A recent report from ConnectWise found that attackers are increasingly exploiting trusted identities, along with remote access infrastructure and software supply chains, while AI continues to increase the speed and scale of attacks.
2026 MSP Threat Report shows trusted identities and legitimate tools are top targets
The research, ConnectWise’s 2026 MSP Threat Report, provides global threat intelligence and actionable guidance for managed service providers (MSPs) navigating the cybersecurity landscape.
It has identified trends across North America, Europe, and the Asia-Pacific (APAC).
The report states that adversaries are no longer relying primarily on novel exploits; instead, they are exploiting trusted identities, legitimate system tools, remote access infrastructure, and software supply chains to gain faster, more scalable access to MSP-managed environments worldwide.
Backup infrastructure targeted early as actors bypass MFA and other safeguards
Groups such as Akira demonstrated rapid “scan, steal, encrypt” lifecycles that target backup infrastructure early to prevent recovery.
Threat actors have also bypassed OTP-based multi-factor authentication (MFA) by exploiting inherited VPN configuration artifacts or retained appliance secrets.
Regional nuances and other key findings point to evolving threat landscape
While the report found that risks are consistent worldwide, there are regional nuances.
In North America, ransomware operators prioritized speed and early disruption of backups in mid-sized business environments.
In Europe, manufacturing and supply chain ecosystems saw increased targeting through credential and remote access abuse.
In the APAC region, growing small- and medium-sized businesses (SMBs) are experiencing expanded exposure of perimeter infrastructure and credential-stuffing campaigns.
Among other findings are:
- VPN infrastructure became a consistent entry point: Publicly exposed SSL VPN interfaces were repeatedly targeted through credential stuffing, inherited secrets, and critical vulnerabilities affecting major vendors. Organizations have experienced full domain compromise within hours of successful VPN authentication.
- Software supply chain compromise expanded downstream risk: Supply chain attacks intensified in scale and automation. Campaigns have compromised npm maintainer accounts and propagated trojanized updates across thousands of downstream environments. Ecosystems like PyPI, NuGet, RubyGems, and Rust often faced phishing and malicious package-injection campaigns that turned routine dependency updates into execution paths.
- ClickFix and user-mediated execution matured: ClickFix-style social engineering attacks – where users are manipulated into copying and pasting malicious commands into legitimate utilities – are becoming a repeatable and adaptable intrusion method. This type of attack can bypass traditional defenses by shifting execution responsibility to the user.
- AI increased attacker scale and realism: AI’s impact has been evident through increases in deepfake-enabled fraud, LLM-generated phishing campaigns, AI-assisted malware development, and automation that lowered barriers to entry for threat actors globally. AI has made tactics faster, more scalable, and more convincing.
“The defining theme of 2025 was the abuse of trust,” said Patrick Beggs, Chief Information Security Officer at ConnectWise.
“Attackers are exploiting valid credentials, misconfigured VPNs, trusted updates, and even user behavior to gain access to systems and data. For MSPs, this means identity security, privileged access governance, and early behavioral detection must be foundational. At ConnectWise, we’re continuously evolving our platform to help customers ensure trust and transparency across the environments they manage.”
How ConnectWise is addressing this shift
By continuing to strengthen and integrate cybersecurity and data protection capabilities across the ConnectWise Platform, the organization is keeping pace with this shift.
The platform features:
- Privileged Access Management (PAM) to enforce least privilege and reduce the blast radius from credential compromise.
- Managed Endpoint Detection and Response (Managed EDR) for continuous, behavior-based monitoring and rapid containment.
- Security Information and Event Management (SIEM) for correlating identity, endpoint, and network telemetry across multi-tenant environments.
- Business Continuity and Disaster Recovery (BCDR) for immutable backup capabilities designed to resist tampering.
Recently, ConnectWise acquired zofiQ to accelerate automation across MSP service desks and to drive AI capabilities.





