Global Incident Response Report 2026, found that last year, identity weakness – such as stolen credentials and tokens – played a key role in almost 90% of its investigations.

“Stolen credentials are particularly dangerous because they allow attackers to blend in with legitimate user activity, making them difficult to detect with traditional firewalls,” Huntress researchers wrote in February. “Once inside, attackers use these identities to move laterally through a network, escalate privileges, and launch more severe attacks like ransomware or Business Email Compromise (BEC).”
Bypassing Defenses
A report released this week by managed detection and response (MDR) firm Blackpoint Cyber puts the spotlight on the trend, highlighting that its security operations center (SOC) saw an increase in hackers bypassing traditional defenses by using legitimate credentials and turning the tools that organizations rely on against them.

For example, 30% of security incidents Blackpoint Cyber responded to involved abusing RMM software, while SSL VPN tool compromises accounted for 32.8% of activity identified, according to the 2026 Annual Threat Report. At the top of the list of attack campaigns were CAPTCHA and ClickFix scams, driving 58% of malicious activity detected.

The trend is not slowing down, according to Sam Decker, threat intelligence engineer at Blackpoint Cyber.

“Throughout 2025, Blackpoint saw how attackers were doubling down on this approach because, frankly, why wouldn’t they?” Decker told MSSP Alert. “Stealing credentials and abusing tools that are already trusted in the environment is easier than finding a zero-day in an appliance. SSL VPN compromises, rogue RMM installs, and fake CAPTCHA campaigns tricking users into running commands themselves are all built around the same idea of blending in rather than breaking in.”
MSSPs, MSPs Are Targets
Such tools also highlight why MSSPs and MSPs – which have broad access into their client IT environments – are becoming attractive targets for cybercriminals. Again, Decker said, “It makes complete sense from an attacker’s perspective.”

“Why spend time compromising one company when you can compromise the MSP managing 50 of them?” he said. “We’re seeing attackers specifically go after the tools and access paths MSPs rely on to do their jobs, such as RMM platforms, VPN infrastructure, and admin credentials, because that’s where the real leverage is.”
Exploiting Trust
Wending its way throughout these new attack pathways is the issue of trust. The report’s authors wrote that “if a platform is trusted, the activity will be trusted, too. And that trust gives them everything they need.”

“A VPN credential becomes a golden ticket to accessing the crown jewels,” they wrote. “A rogue RMM install hides in plain sight among legitimate IT tools. A trojanized installer impersonates the software users expect to download anyway. A fake CAPTCHA turns a habitual click into remote code execution. None of these triggers early alarms because nothing looks overtly malicious.”

VPN gateways are attractive to bad actors because they’re internet-facing, allow broad access into IT environments, and offer limited telemetry. RMM software comes with built-in remote access capabilities that make communication with a command-and-control (C2) server easier, while CAPTCHA and ClickFix exploit routine human behavior.
A Strength and a Weakness
That said, while the shift in attackers’ strategies makes them more difficult to detect, it also can become a weakness. Decker called it a “double-edged sword” for attackers, noting that “when you’re living off legitimate tools, you’re constrained by how those tools behave.”

“ScreenConnect [an RMM tool] looks a certain way, remote execution from a VPN address pool behaves a certain way, and when you know what ‘normal’ looks like, those patterns stand out,” he said. “The fact that attackers are hiding in plain sight doesn’t mean they’re invisible. It just means you have to know where to look and have the proper context.”

Blackpoint’s SOC blocked more than 7 million unauthorized application installs in 2025, and ScreenConnect accounted for more than half of those, he said.
Security Services Providers Must Adapt
In this environment, MSSPs and MSPs need to make some adjustments, Decker said. Key among them is understanding that they’re not only their clients’ protector, but they’re also a target. They need to make sure their own environment is protected. That includes running an RMM inventory, ensuring strong multifactor authentication without legacy fallbacks, and application control to defend against unauthorized installs.

They also need to invest in detection tools that understand the behavior of attackers, not only the malware signatures, because the threats they face don’t always rely on malware.

MSSPs are becoming more aware of the threats they’re facing, but preparedness “is all over the map,” Decker said.

“Many MSPs and MSSPs still lean heavily on their EDRs to catch everything,” he said. “However, EDRs are not the catch-all solution for all security threats. The Blackpoint SOC beat EDR to the alert 72% of the time last year. These attacks are specifically designed not to look malicious, which emphasizes the need to have more than a tool sitting on an endpoint waiting for a signature match.”
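The RMM inventory step described above is the kind of check a provider can automate: compare every remote-access agent found on managed hosts against the short list of RMM products the organization actually sanctions, and treat anything else as a rogue install to investigate. The script below is an added illustration, not Blackpoint Cyber's or any vendor's code. ScreenConnect is the only product named in the article; the other entries in the catalogue, the sample inventory records, the hostnames and the approved list are all constructed assumptions for the example.

```python
"""Flag RMM/remote-access agents installed on managed hosts that are not on the
organization's approved list. Added example; not code from the article or vendor."""
import re
from collections import Counter
from dataclasses import dataclass

# Catalogue of remote-access products to recognise, keyed by a normalised
# substring of the installed product name. ScreenConnect is named in the
# article; the other entries are well-known tools added here as an assumption.
RMM_CATALOGUE = {
    "screenconnect": "ScreenConnect",
    "connectwise control": "ScreenConnect",  # older branding of the same product
    "anydesk": "AnyDesk",
    "teamviewer": "TeamViewer",
    "atera": "Atera",
}


@dataclass(frozen=True)
class InstallRecord:
    """One installed-software entry as an RMM or asset inventory would export it."""
    host: str
    product: str
    publisher: str


def normalise(name: str) -> str:
    """Lower-case and strip punctuation so 'ScreenConnect Client (7f3a2b)' matches."""
    return re.sub(r"[^a-z0-9 ]+", " ", name.lower()).strip()


def classify_rmm(product: str):
    """Return the canonical RMM tool name if `product` looks like one, else None."""
    n = normalise(product)
    for key, canonical in RMM_CATALOGUE.items():
        if key in n:
            return canonical
    return None


def find_unapproved(records, approved):
    """Return (findings, counts): findings is a list of (host, product, tool)
    for RMM installs whose tool is not in `approved`; counts tallies per tool."""
    findings = []
    counts = Counter()
    for rec in records:
        tool = classify_rmm(rec.product)
        if tool is None or tool in approved:
            continue
        findings.append((rec.host, rec.product, tool))
        counts[tool] += 1
    return findings, counts


# Constructed sample inventory (hostnames, products and publishers are made up).
SAMPLE_INVENTORY = [
    InstallRecord("ws-01", "Atera Agent", "Atera Networks"),
    InstallRecord("ws-02", "ScreenConnect Client (7f3a2b)", "ScreenConnect Software"),
    InstallRecord("ws-03", "Microsoft Edge", "Microsoft Corporation"),
    InstallRecord("ws-04", "AnyDesk", "AnyDesk Software GmbH"),
    InstallRecord("ws-05", "ConnectWise Control Client", "ConnectWise"),
    InstallRecord("srv-01", "TeamViewer", "TeamViewer Germany GmbH"),
]

# Assumption: this organisation sanctions exactly one RMM platform.
APPROVED_RMM = {"Atera"}


def report(records=SAMPLE_INVENTORY, approved=APPROVED_RMM):
    """Print a human-readable summary and return the findings for further handling."""
    findings, counts = find_unapproved(records, approved)
    for host, product, tool in findings:
        print(f"UNAPPROVED RMM  host={host:<7} tool={tool:<13} product={product!r}")
    for tool, n in counts.most_common():
        print(f"{tool}: {n} unapproved install(s)")
    return findings


if __name__ == "__main__":
    report()
```

Matching on a normalised substring rather than an exact product string is deliberate: the same agent shows up under several display names across versions and branding changes, and an allowlist that only recognises one spelling will miss the rest. Any host that reports an RMM agent outside the approved set is a candidate for the application-control policy the article recommends.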
