Most Cyberattacks Start with a Login, Not an Exploit

Most cyberattacks in 2025-2026 used stolen credentials, not software exploits. Learn what credential-based attacks mean for Iowa law firms and how to defend against them.

When most people picture a cyberattack, they imagine someone breaking through a firewall with clever exploit code. Flashing red alerts on a screen. Dramatic stuff.

The actual data looks nothing like that. According to Blackpoint Cyber’s 2026 Annual Threat Report, which analyzed thousands of real security incidents across the past year, the overwhelming majority of successful intrusions looked like a normal Tuesday. An employee logging in. A remote session starting up. An IT tool being installed.

No alarms. No exploit. Just someone using a valid username and password that happened to belong to an attacker.

If your firm’s security strategy is built around keeping bad guys out, this data should change how you think about risk.

The numbers tell the story

Blackpoint’s report breaks down the most common patterns in real-world incidents, and the numbers are worth looking at closely.

Fake CAPTCHA and ClickFix attacks were the single most common pattern, showing up in 57.5% of all identifiable incidents. These attacks trick users into running malicious commands themselves. The user sees what looks like a verification prompt (“Prove you’re not a robot”) and follows instructions that include pasting a command into the Windows Run dialog. No malware download, no suspicious attachment. The user does the attacker’s work for them.

SSL VPN abuse accounted for 32.8% of incidents. Attackers authenticated to corporate VPN gateways using valid but stolen credentials. The resulting sessions looked completely legitimate, indistinguishable from a normal employee working remotely.

RMM tool abuse appeared in 30.3% of incidents. Remote monitoring and management tools are the backbone of IT operations. Attackers installed unauthorized copies of these same tools (ScreenConnect appeared in over 70% of rogue RMM cases) to maintain persistent access. Because the tools are widely used in legitimate IT environments, the installations blended right in.

Adversary-in-the-middle (AitM) phishing accounted for roughly 16% of cloud account compromises. Even when MFA was enabled, attackers intercepted authenticated session tokens in real time, bypassing multi-factor protection entirely.

The most targeted sectors included manufacturing, healthcare, MSPs, financial services, and construction. Professional services firms, including law firms, share the same risk profile.

VPN access: the front door is wide open

For firms that rely on VPN for remote access, the Blackpoint data is a wake-up call. Nearly a third of incidents involved attackers simply logging in through the VPN with stolen credentials.

Think about how remote work functions at most firms. An attorney connects from home, enters their username and password, and they’re on the network. If an attacker has those same credentials (purchased from a dark web marketplace, harvested from a phishing campaign, or reused from another breach), the login looks identical.

There’s no alert. There’s no anomaly. The VPN did exactly what it was designed to do: authenticate a valid credential and grant access.

This is why credential monitoring and conditional access policies matter so much. If your VPN grants full network access to anyone with the right password, you have a front door that can’t tell the difference between your attorneys and an attacker.
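One way to put the conditional-access idea above into code, added here as an example written for this page rather than taken from Blackpoint or Artech: a small Python policy check over constructed VPN gateway records that flags a valid login from an unexpected country, outside the user's usual hours, or within an hour of a login from a different country. The per-user baseline, the log format and the Central Time offset are assumptions.

```python
from datetime import datetime

# Constructed per-user baseline (hypothetical): usual countries and expected local hours.
BASELINE = {
    "jdoe": {"countries": {"US"}, "hours": range(6, 22)},
    "asmith": {"countries": {"US"}, "hours": range(6, 22)},
}

# Constructed VPN gateway records: "timestamp user src_ip country status".
VPN_LOG = """\
2026-03-02T14:12:05Z jdoe 203.0.113.10 US success
2026-03-03T03:07:41Z jdoe 198.51.100.7 RO success
2026-03-03T15:30:00Z asmith 203.0.113.22 US success
2026-03-03T15:31:15Z asmith 192.0.2.99 NL success
"""

def parse_line(line):
    ts, user, ip, country, status = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "ip": ip, "country": country, "status": status}

def evaluate(event, baseline, utc_offset_hours=-6):
    """Reasons to deny one successful login (empty list = allow); offset gives local time (Central assumed)."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["user has no baseline"]
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append(f"unexpected country {event['country']}")
    local_hour = (event["ts"].hour + utc_offset_hours) % 24
    if local_hour not in profile["hours"]:
        reasons.append(f"outside expected hours (local {local_hour:02d}:00)")
    return reasons

def review_log(text, baseline):
    """Logins the policy would have blocked, per user; also flags a country change within an hour."""
    flagged, last_seen = {}, {}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev["status"] != "success": continue  # only successful sessions matter here
        reasons = evaluate(ev, baseline)
        prev = last_seen.get(ev["user"])
        if prev and prev["country"] != ev["country"] and (ev["ts"] - prev["ts"]).total_seconds() < 3600:
            reasons.append(f"country changed from {prev['country']} within an hour")
        last_seen[ev["user"]] = ev
        if reasons:
            flagged.setdefault(ev["user"], []).append((ev["ts"].isoformat(), reasons))
    return flagged
```

A real deployment would enforce these rules at the identity provider or VPN gateway rather than after the fact, but the same three questions (where, when, and how fast did the location change) are what the policy has to answer.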

Fake CAPTCHAs: your users are running the attack

The ClickFix technique is especially dangerous because it turns your employees into the delivery mechanism.

A user visits a compromised website or clicks a link in an email. They’re presented with what looks like a standard CAPTCHA verification. The page instructs them to press a key combination and paste a command, sometimes framed as a “verification step” or a “browser update.” What they’re actually doing is executing a PowerShell command that downloads and runs malicious code.

No file attachment to scan. No executable to block. The user initiated the action, which means many traditional security tools don’t flag it.

This attack works because people are trained to follow instructions from things that look official. For a law firm, where attorneys and staff regularly interact with court e-filing systems, client portals, and document review platforms, these fake verification prompts don’t seem out of place.
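A detection rule for the ClickFix pattern described above, added here as an example (not the page's or Blackpoint's code): it inspects constructed process-creation events and alerts when explorer.exe, the parent of anything launched from the Run dialog, starts PowerShell with flags that a genuine verification step would never need. The event shape, host names and the encoded placeholder value are constructed.

```python
import base64
import ntpath
import re

# Constructed Sysmon-style process-creation events (not report data); the encoded value is a placeholder.
EVENTS = [
    {"host": "wks-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -NoProfile -EncodedCommand UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},
    {"host": "wks-02", "parent": r"C:\Program Files\Vendor\rmm-agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\patch.ps1"},
    {"host": "wks-03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

SHELLS = {"powershell.exe", "pwsh.exe"}
# Flags and cmdlets that do not belong in a command a user types into the Run dialog.
INDICATORS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "web download": re.compile(r"iwr|invoke-webrequest|downloadstring|\bcurl\b", re.I),
    "dynamic execution": re.compile(r"\biex\b|invoke-expression", re.I),
}

def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument (PowerShell expects UTF-16LE), or None."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def detect_clickfix(event):
    """Alert when explorer.exe launches a shell with suspicious flags; None otherwise."""
    if ntpath.basename(event["parent"]).lower() != "explorer.exe":
        return None
    if ntpath.basename(event["image"]).lower() not in SHELLS:
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    if not hits:
        return None
    return {"host": event["host"], "indicators": hits,
            "decoded": decode_encoded_command(event["cmdline"])}

def scan(events):
    return [alert for alert in map(detect_clickfix, events) if alert]
```

The scripted PowerShell run by the RMM agent on wks-02 and the bare shell on wks-03 produce no alert, which is the point: the parent process plus the flags, not PowerShell by itself, is what separates ClickFix from ordinary IT activity.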

When IT tools become attack tools

The RMM abuse finding deserves special attention. Remote management tools like ScreenConnect, AnyDesk, and similar products are standard in IT environments. Your managed IT provider probably uses one. Your internal IT team might use another.

The problem: when an attacker installs an unauthorized copy of a legitimate RMM tool, it looks like expected IT activity. The software is signed, it’s a known product, and it behaves normally. The only difference is who’s on the other end.

Blackpoint found that environments running multiple remote access tools were more likely to see rogue installations go undetected. If your firm already has two or three different remote access tools in use (maybe a legacy tool nobody decommissioned, plus your current provider’s tool, plus a vendor’s support tool), a fourth installation doesn’t raise eyebrows.

Maintaining a complete inventory of approved remote access tools and blocking unapproved installations is one of the most practical steps a firm can take.
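An inventory check for the advice above, added here as an example and not Artech's own tooling: it walks a constructed software inventory, flags remote access products the firm has not approved, and, because a rogue ScreenConnect is usually the same product the provider already uses, also treats an approved product tied to an unknown instance as rogue. The host names, instance identifiers and keyword list are assumptions.

```python
# Constructed per-host inventory of (product name, instance identifier). The instance
# identifier is hypothetical: it stands for whatever ties an installed client to one
# vendor account or relay server, which is what separates the provider's copy from a rogue one.
INVENTORY = {
    "wks-01": [("Microsoft Office", None), ("ScreenConnect Client", "a1b2c3d4"), ("Adobe Reader", None)],
    "wks-02": [("Microsoft Office", None), ("ScreenConnect Client", "a1b2c3d4"), ("AnyDesk", None)],
    "srv-01": [("ScreenConnect Client", "a1b2c3d4"), ("ScreenConnect Client", "ffee9988"), ("TeamViewer", None)],
}

# Approved tool keyword -> the instance identifier the firm's provider actually uses (assumed value).
APPROVED = {"screenconnect": "a1b2c3d4"}

# Starter list of remote access products to recognise; extend it with whatever the firm encounters.
REMOTE_TOOL_KEYWORDS = ["screenconnect", "anydesk", "teamviewer", "logmein", "splashtop", "rustdesk"]

def classify(name, instance):
    """(keyword, 'approved' or 'rogue') for a remote access tool; None for other software."""
    lname = name.lower()
    for kw in REMOTE_TOOL_KEYWORDS:
        if kw in lname:
            approved = kw in APPROVED and APPROVED[kw] == instance
            return kw, "approved" if approved else "rogue"
    return None

def audit(inventory):
    """Rogue installs per host, plus hosts running more than one remote access tool."""
    rogue, multiple = {}, []
    for host, programs in inventory.items():
        tools = [t for t in (classify(n, i) for n, i in programs) if t]
        for kw, verdict in tools:
            if verdict == "rogue":
                rogue.setdefault(host, []).append(kw)
        if len(tools) > 1:  # crowded hosts are where rogue copies go unnoticed
            multiple.append(host)
    return {"rogue": rogue, "multiple_tools": multiple}
```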

Why this matters for law firms

Law firms hold confidential client data protected by attorney-client privilege. A breach doesn’t just mean operational disruption. It means potential bar disciplinary issues, malpractice exposure, and notification obligations under Iowa law.

And the threat is getting worse. A March 2026 Baker Hostetler report found that cyberattacks targeting law firms nearly doubled from 2024 to 2025. One threat actor group, known as Chatty Spider (also called Silent Ransomware and Luna Moth), specifically targeted law firms during that period.

The shift toward credential-based attacks changes the defensive equation. Firewalls and antivirus still matter, but they’re designed to stop threats that look like threats. When an attacker logs in with valid credentials and uses legitimate tools, those traditional defenses don’t see a problem.

Your security model needs to assume that attackers will get valid credentials. The question becomes: what happens next? Can you detect the abnormal behavior even when the access looks normal?

What actually works

Based on Blackpoint’s findings and what we see in practice, these are the defensive priorities that matter most right now:

  • Endpoint Detection and Response (EDR): Not basic antivirus. EDR watches for suspicious behavior patterns, even when the tools being used are technically legitimate.
  • Conditional Access policies: Restrict where, when, and how logins are accepted. If your attorney never logs in from Eastern Europe at 3 AM, that session should be blocked automatically.
  • Remote access auditing: Know exactly which remote access tools are approved in your environment. Monitor for unauthorized installations. Remove legacy tools that are no longer in use.
  • MFA with token theft awareness: MFA is still essential, but it’s not bulletproof. Pair it with conditional access and session monitoring to catch AitM attacks. (For a deeper look at how attackers bypass MFA through device code phishing, see our recent breakdown of that technique.)
  • Restrict software installation: Users should not be able to install applications freely. This single control would prevent most rogue RMM installations.
  • User training that reflects current threats: Your staff needs to know about fake CAPTCHA attacks. Traditional phishing training that focuses on suspicious email attachments doesn’t cover this.

None of this is theoretical. These are direct responses to the attack patterns that dominated real incidents in the past year.


If your firm hasn’t reviewed its remote access security, conditional access policies, or endpoint protection recently, now is the time. Artech Solutions works with Iowa law firms to close exactly these gaps. Let’s have a conversation about where your firm stands.