Cyber attackers are increasingly sidestepping traditional security tools by exploiting users themselves, according to Bridewell’s newly released Cyber Threat Intelligence Report 2026. The report highlights a significant shift in attacker behaviour, with threat actors moving away from malware-heavy campaigns towards identity-driven and socially engineered attacks that operate within trusted systems, often leaving little trace for security tools to detect.
Gavin Knapp, Head of Cyber Threat Intelligence at Bridewell, said the findings point to a fundamental evolution in how cyber attacks are executed.
“A key finding in the report is the move away from malware-led attacks toward identity-driven and user-led compromise, leveraging legitimate identities, software and techniques that operate inside trusted systems and bypass conventional defences,” he noted.
Security tools bypassed as attackers target users
At the centre of this shift is the rise of so-called “fix-style” attacks, including ClickFix, FileFix and ConsentFix. These techniques manipulate users into carrying out actions themselves, such as copying malicious commands, approving fraudulent authentication prompts, or completing legitimate login processes that hand control to attackers. Because these attacks rely on user execution, they can bypass endpoint security tools, multi-factor authentication (MFA), and traditional detection mechanisms entirely. In many cases, attacks now take place wholly within browsers or legitimate identity workflows.
Faster, more resilient cyber threats
Rather than reinventing tactics, attackers are refining existing methods to increase speed and resilience. Bridewell’s research shows that widely available offensive tools and command-and-control frameworks remain dominant, while adversary infrastructure is becoming more agile and distributed. This allows threat actors to quickly recover from disruption. When one tool or malware family is taken down, attackers rapidly switch to alternatives, minimising downtime and maintaining operational continuity.
Identity emerges as primary attack surface
The report identifies identity as the central battleground in modern cyber attacks. Credentials, session tokens and OAuth access are now heavily targeted, with information-stealing malware playing a key role in harvesting login data. This lets attackers operate as legitimate users, significantly reducing the likelihood of detection while opening the way to follow-on attacks including ransomware and fraud.
Ransomware evolves towards data extortion
Bridewell also highlights a shift in ransomware tactics, with attackers increasingly prioritising data theft over encryption. This “smash-and-grab” approach focuses on rapid data exfiltration, allowing cyber criminals to extort victims without the need for prolonged network access. The result is faster attacks that leave defenders less time to respond while increasing pressure on organisations to pay.
Blurring lines between cyber crime and nation-state activity
The report notes a growing convergence between cyber criminal groups and nation-state actors, with both adopting similar tools, techniques and infrastructure. This overlap is driving increased sophistication and unpredictability, particularly in attacks targeting critical national infrastructure and key industries.
What to expect
Looking ahead, Bridewell warns that organisations will face an increasingly adaptive threat landscape shaped by identity abuse, agile infrastructure, and AI-enabled attacks.
Key risks expected to dominate in 2026 include:
- Increased exploitation of edge devices and identity systems
- Continued growth in supply chain attacks
- Rising activity linked to DPRK and other state-aligned actors
- Ongoing convergence between cyber crime and nation-state operations
Knapp added that organisations must rethink their approach to security in response to these trends.
“As attackers continue to exploit trusted systems and human behaviour, organisations must move beyond traditional security approaches and focus on identity protection, user awareness and threat-informed defence,” he cautioned.

