LevelBlue TTP Briefing Q1 2026: Trust Abuse Exposes Weaknesses
Explore the latest trends, techniques, and procedures (TTPs) our incident response (IR) experts are actively facing with the TTP Briefing Q1 2026, a report built on frontline threat intelligence from our global incident response investigations across LevelBlue.
A Unified View of the Threat Landscape
This TTP Briefing is based on threat intelligence derived directly from LevelBlue incident response engagements worldwide over the past quarter. These engagements are technology-agnostic, providing a clear view into the real-world tactics, techniques, and procedures adversaries are using today. The result is a grounded and current perspective on the evolving threat landscape facing our clients.
As LevelBlue continues integrating capabilities across Cybereason, Stroz Friedberg, Trustwave, and Alert Logic, our threat intelligence is expanding to incorporate insights from SpiderLabs and trillions of security events. For the first time, this edition reflects data from the broader LevelBlue incident response and threat intelligence ecosystem. As a result, historical comparisons are not included.
Future editions of the TTP Briefing will continue to build on this unified foundation, delivering deeper and more comprehensive insights from across LevelBlue’s global incident response and threat intelligence teams.
New Tactics Expose Trusted Resources as the Attack Vector
Findings from Q1 highlight that attackers are applying new pressure tactics in their social engineering: impersonating IT teams, targeting help desks to bypass authentication protocols, and even placing external calls over Microsoft Teams to gain a potential victim's trust. Once in, they obtain access to email accounts, exfiltrate data from SharePoint, OneDrive, and other mailboxes, and extort victims. What starts as a business email compromise incident is now resulting in a full network intrusion leading to data exfiltration and extortion.
We have also observed an uptick in lateral movement tactics where threat actors are leveraging native AI tools to evade detection and to easily locate internal data, moving around almost undetected.
Let’s explore a few key findings:
Most Common Threat Types

Figure 1. Most common threat types.
- Business email compromise (BEC) remained the top threat incident type, accounting for 39% of incidents.
- Network intrusions without ransomware rose to become the second most common incident type at 30%. This is in part due to organizations improving their detection capabilities and stopping threat actors before they reach encryption, as well as threat actors simply exfiltrating and extorting victims rather than encrypting.
- Ransomware remained prevalent, totaling 26% of incidents.
Business Email Compromise Leads to Data Exfil and Extortion
Threat actors, including groups like ShinyHunters, have broadened from endpoint-centric intrusion models to identity-driven access against cloud control planes. In Microsoft 365, threat actors are gaining access to OAuth tokens, and leveraging scripted access to Microsoft Graph API, which enables large-scale, low-noise data collection across Exchange Online, OneDrive, and SharePoint without deploying malware or triggering traditional EDR controls. In doing so, they can leverage a business email compromise incident into full data exfiltration and extortion, increasing the potential damage of an incident.
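The low-noise collection pattern described above leaves a trail in the tenant's audit data even when no malware touches an endpoint. The following is an added example (not LevelBlue's code) of the kind of rate-based check a defender can run over mailbox and file access events: it groups content-retrieval operations by user and application and flags any principal that exceeds a threshold inside a sliding window. The records are constructed and use a simplified record shape (CreationTime, Operation, Workload, UserId, AppId) that is only loosely modelled on Microsoft 365 unified audit log entries; the field names, application IDs, and thresholds are assumptions.

```python
"""Flag principals pulling mailbox or file content at bulk rates via Microsoft 365.

Added example, not LevelBlue's code. The records are constructed and use a
simplified shape assumed to resemble unified audit log entries (CreationTime,
Operation, Workload, UserId, AppId); field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Audit operations that represent content retrieval rather than interactive use.
COLLECTION_OPS = {
    "Exchange": {"MailItemsAccessed"},
    "OneDrive": {"FileDownloaded", "FileSyncDownloadedFull"},
    "SharePoint": {"FileDownloaded", "FileSyncDownloadedFull"},
}

# Placeholder identifiers (constructed, not real tenant data).
SCRIPTED_APP_ID = "00000000-0000-0000-0000-0000000000aa"
BROWSER_APP_ID = "00000000-0000-0000-0000-0000000000bb"
BASE = datetime(2026, 1, 15, 2, 0, 0)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_bulk_collectors(records, window=timedelta(minutes=10), threshold=50):
    """Return {(UserId, AppId): {"count": n, "workloads": {...}}} for every
    principal whose content-retrieval operations reach `threshold` inside
    any sliding `window`; the reported window is the busiest one."""
    by_principal = defaultdict(list)
    for r in records:
        if r["Operation"] in COLLECTION_OPS.get(r["Workload"], set()):
            key = (r["UserId"], r["AppId"])
            by_principal[key].append((parse_time(r["CreationTime"]), r["Workload"]))

    hits = {}
    for key, events in by_principal.items():
        events.sort()
        best = (0, 0, 0)  # (count, left index, right index)
        left = 0
        for right in range(len(events)):
            while events[right][0] - events[left][0] > window:
                left += 1
            count = right - left + 1
            if count > best[0]:
                best = (count, left, right)
        count, left, right = best
        if count >= threshold:
            workloads = defaultdict(int)
            for _, w in events[left:right + 1]:
                workloads[w] += 1
            hits[key] = {"count": count, "workloads": dict(workloads)}
    return hits


def make_sample_records():
    """Constructed sample: one scripted principal scraping SharePoint and
    mailboxes within minutes, and one user downloading a few files by hand."""
    recs = []
    for i in range(120):  # 120 file downloads, one every 2 seconds
        recs.append({"CreationTime": (BASE + timedelta(seconds=2 * i)).isoformat(timespec="seconds"),
                     "Operation": "FileDownloaded", "Workload": "SharePoint",
                     "UserId": "victim@example.com", "AppId": SCRIPTED_APP_ID})
    for i in range(40):  # 40 mailbox reads in the same two minutes
        recs.append({"CreationTime": (BASE + timedelta(seconds=3 * i)).isoformat(timespec="seconds"),
                     "Operation": "MailItemsAccessed", "Workload": "Exchange",
                     "UserId": "victim@example.com", "AppId": SCRIPTED_APP_ID})
    for i in range(3):  # benign: three downloads spread over an hour
        recs.append({"CreationTime": (BASE + timedelta(minutes=20 * i)).isoformat(timespec="seconds"),
                     "Operation": "FileDownloaded", "Workload": "OneDrive",
                     "UserId": "alice@example.com", "AppId": BROWSER_APP_ID})
    return recs


if __name__ == "__main__":
    for (user, app), info in find_bulk_collectors(make_sample_records()).items():
        print(f"{user} via app {app}: {info['count']} retrievals in 10 min, by workload {info['workloads']}")
```

Keying on the (user, application) pair matters here: a compromised account used interactively and the same account used by a scripted OAuth client look identical at the user level, but separate cleanly once the application identifier is part of the key.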
Initial Intrusion Vector (How Are They Getting In?)

Figure 2. Initial intrusion vector.
Phishing remained the dominant initial intrusion vector in Q1 at 58%. Exploited vulnerabilities rose to become a top concern in Q1 (20%), with vulnerabilities in edge devices remaining a target for threat actors. External remote services (RDP, VPN) rounded out the top three initial intrusion vectors at 11%.
Social Engineering Pressure Tactics on the Rise
Threat actors are increasingly exploiting trusted communication channels.
We observed threat actors leveraging new social engineering techniques to trick unsuspecting victims. Microsoft Teams has a capability where external accounts can send messages or make calls to accounts within an organization’s Teams tenant. From there, they are impersonating IT and reaching out to victims requesting them to download software or click on links, providing them access to the victim's network. These new efforts are harder to detect, because these messages and calls appear as if they are coming from within the organization, inherently appearing more trustworthy.
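Two defensive angles follow from the technique above: whether the tenant accepts messages and calls from any outside tenant at all, and whether an external sender is presenting an IT or help desk persona. The block below is an added example (not LevelBlue's or Microsoft's code) covering both. The Teams events are constructed with an assumed simplified shape (Operation, SenderUpn, SenderDisplayName, SenderTenantId, RecipientUpn), the tenant identifiers are placeholders, and the configuration dictionary borrows the AllowFederatedUsers and AllowedDomains setting names but is a simplified, assumed structure rather than the real configuration object.

```python
"""Spot external Teams senders posing as IT, and classify tenant federation exposure.

Added example, not LevelBlue's or Microsoft's code. Events are constructed with an
assumed simplified shape (Operation, SenderUpn, SenderDisplayName, SenderTenantId,
RecipientUpn). The configuration dict reuses the AllowFederatedUsers and
AllowedDomains setting names, but its structure is simplified and assumed.
"""
import re

HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder, constructed
OTHER_TENANT_ID = "22222222-2222-2222-2222-222222222222"  # placeholder, constructed

# Display-name vocabulary an IT / help desk persona would use.
IT_PERSONA = re.compile(r"\b(it|help ?desk|service ?desk|support|admin(istrator)?)\b", re.I)


def external_it_impersonation(events, home_tenant_id=HOME_TENANT_ID):
    """Return Teams message/chat events whose sender belongs to another tenant
    and whose display name reads like an internal IT or help desk identity."""
    hits = []
    for e in events:
        if e["Operation"] not in {"MessageSent", "ChatCreated"}:
            continue
        if e["SenderTenantId"] == home_tenant_id:
            continue  # internal sender; out of scope for this check
        if IT_PERSONA.search(e["SenderDisplayName"]):
            hits.append(e)
    return hits


def federation_exposure(config):
    """Classify how reachable users are from outside the tenant.
    'open' means any external tenant can message or call users, which is the
    condition the impersonation technique relies on; an allowlist narrows it."""
    if not config.get("AllowFederatedUsers", False):
        return "closed"
    allowed = config.get("AllowedDomains") or []
    return "open" if not allowed else f"allowlist({len(allowed)})"


SAMPLE_EVENTS = [  # constructed
    {"Operation": "MessageSent", "SenderUpn": "helpdesk@it-support.example",
     "SenderDisplayName": "IT Help Desk", "SenderTenantId": OTHER_TENANT_ID,
     "RecipientUpn": "bob@example.com"},
    {"Operation": "MessageSent", "SenderUpn": "jane@partner.example",
     "SenderDisplayName": "Jane Smith", "SenderTenantId": OTHER_TENANT_ID,
     "RecipientUpn": "bob@example.com"},
    {"Operation": "MessageSent", "SenderUpn": "itsupport@example.com",
     "SenderDisplayName": "IT Support", "SenderTenantId": HOME_TENANT_ID,
     "RecipientUpn": "bob@example.com"},
    {"Operation": "ChatCreated", "SenderUpn": "desk@servicedesk.example",
     "SenderDisplayName": "Service Desk", "SenderTenantId": OTHER_TENANT_ID,
     "RecipientUpn": "carol@example.com"},
]

if __name__ == "__main__":
    for h in external_it_impersonation(SAMPLE_EVENTS):
        print(f"external sender {h['SenderUpn']} shown as '{h['SenderDisplayName']}' to {h['RecipientUpn']}")
    print("federation:", federation_exposure({"AllowFederatedUsers": True, "AllowedDomains": []}))
```

The persona regex is deliberately narrow; widen it with the names of your own internal teams, and treat a match from outside the tenant as a trigger for a user-facing banner or a help desk verification step rather than an automatic block.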
Most Commonly Observed CVEs – Q1
CVE | Impacted Product
CVE-2026-1731 | BeyondTrust Remote Support
CVE-2025-40601 | SonicWall SonicOS SSL-VPN
CVE-2025-0108 | PAN-OS Authentication Bypass
CVE-2024-55591 | Fortinet FortiOS
CVE-2024-53705 | SonicWall SonicOS SSH
CVE-2024-53704 | SonicWall SonicOS SSL-VPN
CVE-2024-40766 | SonicWall SonicOS improper access control vulnerability
CVE-2024-40762 | SonicWall SonicOS SSL-VPN
CVE-2024-23113 | Fortinet FortiOS
CVE-2024-21762 | Fortinet FortiOS
CVE-2021-4034 | Polkit privilege escalation vulnerability
MFA Implementation Continues to Increase, and So Does Bypass
Figure 3. MFA implementation.
Figure 4. MFA bypass.
In Q1, 84% of organizations had MFA implemented, but was it phishing resistant? Our data shows that in investigations where MFA was implemented, attackers bypassed it 95% of the time. Diverse phishing tactics, adversary-in-the-middle (AiTM) attacks, and session token interception remain successful in bypassing authentication controls.
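In an AiTM flow the MFA challenge is genuinely completed, just not by the user's own device: the proxy satisfies it, and the captured session token is then replayed from the attacker's infrastructure. That gives a detectable shape in sign-in data, namely the same session appearing from two different networks shortly after MFA. The block below is an added example (not LevelBlue's code) of that check. The sign-in records are constructed with an assumed simplified shape (time, user, sessionId, ip, asn, mfaSatisfied); real identity-provider logs use different field names, and the ASN comparison is an assumed heuristic to tolerate ordinary address churn inside one carrier network. IPs and AS numbers come from documentation ranges.

```python
"""Detect a session token presented from a different network shortly after MFA.

Added example, not LevelBlue's code. Sign-in records are constructed with an
assumed simplified shape (time, user, sessionId, ip, asn, mfaSatisfied); real
sign-in logs carry different field names. Comparing ASNs rather than raw IPs is
an assumption made to tolerate IP churn within a single carrier network.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def session_reuse_across_networks(signins, window=timedelta(hours=1)):
    """For each (user, sessionId), locate the sign-in that satisfied MFA, then
    flag the first later sign-in within `window` that presents the same session
    from a different ASN. Returns one alert dict per affected session."""
    by_session = defaultdict(list)
    for s in signins:
        by_session[(s["user"], s["sessionId"])].append(s)

    alerts = []
    for (user, sid), events in by_session.items():
        events.sort(key=lambda e: parse_time(e["time"]))
        mfa = next((e for e in events if e["mfaSatisfied"]), None)
        if mfa is None:
            continue  # no MFA-bearing sign-in to anchor on
        t0 = parse_time(mfa["time"])
        for e in events:
            t = parse_time(e["time"])
            if t < t0 or t - t0 > window:
                continue
            if e["asn"] != mfa["asn"]:
                alerts.append({
                    "user": user,
                    "sessionId": sid,
                    "mfa_ip": mfa["ip"],
                    "replay_ip": e["ip"],
                    "minutes_after_mfa": int((t - t0).total_seconds() // 60),
                })
                break
    return alerts


SAMPLE_SIGNINS = [  # constructed; IPs and ASNs are from documentation ranges
    # victim: MFA completed through the proxy, token replayed 7 minutes later elsewhere
    {"time": "2026-02-03T09:00:00", "user": "victim@example.com", "sessionId": "sess-A1",
     "ip": "198.51.100.10", "asn": 64500, "mfaSatisfied": True},
    {"time": "2026-02-03T09:07:00", "user": "victim@example.com", "sessionId": "sess-A1",
     "ip": "203.0.113.77", "asn": 64501, "mfaSatisfied": False},
    # alice: same session, IP changed within one carrier network; benign
    {"time": "2026-02-03T09:00:00", "user": "alice@example.com", "sessionId": "sess-B7",
     "ip": "192.0.2.5", "asn": 64502, "mfaSatisfied": True},
    {"time": "2026-02-03T09:30:00", "user": "alice@example.com", "sessionId": "sess-B7",
     "ip": "192.0.2.9", "asn": 64502, "mfaSatisfied": False},
]

if __name__ == "__main__":
    for a in session_reuse_across_networks(SAMPLE_SIGNINS):
        print(f"{a['user']} session {a['sessionId']}: MFA from {a['mfa_ip']}, "
              f"reused from {a['replay_ip']} after {a['minutes_after_mfa']} min")
```

A hit here is a reason to revoke the session and re-challenge the user, and it is the kind of signal that phishing-resistant factors such as FIDO2 keys remove at the source, since the proxy cannot complete an origin-bound challenge on the user's behalf.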
Most Targeted Industries and Company Sizes

Figure 5. Impacted industries.
Financial services remained the most targeted industry (21%). This quarter, healthcare was the second most impacted sector (16%) and manufacturing was third (14%), reflecting increased targeting amid broader geopolitical tensions.
Tactics Across the Intrusion Path

Figure 6. Trends across the intrusion path.
The TTP Briefing provides data across the five stages of the intrusion path, from initial access to persistence and escalation techniques, to exfiltration and monetization tactics. Noteworthy findings include:
- Threat actors continue to leverage AnyDesk and PsExec as the most common tools for persistence.
- Native AI tools are being abused for lateral movement, allowing threat actors to reduce their footprint and evade detection when moving within a network.
- Threat actors are increasingly exfiltrating data during network intrusion incidents at the "data at risk" stage of the intrusion path, but are not encrypting systems. In Q4 2025, we saw data exfiltration in 69% of cases, which increased in Q1 2026 to 73%.
Threat Actors Move Laterally, Discreetly, with AI Tools
In Q1, we observed attackers leveraging native AI tools within compromised environments to locate sensitive data more efficiently.
By using internally available tools to search for network diagrams, credentials, and organizational data, attackers can move laterally with a lower profile, reducing the likelihood of detection.
A Look into Dwell Time

Figure 7. Dwell time with data caveat.
In the TTP Briefing, we exclude any MDR clients and measure dwell time from the initial date of the compromise until our IR team is engaged. 38% of our cases had a dwell time of 31+ days.
One factor that can contribute to the appearance of longer dwell times relates to initial access brokers (IABs), who obtain unauthorized access and then sell that access to another threat actor group. As a result, we often observe a latency period between initial exploitation and the new threat actor leveraging the unauthorized access. During that latency period, which falls within the overall 31+ day dwell time figures, there is commonly no active malicious activity in the network, but the organization has already been compromised.
If you would like more information about this report, our team is available 24/7 at response@levelblue.com
ABOUT LEVELBLUE
LevelBlue secures what's next with intelligence-led security delivering visibility and speed to stop threats faster. As the world's largest and most analyst-recognized pure-play managed security services provider, our AI-powered managed services and cyber expertise across managed, advisory, and incident response services help clients operate with confidence.