Throughout the first half of 2025, the FortiGuard Incident Response team investigated dozens of security breaches across multiple industries driven by financially motivated threat actors.
What emerged from these investigations was a striking pattern: attackers are abandoning complex, malware-heavy approaches in favor of a deceptively simple method: logging in with stolen credentials and using legitimate remote access tools to blend into normal business operations.
This shift represents a fundamental change in how modern cybercriminals operate. Rather than deploying sophisticated implants or zero-day exploits, financially motivated adversaries are weaponizing the tools that defenders often overlook: valid user accounts and remote management software.
The findings align closely with FortiRecon Threat Intelligence Report data from H1 2025, showing that external credential exposure trends mirror those observed during active incident response engagements across diverse industry sectors.

The initial access vector in most investigated cases followed a consistent playbook. Attackers obtained valid credentials through credential-harvesting phishing campaigns, password reuse exploitation, or by purchasing compromised accounts from Initial Access Brokers at remarkably low prices.
For organizations with less than $100 million in revenue, stolen credentials cost as little as $100-500 USD in emerging economies, making this attack vector economically irresistible for threat actors.
Once inside victim networks, attackers leveraged VPN services configured without multi-factor authentication to establish footholds.
A particularly alarming finding was the extensive use of legitimate remote management tools—AnyDesk, Splashtop, Atera, and ScreenConnect—installed alongside legitimate instances to maintain persistence. This technique proved devastatingly effective because security teams often struggle to distinguish malicious tool deployments from legitimate IT operations.
Manual Operations and Stealth
What distinguished these intrusions was the manual, operator-driven approach. Threat actors moved methodically through networks using built-in tools like RDP, SMB, and WinRM, performing reconnaissance that resembled routine administrative activity.
In one notable case, an adversary with stolen domain administrator credentials accessed the victim’s VPN without MFA, then deployed AnyDesk across systems via Group Policy and RDP sessions, effectively hiding the intrusion within legitimate IT traffic.
Data exfiltration followed a similarly understated pattern. Rather than employing automated exfiltration mechanisms that trigger detection alerts, attackers used drag-and-drop capabilities within remote management tools to manually transfer sensitive data directly to their infrastructure.
This approach leaves minimal forensic artifacts, making detection significantly more difficult than traditional exfiltration techniques.
The prevalence of this attack methodology reflects a critical defensive gap. Stealth is paramount—adversary activity appears indistinguishable from legitimate user behavior unless security teams maintain rigorous behavioral baselines and anomaly detection.
Most endpoint detection and response solutions focus on malware signatures and endpoint behavior rather than identity-based anomalies spread across multiple systems.
Additionally, the low skill barrier to execution makes these attacks widely accessible. An attacker with stolen credentials needs minimal technical expertise to achieve objectives, requiring only knowledge of VPN access and basic RDP navigation.
Combined with the affordability of credentials in the underground market, this creates an attractive entry point for threat actors of varying sophistication levels.
Defending Against Credential-Based Attacks
Effective defense requires a fundamental shift toward identity-centric security strategies. Organizations must enforce multi-factor authentication across all access points, including internal networks and VPN infrastructure.
Behavioral monitoring should flag impossible travel scenarios, simultaneous multi-system logins, and access patterns inconsistent with normal operations.
Additionally, explicitly restricting and monitoring remote management tools—combined with detection mechanisms for their deployment and network activity—provides critical visibility into malicious operations.
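The three detections recommended above (impossible travel on VPN logons, one account fanning out across many hosts, and RMM tools launching on hosts that IT has not approved) can be expressed as simple rules over identity and process telemetry. The following is an added example, not code from the report or from Fortinet; the event layout, thresholds, host names and sample records are all constructed for illustration.

```python
from datetime import datetime
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

RMM_NAMES = ("anydesk", "splashtop", "atera", "screenconnect")  # RMM tools named in the report

def _by_user(events):  # events per user in time order (ISO-8601 "t" strings sort correctly)
    ordered = sorted(events, key=lambda e: (e["user"], e["t"]))
    return ((u, list(g)) for u, g in groupby(ordered, key=lambda e: e["user"]))

def _hours(a, b):
    return (datetime.fromisoformat(b["t"]) - datetime.fromisoformat(a["t"])).total_seconds() / 3600

def haversine_km(a, b):  # great-circle distance between two geo-IP points
    la1, lo1, la2, lo2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(vpn_logons, max_kmh=900):  # implied speed faster than an airliner
    hits = []
    for user, evs in _by_user(vpn_logons):
        for a, b in zip(evs, evs[1:]):
            km, hrs = haversine_km(a, b), _hours(a, b)
            if km > 50 and (hrs == 0 or km / hrs > max_kmh):  # 50 km floor skips geo-IP jitter
                hits.append((user, a["t"], b["t"], round(km)))
    return hits

def logon_fanout(logons, window_min=10, max_hosts=3):  # one account, many hosts, short window
    hits = []
    for user, evs in _by_user(logons):
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if _hours(start, e) * 60 <= window_min}
            if len(hosts) > max_hosts:
                hits.append((user, start["t"], sorted(hosts)))
                break  # one alert per user per run
    return hits

def unapproved_rmm(process_starts, approved_hosts):  # RMM launch outside the IT allowlist
    return [(e["host"], e["image"]) for e in process_starts
            if any(n in e["image"].lower() for n in RMM_NAMES) and e["host"] not in approved_hosts]

# Constructed sample telemetry (not real data): VPN logons with geo-IP, host logons, process starts.
VPN = [{"user": "admin.jdoe", "t": "2025-03-04T08:00:00", "lat": 52.52, "lon": 13.40},   # Berlin
       {"user": "admin.jdoe", "t": "2025-03-04T08:40:00", "lat": 40.71, "lon": -74.01}]  # New York
LOGONS = [{"user": "admin.jdoe", "t": f"2025-03-04T09:0{i}:00", "host": h}
          for i, h in enumerate(["FS01", "DC01", "SQL01", "WEB01"])]
PROCS = [{"host": "HR-PC-07", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
         {"host": "IT-ADMIN-01", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"}]
APPROVED_RMM_HOSTS = {"IT-ADMIN-01"}
```

Running the three checks over the constructed records flags the 40-minute Berlin-to-New-York VPN hop, the admin account reaching four hosts in three minutes, and the AnyDesk launch on the HR workstation, while the copy on the approved IT host stays silent.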
The uncomfortable truth reinforced by these investigations remains unchanged: the most dangerous breach often involves no breach at all, merely an attacker successfully logging in with stolen credentials.