Threat Intel - Attackers Hand Off Access in 22 Seconds
Attackers are getting faster at sharing access to compromised systems.
Mandiant's latest report shows attackers are transferring access in just 22 seconds. This rapid hand-off complicates defenses, as threat actors shift tactics. Organizations need to adapt their strategies to combat these evolving threats effectively.
The Threat
Mandiant's M-Trends 2026 report reveals alarming trends in cyberattacks. For the sixth consecutive year, exploits remain the leading entry point for attackers. The report, based on over 500,000 hours of incident response work in 2025, indicates that attackers are becoming increasingly efficient. They are now handing off access in a mere 22 seconds, a drastic reduction from over eight hours just three years ago. This rapid transfer of access allows attackers to execute follow-on operations much more quickly, complicating detection and response efforts for defenders.
The report also highlights a significant shift in tactics. Attackers are moving away from traditional email phishing towards more interactive methods, such as voice phishing, which surged to become the second-most common initial infection vector. This evolution in strategy underscores the need for organizations to adapt their defense mechanisms to counteract these more sophisticated attack vectors.
Who's Behind It
The report identifies several threat clusters, including UNC6040 and UNC2165, that are exploiting these new tactics. For instance, UNC6040 has been using voice phishing to convince targets to hand over credentials, while UNC2165 has been linked to ransomware attacks that destroy backups and deploy malicious software across networks. Collaboration between groups, where one gains initial access and another executes follow-on operations, is becoming more common. This division of labor is alarming, as it complicates the landscape for cybersecurity professionals trying to thwart these attacks.
Tactics & Techniques
The tactics employed by these threat actors are evolving. In 2025, a notable 9% of investigations followed a model where initial access was gained by one group and handed off to another for further exploitation. This new trend means that organizations must be vigilant not only about the initial compromise but also about the subsequent actions taken by secondary actors. Attackers are increasingly targeting backup and virtualization infrastructure, which can severely hinder an organization’s ability to recover from an attack.
Additionally, the report reveals that ransomware operators are focusing on recovery infrastructure, making it difficult for organizations to restore operations after an attack. This shift in focus emphasizes the need for robust backup and recovery strategies that can withstand sophisticated attacks.
Defensive Measures
To combat these evolving threats, organizations must enhance their detection capabilities. Traditional methods focusing solely on high-impact tactics may miss the low-impact techniques used by initial access partners. Implementing a layered security approach that includes monitoring for unusual access patterns and employing advanced threat detection tools is crucial.
Moreover, organizations should prioritize training staff on recognizing social engineering tactics, particularly as voice phishing becomes more prevalent. Regularly updating and patching systems is essential to mitigate the risks posed by known vulnerabilities, especially as attackers are exploiting zero-day vulnerabilities at an alarming rate. By staying informed and proactive, organizations can better defend against these rapidly evolving threats.
Help Net Security