**Attackers are Handing Off Access in Record Time: Mandiant's 2025 Report Reveals Shocking Trends**

The cybersecurity landscape continues to evolve at an alarming rate, with attackers becoming increasingly sophisticated and brazen in their tactics. According to Mandiant's M-Trends 2026 report, which draws on over 500,000 hours of incident response work conducted in 2025, the time it takes for attackers to hand off access has decreased dramatically, from over eight hours in 2022 to a mere 22 seconds in 2025.

This alarming trend is just one of many disturbing findings in Mandiant's report, which highlights the growing sophistication and speed of cyberattacks. In this article, we'll delve into the key takeaways from the report and explore what they mean for organizations looking to protect themselves against these threats.

**The Shift Away from Email Phishing**

Email phishing has long been a favorite tactic of attackers, but Mandiant's report shows that it's no longer the dominant social engineering vector. In 2025, email phishing accounted for just a fraction of its former share, with voice phishing surging to become the second-most common initial infection vector.

This shift is significant because interactive social engineering methods require live human engagement and are more resistant to automated technical controls than volume-based email campaigns. Defenders therefore need to adapt their detection strategies to account for this new reality.

**The Access Hand-Off is Getting Faster**

As mentioned earlier, the time between initial compromise and hand-off has collapsed to just 22 seconds in 2025. This rapid transfer of access is a hallmark of modern cyberattacks, with initial access partners often delivering malware directly on behalf of secondary groups.

In one documented case, UNC1543 distributed the FAKEUPDATES JavaScript downloader through drive-by downloads, while UNC2165, a financially motivated cluster, ultimately destroyed backups and deployed RansomHub ransomware across Windows and virtual management servers.

**Global Dwell Time Rises to 14 Days**

The global median dwell time rose to 14 days in 2025, driven largely by long-term espionage intrusions and North Korean IT worker operations. This extended dwell time is a concern, as it gives attackers more time to move laterally within the network and carry out their objectives.

Organizations that detected intrusions internally did so in about nine days, while cases that came to light through external notification took substantially longer: a median of 25 days in 2025.

**Ransomware-Related Intrusions on the Rise**

Ransomware-related incidents accounted for 13% of Mandiant investigations in 2025, with attackers moving beyond dual-threat encryption-and-theft operations to systematically deny organizations the ability to recover. In one documented case, attackers exploited misconfigured Active Directory Certificate Services (AD CS) templates to create administrator accounts exempt from multi-factor authentication.

**The Most Frequently Exploited Vulnerabilities**

Mandiant's report highlights several zero-day vulnerabilities that were exploited in 2025, including:

* CVE-2025-31324: an improper authorization flaw in SAP NetWeaver's Visual Composer component
* CVE-2025-61882: an improper authentication vulnerability in Oracle E-Business Suite
* CVE-2025-53770 and CVE-2025-53771: deserialization vulnerabilities in Microsoft SharePoint Server

These vulnerabilities were exploited by multiple threat clusters, often with devastating consequences for the targeted organizations.

**The Growing Importance of AI**

Finally, Mandiant's report notes that threat clusters are increasingly incorporating AI tools to accelerate reconnaissance, social engineering, and malware development. This shift is significant, as it allows attackers to move faster and more efficiently than ever before.

While most successful intrusions continue to stem from human and systemic failures rather than AI-powered attacks, the use of AI by attackers is a growing concern that organizations need to take seriously.

**Conclusion**

Mandiant's M-Trends 2026 report provides a sobering look at the state of cybersecurity in 2025. With attackers becoming increasingly sophisticated and brazen, it's more important than ever for organizations to stay vigilant and adapt their defenses accordingly.

By understanding the trends and tactics outlined in this report, defenders can better prepare themselves against the threats that lie ahead. Whether it's the rapid hand-off of access or the growing use of AI by attackers, one thing is clear: the cybersecurity landscape will only continue to evolve at an alarming rate in the years to come.
