
M-Trends 2026: Data, Insights, and Strategies From the Frontlines

Mandiant's M-Trends 2026 report highlights a severe divergence in adversary tactics. Cybercriminals are optimizing for speed, with initial access hand-offs collapsing to 22 seconds, and focusing on recovery denial by targeting hypervisors and backup infrastructure. Conversely, espionage groups are prioritizing extreme persistence by exploiting zero-days and deploying in-memory malware on unmonitored edge devices, while voice phishing has emerged as a primary vector for bypassing MFA and compromising SaaS environments.

Confidence: high | Analyzed: 2026-03-23 | Category: reports

Authors: Mandiant, Google Threat Intelligence Group

Actors: UNC3944, ShinyHunters, REDBIKE, AGENDA, UNC6201, UNC5807, North Korean IT workers, BRICKSTORM, PROMPTFLUX, PROMPTSTEAL, QUIETVAULT

Source: Mandiant

Key Takeaways

  • The median time between initial access and hand-off to secondary threat groups collapsed from over 8 hours in 2022 to just 22 seconds in 2025.
  • Highly interactive voice phishing surged to 11% of intrusions, becoming the second-most common initial infection vector, largely bypassing traditional MFA.
  • Ransomware operators are shifting to recovery denial by targeting backup infrastructure, identity services (AD CS), and Tier-0 hypervisors.
  • Espionage groups are achieving extreme persistence (median dwell time of 122 days) by deploying custom in-memory malware like BRICKSTORM on unmonitored edge devices.
  • Adversaries are beginning to integrate AI into the attack lifecycle, using malware like PROMPTFLUX and QUIETVAULT to query LLMs and search for local AI configuration files.

Affected Systems

  • SaaS environments
  • Active Directory Certificate Services (AD CS)
  • Hypervisors (VMware vSphere)
  • Edge and core network devices (VPNs, routers)
  • Dell RecoverPoint for Virtual Machines
  • Cloud storage backup infrastructure

Vulnerabilities (CVEs)

  • Dell RecoverPoint for Virtual Machines Zero-Day (CVE not specified)

Attack Chain

Adversaries gain initial access via exploits, malicious advertisements, the ClickFix technique, or highly interactive voice phishing. Initial access brokers pre-stage malware and rapidly hand off access to secondary actors, often within 22 seconds. These actors then harvest long-lived OAuth tokens or session cookies to bypass MFA and pivot into downstream SaaS environments. Finally, attackers either target Tier-0 assets like hypervisors and backup infrastructure for ransomware recovery denial, or deploy custom in-memory malware on unmonitored edge devices for extreme, long-term persistence and data interception.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The provided article is a high-level threat landscape report and does not contain specific detection rules or queries.

Detection Engineering Assessment

  • EDR Visibility: Low. Attackers are deliberately targeting edge network devices (VPNs, routers) and Tier-0 hypervisors that typically lack standard EDR telemetry or sit below guest-level defenses.
  • Network Visibility: Medium. Network telemetry remains critical, but adversaries are using the native packet-capture functionality of compromised edge devices to intercept data, so standard internal network sensors see little once the edge itself is compromised.
  • Detection Difficulty: Hard. The collapse of the hand-off window to 22 seconds leaves almost no time for reactive response, and custom in-memory malware on devices with minimal storage leaves few forensic artifacts.

Required Log Sources

  • Network device logs (application and administrative)
  • Hypervisor-level telemetry
  • SaaS integration audit logs
  • Identity Provider (IdP) logs
  • Cloud storage audit logs

Hunting Hypotheses

Each hypothesis is listed with its telemetry, ATT&CK stage and false-positive risk.

  • Hypothesis: Adversaries are exploiting misconfigured Active Directory Certificate Services (AD CS) templates to create unauthorized admin accounts that bypass password rotation. Telemetry: Active Directory Security Logs, AD CS Audit Logs. ATT&CK Stage: Privilege Escalation. FP Risk: Low.
  • Hypothesis: Threat actors are actively deleting backup objects from cloud storage or encrypting hypervisor datastores to inhibit recovery. Telemetry: Cloud Provider Audit Logs, Hypervisor Management Logs. ATT&CK Stage: Impact. FP Risk: Low.
  • Hypothesis: Attackers are utilizing stolen OAuth tokens or session cookies to execute anomalous bulk API operations in SaaS environments. Telemetry: SaaS Application Audit Logs, IdP Logs. ATT&CK Stage: Credential Access. FP Risk: Medium.
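The third hypothesis (stolen OAuth tokens or session cookies driving bulk SaaS API operations) expressed as hunting logic over SaaS audit events. This is an added example, not detection content from the report; the audit line format, action names, the 5-minute window, the threshold of 25 calls, and the sample events are all assumptions constructed here. The "new IP" flag is what separates a token replayed from attacker infrastructure from a legitimate user doing a large export, which is where the Medium FP risk comes from.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)      # sliding window for counting sensitive API calls (assumed)
BULK_THRESHOLD = 25                # calls per credential per window that count as "bulk" (assumed)
SENSITIVE = {"file.download", "file.export", "record.export", "user.list"}  # assumed action names

def parse_line(line):
    """Parse one constructed audit line: '<ISO ts> <actor> <cred type>:<cred id> <src ip> <action>'."""
    ts, actor, cred, ip, action = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor, "cred": cred, "ip": ip, "action": action}

def find_bulk_abuse(lines):
    """Alert once per credential whose sensitive calls exceed BULK_THRESHOLD inside WINDOW.
    Each alert records whether the burst came from an IP that credential had never used
    before the window began, i.e. a token or cookie replayed from somewhere new."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    history = defaultdict(list)    # cred -> every event seen so far (any action)
    window = defaultdict(list)     # cred -> sensitive events inside the sliding window
    alerts = {}
    for e in events:
        cred = e["cred"]
        if e["action"] in SENSITIVE:
            w = window[cred]
            w.append(e)
            while e["ts"] - w[0]["ts"] > WINDOW:   # expire events older than the window
                w.pop(0)
            if len(w) > BULK_THRESHOLD and cred not in alerts:
                prior_ips = {h["ip"] for h in history[cred] if h["ts"] < w[0]["ts"]}
                alerts[cred] = {"actor": e["actor"], "count": len(w), "start": w[0]["ts"],
                                "new_ip": e["ip"] not in prior_ips}
        history[cred].append(e)
    return alerts

def sample_log():
    """Constructed sample: alice's normal day, then bob's OAuth token replayed from a new IP."""
    t0 = datetime(2026, 3, 20, 9, 0, 0)
    def fmt(t):
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f"{fmt(t0 + timedelta(minutes=30 * i))} alice@example.test oauth:tok-a1 203.0.113.10 file.download"
             for i in range(12)]
    lines += [f"{fmt(t0 + timedelta(hours=i))} bob@example.test oauth:tok-b7 198.51.100.5 record.view"
              for i in range(4)]
    lines += [f"{fmt(t0 + timedelta(hours=5, seconds=4 * i))} bob@example.test oauth:tok-b7 192.0.2.77 file.export"
              for i in range(40)]
    return lines

if __name__ == "__main__":
    for cred, alert in find_bulk_abuse(sample_log()).items():
        print(cred, alert)
```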

Control Gaps

  • Lack of EDR support on edge and core network devices
  • Standard 90-day log retention policies failing to capture long-term dwell times (e.g., 400+ days)
  • Guest-level defenses failing to protect Tier-0 hypervisor infrastructure
  • Traditional MFA failing against highly interactive voice phishing and session cookie theft

Key Behavioral Indicators

  • Anomalous bulk API operations in SaaS environments
  • Suspicious use of SaaS integration tokens
  • Unauthorized access attempts or configuration changes on edge devices
  • Creation of admin accounts bypassing standard password rotation policies

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Treat routine, low-impact malware alerts as high-priority indicators of an impending secondary intrusion and remediate immediately.
  • Audit SaaS integrations and revoke any unused, suspicious, or overly permissive personal access tokens and OAuth applications.

Infrastructure Hardening

  • Isolate virtualization and management platforms as Tier-0 assets with the strictest access constraints.
  • Decouple backup environments from the corporate Active Directory domain and utilize immutable storage.
  • Route all SaaS applications through a central identity provider (IdP) and enforce strict least privilege.

User Protection

  • Implement continuous identity verification and behavior-based anomaly detection to counter session cookie theft and MFA bypass.
  • Enhance monitoring and strict access controls around IT help desk operations to prevent social engineering compromises.

Security Awareness

  • Train help desk and IT staff specifically on the tactics used in highly interactive voice phishing (vishing) campaigns.
  • Extend log retention policies well beyond standard 90-day windows for critical network devices and hypervisor telemetry to ensure adequate visibility for long-term intrusions.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1566.004 - Phishing: Voice
  • T1550.004 - Use Alternate Authentication Material: Web Session Cookie
  • T1490 - Inhibit System Recovery
  • T1486 - Data Encrypted for Impact
  • T1556 - Modify Authentication Process