Rise of Routine Access Exploits: A Growing Cybersecurity Concern
Attackers Are Using Authorized Access Routes to Initiate Intrusions, Reveals a Recent Threat Report
Organizations heavily rely on remote access and legitimate administrative tools for day-to-day operations. However, according to a comprehensive threat report, these same tools are increasingly being exploited by malicious actors to initiate intrusions.
The report indicates that attackers frequently gain access through legitimate means, rather than relying on novel exploits or advanced malware. In fact, 32.8% of all identifiable incidents involved SSL VPN abuse, with attackers authenticating using compromised credentials. This approach allows them to establish seemingly legitimate VPN sessions, which grant broad internal reach and enable rapid movement towards high-value systems without triggering alerts.
Remote Monitoring and Management (RMM) tools, commonly used for standard IT administration, are also being exploited by attackers. In 30.3% of identifiable incidents, RMM abuse was documented, with ScreenConnect present in over 70% of rogue RMM cases. Unsanctioned installations of these tools often blend in with existing tooling, making detection challenging without robust visibility.
User interaction represents the largest driver of overall incident volume, accounting for 57.5% of all identifiable incidents. Fake CAPTCHA and ClickFix-style campaigns, reliant on deceptive prompts, are the most common attack pattern documented in the report. Users are instructed to paste commands into the Windows Run dialog as part of a seemingly routine verification step, which executes built-in Windows tools without the need for traditional malware.
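A defender-side illustration of this pattern, added here and not taken from the report: a small hunt over process-creation telemetry that flags built-in Windows tools (a LOLBin list I assume here) spawned directly by explorer.exe, which is the parent of anything launched from the Run dialog, with arguments typical of paste-a-command lures. The events are constructed, in a simplified Sysmon-style layout, and the placeholder command lines are not real payloads; the same parent/child check also catches Start-menu launches, so expect to tune the argument patterns.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample process-creation events (simplified Sysmon Event ID 1 layout,
# only the three fields this check needs). Command lines are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://verify.example.invalid/captcha"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -EncodedCommand PLACEHOLDER_BASE64"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"parent": r"C:\Program Files\BuildAgent\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -File build.ps1"},
]

# Assumed list of built-in tools that paste-a-command lures typically invoke; tune per estate.
LOLBINS = {"powershell.exe", "mshta.exe", "cmd.exe", "curl.exe",
           "certutil.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}

# Argument traits of a one-shot, unattended command: remote URL, encoded input, hidden window.
SUSPICIOUS_ARGS = re.compile(
    r"(https?://|-encodedcommand|-enc\w*\s|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression)",
    re.IGNORECASE,
)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def flag_run_dialog_lolbin(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string when the event matches the lure pattern, else None."""
    if basename(event["parent"]) != "explorer.exe":
        return None  # started by a service or application, not by the user's shell
    child = basename(event["image"])
    if child not in LOLBINS:
        return None
    m = SUSPICIOUS_ARGS.search(event["cmdline"])
    if not m:
        return None
    return f"{child} spawned by explorer.exe with '{m.group(0).strip()}' in arguments"

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run the check over a batch of events; return (index, reason) for each hit."""
    return [(i, r) for i, ev in enumerate(events) if (r := flag_run_dialog_lolbin(ev))]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {why}")
```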
In cloud environments, account compromise still occurs despite multi-factor authentication (MFA). Approximately 16% of cloud account disables involve adversary-in-the-middle phishing: MFA functions as designed, but attackers capture the authenticated session tokens and reuse them to access cloud services. From the perspective of the cloud platform, this activity appears as a legitimate authenticated session.
According to the report, “many successful intrusions rely on activity that blends in with normal operations.” As a result, security teams should prioritize the following defensive measures:
- Treat remote access as high-risk, high-impact activity
- Maintain a complete inventory of approved RMM tools and remove unused or legacy agents
- Restrict unapproved software installations and limit execution from user-writable directories
- Apply Conditional Access controls that evaluate device posture, location, and session risk
These recommendations apply across frequently targeted sectors, including manufacturing, healthcare, MSPs, financial services, and construction.
