When UltraViolet Cyber evaluated major trends across security threats in Q2, the landscape covered a lot of ground.
Highly active threat actors, exploited vulnerabilities, ransomware operations, AI-driven social engineering, identity-based intrusions, and a fast-growing family of “Fix-type” attacks all shaped the quarter.
But there was one pattern that kept showing up across categories that don’t always have a lot in common, and it wasn’t a malware family or a specific threat actor.
Rather, it was the exploitation of trusted access and trusted workflows. It’s true: in 2026, attackers aren’t just exploiting your technology, they’re exploiting trust.
Today’s adversaries bypass technical guardrails by targeting the trust in identities, people, business processes, and legitimate technologies.
- Key Takeaways
- Traditional threat boundaries are disappearing
- What security teams should prioritize
- Identity is more than an authentication problem
- Trust is replacing malware as the primary attack surface
- Edge infrastructure is still an easy way in
- Assume security controls will be bypassed
- Where this leaves us
Key Takeaways
- Trust has become the primary attack surface, with adversaries increasingly exploiting identities, workflows, and legitimate business processes instead of technical vulnerabilities alone.
- Traditional threat categories are converging as ransomware, nation-state operations, AI-driven social engineering, and identity attacks increasingly share tactics and infrastructure.
- Identity security now requires continuous verification, behavioral monitoring, and stronger access governance beyond authentication alone.
- Organizations should prioritize Zero Trust, rapid patching of internet-facing infrastructure, and layered defenses that assume individual security controls will eventually be bypassed.
- Security programs must evolve from periodic compliance exercises to continuous operational resilience that validates trust across users, systems, and business processes.
Traditional threat boundaries are disappearing
Traditional boundaries between threat categories are dissolving.
Ransomware operators borrow tradecraft from nation-states.
Nation-states pre-position inside commercial infrastructure.
Social engineering is empowered by generative AI and delivered through workflows users have been trained to trust.
What security teams should prioritize
Defending this environment means treating security as a continuous discipline rather than a periodic compliance exercise, with investment in identity verification, Zero Trust architecture, rapid patching, and resilience against attacks that bypass technical controls entirely.
For security teams, four areas stand out.
Identity is more than an authentication problem
Attackers are increasingly relying on valid accounts and legitimate access rather than forcing their way into environments.
Across the ransomware groups most active in recent months, credential abuse and legitimate administrative tools drove both initial access and lateral movement.
Compromise didn’t stop at the login event. It kept escalating after authentication, through hijacked sessions, abused OAuth grants, and misused native admin tools.
There’s a phrase going around the cybersecurity industry, “attackers aren’t breaking in, they’re logging in.”
And it’s true. We can certainly ask, “How do we stop attackers from logging in?” but it may be more effective to ask, “How do we continuously verify that trusted identities remain trustworthy?”
That means treating identity as a lifecycle: stronger verification during hiring, tighter access governance for remote employees, and ongoing behavioral monitoring for insider threat activity.
Trust is replacing malware as the primary attack surface
Many of the most effective Q2 attacks succeeded because users trusted familiar people, business processes, or workflows.
The vulnerability wasn’t in the software. It was in how people interacted with it.
Successful social engineering techniques all come back to trust.
AI-generated phishing now lacks the traditional red flags awareness training was built around, while voice phishing has displaced email as the leading social engineering vector in confirmed incidents.
Deepfake video impersonation in business email compromise and the ClickFix and ConsentFix families further exploit that trust by convincing victims to execute the malicious action themselves.
Security awareness must evolve accordingly.
Teaching employees to spot suspicious messages is no longer enough, as many phishing messages are now indistinguishable from legitimate correspondence.
The upskilling that matters now centers on verification behaviors: out-of-band confirmation, independent verification of unusual requests, and hardened help desk procedures for password resets and MFA changes.
Edge infrastructure is still an easy way in
Internet-facing systems remain a preferred entry point for the most capable attackers, and exploitation timeframes are shrinking.
The challenge isn’t merely patching vulnerabilities, it’s matching how fast attackers operationalize them.
The Chinese state-sponsored advanced persistent threat (APT) group Salt Typhoon was one of the most consequential threats this past quarter.
Their targeting has focused on North American telecommunications providers, government networks, commercial IT services, and defense-adjacent organizations, with a clear preference for edge-facing infrastructure where visibility is often weaker than inside the corporate network.
Nothing here is new. What we have been missing is consistent execution.
Organizations should review edge-facing network infrastructure, including routers, firewalls, VPN concentrators, and SD-WAN controllers, for unauthorized configuration changes, unexpected firmware versions, or anomalous administrative access.
Further, shorten patching cycles for internet-facing systems well below the standard 30-day cadence.
Lastly, treat management planes as sensitive assets, not convenient endpoints. And please, segment your infrastructure.
Assume security controls will be bypassed
One final theme this quarter: attackers succeed by going around individual security controls rather than taking them head on, meaning many of the controls organizations spent so much time implementing are being bypassed.
ConsentFix is the sharpest example of this in Q2.
The attack lives entirely in the browser, requires no endpoint code execution, and defeats phishing-resistant authentication by harvesting an OAuth authorization code from an already-authenticated session rather than stealing a credential.
Passkeys and FIDO2 keys, deployed specifically to close out credential phishing, provide no protection here because there’s no credential to protect.
The lesson is not that any single control has failed, but that no single control was ever going to be enough.
Security teams need to focus less on finding a control that stops every attack, and more on layered defenses that detect intrusions earlier, contain compromise faster, recover more effectively, and continuously validate trust across users, systems, and business processes.
Where this leaves us
What defines this threat landscape isn’t necessarily attack (or attacker) sophistication.
It’s that they’re exploiting trust across every stage of the attack lifecycle, and the gap between attacker capability and defender response time keeps widening.
The organizations best positioned to weather this environment are the ones treating security as an ongoing operational discipline rather than a periodic compliance exercise.
The lines between technical and human exploitation are dissolving.
Programs treating them as separate problems are defending yesterday’s threat model while attackers have already moved on.





