Palo Alto Networks: Unit 42 Global Incident Response Report 2026

Cover art: CASE ID: CL-STA-0043
System.Reflection.MethodInfo methodInfo = assembly.GetTypes()[0].GetMethod("Run");

Global Incident Response Report 2026

Executive Summary

WE SEE FOUR MAJOR TRENDS THAT WILL SHAPE THE THREAT LANDSCAPE FOR 2026.

First, AI has become a force multiplier for threat actors. It compresses the attack lifecycle, from access to impact, while introducing new vectors. This speed shift is measurable: in 2025, exfiltration speeds for the fastest attacks quadrupled.

Second, identity has become the most reliable path to attacker success. Identity weaknesses played a material role in almost 90% of Unit 42 investigations. Attackers increasingly log in with stolen credentials and tokens, exploiting fragmented identity estates to escalate privileges and move laterally.

Third, software supply chain risk has expanded beyond vulnerable code to the misuse of trusted connectivity. Attackers exploit software-as-a-service (SaaS) integrations, vendor tools and application dependencies to bypass perimeters at scale. This shifts the impact from isolated compromise to widespread operational disruption.

Fourth, nation-state actors are adapting stealth and persistence tactics to modern enterprise operating environments. These actors increasingly relied on persona-driven infiltration (fake employment, synthetic identities) and deeper compromise of core infrastructure and virtualization platforms, with early signs of AI-enabled tradecraft used to reinforce these footholds.

87% of intrusions spanned multiple attack surfaces

While these four trends each present a challenge, attacker success is rarely determined by a single attack vector. In more than 750 incident response (IR) engagements, 87% of intrusions involved activity across multiple attack surfaces. This means defenders must protect endpoints, networks, cloud infrastructure, SaaS applications and identity together. Further, nearly half (48%) involved browser-based activity, reflecting how often attacks intersect with routine workflows like email, web access and day-to-day SaaS usage.

Most breaches were enabled by exposure, not attacker sophistication. In fact, in over 90% of breaches, preventable gaps materially enabled the intrusion: limited visibility, inconsistently applied controls, or excessive identity trust. These conditions delayed detection, created paths for lateral movement, and increased impact once attackers obtained access.

Security leaders must close the gaps attackers rely on. First, reduce exposure by securing the application ecosystem, including third-party dependencies and integrations, and hardening the browser, where many intrusions now begin. In parallel, reduce area of impact by advancing zero trust and tightening identity and access management (IAM) to remove excessive trust and limit lateral movement. Finally, as the last line of defense, ensure the security operations center (SOC) can detect and contain threats at machine speed by consolidating telemetry and automating response.

Palo Alto Networks | Unit 42 | The Global Incident Response Report 2026 | 2

Table of Contents

Introduction 04
Emerging Threats and Trends 06
Inside the Intrusion 20
Recommendations for Defenders 28
Appendix 36
Methodology 42


SECTION 1: Introduction


In 2025, Unit 42 responded to more than 750 major cyber incidents. Our teams worked with large organizations facing extortion, network intrusions, data theft and advanced persistent threats. Targets spanned every major industry and more than 50 countries. In each case, the situation had escalated to the point where the SOC called for backup.

When that call comes, our incident responders move quickly to investigate, contain and eradicate the threat. We help organizations establish what happened, restore operations, and reduce the risk of recurrence by strengthening controls, visibility and resilience.

Each intrusion tells a story: what the attacker targeted, how they gained access, how the activity escalated and what could have stopped it sooner. In the aggregate, these stories become trends and provide insight into the global threat landscape. They show what's changing in adversary tradecraft, the repeated mistakes organizations make, and most importantly, what defenders can do to keep their organizations safe. This report distills those lessons.

Over the past year, attack speeds continued to accelerate. Attackers are still early in their adoption of AI-enabled tradecraft, but its impact is already visible. AI reduces friction across reconnaissance, social engineering, scripting, troubleshooting and extortion operations. It enables greater scale and the ability to launch multiple attacks simultaneously. The result is a shrinking window for detection and containment, where what happens in the first minutes after initial access can determine whether an incident becomes a breach.

At the same time, most breaches still follow familiar paths. And that is why our most important conclusion remains unchanged: security is solvable. In more than 90% of incidents, misconfigurations or lapses in security coverage materially enabled the intrusion. Attackers are adapting, but they most often succeed by exploiting preventable gaps: inconsistent control deployment, incomplete telemetry, over-permissive identity trust and unmanaged third-party connectivity across SaaS and cloud.

This report is organized as a practical guide to the current threat landscape:

Emerging Threats and Trends: How attacker tradecraft is evolving, from AI as a force multiplier and identity as the most reliable path to success to expanding software supply chain risk through trusted connectivity and evolving nation-state tactics.

Inside the Intrusion: An aggregate view of observed tactics, techniques and procedures across Unit 42 investigations: what attackers target, how they get in, how fast they move and the impacts they drive.

Recommendations for Defenders: Concrete steps to close the gaps that enable compromise, constrain area of impact, and build response capability fast enough to stop incidents before they escalate.

Unit 42 operates 24/7 to protect the digital world from cyber threats. The goal of this report is straightforward: to turn what we learn on the front lines into decisions that stop incidents before they become breaches.

Sam Rubin
SVP of Consulting and Threat Intelligence
Unit 42


SECTION 2: Emerging Threats and Trends


TREND 1: AI Has Become a Force Multiplier for Attackers

AI is changing the economics of intrusions. It increases attacker speed, scale and effectiveness while opening entirely new attack vectors.

While much of this activity occurs on adversary infrastructure, beyond our ability to directly observe, Unit 42 investigations and research reveal a clear shift. In 2025, threat actors moved from experimentation to routine operational use. AI is not an attacker "easy button," but it is a massive friction reducer. It allows threat actors to move faster, iterate more frequently, and operate with fewer human constraints.

AI INCREASES THE SPEED AND SCALE OF ATTACKS

AI compresses the attack lifecycle and reduces the manual effort required to operate across multiple targets.

Faster vulnerability exploitation: The window between disclosure and exploitation continues to shrink. Threat actors are automating the "monitor > diff > test > weaponize" loop. Unit 42 research found that attackers start scanning for newly discovered vulnerabilities within 15 minutes of a CVE being announced. Exploitation attempts often begin before many security teams have even finished reading the vulnerability advisory.

Parallelized targeting: Operator time is less of a constraint. AI-assisted workflows allow actors to run reconnaissance and initial access attempts across hundreds of targets in parallel, and then concentrate effort where they find a weak signal.

Ransomware at scale: We see actors using AI to reduce manual work during deployment (script generation, templating) and extortion (messaging consistency). The shift is not that ransomware is new; it is that the operator time required to run it at scale is dropping.

What this means in time-to-impact: Last year, Unit 42 simulated an AI-assisted attack that reduced time-to-exfiltration down to 25 minutes. Real-world IR data reflects this acceleration: the fastest 25% of intrusions reached exfiltration in 72 minutes, down from 285 minutes the calendar year prior.

The AI Negotiator

In an extortion case, Unit 42 negotiators observed responses that were unusually consistent in tone, grammar, cadence and turnaround time across exchanges. These patterns are consistent with templated or AI-assisted messaging. Even partial automation matters: it enables actors to run more concurrent negotiations and apply more disciplined pressure, without tying up a human operator on every thread.

Ransomware Automation

In a ransomware investigation, Unit 42 recovered operational scripts used to deploy payloads, coordinate lateral movement and impair security controls at scale. Several elements were consistent with AI-assisted development, including unusually thorough commenting, templated variants and efficiency-focused fallback logic. The net effect was machine-like execution across hundreds of systems, compressing the time and effort typically required to stage a multi-phase deployment.


AI IMPROVES ATTACKER OUTCOMES

AI is raising the success rate of known attack techniques.

Hyper-personalized social engineering: We have moved past "phishing with better grammar." Actors can automate open-source intelligence (OSINT) collection, including professional and organizational context, to craft lures that match the target's role and relationships.

Synthetic identities: Threat actors like Muddled Libra and North Korean IT workers increasingly use deepfake techniques to steal credentials and pass remote hiring workflows.

Malware development: In the Shai-Hulud campaign, Unit 42 assessed that attackers used a large language model (LLM) to generate malicious scripts.

Lowered barrier to entry: Purpose-built malicious LLMs and jailbreak attacks continue to reduce the skill required to produce persuasive lures and functional code variants. The net effect is that more actors are able to execute credible tradecraft faster, with fewer mistakes.

Bottom line: AI improves the attackers' rates of success at each stage. It improves the quality of lures, shortens the time needed to adapt tools and reduces dependence on constant operator intervention, making extortion more consistent and scalable.

Vibe Extortion

An unsophisticated actor exfiltrated sensitive data but had no plan for the shakedown. To bridge the gap, they used an LLM to script a professional extortion strategy, complete with deadlines and pressure tactics. The result was surreal: the actor recorded a threat video from their bed while visibly intoxicated, reading the AI-generated script word-for-word from a screen. The threat lacked technical depth, but the model supplied coherence. AI didn't make the attacker smarter; it just made them look professional enough to be dangerous.

AI CREATES NEW ATTACK VECTORS

Enterprise AI adoption creates a new class of risk: living off the AI land (LOTAIL). Just as attackers misuse PowerShell or Windows Management Instrumentation (WMI), they are now weaponizing legitimate AI platforms and embedded assistants.

Turning your AI platform into a weapon: Threat actors use valid credentials to misuse enterprise AI platforms. For example, recent Unit 42 research on Google Vertex AI demonstrated how attackers could misuse custom job permissions to escalate privileges and use a malicious model as a Trojan horse to exfiltrate proprietary data.

The attacker's co-pilot: With compromised credentials, an intruder can use an internal assistant to pull context at machine speed, including requesting integration guides, admin runbooks or network maps. The assistant becomes a force multiplier, allowing intruders to understand the environment with fewer mistakes.

The risk is clear: if a tool can help employees get work done, it can also help intruders understand your environment and move with fewer mistakes.

The AI-Assisted Insider

An insider weaponized their company's own AI assistant to stage an attack. Forensic analysis showed the insider used the tool to research internal systems, generate a custom denial-of-service (DoS) script and troubleshoot errors in real time. The assistant bridged a skill gap, enabling the actor to target core infrastructure they likely could not have operated against as effectively without AI support.


COUNTERMEASURES: DEFENDING AGAINST AI-DRIVEN THREATS

These tactics will help you defend against AI-assisted attacks.

Counter AI-accelerated attack speed

Automate external patching: Mandate automated patching for critical CVEs on internet-facing assets to close the 24-hour exploitation window.

Autonomous containment: Deploy AI-driven response to drive down mean time to detect/respond (MTTD/MTTR) and isolate threats before they can automate lateral movement.

Defend against improved tradecraft

Behavioral email security: Transition from signature-based filters to engines that identify anomalies in communication patterns.

Intent-based awareness: Move beyond simply training employees to spot typos. Shift to out-of-band (OOB) verification for all sensitive requests (e.g., wire transfers, credential resets or remote hiring).

Protect the AI attack surface

Monitor model telemetry: Correlate unusual AI API calls or scripts sourced from model outputs with known evasion techniques.

Prompt visibility: Alert on sensitive queries to internal LLMs (e.g., "find all passwords") and enforce strict permission boundaries for tokens and service accounts.
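The prompt-visibility and token-boundary controls above, worked through as an added example that is not from the report or from Unit 42. It runs detection logic over a constructed assistant audit log: the log format (JSON lines with ts, principal, actor_type and prompt), the sensitive-intent pattern classes, their weights and the thresholds are all assumptions chosen to illustrate the idea, not a vendor's schema. Service-account tokens get a stricter threshold than humans, because an assistant being driven by a non-human identity is the "attacker's co-pilot" pattern the text describes, and a burst of sensitive prompts from one principal is alerted once rather than per prompt.

```python
"""Prompt-visibility detector for an internal assistant's audit log.

Added example; not Unit 42 code. The audit-log shape, pattern classes,
weights and thresholds below are assumptions for illustration.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sensitive-intent classes (assumed). A prompt's score is the sum of the
# weights of every class it matches.
SENSITIVE_PATTERNS = {
    "credential_hunting": (re.compile(r"\b(password|passwd|secret|api[ _-]?key|token)s?\b", re.I), 3),
    "admin_runbook": (re.compile(r"\b(runbook|break[- ]glass|domain admin|root access)\b", re.I), 2),
    "network_recon": (re.compile(r"\b(network (map|diagram)|subnet|firewall rule|vpn config)\b", re.I), 2),
}
HUMAN_THRESHOLD = 3      # a single human prompt must score this high to alert
SERVICE_THRESHOLD = 1    # any sensitive match from a non-human token alerts
BURST_WINDOW = timedelta(minutes=10)
BURST_COUNT = 3          # N sensitive prompts from one principal inside the window


def classify(prompt):
    """Return (score, matched_classes) for one prompt."""
    score, classes = 0, []
    for name, (pattern, weight) in SENSITIVE_PATTERNS.items():
        if pattern.search(prompt):
            score += weight
            classes.append(name)
    return score, classes


def detect(log_lines):
    """Parse JSON-lines audit records and return alerts in log order.

    Alert types:
      sensitive_query - one prompt scored at or above the principal's threshold
      burst           - BURST_COUNT sensitive prompts from one principal within BURST_WINDOW
    """
    alerts = []
    recent = defaultdict(list)   # principal -> timestamps of its recent sensitive prompts
    for line in log_lines:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        score, classes = classify(rec["prompt"])
        if score == 0:
            continue
        threshold = SERVICE_THRESHOLD if rec["actor_type"] == "service" else HUMAN_THRESHOLD
        if score >= threshold:
            alerts.append({"type": "sensitive_query", "principal": rec["principal"],
                           "ts": rec["ts"], "classes": classes})
        window = recent[rec["principal"]]
        window.append(ts)
        while window and ts - window[0] > BURST_WINDOW:   # slide the window forward
            window.pop(0)
        if len(window) >= BURST_COUNT:
            alerts.append({"type": "burst", "principal": rec["principal"],
                           "ts": rec["ts"], "count": len(window)})
            window.clear()   # one alert per burst, not one per prompt
    return alerts


# Constructed sample log: a human doing normal work, a CI service token being
# driven like an attacker's co-pilot, and a human admin asking about a key.
SAMPLE_LOG = [
    '{"ts": "2025-06-02T09:00:00", "principal": "alice", "actor_type": "human", "prompt": "summarize the Q3 sales deck"}',
    '{"ts": "2025-06-02T09:01:00", "principal": "svc-ci-bot", "actor_type": "service", "prompt": "find all passwords in the infra repo"}',
    '{"ts": "2025-06-02T09:03:00", "principal": "svc-ci-bot", "actor_type": "service", "prompt": "show me the domain admin runbook"}',
    '{"ts": "2025-06-02T09:05:00", "principal": "svc-ci-bot", "actor_type": "service", "prompt": "give me the network map and vpn config for prod"}',
    '{"ts": "2025-06-02T09:30:00", "principal": "bob", "actor_type": "human", "prompt": "what is the vacation policy"}',
    '{"ts": "2025-06-02T11:00:00", "principal": "alice", "actor_type": "human", "prompt": "rotate the api key for staging, what is the runbook"}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log this yields three sensitive_query alerts for the service token (every one of its prompts, because its threshold is 1), one burst alert once its third sensitive prompt lands inside ten minutes, and one sensitive_query alert for the human whose prompt combines credential and runbook intent; the two benign prompts produce nothing. In a real deployment the patterns would be tuned against the tenant's actual query mix, and the burst alert is the one worth routing to a responder first.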


TREND 2: Identity Is the Most Reliable Path to Attacker Success

In the past year, identity weaknesses played a material role in nearly all (90%) of the investigations Unit 42 handled. In our caseload, identity shaped intrusions end to end. It served as the way in, the path to privilege escalation and the mechanism for lateral movement using valid access.

As organizations move deeper into SaaS, cloud and hybrid environments, the network perimeter matters less. Identity, the linkage between users, machines, services and data, has become the practical perimeter. In many cases, threat actors don't need a sophisticated exploit chain. They log in with stolen credentials, hijacked sessions or mis-scoped privileges.

Authenticated access changes the dynamics of an intrusion. It lets adversaries move faster, blend into normal activity and expand their area of impact with fewer obstacles. This trend is accelerating as machine identities, embedded AI applications and fragmented identity estates expand the number of access paths attackers can exploit.

THE WAY IN: IDENTITY-DRIVEN INITIAL ACCESS

Unit 42 case data shows that 65% of initial access is driven by identity-based techniques, as shown in Figure 1. While defenders focus on patching vulnerabilities, threat actors often bypass software controls by targeting users and authentication paths.

[Figure 1: Identity-Driven Initial Access, 65% of cases]
  Identity-related social engineering (33%): identity-based phishing 22%, other social engineering 11%
  Credential misuse and brute force (21%): previously compromised credentials 13%, brute force 8%
  Identity policy and insider risk (11%): insider threats 8%, IAM misconfiguration 3%

Figure 1. The data highlights identity as the dominant driver of initial access in modern intrusions.


We see the following primary routes to initial access:

Identity-related social engineering (33%): Identity-based phishing (22%) and other social engineering (11%) remain the leading drivers of modern breaches. Rather than simple credential theft, these tactics increasingly focus on multi-factor authentication (MFA) circumvention and session hijacking, allowing attackers to bypass authentication controls and move laterally by exploiting trusted identity workflows.

Credential misuse and brute force (21%): Previously compromised credentials (13%) and brute force activity (8%) allow attackers to gain access with little interaction. By using valid accounts obtained from prior breaches or underground markets, actors log directly into virtual private networks (VPNs), remote access gateways and cloud portals, bypassing traditional perimeter defenses without triggering early detection.

Identity policy and insider risk (11%): Stemming from internal trust and architectural flaws, these vectors involve the exploitation of valid permissions. Attackers leverage IAM misconfigurations (3%), such as overly permissive policies, to escalate privileges and inherit access, while insider threats (8%) involve the abuse of legitimate credentials.

Identity and vulnerability management are not separate fights. A leaked credential can create the same exposure as an unpatched internet-facing system.

THE WAY THROUGH: IDENTITY TURNS ACCESS INTO IMPACT

After initial access, identity gaps are one of the most common ways attackers turn a foothold into a high-impact breach. In modern environments, authenticated actions determine speed and blast radius.

Unit 42 analysis of more than 680,000 identities across cloud accounts found that 99% of cloud users, roles and services had excessive permissions, some unused for 60 days or more. This creates an environment where lateral movement is easier than it should be, because many identities carry privileges they don't need day to day. Attackers exploit both human and machine identities as operational levers:

Privilege escalation: Over-scoped roles, inherited permissions and unretired legacy grants create repeatable paths to higher privilege. Once an attacker can write to IAM, they can often escalate quickly without deploying novel tooling.

Credential reuse and lateral movement: Actors commonly test compromised credentials across other systems. This is especially true where passwords are reused across production and non-production environments, or where shared accounts still exist.

Token and OAuth misuse: Stolen session tokens and illicit OAuth grants let attackers bypass interactive authentication (including MFA), persist without repeated logins and operate with fewer obvious alerts.

Trust paths (e.g., shared administrative accounts, delegated access and third-party tools) become fast lanes for lateral movement. Without tight privilege boundaries and strong identity segmentation, a single compromised identity can expand into broad access.

99% of 680,000 cloud identities had excessive permissions


THE EXPANDING IDENTITY ATTACK SURFACE

The identity landscape is expanding and fragmenting. As organizations adopt cloud, SaaS and AI-enabled workflows, identity moves into areas that often sit outside consistent governance, creating areas where attackers operate with reduced visibility.

Three trends are driving this shift:

The rise of machine and AI identities: Non-human identities, like service accounts, automation roles, API keys and emerging AI agents, often outnumber human users. These identities are frequently over-privileged, rely on long-lived credentials and are inconsistently monitored. For an attacker, compromising a service account can be higher leverage and quieter than compromising a person.

Shadow identities: Cloud and AI adoption has increased the volume of unsanctioned accounts, developer environments and third-party connectors. These shadow identities often bypass standard onboarding, review and logging, creating access paths the SOC might not see until after impact.

Identity silos: Most enterprises operate multiple identity systems (e.g., Active Directory, Okta, cloud-native IAM). When authentication and authorization are fragmented, so is visibility. Attackers can move between on-premises and cloud environments while leaving incomplete trails in any single control plane.

Misconfiguration at scale turns identity from a control into a liability. When machine identities, shadow access and fragmented identity estates combine, attackers gain more reliable paths to persist and expand. And defenders lose end-to-end visibility.

COUNTERMEASURES: DISRUPTING IDENTITY-DRIVEN TRADECRAFT

These tactical steps can disrupt the identity-related tradecraft observed in Unit 42 cases.

Deploy phishing-resistant MFA: Standard MFA is not enough against modern bypass and adversary-in-the-middle tactics. Prioritize FIDO2/WebAuthn hardware keys or passkeys for high-value roles (admins, executives, developers).

Inventory and rotate machine identities: Establish continuous discovery for non-human identities (service accounts, automation roles, API keys). Immediately rotate static credentials for any privileged service account that has not changed in 90 days and reduce credential lifetime wherever possible.

Harden the session: Attackers increasingly pivot post-login by stealing tokens and misusing OAuth grants. Reduce session lifetimes for sensitive applications and enforce conditional access that continuously evaluates device health, location and risk during the session.

Eliminate standing admin rights: Move privileged access to a just-in-time model. Remove persistent admin grants and require time-bound elevation with approvals and strong logging, so a compromised account yields minimal privilege by default.
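An added example, not from the report or from Unit 42, that turns two of the numbers in this section into a check: the "unused for 60 days or more" excessive-permission finding behind the 680,000-identity analysis, and the "rotate static credentials for any privileged service account that has not changed in 90 days" countermeasure. The inventory shape (one record per identity with its static credential's creation date and a last-used date per granted permission) is an assumption; in practice it would be assembled from a cloud provider's credential report and service-last-accessed data. The identity names and permissions are constructed.

```python
"""Non-human identity hygiene audit: unused permissions and stale static credentials.

Added example; not Unit 42 code. The inventory shape is an assumption;
the 60-day and 90-day thresholds are the ones stated in the report text.
"""
from datetime import date

UNUSED_PERMISSION_DAYS = 60   # permissions idle this long count as excessive
STALE_CREDENTIAL_DAYS = 90    # static credentials older than this must rotate


def audit_identity(identity, today):
    """Return the findings for one identity record (possibly empty)."""
    findings = []
    unused = sorted(
        perm for perm, last_used in identity["permissions"].items()
        if last_used is None or (today - last_used).days >= UNUSED_PERMISSION_DAYS
    )
    if unused:
        findings.append({"identity": identity["name"], "type": "excessive_permissions",
                         "detail": unused})
    cred = identity.get("static_credential")
    if cred is not None:
        age = (today - cred["created"]).days
        if age >= STALE_CREDENTIAL_DAYS:
            # Privileged service accounts are rotated immediately; others are queued.
            action = "rotate_now" if identity["privileged"] else "rotate"
            findings.append({"identity": identity["name"], "type": "stale_credential",
                             "detail": {"age_days": age, "action": action}})
    return findings


def audit(inventory, today):
    """Audit every identity and return findings in inventory order."""
    findings = []
    for identity in inventory:
        findings.extend(audit_identity(identity, today))
    return findings


def excessive_share(inventory, today):
    """(identities with at least one unused permission, total identities)."""
    flagged = {f["identity"] for f in audit(inventory, today)
               if f["type"] == "excessive_permissions"}
    return len(flagged), len(inventory)


TODAY = date(2025, 12, 1)

# Constructed sample inventory (hypothetical names and permissions).
SAMPLE_INVENTORY = [
    {"name": "svc-backup", "kind": "service", "privileged": True,
     "static_credential": {"created": date(2025, 3, 1)},
     "permissions": {"s3:GetObject": date(2025, 11, 30),
                     "s3:PutObject": date(2025, 11, 30),
                     "iam:PassRole": None,                          # never used
                     "ec2:TerminateInstances": date(2025, 4, 2)}},  # idle for months
    {"name": "ci-deployer", "kind": "role", "privileged": True,
     "static_credential": None,                                     # short-lived creds only
     "permissions": {"ecr:PutImage": date(2025, 11, 29),
                     "ecs:UpdateService": date(2025, 11, 29)}},
    {"name": "analytics-reader", "kind": "service", "privileged": False,
     "static_credential": {"created": date(2025, 11, 15)},
     "permissions": {"s3:GetObject": date(2025, 11, 28),
                     "kms:Decrypt": date(2025, 8, 1)}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, TODAY):
        print(finding)
    print("identities with excessive permissions: %d of %d" % excessive_share(SAMPLE_INVENTORY, TODAY))
```

On the sample inventory, svc-backup is flagged twice (two idle permissions, including a never-used iam:PassRole that is exactly the kind of grant an attacker who can write to IAM would pivot through, and a 275-day-old static key on a privileged account, so rotate now), analytics-reader once for an idle kms:Decrypt, and ci-deployer not at all because it uses short-lived credentials and exercises every grant it holds. Two of three identities carry excess, which is the shape of the report's 99% figure at small scale.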


TREND 3: Software Supply Chain Attacks Increasingly Drive Downstream Disruption

Supply chain risk is no longer limited to vulnerable code. In 2025, the supply chain expanded to include SaaS integrations, vendor management planes and complex dependency ecosystems. The defining pattern was downstream disruption and parallel assessment. When an upstream provider reported a compromise or outage, customers were often left to stop and answer a basic question: are we affected? In many cases, they had limited visibility into their own exposure.

The new failure mode is not one compromised customer. There are many customers pushed into parallel triage while the upstream picture is still unclear. This makes the supply chain a high-value target for both nation-states and criminal groups. A single compromise can create a one-to-many opportunity, delivered through the trusted connectivity modern business relies on.

SAAS INTEGRATIONS: INHERITED PERMISSIONS AT SCALE

SaaS environments are stitched together through OAuth apps, API keys and workflow automation. These connections routinely carry access to data and business processes. For attackers, compromised integrations can become a lateral movement path that looks like normal automation.

The Hidden Integration Risk

In a recent investigation involving a compromised sales engagement platform (Salesloft/Drift integration), attackers leveraged valid OAuth tokens to access downstream Salesforce environments. The activity resembled routine customer relationship manager (CRM) automation and blended into expected integration traffic. Post-incident review revealed a deeper issue: the organization discovered nearly 100 additional third-party integrations connected to Salesforce, many dormant, unmonitored or owned by former employees.

This exposure is reflected in Unit 42 investigations. Data from SaaS applications was relevant to 23% of cases in 2025, up from 18% in 2024, 12% in 2023, and just 6% in 2022. The steady increase shows how attackers are moving past traditional perimeters and concentrating on the cloud-based tools where modern work now takes place.

The risk is inherited permissions. When an organization integrates a third-party app via OAuth, that application receives whatever rights were originally g
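The sidebar's core detection problem, an integration driven by a stolen OAuth token that "resembled routine CRM automation," worked through as an added example that is not from the report or from Unit 42 and does not describe the actual case. The idea is that an integration's own history is the baseline: a connected app that suddenly reads orders of magnitude more records than it ever has, or starts touching objects it never read before, is behaving like an attacker with its token rather than like the automation it was granted for. The event shape (JSON lines with day, app, object and rows) stands in for a SaaS platform's API audit export and is an assumption; the app names, objects, volumes and the 5x / 3-day thresholds are constructed for illustration.

```python
"""Baseline detector for third-party integration activity in a SaaS tenant.

Added example; not Unit 42 code. Event shape, app names, objects, volumes
and thresholds are assumptions for illustration.
"""
import json
from collections import defaultdict
from statistics import median

VOLUME_MULTIPLIER = 5    # assumed: flag a day at or above 5x the app's median daily rows
MIN_BASELINE_DAYS = 3    # assumed: judge an app only after this many prior days


def aggregate(lines):
    """Sum rows read per (app, day) and collect the objects touched that day."""
    rows_per_day = defaultdict(int)
    objects_per_day = defaultdict(set)
    for line in lines:
        event = json.loads(line)
        key = (event["app"], event["day"])
        rows_per_day[key] += event["rows"]
        objects_per_day[key].add(event["object"])
    return rows_per_day, objects_per_day


def detect(lines):
    """Walk each app's days in order, comparing each day with the days before it."""
    rows_per_day, objects_per_day = aggregate(lines)
    alerts = []
    for app in sorted({app for app, _ in rows_per_day}):
        days = sorted(day for a, day in rows_per_day if a == app)   # ISO dates sort correctly
        history, seen_objects = [], set()
        for day in days:
            rows = rows_per_day[(app, day)]
            objects = objects_per_day[(app, day)]
            if len(history) >= MIN_BASELINE_DAYS:
                baseline = median(history)
                if rows >= VOLUME_MULTIPLIER * baseline:
                    alerts.append({"app": app, "day": day, "reason": "volume",
                                   "rows": rows, "baseline": baseline})
                new_objects = objects - seen_objects
                if new_objects:
                    alerts.append({"app": app, "day": day, "reason": "new_objects",
                                   "objects": sorted(new_objects)})
            history.append(rows)
            seen_objects |= objects
    return alerts


def _event(day, app, obj, rows):
    return json.dumps({"day": day, "app": app, "object": obj, "rows": rows})


# Constructed sample: a sales-engagement connector that reads a few hundred
# Lead/Contact rows a day, then bulk-reads Account and Case on the last day,
# beside a billing sync whose volume never changes.
SAMPLE_EVENTS = [
    _event("2025-08-01", "sales-engagement-app", "Lead", 120), _event("2025-08-01", "sales-engagement-app", "Contact", 80),
    _event("2025-08-02", "sales-engagement-app", "Lead", 110), _event("2025-08-02", "sales-engagement-app", "Contact", 80),
    _event("2025-08-03", "sales-engagement-app", "Lead", 125), _event("2025-08-03", "sales-engagement-app", "Contact", 80),
    _event("2025-08-04", "sales-engagement-app", "Lead", 130), _event("2025-08-04", "sales-engagement-app", "Contact", 80),
    _event("2025-08-05", "sales-engagement-app", "Lead", 115), _event("2025-08-05", "sales-engagement-app", "Contact", 85),
    _event("2025-08-06", "sales-engagement-app", "Lead", 100),
    _event("2025-08-06", "sales-engagement-app", "Account", 50000), _event("2025-08-06", "sales-engagement-app", "Case", 30000),
] + [_event("2025-08-0%d" % d, "billing-sync", "Invoice", 1000) for d in range(1, 7)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the billing sync never alerts, while the sales-engagement connector alerts twice on its last day: a volume alert (80,100 rows against a median of 200) and a new-objects alert for Account and Case. Both are the kind of signal that is invisible to a control which only checks that the OAuth token is valid, and it is exactly the dormant, unowned integrations the sidebar mentions that have no baseline at all, which is a finding in itself.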
