Attackers Transfer Compromised Access in 22 Seconds, Accelerating Supply‑Chain Threats, Mandiant Reports
What Happened — Mandiant’s M‑Trends 2026 report, based on more than 500,000 hours of incident response, shows that attackers now hand off initial access to a secondary group in a median of 22 seconds, down from more than 8 hours in 2022. Exploits remain the top entry vector (32% of cases), while voice‑phishing has risen to become the second‑most common vector (11%).
Why It Matters for TPRM —
- The ultra‑fast hand‑off compresses the window for third‑party defenders to detect and contain breaches.
- Division‑of‑labor attacks blur the line of responsibility between vendors and downstream partners, complicating supply‑chain risk assessments.
- Growing focus on backup and virtualization infrastructure signals higher risk to SaaS and cloud service providers that host critical data.
Who Is Affected — SaaS vendors, cloud‑hosting providers, backup/virtualization service firms, and any organization that outsources critical workloads to third‑party platforms.
Recommended Actions —
- Review and tighten real‑time monitoring of credential use and privileged access across all third‑party connections.
- Incorporate rapid‑response playbooks that assume a hand‑off could occur within seconds.
- Validate that backup and virtualization environments are segmented and that immutable backups are enforced.
Technical Notes — Primary attack vectors are exploits (software vulnerabilities) and voice‑phishing (social engineering). The hand‑off model resembles a supply‑chain attack where an initial access group delivers malware directly to a secondary ransomware group. No specific CVE is cited, but the trend underscores the need for robust exploit mitigation and multi‑factor authentication controls.
Source: Help Net Security