SECURITY & PRIVACY ADVISORY

Security Trends

Analysis, context, and practical guidance on the security events shaping how enterprises evaluate their vendors today.

THREAT INTELLIGENCE Briana Benge

Storm-2561 and GlassWorm Reveal Why Credential Theft Has Replaced Network Intrusion

Enterprise attackers in early 2026 stopped trying to break through perimeters — they started walking in through stolen session tokens. Two simultaneous campaigns show exactly how that works, and why the gap between “we have MFA” and “we are actually protected” is wider than most vendor security programs acknowledge.

In mid-January 2026, Microsoft Defender Experts identified a sustained credential theft campaign tracked as Storm-2561. The group — active since May 2025 — distributed trojanized versions of enterprise VPN clients, including spoofed installers for Cisco Secure Client, Fortinet VPN, Check Point Remote Access VPN, and Ivanti Pulse Secure. The distribution mechanism was SEO poisoning: employees searching for VPN software encountered results pointing to convincing spoofed sites, which served malware-laden ZIP files containing digitally signed trojans. Once installed, the malware harvested VPN credentials and session tokens, then displayed a realistic error message and directed the user to the legitimate vendor site — leaving no visible evidence of compromise. Microsoft publicly disclosed the campaign on March 12, 2026, after tracking it for nearly ten months.

Storm-2561 was not the only campaign targeting credentials through developer tooling in the same window. Beginning in January 2026, security researchers discovered GlassWorm: at least 72 malicious extensions injected into the Open VSX Registry — the extension marketplace used by VS Code forks including Cursor, Eclipse Theia, and Gitpod. By early March, the campaign had accumulated over 9 million installs of malicious packages and infected 151 GitHub repositories between March 3 and March 9 alone. GlassWorm’s approach was technically precise: rather than embedding malware directly in extension code, the threat actor used invisible Unicode characters to encode loader payloads — content that rendered as blank space in editors and terminals but decoded to scripts that extracted tokens, credentials, and repository secrets. Neither Storm-2561 nor GlassWorm required exploiting a vulnerability in a target’s production infrastructure. Both relied on users doing something routine — downloading software they use every day.
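As an added defender-side illustration (not code from the original article or from the researchers it cites), the scanner below flags runs of invisible Unicode characters in extension source, the kind of encoding the article attributes to GlassWorm. The set of code points treated as "invisible" and the sample extension file are assumptions; the page does not state which characters the campaign used.

```python
import unicodedata

# Assumed "invisible" code points: zero-width characters, the variation-selector
# blocks, and anything Unicode classes as a format character (category Cf).
# This is a detection heuristic, not the campaign's actual alphabet.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}

def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    if cp in ZERO_WIDTH:
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:  # variation selectors
        return True
    return unicodedata.category(ch) == "Cf"

def scan_source(text: str, min_run: int = 8):
    """Return (line_no, run_length, first_code_point) for every run of at least
    min_run consecutive invisible characters. Legitimate code rarely contains
    long runs of such characters; a single U+FE0F after an emoji stays below
    the threshold and is not reported."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        run, first = 0, None
        for ch in line + "\n":          # newline sentinel closes a trailing run
            if is_invisible(ch):
                if run == 0:
                    first = ord(ch)
                run += 1
            else:
                if run >= min_run:
                    findings.append((line_no, run, f"U+{first:04X}"))
                run = 0
    return findings

# Constructed sample: a two-line stub extension with 24 hidden code points
# embedded in a string literal on line 3 (they render as nothing in an editor).
SAMPLE_EXTENSION = (
    "// constructed sample, not a real extension\n"
    "const vscode = require('vscode');\n"
    "const marker = '" + "\ufe00\ufe0f" * 12 + "';\n"
    "module.exports = { activate() {} };\n"
)

if __name__ == "__main__":
    for line_no, length, cp in scan_source(SAMPLE_EXTENSION):
        print(f"line {line_no}: {length} invisible characters starting at {cp}")
```

Run it over a checked-out extension or repository tree (one `scan_source` call per text file) and review every hit by hand before deciding it is benign.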

The Cloudflare 2026 Threat Intelligence Report, published in early March and drawing on telemetry across approximately 20% of global web traffic, provided the statistical context for this pattern. Across Cloudflare’s network, 94% of all login attempts were executed by bots using credential stuffing, brute force, and stolen password lists. Among human-initiated login attempts, 46% used credentials already compromised in prior breaches. Cloudflare’s central finding: attackers have largely stopped hacking in. They log in.

“94% of all login attempts observed across Cloudflare’s network are executed by bots — and among human-initiated logins, 46% use credentials already compromised in prior breaches.”

— Cloudflare 2026 Threat Intelligence Report

Enterprise security teams have begun updating vendor risk programs to reflect this specific threat model. SOC 2 assessments increasingly scrutinize session lifecycle controls — particularly token expiry policies, detection of concurrent sessions from anomalous locations, and how developer credential stores are protected from access by third-party tooling. Vendor security questionnaires from financial services and healthcare buyers now explicitly ask whether a SaaS vendor enforces zero-exclusion MFA policies — meaning no accounts are exempt, including service accounts and shared admin accounts — and whether the vendor has controls capable of detecting session replay. The question has shifted from “do you use MFA?” to “what is your response plan if MFA is rendered irrelevant?”

For a SaaS company working toward enterprise security readiness, the specific control gap these campaigns expose is session management. Early-stage compliance programs typically deploy MFA and document it — which satisfies a surface-level check. What they rarely address is what happens after authentication: session tokens with multi-hour or multi-day expiry windows, no concurrent session limiting, no geographic anomaly detection, and no distinction in session controls between production access and developer tooling. Both Storm-2561 and GlassWorm extracted value precisely from that gap — not from failing to authenticate, but from what remained accessible after authentication succeeded.

Being prepared on session management means having documented, testable controls rather than general policy statements. A complete posture includes defined token lifetimes by account type, documented conditions for automatic session revocation, and a process for flagging anomalous concurrent sessions. For companies where engineers use third-party IDEs, extensions, or VS Code-compatible tooling, the security program should explicitly address developer credential exposure — including secrets management, repository scanning for exposed tokens, and a policy on approved extension sources. Assessors asking about this in 2026 are not looking for a specific product; they are looking for evidence that the company has thought through the full credential lifecycle, not just the login event.
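The following is an added example of what "testable controls" can look like in code, not a tool from the original article or from any vendor it names: it evaluates constructed session records against a per-account-type token lifetime (no exemptions for service or admin accounts) and flags concurrent sessions for one user from different countries within a short window. The policy values, log format and sample lines are assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy: maximum token age by account type. Service and admin
# accounts get the shortest lifetimes; no account type is exempt.
MAX_LIFETIME = {
    "user": timedelta(hours=8),
    "admin": timedelta(hours=1),
    "service": timedelta(minutes=15),
}
CONCURRENT_WINDOW = timedelta(minutes=30)   # assumed window for "concurrent"

def parse_session(line: str) -> dict:
    """Parse one constructed session observation of the form
    'seen=<ts> issued=<ts> user=<id> type=<acct type> token=<id> country=<CC>'."""
    rec = dict(part.split("=", 1) for part in line.split())
    for key in ("seen", "issued"):
        rec[key] = datetime.strptime(rec[key], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def evaluate(lines):
    """Return (revoke, anomalies): tokens whose age exceeds the lifetime for
    their account type, and (user, token_a, token_b) triples where one user
    holds two different tokens seen from different countries within the window."""
    records = [parse_session(l) for l in lines if l.strip()]
    revoke = [r["token"] for r in records
              if r["seen"] - r["issued"] > MAX_LIFETIME[r["type"]]]
    by_user = {}
    for r in records:
        by_user.setdefault(r["user"], []).append(r)
    anomalies = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["seen"])
        for i, a in enumerate(recs):
            for b in recs[i + 1:]:
                if b["seen"] - a["seen"] > CONCURRENT_WINDOW:
                    break               # records are sorted; later ones are further away
                if a["token"] != b["token"] and a["country"] != b["country"]:
                    anomalies.append((user, a["token"], b["token"]))
    return revoke, anomalies

# Constructed sample observations (not real telemetry).
SAMPLE_LOG = [
    "seen=2026-03-09T10:30:00Z issued=2026-03-09T02:00:00Z user=alice type=user token=tA country=DE",
    "seen=2026-03-09T10:00:00Z issued=2026-03-09T09:50:00Z user=bob type=admin token=tB country=DE",
    "seen=2026-03-09T10:10:00Z issued=2026-03-09T10:05:00Z user=bob type=admin token=tC country=BR",
    "seen=2026-03-09T09:10:00Z issued=2026-03-09T09:00:00Z user=svc-deploy type=service token=tD country=US",
    "seen=2026-03-09T09:20:00Z issued=2026-03-09T09:00:00Z user=svc-deploy type=service token=tE country=US",
]
```

Here `tA` is an 8.5-hour user token and `tE` a 20-minute service token, both past their limit, while `bob` appears on two admin tokens from DE and BR ten minutes apart.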

Sources: Microsoft Security Blog — Storm-2561 Uses SEO Poisoning to Distribute Fake VPN Clients for Credential Theft · The Hacker News — GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers · Cloudflare — 2026 Threat Intelligence Report: Nation-State Actors and Cybercriminals Shift from ‘Breaking In’ to ‘Logging In’ · The Register — Credential-stealing crew spoofs Ivanti, Fortinet, Cisco VPNs

THREAT INTELLIGENCE Briana Benge

Why 2025 Became the Year Vendor Risk Became Everyone’s Problem

A single misconfigured OAuth integration triggered a cascade of breaches across 200+ companies. 2025 proved that your security posture is only as strong as the vendors you trust.

For years, third-party risk management lived in the compliance department — a checkbox on the annual audit, a stack of PDF questionnaires filed and forgotten. Then 2025 happened. In November, the Salesforce ecosystem saw one of the most consequential supply-chain breaches on record: hackers linked to the ShinyHunters group exploited Gainsight OAuth integrations to access data across more than 200 companies. The incident sent shockwaves through procurement teams at enterprises everywhere.

It was not an isolated event. Throughout 2025, the pattern repeated with disquieting consistency. Coinbase faced a major extortion attempt traced to overseas support contractors. Marks & Spencer’s operations were severely disrupted by a ransomware attack tied to IT outsourcing. The UK retail siege that followed implicated a web of third-party dependencies that most of the affected brands had never fully mapped. Cybercriminals had stopped targeting the castle walls and started targeting the gates that trusted vendors hold open.

According to Verizon’s 2025 Data Breach Investigations Report, 30% of all breaches involved a third-party access vector — double the share recorded just one year earlier.

Enterprise procurement teams are drawing direct lessons from these incidents. According to research by Optiv, 67% of organizations now require vendors to demonstrate cybersecurity readiness through formal certifications before a business engagement begins. The shift is behavioral, not bureaucratic — buyers watched companies they trusted get compromised through their own vendor stack, and they are now scrutinizing yours.

For SaaS founders and growing technology companies, this creates a concrete challenge: the security questionnaire you receive from a prospective enterprise customer is no longer a formality. It reflects a procurement team that has been burned. When they ask whether you have a vendor management policy, documented access controls, or an incident response plan, they are asking because companies just like them discovered — too late — that their vendors had none of these things.

The practical implication is straightforward. If your company lacks formal documentation of how you manage third-party access, how you respond to incidents, and how you control which vendors can touch customer data, you are already behind the baseline that enterprise buyers now expect. The breach landscape of 2025 has raised the floor on what “prepared” looks like — and the companies that close those gaps first will win deals that others will lose.

Sources: Infosecurity Magazine — Top 10 Cyber-Attacks of 2025 · CSIS Significant Cyber Incidents · Optiv TPRM Governance Trends 2025 · Secureframe Third-Party Risk Statistics 2025

COMPLIANCE Briana Benge

The SOC 2 Demand Signal Is No Longer Optional

Enterprise security reviews have quietly shifted from “nice to have” documentation checks to deal-blocking requirements. Here’s what’s driving the change — and what it costs companies that aren’t ready.

In early 2025, a breach at SitusAMC — a financial services and technology provider — ultimately affected several large institutions including JPMorgan Chase, Citi, and Morgan Stanley. The attackers did not breach those banks directly. They compromised a trusted vendor and used that access as a path into well-protected downstream environments. The banks’ own security controls were strong. Their vendor’s were not. The incident cost far more than the breach itself; it cost those financial institutions credibility with regulators who immediately asked one question: how did you vet this vendor?

That question is now being asked in every enterprise sales process. When a growing SaaS company tries to close a deal with a company that has experienced — or closely watched — a vendor-sourced breach, the security review is no longer a late-stage formality. It is an early-stage qualification. Deals are being stalled and lost not because the product is wrong, but because the vendor cannot answer basic questions about how they protect customer data.

Vanta’s 2025 State of Trust report, which surveyed more than 2,500 IT and business leaders, found that 46% had already experienced a data breach traced back to a vendor after the partnership began.

The gap is rarely technical. The SaaS companies that fail enterprise security reviews are not usually running insecure systems. They are running systems without the paper trail that enterprise security teams need to check their own boxes. A SOC 2 audit requires evidence that controls exist and operate over time — not just that someone intended to implement them. An Information Security Policy needs to exist as a document, reviewed and approved, before an enterprise buyer will accept it. An Incident Response Plan needs to be written down and tested, not just understood informally by the engineering team that would handle a breach if one occurred.

This is the practical problem: enterprise buyers are working from standardized questionnaires that ask for documentation. When a startup answers “we do this informally” or “our team knows how to handle this,” the reviewer marks the control as absent. From the buyer’s perspective, if it is not documented, it does not exist. The cost of that failure is not just one lost deal — it is a deferred enterprise motion that can set a company back by months or years at a critical growth stage.

The encouraging part is that the gap is closeable. Companies that have solid practices but poor documentation can often get their security posture into enterprise-ready shape in a matter of weeks. The key is knowing exactly which controls are being evaluated, which frameworks enterprise buyers reference most, and which documentation gaps are most likely to be deal-blockers. That intelligence, applied quickly and systematically, is the difference between passing a security review and failing one.

Sources: Kybersecure — Biggest Cybersecurity Breaches of 2025 · CM Alliance TPRM Tools 2026 Guide · TrustCloud TPRM Trends & Technology · Vanta 2025 State of Trust

PRIVACY & REGULATION Briana Benge

Credential Theft, Misconfigured Analytics, and the Cost of Invisible Exposure

Not every breach starts with a sophisticated attack. Two of 2025’s most consequential incidents traced back to basic credential hygiene and a poorly configured analytics tag. The patterns are a warning for any company that handles personal data.

In mid-2025, researchers uncovered 30 exposed datasets containing more than 16 billion login credentials — passwords for Google, Apple, Facebook, Telegram, GitHub, and government services. No single organization had been breached in a novel way. The dataset was an aggregation of credentials stolen by infostealer malware and earlier breaches, hosted openly online long enough to become what analysts called a “credential buffet” for attackers. The implication was stark: an employee reusing a compromised password from a personal account could become the entry point into your company’s production environment.

Separately, Blue Shield of California’s 2025 breach affecting approximately 4.7 million customers did not involve a sophisticated attacker at all. It stemmed from a Google Analytics misconfiguration — an improperly configured GA4 tracking script that had been quietly transmitting customer data, including names, email addresses, and partial policy numbers, to third-party analytics endpoints. No threat actor was linked to the incident. The company’s own tracking infrastructure had become the data exposure.

Both incidents highlight failure modes that are invisible until they are not. Credential hygiene failures accumulate quietly — there is no alert when an employee’s personal password manager is compromised. Analytics misconfigurations are often introduced by marketing teams working outside the security function’s visibility. In both cases, by the time the exposure becomes apparent, the data has already left the building.

For technology companies preparing for enterprise security reviews or SOC 2 assessments, these incidents point to specific control gaps that auditors and enterprise buyers are increasingly probing. Multi-factor authentication and password policies are no longer aspirational — they are table stakes, evaluated on every security questionnaire. Data minimization practices, including what your analytics and tracking infrastructure actually collects and where it sends data, are becoming a standard component of privacy reviews under frameworks like GDPR and state-level privacy regulations in the United States.

The common thread across both patterns is visibility. Companies that understand what data they hold, where it goes, and who can access it with what credentials are the companies that can answer enterprise security questionnaires with confidence. Those without that visibility — even if their core product is well-engineered — will find the documentation gaps expose them to exactly the kind of scrutiny they most need to avoid.

Sources: Guardz — Top Data Breaches of 2025 · CM Alliance Biggest Cyber Attacks of 2025 · Cybersecurity Ventures 2025 Almanac · PKWARE Data Breaches 2025
