Threat Management, Threat Intelligence

Attack handoff times plummet, exploits remain leading attack vector


The median time between initial network access and handoff to another threat operation has fallen from over 8 hours in 2022 to only 22 seconds last year, a steep decline driven by tighter coordination between initial access partners and secondary groups, as well as mounting automation, reports SecurityWeek. Exploits remained the most popular initial infection vector, followed by phishing, previous breaches, and compromised credentials, according to Google Cloud Mandiant's M-Trends 2026 report. The most widely abused vulnerabilities were the SAP NetWeaver flaw, tracked as CVE-2025-31324, the Oracle EBS flaw, tracked as CVE-2025-61882, and the SharePoint bug, tracked as CVE-2025-53770. Additional findings revealed that median dwell times increased from 11 days in 2024 to 14 days in 2025. Incidents that went undetected for up to six months also became more prevalent amid increasingly clandestine methods adopted by North Korean IT workers and cyberespionage operations. Among industries, high-tech was the most targeted in 2025, followed by financial services, business services, and health care. The report drew on data from Google's Threat Intelligence Group and over 500,000 hours of incident investigations by Mandiant in 2025.
