Incident Response Reports Highlight Identity and Low-Complexity Initial Access as Dominant Intrusion Drivers
Two 2026 incident-response reports describe threat actors increasingly favoring fast, low-complexity initial access over sophisticated exploitation, with identity compromise and common remote access paths repeatedly enabling broad downstream impact. Unit 42’s Global Incident Response Report 2026 data (based on 750+ engagements) indicates attacker activity crossed multiple attack surfaces in 87% of cases, requiring investigation across endpoints, identity systems, networks, and cloud services; it also attributes a material role to identity weaknesses in nearly 90% of investigations and reports identity-based techniques as the initial access method in 65% of cases (e.g., phishing, stolen credentials, brute force, insider activity). Phishing and vulnerability exploitation were cited as top initial access vectors (tied at 22% each), reinforcing that common, repeatable techniques remain highly effective.
Arctic Wolf reporting similarly concludes that attackers are prioritizing accessible entry points, with phishing frequently initiating business email compromise and with ransomware intrusions often beginning via abuse of remote access services such as RDP, VPN, and remote monitoring and management (RMM) tooling. Both sources emphasize that weak access controls—such as excessive permissions, non-phishing-resistant MFA, credential reuse/default passwords, IAM misconfigurations, unmanaged OAuth grants, and stale/shared accounts—allow a single foothold to expand laterally across SaaS, cloud, and on-prem environments, increasing blast radius and complicating detection and response.
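The weak-access-control conditions listed above (stale and shared accounts, default passwords, MFA that is not phishing-resistant, unmanaged OAuth grants, and privileged accounts whose single credential spans SaaS, cloud and on-prem) can be turned into a repeatable posture check. The script below is an added illustration written for this page; it is not code from Unit 42, Arctic Wolf, or Mallory. The account inventory, field names, role names, and the 90-day staleness threshold are all constructed assumptions, not figures from the reports.

```python
"""Identity-posture checks over a constructed account inventory.

Hypothetical data and field names; the thresholds and role names are
assumptions chosen for illustration, not figures from the IR reports.
"""
from dataclasses import dataclass, field
from datetime import date

REFERENCE_DATE = date(2026, 2, 20)      # fixed so the output is reproducible
STALE_AFTER_DAYS = 90                   # assumed inactivity threshold
PRIVILEGED_ROLES = {"GlobalAdmin", "SubscriptionOwner", "DomainAdmin"}
PHISHING_RESISTANT_MFA = {"fido2", "passkey", "smartcard"}


@dataclass
class Account:
    name: str
    last_login: date
    mfa: str                                            # "none", "sms", "totp", "fido2", ...
    roles: set = field(default_factory=set)
    environments: set = field(default_factory=set)      # "saas", "cloud", "onprem"
    shared: bool = False                                # login used by several people
    default_password: bool = False
    oauth_grants: list = field(default_factory=list)    # (app name, admin_reviewed)


@dataclass
class Finding:
    account: str
    rule: str
    detail: str


def check_account(acct: Account, today: date = REFERENCE_DATE) -> list:
    """Apply the weak-access-control rules named in the summary to one account."""
    findings = []
    idle = (today - acct.last_login).days
    if idle > STALE_AFTER_DAYS:
        findings.append(Finding(acct.name, "stale", f"no login for {idle} days"))
    if acct.shared:
        findings.append(Finding(acct.name, "shared", "credential shared between people"))
    if acct.default_password:
        findings.append(Finding(acct.name, "default-password", "vendor default still set"))
    if acct.mfa not in PHISHING_RESISTANT_MFA:
        findings.append(Finding(acct.name, "weak-mfa", f"mfa={acct.mfa}"))
    priv = acct.roles & PRIVILEGED_ROLES
    if priv and len(acct.environments) > 1:
        # One credential that is privileged on more than one surface is the
        # "single foothold expands laterally" case the reports describe.
        findings.append(Finding(acct.name, "cross-surface-privilege",
                                f"{sorted(priv)} spans {sorted(acct.environments)}"))
    elif priv:
        findings.append(Finding(acct.name, "privileged", f"roles={sorted(priv)}"))
    for app, reviewed in acct.oauth_grants:
        if not reviewed:
            findings.append(Finding(acct.name, "unmanaged-oauth", f"app={app}"))
    return findings


def blast_radius(accounts: list) -> dict:
    """Number of environments a single compromised credential would reach, per account."""
    return {a.name: len(a.environments) for a in accounts}


def rank_by_risk(accounts: list, today: date = REFERENCE_DATE) -> list:
    """Order accounts by finding count, then blast radius, worst first (name breaks ties)."""
    scored = []
    for a in accounts:
        scored.append((a.name, len(check_account(a, today)), len(a.environments)))
    return sorted(scored, key=lambda t: (-t[1], -t[2], t[0]))


# Constructed sample inventory (hypothetical accounts, not real systems).
SAMPLE_ACCOUNTS = [
    Account("svc-backup", date(2025, 9, 1), "none", {"DomainAdmin"},
            {"onprem", "cloud"}, shared=True, default_password=True),
    Account("alice", date(2026, 2, 19), "fido2", {"GlobalAdmin"}, {"saas"}),
    Account("bob", date(2026, 2, 18), "sms", set(), {"saas"},
            oauth_grants=[("mail-sync-tool", False), ("ticketing", True)]),
    Account("rdp-jump", date(2026, 2, 1), "totp", set(), {"onprem"}, shared=True),
]

if __name__ == "__main__":
    for name, n_findings, radius in rank_by_risk(SAMPLE_ACCOUNTS):
        print(f"{name:12} findings={n_findings} reaches {radius} environment(s)")
    for acct in SAMPLE_ACCOUNTS:
        for f in check_account(acct):
            print(f"  {f.account}: {f.rule} ({f.detail})")
```

Run as a script, the sample puts the shared, stale, default-password service account with domain-admin rights across on-prem and cloud at the top of the list: it trips five rules at once and is exactly the kind of single foothold the reports describe. In a real environment the inventory would be pulled from the identity provider and cloud IAM APIs rather than hard-coded, and the thresholds tuned to the organisation's own policy.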

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CSO Online reports identity and trust failures dominate incidents
On February 20, 2026, CSO Online summarized research showing identity and trust conflicts played a role in about 90% of examined security incidents, with attackers commonly using social engineering, identity phishing, credential abuse, brute force, and insider threats. The report also highlighted widespread overprivileged cloud accounts and expanding identity attack surface from cloud, SaaS, and AI adoption.
Multiple IR reports highlight shift to fast, low-complexity attacks
On February 18, 2026, coverage of incident-response findings from firms including Coveware and Barracuda said attackers increasingly favor phishing, abused remote access services, SaaS admin compromise, and edge-device exploitation over complex zero-day-style tradecraft. The reports emphasized rapid ransomware operations and the need to monitor recurring attacker behaviors such as suspicious privilege changes.
Unit 42 publishes Global Incident Response Report 2026
On February 18, 2026, reporting on Unit 42's Global Incident Response Report 2026 highlighted that identity weaknesses contributed to nearly 90% of investigations and identity-based techniques drove initial access in 65% of cases. The report also noted growing use of token theft, OAuth abuse, browser-based credential theft, and AI-assisted intrusion activity.
Unit 42 analyzes 750+ incident response cases for 2025 trends
Palo Alto Networks' Unit 42 compiled findings from more than 750 incident response engagements, identifying identity compromise, cross-surface movement, and accelerating attacker timelines as dominant patterns in 2025 intrusions.
Sources
AI and complexity as accelerants for cybercriminals (original title: KI und Komplexität als Brandbeschleuniger für Cyberkriminelle) | CSO Online (csoonline.com)
One stolen credential is all it takes to compromise everything | Help Net Security (helpnetsecurity.com)
Hackers Increasingly Prefer Fast and Low-Complexity Attacks | BankInfoSecurity (bankinfosecurity.com)