Attackers keep finding the same gaps in security programs

Attackers keep getting in, often through the same predictable weak spots: identity systems, third-party access, and poorly secured perimeter devices. A new threat report from Barracuda based on Managed XDR telemetry from 2025 shows that many successful incidents still start with basic access and configuration failures, not advanced malware.

The report draws on more than two trillion IT events, nearly 600,000 security alerts, and more than 300,000 protected assets monitored over the year. Barracuda’s SOC triaged around 53,000 high-severity threats through its SOAR platform.

Key findings (Source: Barracuda)

Identity alerts lead the detection list

Suspicious logins were the most common detection type across monitored environments. The most frequently detected event was a Microsoft 365 anomalous login, with 42,859 detections over the last 12 months. Microsoft 365 “impossible travel” alerts followed at 22,343 detections.

These detections typically indicate credential theft, compromised accounts, or attackers testing access from new locations. The pattern suggests identity-based compromise remains one of the most reliable entry points into enterprise environments.

Other top detections included account takeover sign-ins, endpoint agent disabled alerts, and attempts blocked by access policy due to new geolocation. Brute-force attempts appeared lower on the list, though the report’s incident data shows password spraying remains common once attackers identify exposed services.

Privilege escalation blends into routine admin work

Once attackers gain a foothold, privilege escalation becomes a priority. Barracuda observed suspicious privilege manipulation activity across Windows environments, Microsoft 365 tenants, and firewall systems.

The most common activity was adding a user to a Windows group with high-risk security rights, accounting for 42% of privilege escalation detections. Another 27% involved removing a user from such a group, an action that can indicate cleanup after an escalation attempt.

Microsoft 365 privilege escalations were also common. Adding a user as a global administrator accounted for 16% of suspicious events, while removing a global administrator accounted for 12%. Firewall privilege escalation also appeared, including FortiGate firewall admin additions.

These actions often resemble normal IT operations, which makes them harder to detect through traditional alerting. Attackers increasingly rely on legitimate tools and standard workflows to stay hidden.

Remote management tools are a growing risk

Remote monitoring and management tools and remote access systems continue to attract attackers. Barracuda reported incidents involving abuse of SonicWall SSL-VPN, ScreenConnect, RDP, PsExec, AnyDesk, and firewall VPN services.

One incident described a malicious executable that attempted to register itself as a Windows service for persistence. It also tried to install ScreenConnect through PowerShell, using a trusted remote management tool as part of the compromise chain.

Another incident involved Akira ransomware, where attackers installed Datto RMM after gaining access to a domain controller. The activity resembled routine IT automation, blending into expected backup or maintenance behavior.

Third-party access plays a major role in incidents

Supply chain exposure and third-party access accounted for a large share of security incidents. Researchers found that 66% of incidents involved the supply chain or a third party, up from 45% in 2024.

Third-party access often persists longer than intended, especially when vendor accounts remain active after a contract ends. In one ransomware case involving Akira, attackers entered through an account created for a vendor that was never deactivated. They later pivoted to an unprotected server and launched ransomware.

The recurring theme is that access governance failures can create long-lived entry points that remain invisible until they are exploited.

Vulnerability exposure is still dominated by old crypto flaws

Outdated encryption and certificate issues remained common. The top detected network vulnerabilities included untrusted security certificates, certificate name mismatch, weak encryption checks, and self-signed certificates.

Legacy cryptography is still widespread. The most detected CVE was CVE-2013-2566, an RC4 encryption weakness. Other frequently detected CVEs included CVE-2019-11072 in lighttpd and CVE-2024-6387 in OpenSSH, which carried a critical severity rating.

Across all detected vulnerabilities, researchers recorded 2,525 unique vulnerabilities and 4,146 critical vulnerabilities. About 11% of vulnerabilities had a known exploit.

Misconfiguration leaves tools disabled when they matter most

Misconfiguration and disabled protections played a major role in incidents. Researchers found that endpoint protection agents accounted for 94% of disabled security feature detections. MFA disabling accounted for 3.62%, safe link rule disabling for 1.4%, and safe attachment rule disabling for 0.6%.

Every security incident Barracuda responded to involved at least one unprotected or rogue endpoint.

That data points to a recurring operational issue: unmanaged devices and inconsistent enforcement of endpoint coverage continue to undermine security controls across networks.

“What makes targets vulnerable is often easy to overlook. A single rogue device, an account that wasn’t disabled when someone left, a dormant application that hasn’t been updated, or a misconfigured security feature. Attackers only need to find one to succeed,” said Merium Khalid, Director, SOC Offensive Security at Barracuda.

Ransomware keeps exploiting perimeter devices

Ransomware remained one of the most consistent threats in 2025. Researchers identified 13,514 indicators of ransomware activity over the year, with steady volume across months.

Ransomware impact increased year over year. The proportion of organizations impacted by ransomware each month ranged from 5.1% to 10.9% in 2025, compared with 1.5% to 5.6% in 2024.

Firewalls played a central role in ransomware intrusions. Barracuda found that 90% of ransomware incidents exploited firewalls, either through a CVE or a vulnerable account.

Once lateral movement begins, ransomware deployment becomes likely. Researchers reported that 96% of incidents involving lateral movement ended with ransomware being released.

Attack speed also varied widely. The fastest ransomware attack observed went from breach to encryption in three hours, with some cases reaching lateral movement in 10 minutes. Other intrusions lasted weeks or months, giving attackers time to exfiltrate data and prepare ransomware deployment.