Identity & Beyond: 2026 Incident Response Predictions

In 2026, incident response (IR) will continue its shift away from traditional malware-centric investigations toward identity-driven intrusions, abuse of trusted cloud services, and low-signal, high-impact activity that blends seamlessly into normal business operations. Rather than relying on technical exploits, threat actors are prioritizing legitimate access, persistence, and operational efficiency, enabling them to evade users, security controls, and automated detection.

Over the last 12 months, we saw phishing and social engineering as the initial intrusion vector for 40% of all our cases worldwide, more than double the next two most popular vectors, credential abuse and CVE exploitation. Despite massive advancements in email security, attackers have been able to circumvent traditional defenses by avoiding traditional malware.

As a result, incidents will be defined less by obvious compromise indicators and more by subtle misuse of authentication flows, cloud applications, and established business workflows, challenging defenders to distinguish malicious activity from routine behavior.

By 2026, compromise will look less like an intrusion and more like business as usual.

1. Identity Is the Primary Attack Surface

Modern compromises will increasingly resemble normal user behavior rather than traditional breaches. Threat actors will continue to deprioritize malware in favor of abusing identity systems, cloud access, and trusted applications.

Attackers will increasingly rely on:

  • Attempts to bypass phishing-resistant MFA using adversary-in-the-middle (AiTM) techniques
  • OAuth application abuse and token theft to gain and maintain authorized access
  • Session hijacking through stolen cookies or tokens rather than credentials
  • Abuse of legitimate enterprise applications to blend malicious activity into normal business operations

DFIR Impact:

Investigations will hinge on identity telemetry, including authentication and sign-in logs, token lifetimes, OAuth grants, consent history, and anomalous access patterns, rather than traditional endpoint artifacts or malware analysis.

2. OAuth & API Abuse Becomes a Standard Persistence Mechanism

Attackers will increasingly establish persistence through API-driven access paths, using OAuth primarily as the authorization layer rather than the end goal. Once access is granted, malicious activity shifts to app-only and background API operations that require no user interaction and often survive password resets, MFA resets, and session revocation.

This enables durable, low-noise persistence that bypasses traditional identity-based remediation and is difficult to detect using login-centric controls.

OAuth gets them in, APIs keep them there.

OAuth-based persistence will mature into a default post-compromise technique, including:

  • Long-lived refresh tokens: Allow attackers to continuously obtain new access tokens without reauthentication.
  • App consent abuse using benign-appearing permissions: Low-risk permissions (e.g., read access) are chained to enable reconnaissance, data access, and downstream fraud.
  • Re-consent loops after remediation: Attackers intentionally engineer scenarios where users or admins re-authorize malicious apps after cleanup, restoring access as a recovery mechanism.
  • Abuse of partner and third-party integrations: Persistence through trusted access paths such as MSP relationships, CRM integrations, marketing platforms, e-signature services, and accounting or invoice applications.

2026 reality: Attackers will increasingly pivot into trusted integrations instead of individual users, relying on API access that blends into normal business operations.

Persistence is no longer about staying logged in; it’s about staying authorized.

DFIR Impact:

Attackers will rely less on passwords and more on authorized access that survives remediation: OAuth apps, API tokens, and third-party integrations that look legitimate and quietly persist. IR timelines will increasingly require app-level analysis, not just account resets. Missed OAuth artifacts will result in re-compromise.

3. BEC Evolves Beyond Email

BEC is no longer about tricking users into clicking malicious links. Instead, it has evolved into quietly operating inside trusted business environments using legitimate access. BEC is no longer strictly an email problem, either. It is now an identity and collaboration abuse problem. 

BEC will increasingly expand into:

  • Calendar invite phishing: Attackers abuse calendar systems to deliver malicious links through meeting invitations that bypass traditional email controls.
  • Teams/Slack–based social engineering: After compromise, attackers move conversations into real-time collaboration tools, using familiar internal messaging to request urgent financial actions (e.g., “Finance is asking you to process this ASAP”).
  • Internal invoice manipulation via shared drives: Rather than sending fake invoices, attackers modify legitimate invoices stored in shared repositories, quietly changing payment details without generating new messages.
  • Vendor impersonation using compromised SaaS tenants: Attackers compromise a vendor’s SaaS tenant and leverage legitimate vendor email, domains, shared folders, and collaboration tools. (They don’t impersonate the vendor, they are the vendor.)

DFIR Impact:

IR teams must correlate email, collaboration platforms, file access, and finance workflows to fully scope impact. BEC no longer lives in the inbox; it lives inside the business.

4. “Living-Off-the-Tenant” Attacks Increase

While there are still plenty of attacks involving living-off-the-land tactics with tools like PowerShell or WMI, in cloud-centric incidents the environment itself becomes the weapon. Rather than deploying malware or external tooling, threat actors increasingly abuse native tenant features, trusted services, and existing configurations to establish and maintain access.

Attackers will increasingly rely on:

  • Native cloud tooling (Microsoft Graph API, Exchange Online management, SharePoint sharing, Teams messaging)
    No foreign tools, only what already exists within the tenant.
  • Admin-approved services (CRM connectors, e-signature platforms, marketing tools, MSP integrations)
    Trust is already established, reducing friction and detection.
  • Default configurations (user OAuth consent enabled, legacy protocols allowed, over-permissive sharing, weak Conditional Access baselines)
    Attackers exploit what defenders never changed.
  • Poor tenant hygiene (stale service principals, unreviewed app permissions, excessive global admins, limited log retention, lack of app ownership)
    Persistence thrives in neglected environments.

DFIR Impact:

When attackers no longer need tools, the tenant itself becomes the attack surface. The absence of malware will no longer imply low risk. Investigators must prove negative evidence, what didn’t happen, as much as what did.

Recommendations for 2026

To address the continued shift toward identity-driven and cloud-native attacks, organizations and their risk advisors should prioritize the following:

  • Enforce phishing-resistant MFA for all accounts, including administrators, service accounts, and high-risk users, to reduce reliance on credentials that can be replayed or bypassed. It’s no coincidence this is the first of the 11 essential cybersecurity controls.
  • Treat identity telemetry as tier-1 forensic evidence by retaining sign-in, audit, and API activity logs beyond default retention periods to support incident investigation, insurance review, and regulatory scrutiny.
  • Centralize Entra ID and identity provider logs and establish baselines for normal authentication and application behavior to improve detection of anomalous access patterns and non-interactive activity.
  • Maintain a comprehensive inventory of enterprise applications and service principals, including ownership, permissions, and usage patterns, to identify unauthorized or high-risk integrations.
  • Monitor new OAuth app registrations and consent events in near-real time, with alerts for both delegated and application permissions to detect persistence mechanisms early.
  • Expand BEC detection and response beyond email, incorporating collaboration platforms such as Teams, calendar invitations, shared drives, and financial workflows into monitoring and investigation processes.
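As an added example, not part of the original post: a small Python triage routine that applies the consent-monitoring recommendation above and the persistence patterns from section 2 to a constructed, simplified consent-event feed (the field names and sample values are assumptions, not the Entra ID audit schema). It flags application (app-only) permissions, high-risk delegated scopes such as offline_access, and re-consent to an app that was removed during remediation.

```python
# Constructed, simplified OAuth consent events. These are NOT real Entra ID audit
# records; the field names are assumptions made for this example.
SAMPLE_EVENTS = [
    {"time": "2026-01-14T09:02:11Z", "actor": "j.doe@corp.example",
     "app_id": "app-0001", "app": "Calendar Sync", "consent_type": "Delegated",
     "scopes": ["User.Read", "Calendars.Read"]},
    {"time": "2026-01-14T09:05:40Z", "actor": "j.doe@corp.example",
     "app_id": "app-0002", "app": "Invoice Helper", "consent_type": "Delegated",
     "scopes": ["User.Read", "Mail.Read", "offline_access"]},
    {"time": "2026-01-14T11:17:03Z", "actor": "admin@corp.example",
     "app_id": "app-0003", "app": "MSP Connector", "consent_type": "Application",
     "scopes": ["Mail.ReadWrite", "Files.Read.All"]},
    {"time": "2026-01-15T08:30:00Z", "actor": "j.doe@corp.example",
     "app_id": "app-0002", "app": "Invoice Helper", "consent_type": "Delegated",
     "scopes": ["User.Read", "Mail.Read", "offline_access"]},
]

# Scopes that give mailbox, file or directory reach, or (offline_access)
# a refresh token that keeps working without the user signing in again.
HIGH_RISK_SCOPES = {
    "offline_access", "Mail.Read", "Mail.ReadWrite", "Files.Read.All",
    "Files.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All",
}

def triage_consent_events(events, remediated=None):
    """Return (severity, reason, event) tuples for consents worth review.
    remediated: app_id -> ISO time the app was removed in cleanup; a later
    consent to the same app is a re-consent loop (section 2 above)."""
    remediated = remediated or {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        reasons = []
        app_only = ev["consent_type"] == "Application"
        reconsent = ev["app_id"] in remediated and ev["time"] > remediated[ev["app_id"]]
        risky = sorted(set(ev["scopes"]) & HIGH_RISK_SCOPES)
        if app_only:  # background API access; survives password/MFA resets
            reasons.append("application (app-only) permissions granted")
        if reconsent:
            reasons.append("re-consent to an app removed during remediation")
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if reasons:
            severity = "high" if (app_only or reconsent) else "medium"
            alerts.append((severity, "; ".join(reasons), ev))
    return alerts

if __name__ == "__main__":
    for sev, why, ev in triage_consent_events(SAMPLE_EVENTS, {"app-0002": "2026-01-14T16:00:00Z"}):
        print(f"[{sev}] {ev['time']} {ev['actor']} -> {ev['app']} ({ev['app_id']}): {why}")
```

In a real deployment the events would be pulled from the tenant's audit log export and the remediated map from the IR case record, so a post-cleanup consent to a known-bad app is raised immediately rather than found on re-compromise.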

In 2026, the most dangerous breaches won’t announce themselves. They will blend in, persist quietly, and exploit trust, forcing DFIR teams to become identity investigators, cloud auditors, and storytellers all at once. To counteract that, defense should start with identity, visibility, and the assumption that attackers will operate using trusted access.

Cybereason Security Services Team