**Attackers are Hacking Faster Than Ever: Mandiant Report Reveals Alarming Trends**

A new report from cybersecurity firm Mandiant has shed light on the rapidly evolving threat landscape, highlighting alarming trends that indicate attackers are becoming more sophisticated and efficient in their operations. The M-Trends 2026 report, based on over 500,000 hours of incident response work conducted in 2025, reveals that attackers are handing off access to compromised systems in as little as 22 seconds, leaving defenders with a shrinking window to respond.

According to the report, exploits remain the leading entry point for attackers, accounting for 32% of all initial infections. This is not surprising, given the constant stream of new vulnerabilities being discovered and exploited by threat actors. However, what's more concerning is that email phishing, which was once the dominant social engineering vector, has seen a sustained decline, making way for voice phishing, which now accounts for 11% of all initial infections.

**The Access Hand-Off: A Growing Concern**

One of the most alarming trends highlighted in the report is the growing share of Mandiant investigations that involve a division-of-labor model, where one threat cluster gains initial access and transfers it to a separate group for follow-on operations. This pattern appeared in 9% of 2025 investigations, up from 4% in 2022. The time between initial compromise and hand-off has also collapsed, with the median time falling to just 22 seconds.

This rapid hand-off allows attackers to bypass underground forum sales and compresses the window defenders have to act. In one documented case, a threat cluster used a JavaScript downloader to deliver malware directly on behalf of secondary groups, allowing them to bypass detection and gain access to sensitive systems.

**Ransomware: A Growing Threat**

The report also highlights the growing threat of ransomware, which accounted for 13% of all Mandiant investigations in 2025. Operators have moved beyond dual-threat encryption-and-theft operations toward systematically denying organizations the ability to recover, targeting identity services, virtualization management planes, and backup infrastructure.

In one case, attackers exploited misconfigured Active Directory Certificate Services (AD CS) templates to create administrator accounts exempt from multi-factor authentication. In another, they extracted dozens of high-privilege credentials in a single session from enterprise credential vaults, then forced password changes on privileged accounts, locking defenders out of emergency access during a crisis.
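The second case above lends itself to a two-stage detection: a single vault session retrieving an unusual number of privileged credentials, followed by password changes on those same accounts. The sketch below is an added example, not code from the Mandiant report; the event schema, session and account names, and both tuning values are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values, not figures from the report.
BULK_THRESHOLD = 12                  # distinct credentials retrieved in one session
RESET_WINDOW = timedelta(hours=1)    # how long after the burst to look for resets

def detect_vault_lockout(events, threshold=BULK_THRESHOLD, window=RESET_WINDOW):
    """events: (iso_time, session, actor, action, account) tuples, hypothetical schema."""
    accounts = defaultdict(set)      # session -> distinct accounts retrieved
    first, last, actor_of = {}, {}, {}
    resets = []                      # (time, account) for every password change
    for ts, session, actor, action, account in sorted(events):
        t = datetime.fromisoformat(ts)
        if action == "retrieve":
            accounts[session].add(account)
            first.setdefault(session, t)
            last[session] = t
            actor_of[session] = actor
        elif action == "password_change":
            resets.append((t, account))
    alerts = []
    for session, accts in accounts.items():
        if len(accts) < threshold:
            continue
        lo, hi = first[session], last[session] + window
        changed = sorted({a for t, a in resets if a in accts and lo <= t <= hi})
        alerts.append({
            "session": session, "actor": actor_of[session],
            "retrieved": len(accts), "reset_after": changed,
            # Resets on just-retrieved accounts suggest defenders are being locked out.
            "severity": "critical" if changed else "high",
        })
    return alerts

# Constructed sample data: a routine session, a 24-credential burst followed by
# forced resets, and an unrelated scheduled rotation.
_t0 = datetime(2025, 6, 1, 2, 0, 0)
def _ev(offset, session, actor, action, account):
    return ((_t0 + offset).isoformat(), session, actor, action, account)
SAMPLE = (
    [_ev(timedelta(minutes=i), "s-001", "alice", "retrieve", f"db-admin-{i}") for i in range(2)]
    + [_ev(timedelta(hours=1, seconds=i), "s-002", "helpdesk7", "retrieve", f"priv-{i:02d}") for i in range(24)]
    + [_ev(timedelta(hours=1, minutes=5, seconds=i), "s-002", "helpdesk7", "password_change", f"priv-{i:02d}") for i in range(3)]
    + [_ev(timedelta(hours=2), "s-003", "rotation-job", "password_change", "db-admin-0")]
)

if __name__ == "__main__":
    print(*detect_vault_lockout(SAMPLE), sep="\n")
```

In practice the threshold would be baselined per actor, and a critical alert should route to a channel that does not depend on the vault or the affected accounts.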

**Vulnerabilities: A Never-Ending Problem**

The report identifies several vulnerabilities that were exploited by attackers in 2025, including CVE-2025-31324, an improper authorization flaw in SAP NetWeaver's Visual Composer component, and CVE-2025-61882, an improper authentication vulnerability in Oracle E-Business Suite. These vulnerabilities allowed unauthenticated file uploads and remote code execution, respectively.

The report also highlights the growing use of AI tools by threat actors to accelerate reconnaissance, social engineering, and malware development. Malware families including PROMPTFLUX and PROMPTSTEAL actively query large language models during execution to support evasion.

**Conclusion**

The Mandiant report paints a dire picture of the cybersecurity landscape in 2025. Attackers are becoming more sophisticated and efficient in their operations, with a shrinking window for defenders to respond. The use of AI tools by threat actors is a concerning trend that highlights the need for organizations to invest in robust detection and response capabilities.

As we look ahead to 2026, it's clear that cybersecurity will continue to be a top concern for organizations of all sizes. By staying informed about the latest threats and trends, defenders can better prepare themselves for the challenges ahead and protect their organizations from the ever-evolving threat landscape.

**Key Takeaways**

* Attackers are handing off access in as little as 22 seconds
* Exploits remain the leading entry point for attackers
* Voice phishing is becoming a more popular social engineering vector
* Ransomware operators are targeting identity services, virtualization management planes, and backup infrastructure
* Vulnerabilities continue to be exploited by threat actors
* AI tools are being used by threat actors to accelerate reconnaissance, social engineering, and malware development