Stolen Credentials and Valid Account Abuse Remain Integral to Financially Motivated Intrusions
Published 2025-10-30, via feeds.fortinet.com

Introduction

Throughout the first half of 2025, the FortiGuard Incident Response team responded to dozens of engagements across multiple industries that we attribute broadly to financially motivated threats. Each case had unique circumstances, but one theme was consistent: attackers continue to rely on valid accounts and legitimate remote access tools rather than on “implant-heavy” intrusions.

Industry representation aligns closely with findings from the FortiRecon Threat Intelligence Report (H1 2025), indicating that credential exposure trends observed externally mirror those seen during FortiGuard IR engagements.

Figure 1: Victim Industries (Source: FortiRecon Threat Intelligence Report H1 2025)

Together, these insights point to a clear pattern: financially motivated adversaries are targeting a broad range of sectors but relying on the same low-complexity, high-return methods.

This approach allows threat actors to blend in with normal business activity, making detection significantly harder. In many cases, the “breach” was not a sophisticated exploit—it was simply a successful login event buried among routine ones. That login is frequently the downstream result of an earlier compromise, such as a credential-harvesting phishing campaign or an infostealer infection.

While this observation is not new, organizations need to recognize how prevalent this approach is so they can apportion resources to mitigate it appropriately. This matters especially amid the hype around more headline-grabbing changes to the threat landscape, such as AI-enabled attacks, which divert organizational focus away from threats with more direct impact.

Despite this hype around AI-enabled cyberattacks, the FortiGuard IR team has not identified evidence that adversaries are using AI in ways that warrant changes to current risk management priorities.

What We Observed

In cases we investigated, adversaries gained initial access through:

  • Compromised credentials: Attackers used credentials harvested via phishing, obtained through password reuse, or purchased from Initial Access Brokers (IABs). The FortiGuard IR team, in collaboration with the FortiRecon team, has identified advertised credential sales that correspond to compromised victims.
  • External remote services: VPN services were the primary way adversaries turned compromised credentials for valid accounts into access. Adversaries authenticated attacker-controlled workstations to the victims’ VPN and used this foothold to progress their intrusions.
  • Exploit public-facing applications: Financially motivated adversaries exploited vulnerabilities, overwhelmingly n-day flaws for which patches were already available, and used this access primarily to install legitimate remote management software (AnyDesk, Atera, Splashtop, etc.) as a foothold.

Figure 2: Initial Access Technique Prevalence (H1 2025)

Once inside, adversaries often do the following:

  • Leverage legitimate remote access tools: AnyDesk, Splashtop, Atera, and ScreenConnect were the most frequently observed in cases we investigated. Even where the victim already used one of these tools legitimately, threat actors dropped their own instances, frequently more than one product, to establish a foothold or secondary persistence.
  • Leverage valid accounts for ‘manual’ lateral movement: We observed extensive lateral movement using built-in tools (RDP, SMB, and WinRM), much of which appeared to be performed ‘manually’ (i.e., a single adversary operator moving sequentially from a VPN-authenticated endpoint to individual endpoints within the victim network).
  • Perform ‘manual’ data exfiltration: We observed numerous adversaries using ‘drag and drop’ file transfer over installed RMM tools and RDP sessions to exfiltrate data directly to their infrastructure. Because the transfer rides the existing remote-session channel rather than a separate upload, it is more difficult to mitigate and detect than more overt techniques such as T1567 – Exfiltration Over Web Service: there are few artifacts from which to identify what was exfiltrated.
  • Dump credentials with known tooling (Mimikatz) and Zerologon exploitation: Where adversaries needed additional or elevated credentials, we continued to observe heavy use of Mimikatz and its derivatives to perform various T1003 – OS Credential Dumping sub-techniques, as well as consistent exploitation of Zerologon (CVE-2020-1472).

Example Cases:

  • Case A - VPN misuse (ransomware): The IT team discovered that their servers had been encrypted and that they could not reach the virtual machines at all, because the adversary had encrypted the hypervisor itself. Our investigation found that the adversary had used valid credentials to authenticate to the victim’s VPN, which was configured without MFA and granted unrestricted access to the internal environment. From there, the adversary pulled credentials for the hypervisor management interface that were cached in a compromised user’s browser and deployed ransomware.
  • Case B - Remote access tool abuse (APT): The adversary used a stolen domain administrator account to authenticate to the victim’s VPN, again configured without MFA, and deployed AnyDesk across the victim’s systems through a combination of RDP sessions and Group Policy. Because the deployment blended in with legitimate IT operations, detection was delayed.
  • Case C - Edge compromise and manual operations (ransomware): The adversary gained access by exploiting an n-day vulnerability (roughly 12 months old at the time) in external-facing servers. They then installed AnyDesk, Splashtop, and Atera on the compromised server for persistence. Next, they used their server access to create privileged accounts disguised as service accounts, moved laterally via RDP with those accounts, manually identified key documents for extortion, and exfiltrated the data using the open-source backup tool Restic.

Key Takeaway:

Different threat actors, but similar approaches: remote access software and valid accounts used to evade detection. This overlap highlights the need for identity-focused defense and for monitoring remote access tools, which frequently evade EDR tooling that is tuned to detect overtly malicious malware or behaviors in the context of a single endpoint.

Using this forensic artifact, FortiGuard IR was able to retrieve evidence of the execution of files that the threat actor had deleted from the system, such as the tool GMER (renamed gomer.exe) and malicious batch files.

Why Attackers Favor This Approach

  • Stealth: Adversary activity looks like legitimate user or administrator behavior. Unless the security team has alerts that compare end-user behavior across the environment, detection through standard controls is unlikely unless the adversary makes a mistake.
  • Bypassing controls: Malware- and endpoint-behavior-focused defenses often miss user and identity anomalies, especially those that are only visible when artifacts from multiple endpoints are correlated, e.g., login events indicating impossible travel, or data access outside reasonable business usage.
  • Speed: Valid accounts let attackers move directly to sensitive systems. Threat actors do not need to create new accounts when the access they need has already been provisioned. Additionally, by using services like RDP, adversaries inherit the compromised users’ workflows, which lets them quickly identify the services and key data those users work with.
  • Low cost: As widespread infostealer and credential-harvesting campaigns continue to succeed across the globe and across business verticals, stolen credentials are becoming cheaper and more widely available. Figure 3, below, shows indicative advertised prices for credentials to organizations across the globe; the ranges reflect the type of access and the victim type.
  • Low skill barrier: In many cases, we observed the adversary simply authenticating to a VPN with valid credentials and then using nothing but RDP to move through the victim’s network. The barrier to entry for achieving objectives this way is extremely low.
Company revenue (USD)    Developed economies    Emerging/developing economies
$1B+                     $10K-20K               $3K-6K
$500M-1B                 $4K-8K                 $1K-5K
$100M-500M               $2K-5K                 $500-2K
Below $100M              $500-1.5K              $100-500

Figure 3. Price of Credentials by Organization, Size, and Region

Implications for Defenders

Defending against these trends requires a shift toward identity- and behavior-driven detections rather than reliance on the generic detection logic built into most EDR solutions. Most of the detection and hardening measures below are only effective when tailored to the implementing organization’s own behavior, and they require investment from security teams to implement well.

Examples:

  • Build baselines of normal account activity and alert on deviations: For example, if certain users should only be accessing specific systems or applications at certain times, access outside those expectations should be flagged as unusual and investigated further.

Identity Security

  • Enforce MFA for all users, including contractors, vendors, and privileged accounts: Adversaries continue to take advantage of the weakened configurations organizations often put in place to allow legitimate third-party access.
  • Enforce MFA within the network: MFA at the perimeter is effective, but enforcing it internally as well reduces impact and lengthens adversaries’ intrusion timelines in the event of a breach, which in turn creates more detection opportunities.
  • Apply conditional access policies: These enable organizations to detect and block compromised accounts before adversaries can fast-track through their kill chains. Where conditional access cannot be enforced, organizations still benefit from logging access to key data and services; as with internal MFA, this provides additional data for identifying anomalous behavior.
  • Enforce least privilege: Limit the use of privileged accounts throughout the environment and prevent privileged accounts from authenticating through the VPN infrastructure. Build detections around anomalous use of privileged accounts.

Remote Access Controls

  • Explicitly restrict RMM tools such as AnyDesk, Splashtop, Atera, and ScreenConnect where they are not required for business purposes: Monitor new installations of RMM tools and execution of their binaries, and implement detections for the network connections associated with their operation. These four were the most prevalent tools we observed over the last six months, but the fantastic open-source LOLRMM project provides a far more comprehensive list along with details on detecting their use.
  • Explicitly disable SSH, RDP, and WinRM where they are not required to support business functions: Once disabled, alert when they are re-enabled or used. Adversaries often re-enable these services, and without such triggers in place, organizations miss high-confidence detection opportunities.
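One way to turn the RMM recommendation above into detection logic, as an added example that is not part of the original post or any Fortinet product: triage process-creation telemetry for the RMM agents named in the article. The events are constructed and modelled on Sysmon Event ID 1 fields (Computer, User, Image, OriginalFileName); the RMM_BINARIES map is an illustrative subset and the SANCTIONED host list is an assumption, so take the authoritative binary and artifact list from LOLRMM and substitute your own help-desk hosts. The key idea is that OriginalFileName comes from the PE version resource and survives renaming on disk, so a mismatch with the on-disk file name (the Case C pattern of disguising tooling) is the highest-confidence signal.

```python
"""Flag RMM agent execution from process-creation telemetry.

Added example; the events below are constructed and modelled on Sysmon
Event ID 1 fields (Computer, User, Image, OriginalFileName). RMM_BINARIES is
an illustrative subset (assumption); take the authoritative binary, domain
and artifact list from the LOLRMM project. SANCTIONED is also an assumption.
"""
from pathlib import PureWindowsPath

# Illustrative subset of RMM executables, keyed by original PE file name (lower-case).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "srserver.exe": "Splashtop Streamer",
    "srmanager.exe": "Splashtop Streamer",
    "ateraagent.exe": "Atera",
    "screenconnect.clientservice.exe": "ScreenConnect",
}

# Assumption: hosts on which a given RMM product is sanctioned for help-desk use.
SANCTIONED = {"HELPDESK-01": {"ScreenConnect"}}

# Locations a normal installer does not use; a writable drop location raises severity.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\users\\public\\")

# Constructed sample events (not real telemetry).
EVENTS = [
    {"Computer": "HELPDESK-01", "User": "CORP\\helpdesk1",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
     "OriginalFileName": "ScreenConnect.ClientService.exe"},
    {"Computer": "FILESRV01", "User": "CORP\\jdoe",
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe"},
    {"Computer": "SQL01", "User": "CORP\\svc-backup2",
     "Image": r"C:\Users\Public\svchost_update.exe",
     "OriginalFileName": "AnyDesk.exe"},
    {"Computer": "WS-017", "User": "CORP\\asmith",
     "Image": r"C:\Users\asmith\AppData\Local\Temp\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe"},
    {"Computer": "WS-042", "User": "CORP\\asmith",
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]


def in_user_writable_path(image: str) -> bool:
    """True if the image sits in a location an end user (or a dropper) can write to."""
    lowered = image.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def classify(event: dict):
    """Return (severity, product, reason) for an RMM-related event, else None.

    OriginalFileName is read from the PE version resource, so it survives renaming
    the file on disk; a mismatch with the on-disk name is the strongest signal.
    """
    image_name = PureWindowsPath(event["Image"]).name.lower()
    original = (event.get("OriginalFileName") or "").lower()
    product = RMM_BINARIES.get(original) or RMM_BINARIES.get(image_name)
    if product is None:
        return None
    if original in RMM_BINARIES and image_name != original:
        return ("high", product, f"renamed binary {image_name} (OriginalFileName={original})")
    if product in SANCTIONED.get(event["Computer"], set()):
        return ("info", product, "sanctioned host")
    if in_user_writable_path(event["Image"]):
        return ("high", product, "RMM executed from user-writable path on non-sanctioned host")
    return ("medium", product, "RMM executed on non-sanctioned host")


def triage(events):
    """Return one (Computer, User, severity, product, reason) tuple per RMM-related event."""
    findings = []
    for event in events:
        verdict = classify(event)
        if verdict is not None:
            findings.append((event["Computer"], event["User"], *verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(" | ".join(str(field) for field in finding))
```

In production the same logic runs over a SIEM query rather than an in-memory list, and the network side of the recommendation (connections to each vendor's relay infrastructure) is a second rule keyed on the domain lists LOLRMM publishes.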

Anomalous User Behavior

  • Monitor for suspicious remote access activity: Impossible travel (an employee logging on from somewhere they could not possibly be), system access outside normal business hours, and remote logins to the in-office endpoints of regular users are tried-and-tested detection opportunities that can be implemented using freely available logs.
  • Monitor for unusual account activity across systems that share accounts: Apply this to user, admin, and service accounts. For example, one account logged into multiple systems simultaneously, or multiple accounts logged into the same system within a short window, should trigger an alert.
  • Remote Desktop Protocol (RDP) misuse: While RDP use may be routine for administrators or IT support, it normally originates only from approved workstations or servers. Monitoring RDP logons (Windows Security event 4624 with Logon Type 10) and comparing the source host against a list of known approved admin systems can identify lateral movement attempts.
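The account-baseline recommendation under "Examples" and the three anomalous-behavior bullets above describe four concrete checks; the following is an added example implementing them, not code from the original post or from any Fortinet product. The logon events are constructed and modelled on Security event 4624 fields (account, source host, target host, logon type, time), with a geo country attached to the VPN authentications; the field names, the five-minute and two-hour windows, the host-count thresholds and the APPROVED_RDP_SOURCES list are all assumptions to replace with your own baseline.

```python
"""Identity-anomaly checks over Windows logon events.

Added example; the events below are constructed and modelled on Security
event 4624 fields (account, source host, target host, logon type, time),
plus a geo country for VPN authentications. Field names, thresholds and the
approved RDP source list are assumptions to tune against your own baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: jump hosts from which interactive RDP (Logon Type 10) is expected.
APPROVED_RDP_SOURCES = {"ADMIN-JUMP01", "ADMIN-JUMP02"}

# Constructed sample events (not real telemetry). Type 3 = network, Type 10 = RemoteInteractive.
EVENTS = [
    {"time": "2025-03-04T09:00:00", "account": "jdoe", "src": "LAPTOP-JDOE", "dst": "VPN-GW", "type": 3, "country": "US"},
    {"time": "2025-03-04T09:40:00", "account": "jdoe", "src": "VPN-POOL-17", "dst": "VPN-GW", "type": 3, "country": "RO"},
    {"time": "2025-03-04T09:42:00", "account": "jdoe", "src": "VPN-POOL-17", "dst": "FILESRV01", "type": 10},
    {"time": "2025-03-04T09:42:40", "account": "svc-backup", "src": "BACKUP01", "dst": "FILESRV01", "type": 3},
    {"time": "2025-03-04T09:43:30", "account": "jdoe", "src": "VPN-POOL-17", "dst": "SQL01", "type": 10},
    {"time": "2025-03-04T09:44:10", "account": "jdoe", "src": "VPN-POOL-17", "dst": "ESXI-MGMT", "type": 10},
    {"time": "2025-03-04T10:15:00", "account": "it-admin", "src": "ADMIN-JUMP01", "dst": "FILESRV01", "type": 10},
]


def parse(events):
    """Convert timestamps and return events in chronological order."""
    parsed = [dict(e, time=datetime.fromisoformat(e["time"])) for e in events]
    return sorted(parsed, key=lambda e: e["time"])


def rdp_from_unapproved(events):
    """Type 10 logons whose source host is not an approved admin system."""
    return [e for e in events if e["type"] == 10 and e["src"] not in APPROVED_RDP_SOURCES]


def fan_out(events, window=timedelta(minutes=5), min_hosts=3):
    """One account reaching >= min_hosts distinct hosts within `window` (lateral movement)."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    hits = []
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            hosts = {x["dst"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                hits.append((account, start["time"], sorted(hosts)))
                break  # one finding per account is enough for triage
    return hits


def shared_host_multi_account(events, window=timedelta(minutes=5), min_accounts=2):
    """>= min_accounts distinct accounts logging on to the same host within `window`."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["dst"]].append(e)
    hits = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            accounts = {x["account"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(accounts) >= min_accounts:
                hits.append((host, start["time"], sorted(accounts)))
                break
    return hits


def impossible_travel(events, max_gap=timedelta(hours=2)):
    """Consecutive geo-tagged logons for one account from different countries within max_gap."""
    by_account = defaultdict(list)
    for e in events:
        if e.get("country"):
            by_account[e["account"]].append(e)
    hits = []
    for account, evs in by_account.items():
        for earlier, later in zip(evs, evs[1:]):
            if earlier["country"] != later["country"] and later["time"] - earlier["time"] <= max_gap:
                hits.append((account, earlier["country"], later["country"], later["time"]))
    return hits


def run_checks(raw_events):
    """Run every check and return findings keyed by check name."""
    events = parse(raw_events)
    return {
        "rdp_from_unapproved": rdp_from_unapproved(events),
        "fan_out": fan_out(events),
        "shared_host_multi_account": shared_host_multi_account(events),
        "impossible_travel": impossible_travel(events),
    }


if __name__ == "__main__":
    for name, findings in run_checks(EVENTS).items():
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("   ", finding)
```

On the sample data the constructed jdoe session trips all four checks (a VPN login from a second country 40 minutes after the first, then RDP from the VPN pool into three servers in under five minutes), which is exactly the "log in, then RDP around" pattern the cases above describe; the it-admin logon from an approved jump host does not. The thresholds are deliberately low for illustration, and the shared-host check in particular needs a per-host baseline (two accounts hitting a file server within five minutes is normal for many servers) before it is worth alerting on.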

Recommended Fortinet Solutions

Organizations can strengthen their defenses and improve detection, visibility, and response across these attack techniques using the following Fortinet products:

  • FortiRecon: Continuously monitor your external attack surface and receive alerts for exposed or compromised credentials before they’re exploited.
  • FortiSIEM: Correlate and hunt for suspicious user and system activity across hybrid environments to identify account misuse or anomalous logins.
  • FortiDeceptor: Deploy decoys to detect and investigate lateral movement attempts in real time, providing early warning of credential abuse or internal reconnaissance.
  • FortiNDR: Identify and contain suspicious network activity through advanced behavioral analytics and AI-driven threat detection.
  • FortiEDR: Detect and stop malicious activity on endpoints, including ransomware encryption attempts and credential dumping behavior.

Together, these solutions extend visibility from endpoint to cloud, helping defenders detect stealthy intrusions earlier in the kill chain and reduce attacker dwell time.

Closing Thoughts

Across these breaches investigated by the FortiGuard IR team, the story was consistent: Attackers didn’t need to break in—they simply logged in.

The abuse of valid accounts and legitimate remote access tools continues to be one of the biggest blind spots in enterprise defense. Organizations that strengthen identity protections, access controls, and behavioral monitoring will be far better prepared to stop these stealthy, malware-less intrusions before damage occurs.

Additional guidance on mitigating these adversary activities is available in our most recent yearly report: FortiGuard Incident Response Insights Report 2024: What worked, what failed, and why

FortiGuard Security Advisory Services

FortiGuard Security Advisory Services deliver expert guidance and hands-on support to help organizations assess, prepare for, and respond to cybersecurity incidents. These vendor-agnostic offerings are designed to strengthen resilience and close gaps related to people, processes, and technology before an incident occurs or during an active compromise.

If your organization is experiencing a cybersecurity incident and needs assistance, FortiGuard IR offers a free scoping consultation to determine how we can support your response. Contact us directly.


Source: https://feeds.fortinet.com/~/926961680/0/fortinet/blog/threat-research~Stolen-Credentials-and-Valid-Account-Abuse-Remain-Integral-to-Financially-Motivated-Intrusions