TL;DR
- The hand-off window from initial access to secondary attack collapsed from 8 hours to 22 seconds in 2025 [1]
- Identity attacks have become the primary intrusion vector—adversaries "log in" rather than "break in" [2]
- Ransomware groups now actively destroy backups and hypervisors to deny recovery [1]
- Voice phishing (vishing) surged to 11% of intrusions, replacing email phishing [1]
- Action: Shift from perimeter defense to identity security, implement real-time detection, and test your incident response timeline
The 22-Second Hand-Off: Speed is Now a Weapon
In 2022, when attackers gained initial access to a victim's network, they typically waited 8 hours before handing off that access to a secondary group who would execute the real attack—ransomware deployment, data theft, or espionage [1].
In 2025, that window collapsed to 22 seconds [1].
This isn't a gradual improvement. This is a fundamental restructuring of how cyberattacks work. Attackers are no longer breaching systems and then figuring out what to do. They're pre-staging malware, tunnels, and tooling during the initial infection, so the moment they hand off access, the secondary group can launch operations immediately.
What does this mean for your business? Traditional detection and response timelines—measured in hours or days—are now orders of magnitude too slow. By the time your security team sees an alert, the attack has already progressed through multiple stages.
Mandiant's M-Trends 2026 report, based on over 500,000 hours of frontline incident investigations, reveals that the cybercrime ecosystem has professionalised into a hyper-efficient assembly line [1]. Initial access brokers use low-impact techniques to gain footholds. Secondary groups execute high-impact operations. And the hand-off between them now happens faster than a human can read an alert.
Identity: The New Battleground
The most significant shift in 2025 wasn't just speed—it was targeting. Adversaries increasingly chose to "log in" rather than "break in" [2].
PwC's Annual Threat Dynamics 2026 report confirms that identity has become the primary attack surface [2]. Attackers exploit credentials, session tokens, and federated access to bypass perimeter defenses entirely. Why bother hacking a firewall when you can phish a help desk worker, bypass MFA, and walk through the front door?
This aligns with Mandiant's finding that prior compromise—meaning the attacker already had access from a previous intrusion—became the top initial infection vector for ransomware operations in 2025, accounting for 30% of cases [1]. That's double what it was in 2024.
The implications are profound:
- Perimeter defenses are less effective when attackers enter with valid credentials
- Identity security is now business-critical, not a technical nice-to-have
- Session token security (OAuth, SAML, JWT) requires urgent attention
- Non-human identities (service accounts, API keys) are high-value targets
The Collapse of Email Phishing (Sort Of)
Here's a surprising statistic from M-Trends 2026: email phishing dropped to just 6% of intrusions in 2025 [1]. After years as the dominant attack vector, it's now relatively uncommon.
But attackers haven't abandoned social engineering—they've upgraded it.
Voice phishing (vishing) surged to 11%, nearly doubling to become the second-most common initial infection vector [1]. Attackers call targets, impersonating IT support, executives, or vendors, and manipulate them into granting access, revealing credentials, or approving fraudulent transactions.
Why the shift? Automated email security controls have improved dramatically. Attackers responded by shifting to highly interactive, voice-based social engineering that's harder to automate and more effective at bypassing MFA. Mandiant has extensively documented groups like UNC3944 targeting IT help desks to harvest long-lived OAuth tokens and session cookies [1].
Once an attacker has a valid session token, they don't need credentials. They don't need to bypass MFA. They just use the token to authenticate as the victim, often bypassing detection entirely because their traffic looks legitimate.
Ransomware Evolves: Recovery Denial
Ransomware has changed. In 2025, Mandiant observed a systemic shift where operators no longer just encrypt data—they actively destroy the ability to recover [1].
Targeting Backup Infrastructure
Attackers are exploiting misconfigured Active Directory Certificate Services templates to create admin accounts that bypass password rotation [1]. They're deleting backup objects from cloud storage. They're targeting backup software directly to ensure that even if you have backups, you can't restore them.
Hypervisor Attacks
By exploiting the "Tier-0" nature of hypervisors—the software that manages virtual machines—attackers bypass guest-level defenses entirely [1]. They target the virtualization storage layer directly or encrypt hypervisor datastores, rendering all associated VMs inoperable simultaneously.
This creates a brutal choice for victims: pay or rebuild from scratch.
The business impact is catastrophic. Recovery from ransomware that targets hypervisors isn't about restoring files—it's about completely rebuilding infrastructure. For SMBs without dedicated disaster recovery teams, this can mean weeks of downtime.
Edge Devices: The Blind Spot
While cyber criminals optimize for speed, espionage groups are optimizing for extreme persistence.
Mandiant found that threat clusters like UNC6201 and UNC5807 deliberately target edge and core network devices—VPNs, routers, firewalls—that typically lack standard endpoint detection and response (EDR) telemetry [1].
Why Edge Devices?
- Direct network interception: By leveraging native packet-capturing functionality, adversaries can intercept sensitive data and plaintext credentials as they transit the network [1].
- Persistence: Custom in-memory malware like the BRICKSTORM backdoor survives standard remediation efforts and system reboots [1].
- Visibility gap: With dwell times of nearly 400 days, standard 90-day log retention policies leave organizations completely blind to the initial access vector and full scope of the intrusion [1].
The mean time to exploit vulnerabilities dropped to an estimated -7 days in 2025 [1]. That's not a typo. Exploitation is routinely occurring before a patch is even released, giving attackers a window of zero-day advantage that defenders can't match.
AI: Accelerating Both Sides
PwC reports that threat actors are integrating AI as a core component of their tradecraft, using it to automate reconnaissance, generate phishing lures, accelerate malware development, and scale social engineering across languages and platforms [2].
But M-Trends 2026 offers a crucial nuance: 2025 was not the year where breaches were the direct result of AI [1]. From Mandiant's view on the frontlines, the vast majority of breaches still relied on known techniques—credential theft, vulnerability exploitation, social engineering—rather than novel AI-powered attacks.
However, AI is accelerating the lifecycle of attacks:
- Faster reconnaissance of targets
- More convincing phishing lures
- Rapid malware development and testing
- Automated vulnerability scanning and exploitation
For defenders, AI also represents the single greatest opportunity to match the pace. AI-enhanced detection, automated containment, and intelligence-led decision-making at scale are essential to keep up with machine-speed threats.
What This Means for Your Business
The collapse of attack timelines to machine speed has profound implications for SMB security strategies.
1. Detection Must Be Real-Time
Alerts that take minutes or hours to investigate are now useless. You need:
- Automated detection that triggers immediate containment
- Behavioral analytics that identify anomalies in real-time
- Identity monitoring that flags suspicious authentication attempts instantly
- Session monitoring that detects token theft and abuse
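The last two items above (identity monitoring and session monitoring) can be started with a small check over your own authentication logs. The following is an added example, not code from the Mandiant or PwC reports: it takes authentication records in a constructed format (fields `ts`, `event`, `sid`, `user`, `ip`, `ua` are assumptions, not any vendor's schema) and flags a session identifier that is presented from a client fingerprint different from the one it was issued to, which is one observable trace of a stolen session token being replayed, and a session used with no issuance event in the retained logs, the visibility gap the edge-device section describes.

```python
"""Flag session tokens presented from a client other than the one they were issued to."""
from datetime import datetime

# Constructed sample records (not real telemetry). Each record is one
# authentication event keyed by the opaque session identifier "sid".
SAMPLE_LOG = [
    {"ts": "2025-06-01T09:00:00", "event": "session_issued", "sid": "s-1001",
     "user": "alice", "ip": "203.0.113.10", "ua": "Edge/124 Windows"},
    {"ts": "2025-06-01T09:05:00", "event": "session_used", "sid": "s-1001",
     "user": "alice", "ip": "203.0.113.10", "ua": "Edge/124 Windows"},
    # Same session id, six minutes later, from a different address and client.
    {"ts": "2025-06-01T09:06:00", "event": "session_used", "sid": "s-1001",
     "user": "alice", "ip": "198.51.100.77", "ua": "curl/8.5"},
    {"ts": "2025-06-01T10:00:00", "event": "session_issued", "sid": "s-1002",
     "user": "bob", "ip": "203.0.113.20", "ua": "Chrome/125 macOS"},
    {"ts": "2025-06-01T10:30:00", "event": "session_used", "sid": "s-1002",
     "user": "bob", "ip": "203.0.113.20", "ua": "Chrome/125 macOS"},
    # A session used but never issued inside the retained log window.
    {"ts": "2025-06-01T11:00:00", "event": "session_used", "sid": "s-0999",
     "user": "carol", "ip": "192.0.2.5", "ua": "Firefox/126 Linux"},
]


def _ts(record):
    return datetime.fromisoformat(record["ts"])


def find_session_anomalies(records):
    """Return a list of findings, one per suspicious session_used event.

    Two conditions are reported:
      fingerprint_mismatch: the IP or user agent differs from the issuance event.
      no_issuance_in_retained_logs: the session was used but never issued in
        the records we have, so its origin cannot be established.
    """
    issued = {}   # sid -> the first issuance record seen for that session
    findings = []
    for rec in sorted(records, key=_ts):
        sid = rec["sid"]
        if rec["event"] == "session_issued":
            issued.setdefault(sid, rec)
            continue
        if rec["event"] != "session_used":
            continue
        origin = issued.get(sid)
        if origin is None:
            findings.append({"sid": sid, "user": rec["user"],
                             "reason": "no_issuance_in_retained_logs",
                             "seen_ip": rec["ip"], "seen_ua": rec["ua"]})
            continue
        if rec["ip"] != origin["ip"] or rec["ua"] != origin["ua"]:
            age = int((_ts(rec) - _ts(origin)).total_seconds())
            findings.append({"sid": sid, "user": rec["user"],
                             "reason": "fingerprint_mismatch",
                             "issued_ip": origin["ip"], "issued_ua": origin["ua"],
                             "seen_ip": rec["ip"], "seen_ua": rec["ua"],
                             "seconds_after_issue": age})
    return findings


if __name__ == "__main__":
    for finding in find_session_anomalies(SAMPLE_LOG):
        print(finding)
```

An IP change on its own is often benign (mobile carriers, corporate VPN egress), so treat a finding as a triage signal to verify with the user and, for a confirmed mismatch, revoke the session server-side rather than only forcing a password reset.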
2. Incident Response Must Be Pre-Authorized
When an attack progresses from initial access to secondary compromise in 22 seconds, you can't afford a manual approval chain. Your incident response playbooks should:
- Define automated containment actions (account suspension, network segmentation)
- Pre-authorize specific response actions for specific scenarios
- Establish clear escalation paths with decision trees
- Use runbooks that execute without waiting for executive approval
3. Identity Security is Non-Negotiable
With identity as the primary attack vector, you need:
- Phishing-resistant MFA (FIDO2/WebAuthn hardware keys, not SMS or TOTP)
- Just-in-time access that grants permissions only when needed
- Session management that monitors for anomalous token usage
- Non-human identity governance for service accounts and API keys
- Privileged access management (PAM) for admin accounts
4. Backup Strategy Must Account for Recovery Denial
Traditional backup-and-recovery plans assume attackers won't target backups. That's no longer true. You need:
- Immutable backups that can't be deleted or encrypted
- Offline or air-gapped backups for critical data
- Regular restoration testing to verify backups actually work
- Hypervisor-level protection to prevent VM datastore encryption
- Documented rebuild procedures for worst-case recovery denial
5. Edge Device Security Can't Be Ignored
VPNs, routers, and firewalls are high-value targets. You should:
- Segment management networks from production traffic
- Implement zero-trust network access (ZTNA) to reduce VPN dependency
- Apply firmware updates promptly (especially for internet-facing devices)
- Monitor edge device logs for anomalies
- Consider replacing end-of-life devices that no longer receive security updates
The Board-Level Implication
Cyber risk is no longer a technical issue—it's a business continuity issue.
When attackers can destroy your ability to recover from ransomware, when identity compromise bypasses all perimeter defenses, when supply chain attacks inherit risks from dependencies you didn't know you had—this isn't an IT problem. It's an existential business risk.
PwC's report is blunt: "The advantage belongs to organizations that treat security not as a fixed set of controls, but as a high-performance system" [2].
That means:
- Board-level oversight of cybersecurity risk
- Security budget tied to business continuity, not IT operations
- Incident response tested at the executive level, not just technical
- Cyber risk embedded in strategic decision-making
For SMBs, this doesn't mean hiring a CISO. It means the business owner or CEO must understand that cybersecurity resilience is as critical as insurance, cash flow management, or legal compliance.
FAQ
Pre-staging. Initial access brokers deploy the secondary group's preferred malware, tunnels, and tooling during the initial infection. When the hand-off happens, the secondary group is fully equipped to launch immediately. They're not starting from zero—they're stepping into a prepared environment.
It means attackers are stealing valid credentials, session tokens, or API keys instead of exploiting vulnerabilities. They authenticate as legitimate users, bypassing perimeter defenses entirely. Detection requires identity monitoring, not just intrusion detection.
Immutable backups (can't be deleted or encrypted), offline or air-gapped copies, regular restoration testing, hypervisor-level protection, and documented rebuild procedures. Assume attackers will target your recovery systems and plan accordingly.
Yes. Vishing bypasses email security filters, exploits human trust in voice calls, and allows attackers to manipulate targets in real-time. IT help desk impersonation is particularly effective for bypassing MFA and harvesting session tokens.
Not yet. M-Trends 2026 found that the vast majority of breaches still relied on known techniques, not novel AI attacks. However, AI is accelerating the attack lifecycle—faster reconnaissance, more convincing lures, rapid malware development. The bigger near-term risk is AI-generated code vulnerabilities, not AI-powered exploits.
References
[1] Google Cloud Mandiant, "M-Trends 2026: Data, Insights, and Strategies From the Frontlines," March 2026. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026
[2] PwC, "Annual Threat Dynamics 2026: Cyber threats in motion," March 2026. [Online]. Available: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/annual-threat-dynamics.html
[3] Australian Cyber Security Centre (ACSC), "Essential Eight Maturity Model," 2025. [Online]. Available: https://www.cyber.gov.au/essential-eight
[4] NIST, "Computer Security Incident Handling Guide (SP 800-61 Rev. 2)," 2024. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
[5] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[6] CISA, "Ransomware Response Guide," 2025. [Online]. Available: https://www.cisa.gov/stopransomware
[7] Australian Signals Directorate (ASD), "Strategies to Mitigate Cyber Security Incidents," 2025. [Online]. Available: https://www.asd.gov.au/
[8] OWASP, "Identity and Access Control Cheat Sheet," 2025. [Online]. Available: https://cheatsheetseries.owasp.org/
TL;DR
- Cyberattacks used to take hours to unfold—now they take seconds
- Attackers now steal login information instead of breaking down doors
- Ransomware gangs destroy backups so you can't recover your data
- Voice phishing (fake phone calls) is replacing email phishing
- Your business needs faster detection and better identity security
What Changed? The 22-Second Attack
Imagine a burglar who used to spend 8 hours casing your house before actually stealing anything. That gave you time to notice something was wrong and call the police.
Now imagine that same burglar moves in, steals everything, and leaves in 22 seconds.
That's exactly what happened with cyberattacks in 2025. The time between when attackers first get into a system and when they launch their real attack dropped from 8 hours to just 22 seconds [1].
Why does this matter? Because traditional security defenses work on timelines measured in hours or days. By the time your security team sees an alert and starts investigating, the attack is already over. The attackers have already stolen your data, encrypted your files, or done whatever they came to do.
This is like trying to catch a cheetah on foot. The cheetah (attackers) has evolved for speed. Your defenses are still built for a slower threat.
The "Log In" Instead of "Break In" Problem
Here's the second big change: attackers used to break into systems like burglars breaking windows. Now they mostly just log in like legitimate users.
How? By stealing login information.
Instead of hacking through firewalls or finding software bugs, attackers:
- Phish employees for passwords
- Trick IT help desks into giving them access
- Steal digital "keys" called session tokens that let them log in without passwords
- Buy stolen credentials on the dark web
This is like a burglar who finds a key under your doormat instead of breaking a window. From the outside, everything looks fine—they're using a legitimate key. But inside, they're stealing everything.
This matters because traditional security (like firewalls and antivirus) is designed to stop break-ins. It's much harder to detect someone who logged in with a stolen key but looks like a legitimate user.
Ransomware Got Meaner: Destroying Backups
Ransomware is malicious software that encrypts your files and demands payment to decrypt them. It used to work like this:
- Attackers break in
- They encrypt your files
- You pay the ransom (or restore from backups)
But in 2025, ransomware got much meaner. Now attackers:
- Break in
- Encrypt your files
- Delete or encrypt your backups too
- Demand payment with no way to recover
This is called "recovery denial." Attackers target backup software directly. They encrypt the virtual machines that run your servers. They delete backup files from cloud storage [1].
This leaves businesses with an impossible choice: pay the ransom or rebuild everything from scratch.
For a small business, rebuilding from scratch can take weeks or months. Some businesses never recover.
Voice Phishing: The New Phone Scams
Email phishing (fake emails that trick you into clicking links or revealing passwords) used to be the most common way attackers got in. But email security filters got really good at catching these emails.
So attackers switched to voice phishing (vishing).
Here's how it works:
- You get a phone call from someone claiming to be from "IT support"
- They say there's a problem with your account and they need to verify your information
- They ask you to read them a code from your phone, or approve a login attempt
- Once you do, they have access to your account
These calls are incredibly convincing. The attackers use real information about your company (found on LinkedIn or your website). They sound professional. They create urgency—you need to fix this problem now.
Voice phishing surged to become the second-most common attack method in 2025, accounting for 11% of all intrusions [1]. That's nearly double from the previous year.
The Hidden Danger: Devices You Forgot About
Here's something most businesses don't think about: your routers, VPNs, and firewalls.
These "edge devices" sit at the boundary between your network and the internet. They're critical for security, but they often don't have the same protection as your computers.
Attackers love these devices because:
- They often lack security monitoring
- They rarely get updated
- They see all your network traffic
- They provide persistent access even if you reset everything else
Mandiant found that some attackers lived in these edge devices for nearly 400 days before being detected [1]. That's more than a year of uninterrupted access to everything on your network.
What This Means for Your Business
If you run a small or medium business, here's what these changes mean in practical terms:
Speed Matters
You can't rely on detecting attacks after they happen. You need:
- Real-time monitoring that spots suspicious activity immediately
- Automated responses that can lock down accounts or systems the moment something suspicious is detected
- Pre-approved plans so you're not deciding what to do during an emergency
Identity is Your New Perimeter
Since attackers mostly log in with stolen credentials instead of breaking in, you need to protect logins:
- Use hardware security keys (special USB devices) instead of just passwords or SMS codes
- Implement multi-factor authentication everywhere possible
- Monitor for suspicious login attempts (wrong location, wrong time, unusual patterns)
- Limit what each account can access—not everyone needs admin privileges
Backups Need Protection
Your backup strategy must assume attackers will try to destroy them:
- Keep offline backups that aren't connected to your network
- Make backups immutable (impossible to delete or encrypt)
- Test your backups regularly to make sure they actually work
- Have a plan for rebuilding from scratch in the worst case
Train Your Team
Your employees are the first line of defense:
- Teach them about voice phishing scams
- Create a simple process: "If someone calls asking for login info, hang up and call the official number"
- Never approve login requests you weren't expecting
- Report suspicious calls immediately
The Good News
Despite all these changes, the fundamentals of good security haven't changed:
1. Keep everything updated. Apply security patches promptly, especially to internet-facing devices like routers and firewalls.
2. Use strong authentication. Passwords aren't enough—add multi-factor authentication everywhere.
3. Test your backups. Backups you can't restore are useless. Test them regularly.
4. Have a plan. Know what you'll do if you're attacked. Write it down. Test it.
5. Get help when you need it. Cybersecurity is complicated. Working with a security consultant isn't an admission of weakness—it's smart business practice.
The attackers have evolved. Your defenses need to evolve too. But you don't have to face this alone.
FAQ
Attackers prepare everything in advance. They deploy their tools and malware during the initial access, so when the "real" attack starts, everything is ready to go. It's like a burglar who picks the lock, unlocks all your doors, and brings boxes to pack your stuff—all before they actually start stealing.
Antivirus is great at stopping known malware, but it can't stop someone who logs in with a stolen password or valid session token. Modern attacks look like legitimate user activity because they are legitimate user activity—just by the wrong person.
Email phishing sends fake emails trying to trick you. Voice phishing calls you on the phone. Voice phishing is harder to detect because there's no email to filter, and real-time conversation makes it harder to think critically. A skilled scammer can be very convincing.
Yes. If an attacker gets into your router, they can see and modify all your internet traffic. They can steal passwords, redirect you to fake websites, and maintain access even if you reset all your computers. Keep your router firmware updated and change default passwords.
Basic protections (strong authentication, updates, backups) cost very little. Advanced protections (security monitoring, incident response planning) cost more but are still far cheaper than dealing with a breach, which averages $4.88 million globally [5]. Think of it like insurance—you hope you never need it, but you're glad you have it.
References
[1] Google Cloud Mandiant, "M-Trends 2026: Data, Insights, and Strategies From the Frontlines," March 2026.
[2] PwC, "Annual Threat Dynamics 2026: Cyber threats in motion," March 2026.
[3] Australian Cyber Security Centre (ACSC), "Essential Eight Maturity Model," 2025.
[4] CISA, "Ransomware Response Guide," 2025.
[5] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025.
[6] National Cyber Security Centre (UK), "Cyber Security for Small Businesses," 2025.
[7] Stay Smart Online (Australian Government), "Simple Steps to Protect Yourself Online," 2025.
[8] Scamwatch (Australian Competition & Consumer Commission), "Phone Scams," 2025.