The cyber attacks allegedly targeted MPs from several parties. — © AFP/File ADEK BERRY
AI-driven cyberattacks are rapidly reshaping the managed service provider (MSP) threat landscape, according to a new. PMM State of Threat Report 2026 issued by the Guardz firm. Non-human identities now outnumber human users 25:1 as attacks accelerate across identity, email and cloud environments.
Research shows session hijacking increases by 23%, ransomware by up to 190%, and non-human identities outnumbering users 25:1 as AI accelerates attacks across identity, email and cloud environments.
of the report highlights a growing shift towards identity-based attacks at scale. Nearly 1 in 3 login attempts is unauthorized, 89% of SMBs have at least one compromised credential, and session hijacking incidents have increased by nearly 23%. Attackers are moving away from traditional malware and instead “breaking in” to operate undetected.
Artificial intelligence is rapidly reshaping the threat landscape as it exposes persistent gaps in identity, authentication, endpoint and cloud security. The findings point to a growing imbalance between the speed at which threats are evolving and the ways security operations are structured to respond, particularly for security tools that still rely on manual processes and lack agent workflows to automate triage, enrichment and remediation.
However, while the report shows that while AI has dramatically increased the speed and scale of cyberattacks, the fundamental points of compromise remain unchanged.
Types of attacks
In other words, attackers are exploiting the same vulnerabilities more efficiently, especially in misconfigured identity systems, authentication flows, and cloud environments.
The main types of attacks are:
- Pervasive identity compromise: 89% of monitored SMBs had at least one user with compromised confirmed credentials at any time, with nearly a third of users (31%) exposed to compromised passwords every month
- Hijacking the rising session: Session hijacking incidents increased by 23% over a 180-day period, emerging as the fastest growing attack vector and enabling attackers to completely bypass MFA
- Non-human identities expand the attack surface: Machine identities now outnumber human users by 25:1 in Microsoft 365 environments, creating a largely unmonitored and high-risk entry point for attackers
- Ransomware and fileless attacks are on the rise: Ransomware behavior detections increased by 190% over a 50-day window as attackers increasingly shifted from traditional malware to “living off the ground” techniques.
- BEC losses escalate dramatically: Confirmed incidents of business email compromise (BEC) ranged from $140,000 to $1.5 million, a significant increase from the average of around $40,000 seen in early 2025
The overall threat is particularly acute for MSPs because the attack surface multiplies across every customer they manage. The report found that abuse of RMM tools was the single largest endpoint threat campaign, accounting for 26% of all detections.
Tools including ScreenConnect, AteraAgent, and MeshAgent were observed being set up for persistent unauthorized access. A single compromised MSP tool does not impact a business; it opens a direct path to each client in their portfolio.
The report highlights a critical shift in attacker behavior: Instead of expanding their reach, threat actors are increasingly deepening access within compromised accounts. This is reflected in the rise of session-based attacks, OAuth abuse, and post-authentication persistence techniques that circumvent traditional defenses. At the same time, the adoption of AI by defenders is becoming essential to keep pace.
Therefore, as a counterbalance, AI-driven detection and response systems can significantly improve speed and accuracy, enabling security teams to classify, investigate and respond to threats at scale.
