Skip Navigation
Get a Demo
 
Share
 
 
 
 
 
 
 
 
Resources Blog Threat detection

A defender’s guide to initial access techniques

Experts from Red Canary, MITRE ATT&CK® and Proofpoint explore the evolving ways that adversaries break into victim environments, including fake CAPTCHAs, social engineering, and more.

Susannah Clark Matt

When news of a major cyber attack breaks, most people have the same first question: How did it start?

In the latest Detection Series webinar, Proofpoint’s Selena Larson and Adam Pennington from the MITRE ATT&CK® team joined Red Canary’s Tony Lambert and Stef Rand to discuss the many ways that adversaries gain initial access to victim environments. Along with real-world examples of emerging tradecraft such as paste-and-run browser lures and email bombing campaigns, our panel advises on what security teams can do to better defend their organizations against the ways that intrusions, incidents, and breaches commonly start.

You can watch the full recording here or check out the clips below.

What exactly do we mean by “initial access?”

Put simply, initial access is how the bad guys break in. According to MITRE, the Initial Access ATT&CK tactic “consists of techniques that use various entry vectors to gain their initial foothold within a network.”

Common initial access methods include:

  • exploiting vulnerabilities in web-facing servers
  • compromising a third-party in an organization’s supply chain
  • logging in with stolen credentials obtained via phishing emails, browser lures, or social engineering

Using the corresponding ATT&CK techniques as benchmarks, Adam walks through a timeline of when certain initial access methods gained popularity over the last two decades.

What is “ClickFix” and why is everyone talking about it?

Selena breaks down the buzzy “ClickFix” social engineering technique, also known as “fakeCAPTCHA” and “paste and run.” ClickFix campaigns present web users with dialog boxes containing fake error messages in hopes of tricking them into copying, pasting, and running malicious commands.

Both Red Canary and Proofpoint saw an uptick in paste-and-run campaigns in 2024 that has continued into this year. Check out the 2025 Threat Detection Report for detection and prevention guidance.

 

How are ransomware operators breaking in these days?

Highlighting the Black Basta ransomware operation, Tony and Stef explain a social engineering scheme in which adversaries employ “email bombing”—flooding a user’s inbox as a pretense and impersonating an IT help desk employee over the phone. They then attempt to trick the user into installing remote management and monitoring (RMM) tools that enable the impersonators to drop additional malware or execute malicious code on a victim system.

Do I still need to worry about phishing?

Yes, and not just in your email. Selena explores the latest phishing trends, touching on SMS phishing, callback phishing, and everyone’s favorite word to say: quishing.

 

Why are RMM tools so popular with adversaries?

Selena dubs RMM tools “the new loaders,” citing their increasing popularity as a first-stage payload in email attacks. Because so many organizations use RMM tools such as TeamViewer, AnyConnect, and NetSupport Manager for legitimate reasons, it can be hard for defenders to distinguish authorized and malicious use.

What can I do to mitigate the risks of RMM tool abuse?

Responding to a question from the audience, Tony points to the LOLRMM project as a resource for Sigma rules and other detection tips. Selena also underscores the importance of network detection as well as allowlisting for cloud-hosted and on-prem installations.

Visit the NetSupport Manager page in this year’s Threat Detection Report for more detection and mitigation advice.

Which file types should I be wary of on my system?

Stef urges defenders to look twice at the following potentially malicious file types:

  • .msi
  • .js
  • .vbs
  • .dll

An easy mitigation strategy for malicious scripts is to create a group policy so that any unusual file type opens in Notepad by default, preventing unwanted execution.

 

How do adversaries compromise identities?

Who needs an RMM tool if you can just log right in? The panel discusses cloud and identity attacks enabled by credential theft, MFA abuse, and initial access brokers.

What about infostealers?

Stef gives a quick sidebar to explain how the infostealer ecosystem enables credential theft and identity attacks. Although LummaC2 was the most prevalent stealer Red Canary detected in 2024, activity has decreased substantially since a government takedown of its infrastructure in May 2025.

 

Won’t someone think of the Mac users?

Tony speaks to the Apple side of things, breaking down Poseidon and Atomic Stealer. The latest version of macOS Sequoia addresses a commonly exploited Gatekeeper bypass method, complicating things for adversaries pushing stealers and paste-and-run campaigns.

 

What’s next?

Before taking some audience questions, our panel closes out with some predictions about how initial access techniques will evolve in the coming months. While everyone agrees that social engineering will continue in stride, the impact of AI and LLMs is more debatable.

WATCH AND LEARN
Subscribe to Red Canary's YouTube channel for more educational videos on detection, threat intelligence, incident response, and more.
Related Articles
 

The double-edged sword of MCP: Understanding the threat landscape for AI workflows

 

Shape shifting: How to wrangle unpredictable data at scale

 

All about that baseline: Detecting anomalies with Surveyor

 

Cybersecurity metrics that matter (and how to measure them)

Subscribe to our blog

 

See Red Canary in action

Watch the 10-minute demo now.
Watch the demo

Security gaps? We got you.

Get curated insights on managed detection and response (MDR) services, threat intelligence, and security operations—delivered straight to your inbox every month.

 
 
 
 
Back to Top