Voice Phishing is a Growing Social Engineering Threat

KnowBe4 Team | Apr 8, 2026

Voice phishing (vishing) overtook email-based phishing as a top initial intrusion vector in 2025, according to a new report from Mandiant. Notably, vishing is live and interactive, giving the attacker more control over the social engineering objectives.

“While email phishing often relies on volume and opportunistic delivery, interactive methods involve a live person steering the conversation in real-time,” Mandiant says. “This distinction is critical for defenders: interactive attacks are significantly more resilient against automated technical controls and require different detection strategies.”

Vishing was responsible for a high-profile extortion campaign that compromised dozens of organizations’ Salesforce instances throughout 2025. The attackers did not exploit any vulnerability in Salesforce; rather, they called employees and tricked them into granting access.

“One of the more pervasive examples of this activity was a campaign that spanned the first half of 2025, in which UNC6040 used voice phishing to convince targets to provide credentials and authorize an attacker-controlled version of a legitimate software-as-a-service (SaaS) application to access organizations’ data,” the researchers write. “These organizations later received ShinyHunters-branded extortion notes demanding payment for the non-release of stolen data. Given the significant time lapse between the initial data theft activity and the extortion operations, GTIG tracks the extortion activity as UNC6240. Another example of a long-term voice phishing campaign came from UNC3944, a financially motivated threat cluster that has been active since at least early 2022 and overlaps with public reporting on Scattered Spider. UNC3944 targeted help desk staff by impersonating employees requesting password resets and changes to multi-factor authentication (MFA) settings.”

Security awareness training can give your organization an essential layer of defense against social engineering attacks. KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Mandiant has the story.

FAQs

What is the most common initial infection vector for cyber attacks?

Exploits remained the most common initial infection vector for the sixth consecutive year, accounting for 32% of enterprise intrusions in the M-Trends 2026 report. While vulnerabilities represent a massive technical challenge—with the mean time to exploit dropping to an estimated minus 7 days—the most alarming shift in the data involves social engineering.

Highly interactive voice phishing surged to 11%, becoming the second-most observed vector. Attackers are effectively bypassing automated security controls and multi-factor authentication (MFA) protocols by targeting IT help desks directly. For example, threat groups pose as legitimate employees to reset credentials. This evolution demonstrates that attackers are finding as much success exploiting fundamental human vulnerabilities as they are exploiting zero-day vulnerabilities.

How is ransomware evolving according to the M-Trends report?

Ransomware has evolved from simple data encryption into systemic recovery denial. According to the M-Trends 2026 report, ransomware operators, including those using REDBIKE and AGENDA, are now actively targeting resilience infrastructure to force organizations into paying the ransom.

Instead of just locking user files, attackers are purposely destroying backups, targeting identity services, and attacking virtualization management planes like hypervisors. For example, attackers exploit virtualization storage layers to simultaneously render all associated virtual machines inoperable. Because they are systematically deleting cloud backups and bypassing guest-level defenses, ransomware is now a fundamental resilience crisis where traditional recovery methods hold less value.

How do threat actors use voice phishing to gain network access?

Threat actors are using highly interactive voice phishing to directly bypass multi-factor authentication (MFA) and gain initial access to software-as-a-service (SaaS) environments. Instead of relying on traditional email phishing—which dropped to just 6% of intrusions—groups like UNC3944 call IT help desks posing as employees to reset credentials.

Once inside, they harvest long-lived OAuth tokens and session cookies. By compromising third-party SaaS vendors, they steal hard-coded keys and personal access tokens, allowing them to seamlessly pivot into downstream customer environments. In practice, organizations must audit SaaS integrations and monitor for anomalous token usage to combat this human-centric intrusion method.

What are the main cybersecurity trends in M-Trends 2026?

The primary cybersecurity trends in M-Trends 2026 highlight a clear divergence in adversary pacing. On one hand, cybercriminal groups are optimizing for immediate impact, reducing the "hand-off window" between initial access and secondary payloads to just 22 seconds, and aggressively targeting backups for ransomware recovery denial.

On the other hand, cyber espionage groups and insider threats are prioritizing extreme persistence, achieving median dwell times of 122 days by embedding custom in-memory malware into edge devices and routers. Additionally, voice phishing has overtaken traditional email phishing as a primary infection vector, and early use of AI by attackers to accelerate the attack lifecycle has emerged. To adapt, defenders must expand visibility and pivot toward continuous identity verification.

How do attackers achieve extreme persistence on network edges?

Attackers achieve extreme persistence by specifically targeting edge and core network devices, such as virtual private networks (VPNs) and routers. These devices typically lack standard endpoint detection and response (EDR) agents, creating massive visibility gaps.

M-Trends 2026 highlights threat clusters deploying custom, in-memory malware—such as the BRICKSTORM backdoor—directly onto these non-traditional network appliances. By residing primarily in memory on devices that cannot support traditional security tooling, this malware routinely survives standard remediation efforts and system reboots. Attackers then use native packet-capturing functions to intercept sensitive data and plaintext credentials in transit, allowing them to quietly gather intelligence for hundreds of days without moving deeper into heavily monitored workstations.

What role does AI play in the 2026 cyber threat landscape?

While AI was not the primary cause of breaches in 2025, adversaries are actively integrating it into their operations to accelerate the attack lifecycle. The M-Trends 2026 report observed malware families like PROMPTFLUX and PROMPTSTEAL querying large language models (LLMs) mid-execution to evade detection.

Additionally, "distillation attacks" are being used to extract proprietary logic from high-value machine learning models. Threat actors are also abusing AI within compromised environments; for example, the QUIETVAULT credential stealer searches machines for local AI command-line tools and executes predefined prompts to harvest configuration files. In practice, organizations should establish behavioral baselines around developer toolchains and adopt robust frameworks to secure their AI implementations.

What is the "hand-off window" in modern cyber attacks?

The "hand-off window" refers to the time it takes for an initial access broker to transfer network access to a secondary threat group that executes the primary attack, such as ransomware.

In the M-Trends 2026 data, this window aggressively collapsed from over 8 hours in 2022 to an astonishingly fast 22 seconds. Initial access partners are increasingly pre-staging the secondary group's preferred malware—or establishing network tunnels—during the very first infection. This means secondary threat actors are fully equipped to launch their high-impact operations the exact moment they log into the network. For defenders, this metric signifies that routine, low-level malware alerts must be treated as critical indicators requiring immediate remediation before interactive operations begin.

How can organizations defend against modern ransomware tactics?

To defend against modern ransomware, organizations must architect their networks with the assumption that attackers will attempt "recovery denial." M-Trends 2026 emphasizes the need to isolate critical control planes. Virtualization and management platforms should be treated as Tier-0 assets with strict, isolated access controls.

Most importantly, to counter the active destruction of backups, backup environments should be decoupled completely from the corporate Active Directory domain and rely heavily on immutable storage. Organizations must transition from relying on static indicators of compromise to behavioral anomaly detection, flagging abnormal bulk API operations or unauthorized access to edge devices long before modern ransomware can corrupt hypervisor datastores.

Why is continuous identity verification vital for SaaS security?

Continuous identity verification is vital because interactive social engineering and voice phishing effectively bypass static multi-factor authentication (MFA) protocols. According to M-Trends 2026, attackers are actively harvesting long-lived OAuth tokens and session cookies to slide past initial login hurdles entirely.

Once they possess these tokens, they can silently persist in SaaS applications without repeatedly authenticating. By mandating continuous identity verification—enforcing strict least privilege mechanisms, routinely auditing third-party SaaS integrations, and routing all applications through a central Identity Provider (IdP)—organizations can detect anomalies like suspicious token use or abnormal geo-locations, rapidly shutting down access before data exfiltration occurs.
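The monitoring that the answers above call for (anomalous token use, abnormal geo-locations, abnormal bulk API operations) as a small worked detector. This is an added example, not code from the KnowBe4 post or the M-Trends report; the event schema, the thresholds and the sample events are all assumptions constructed for illustration.

```python
"""Behavioural checks over SaaS OAuth token-usage events (added example, not from the
KnowBe4 post or the M-Trends report). Schema, thresholds and events are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_TOKEN_AGE = timedelta(hours=12)   # assumed policy: a token still used past this is "long-lived"
GEO_WINDOW = timedelta(hours=1)       # two countries inside this window -> abnormal geo-location
BULK_WINDOW = timedelta(minutes=10)   # window over which API volume is measured
BULK_THRESHOLD = 500                  # assumed per-token baseline for records touched per window

def parse(ts):
    return datetime.fromisoformat(ts)

def detect(events):
    """Return a sorted list of (token, finding) tuples for the three behaviours."""
    findings = set()
    by_token = defaultdict(list)
    for e in events:
        by_token[e["token"]].append(e)
    for token, evs in by_token.items():
        evs.sort(key=lambda e: parse(e["ts"]))
        for i, a in enumerate(evs):
            ta = parse(a["ts"])
            # Long-lived token: in use well past issue time, as with harvested tokens.
            if ta - parse(a["issued"]) > MAX_TOKEN_AGE:
                findings.add((token, "long_lived_token"))
            # Abnormal geo-location: the same token used from two countries in a short window.
            for b in evs[i + 1:]:
                if parse(b["ts"]) - ta <= GEO_WINDOW and a["country"] != b["country"]:
                    findings.add((token, "abnormal_geo"))
            # Bulk API operations: records touched inside the window exceed the baseline.
            total = sum(x["records"] for x in evs if ta <= parse(x["ts"]) <= ta + BULK_WINDOW)
            if total > BULK_THRESHOLD:
                findings.add((token, "bulk_api"))
    return sorted(findings)

# Constructed sample events: token A is a normal session; token B shows all three behaviours.
SAMPLE_EVENTS = [
    {"token": "A", "issued": "2025-03-01T09:00:00", "ts": "2025-03-01T09:05:00", "country": "US", "records": 20},
    {"token": "A", "issued": "2025-03-01T09:00:00", "ts": "2025-03-01T09:40:00", "country": "US", "records": 35},
    {"token": "B", "issued": "2025-02-20T08:00:00", "ts": "2025-03-01T02:10:00", "country": "US", "records": 300},
    {"token": "B", "issued": "2025-02-20T08:00:00", "ts": "2025-03-01T02:14:00", "country": "NL", "records": 450},
]

if __name__ == "__main__":
    for token, finding in detect(SAMPLE_EVENTS):
        print(f"token {token}: {finding}")
```

Real deployments would read these events from the IdP or SaaS audit log and tune the thresholds to each tenant's observed baseline.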
