Threat Intel - Initial Access Handoff Now Just 22 Seconds
In short: attackers now hand control of a newly compromised system to a second crew in a median of 22 seconds.
The Threat
The latest M-Trends 2026 report from Google's Threat Intelligence Group reveals a striking trend in cyberattacks. The median time between an initial access broker gaining a foothold in an organization's systems and the handoff of that foothold to a secondary threat group has plummeted from hours to just 22 seconds. In 2022 the median handoff time was over 8 hours, and it has declined steadily since, indicating a shift in how threat actors organize their operations.
Mandiant researchers attribute the rapid handoff to closer collaboration between initial access brokers and secondary groups. In many cases the broker delivers the secondary group's malware directly as part of the initial compromise, rather than selling the access later on a cybercrime forum. For defenders this means the window between the first compromise and the second group's hands-on follow-on activity has all but closed: there is no longer a gap of hours in which to spot and evict the broker before the next actor arrives.
Who's Behind It
The report breaks down the initial infection vectors observed in 2025. Exploitation of vulnerabilities was the most common, accounting for 32% of cases, followed by phishing (11%), prior compromise (10%), and stolen credentials (9%). Email phishing specifically has continued to decline, from 22% of cases in 2022 to 6% in 2025.
The report also names vulnerabilities that were frequently exploited: the SAP NetWeaver flaw (CVE-2025-31324), the Oracle E-Business Suite flaw (CVE-2025-61882), and the SharePoint flaw (CVE-2025-53770). All three affect internet-facing enterprise applications, so the practical questions for an organization are whether those products are exposed, whether the vendor fixes are applied, and whether logs from the exposure period show signs of exploitation.
Tactics & Techniques
In 2025 the median dwell time, the period an attacker remains undetected in a victim's environment, was 14 days, a slight increase from previous years. The report links the increase to North Korean IT worker schemes and cyberespionage actors, both of which rely on staying quiet rather than on fast, noisy follow-on activity. Intrusions that go undetected for one to six months are also on the rise, which points to gaps in detection coverage rather than a lack of alerts alone.
Approximately 30% of observed attacks were financially motivated and 40% involved data theft. The high-tech sector was targeted most often, followed by finance, business services, and healthcare, a distribution consistent with attackers prioritizing organizations that hold data worth stealing or extorting.
Defensive Measures
The vector breakdown above points to where effort pays off. With exploits the leading vector, patching internet-facing enterprise applications such as the SAP, Oracle and SharePoint products named in the report belongs at the top of the list. Stolen credentials and phishing, while smaller shares, are cheap to blunt with phishing-resistant multi-factor authentication and employee training on recognizing phishing attempts. The 10% of cases that began with a prior compromise argue for thorough eviction after any incident, not just remediation of the host that raised the alert.
A 22-second handoff also changes what "detection" has to mean. If follow-on tooling is running on the host before an analyst could open a ticket, alerts that feed a human triage queue will not stop the second actor; containment for the fastest sequences has to be automated, with human review afterwards. Reducing dwell time, reported at a median of 14 days, remains the broader goal, but detection engineering should measure itself against both clocks: seconds for the initial-access-to-tooling sequence, days for the long-lived quiet intrusion.
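The following is an added example, not code from the M-Trends report, Mandiant or SecurityWeek. It shows one way to measure the handoff the report describes on your own telemetry: correlate, per host, the first sign of initial access (here assumed to be an exposed web or application server worker spawning a shell) with the first launch of second-stage tooling afterwards, then decide whether that latency leaves room for analyst triage at all. The event schema, the process name lists, the 15-minute triage assumption and the sample events are all constructed for the example.

```python
"""Handoff-latency correlation over endpoint process telemetry.

Added example; the schema, name lists and sample events below are constructed
assumptions and not taken from the M-Trends 2026 report.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    """One process-start record (assumed schema)."""
    ts: datetime
    host: str
    parent: str
    image: str


# Assumption: these exposed server workers should almost never spawn a shell.
EXPOSED_PARENTS = {"w3wp.exe", "httpd", "java", "tomcat"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
# Assumption: tooling typically launched by the second group after handoff.
FOLLOW_ON_TOOLS = {"rclone.exe", "psexec.exe", "mimikatz.exe", "anydesk.exe"}


def is_initial_access(e: ProcEvent) -> bool:
    """Exposed worker -> shell is treated as the initial-access indicator."""
    return e.parent.lower() in EXPOSED_PARENTS and e.image.lower() in SHELLS


def is_follow_on(e: ProcEvent) -> bool:
    return e.image.lower() in FOLLOW_ON_TOOLS


def handoff_latency(events: Iterable[ProcEvent]) -> dict[str, float]:
    """Per host: seconds from the first initial-access indicator to the first
    follow-on tool launched at or after it. Hosts without both are omitted."""
    by_host: dict[str, list[ProcEvent]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)

    latency: dict[str, float] = {}
    for host, evs in by_host.items():
        first = next((e for e in evs if is_initial_access(e)), None)
        if first is None:
            continue
        follow = next((e for e in evs if e.ts >= first.ts and is_follow_on(e)), None)
        if follow is not None:
            latency[host] = (follow.ts - first.ts).total_seconds()
    return latency


def response_plan(latency: dict[str, float], triage_sla_s: float = 900.0) -> dict[str, str]:
    """Assumption: an analyst needs roughly 15 minutes to triage an alert.
    Any handoff faster than that must be handled by an automated rule
    (isolate the host, kill the process tree) rather than a ticket."""
    return {
        host: ("auto-contain" if seconds < triage_sla_s else "analyst-triage")
        for host, seconds in latency.items()
    }


# Constructed sample telemetry: web01 shows a 22-second handoff, web02 shows the
# 2022-style multi-hour gap, db01 shows only benign activity.
SAMPLE_EVENTS = [
    ProcEvent(datetime(2025, 9, 1, 10, 0, 22), "web01", "cmd.exe", "rclone.exe"),
    ProcEvent(datetime(2025, 9, 1, 10, 0, 0), "web01", "w3wp.exe", "cmd.exe"),
    ProcEvent(datetime(2025, 9, 1, 10, 0, 5), "web01", "cmd.exe", "whoami.exe"),
    ProcEvent(datetime(2025, 9, 1, 9, 0, 0), "web02", "w3wp.exe", "powershell.exe"),
    ProcEvent(datetime(2025, 9, 1, 17, 30, 0), "web02", "powershell.exe", "psexec.exe"),
    ProcEvent(datetime(2025, 9, 1, 10, 5, 0), "db01", "services.exe", "sqlservr.exe"),
]

if __name__ == "__main__":
    lat = handoff_latency(SAMPLE_EVENTS)
    for host, plan in response_plan(lat).items():
        print(f"{host}: handoff {lat[host]:.0f}s -> {plan}")
```

On the constructed data web01 is flagged for automatic containment (22 seconds is far below any human triage window) while web02, with an 8.5-hour gap, can reasonably wait for an analyst. In production the same correlation would run on streaming EDR events rather than a list, and the parent/child and tool lists would be tuned to your own environment; the point the example makes is that the rule's output must drive an automated action, because the report's 22-second figure leaves no time for anything else.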
SecurityWeek