Sophos 2026 Active Adversary Report — identity the dominant intrusion root cause; Impacket and AnyDesk most-observed post-exploitation [SINGLE-SOURCE]
From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08
Published 2 June (Sophos X-Ops; drawing on 661 IR/MDR cases; daily 2026-06-03). The findings that directly shift defender priorities: identity-based compromise — stolen/valid credentials, brute force, phishing — is the leading intrusion root cause, with missing or misconfigured MFA present in a majority of incidents. Time from initial access to Active Directory compromise has compressed materially. Impacket is among the most frequently observed post-exploitation toolkits; AnyDesk is the most-abused legitimate remote-access tool, consistent with this week's Luna Moth tradecraft.

The recurring telemetry blind spots are the load-bearing findings: firewall logs were missing in roughly half of ransomware cases, and a meaningful share of compromised Windows Servers were running end-of-life builds.

Practical hunt targets: alert on Impacket artefacts (impacket-named tool processes, secretsdump-style NTDS access, SMBExec/WMIExec parent processes); instrument the initial-access-to-DC-compromise window; inventory EOL Windows Servers; verify firewall log retention is complete before an incident, not during one.

This is a single-vendor IR report; treat findings as directionally correct rather than statistically definitive without independent corroboration. [SINGLE-SOURCE]
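A minimal hunt over process-creation telemetry for the Impacket artefacts listed above, added here as an illustration and not taken from the Sophos report or the brief. The sample records are constructed, and the parent/child and admin-share output-redirect patterns are my assumptions about default SMBExec/WMIExec behaviour; tune them against your own telemetry.

```python
import re

def ev(ts, host, parent, image, cmdline):
    """Build a constructed Sysmon-style process-creation record (not real telemetry)."""
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}

SAMPLE_EVENTS = [
    ev("2026-06-03T02:14:07Z", "DC01", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
       r"C:\Windows\System32\cmd.exe", r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1749000000.12 2>&1"),
    ev("2026-06-03T02:15:30Z", "FS02", r"C:\Windows\System32\services.exe",
       r"C:\Windows\System32\cmd.exe", r"cmd.exe /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat"),
    ev("2026-06-03T02:20:01Z", "DC01", r"C:\Windows\System32\cmd.exe",
       r"C:\Windows\System32\cmd.exe", r"cmd.exe /c copy C:\Windows\NTDS\ntds.dit C:\temp\n.dit"),
    ev("2026-06-03T02:31:44Z", "JMP01", r"C:\Windows\System32\cmd.exe",
       r"C:\Python312\python.exe", r"python.exe secretsdump.py <target>"),
    ev("2026-06-03T09:00:00Z", "WS17", r"C:\Windows\explorer.exe",
       r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir"),
]

# Assumed default: both SMBExec and WMIExec capture command output by redirecting it to a
# file named "__<something>" on a local admin share (ADMIN$ or C$) via 127.0.0.1.
ADMIN_SHARE_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\(ADMIN|C)\$\\__", re.IGNORECASE)

def _is(path, name):
    return path.lower().endswith(name)

# Rule set mirroring the brief's hunt targets: (tag, predicate over one event).
RULES = [
    ("impacket_named_process",
     lambda e: re.search(r"impacket|secretsdump|smbexec|wmiexec", e["image"] + " " + e["cmdline"], re.I) is not None),
    ("ntds_access",
     lambda e: re.search(r"ntds\.dit|ntdsutil", e["cmdline"], re.I) is not None),
    ("wmiexec_parent",  # WMI provider host spawning cmd.exe that writes output to an admin share
     lambda e: _is(e["parent"], "wmiprvse.exe") and _is(e["image"], "cmd.exe") and ADMIN_SHARE_REDIRECT.search(e["cmdline"]) is not None),
    ("smbexec_parent",  # Service Control Manager spawning cmd.exe with the same redirect pattern
     lambda e: _is(e["parent"], "services.exe") and _is(e["image"], "cmd.exe") and ADMIN_SHARE_REDIRECT.search(e["cmdline"]) is not None),
]

def classify(event):
    """Return the rule tags one event triggers; an empty list means no rule matched."""
    return [tag for tag, hit in RULES if hit(event)]

def hunt(events):
    """Run every rule over the events; returns (ts, host, tags) per hit, oldest first."""
    hits = [(e["ts"], e["host"], classify(e)) for e in events]
    return sorted(h for h in hits if h[2])

if __name__ == "__main__":
    for ts, host, tags in hunt(SAMPLE_EVENTS):
        print(ts, host, ",".join(tags))
```

Feed `hunt()` real Sysmon Event ID 1 records mapped to the same five fields; the rules are deliberately narrow, so a hit on a domain controller warrants immediate triage rather than suppression.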