ctipilot.ch

Mandiant M-Trends 2026 — Annual Threat Intelligence Report

annual-report · annual-report:mtrends-2026

Coverage timeline: 2 appearances (first 2026-05-07 → last 2026-05-10)
Briefs: 2 (2 distinct)
Sources cited: 36 (19 hosts)
Sections touched: 2 (research, weekly_summary)
Co-occurring entities: 3

Story timeline

  1. 2026-05-10: CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
    weekly_summary: Consolidated in weekly summary for week 2026-W19
  2. 2026-05-07: CTI Daily Brief — 2026-05-07
    research: First and only treatment. Published 2026-03-23; outside standard recency window; included as first coverage. Key findings: median dwell 14 days; espionage 122-day median; vishing surged to second-most-common initial access vector (11%); prior compromise as ransomware IAV doubled to 30%; edge-device persistence dominant for espionage; zero-day exploitation accelerating.

Where this entity is cited

  • research: 1
  • weekly_summary: 1

Source distribution

  • attack.mitre.org: 10 (28%)
  • cloud.google.com: 8 (22%)
  • bleepingcomputer.com: 2 (6%)
  • careers.ox.ac.uk: 1 (3%)
  • cert.ssi.gouv.fr: 1 (3%)
  • github.com: 1 (3%)
  • helpnetsecurity.com: 1 (3%)
  • horizon3.ai: 1 (3%)
  • other: 11 (31%)

Related entities

Items in briefs about Mandiant M-Trends 2026 — Annual Threat Intelligence Report (1)

Mandiant M-Trends 2026

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

M-Trends 2026 (published 2026-03-23, first covered 2026-05-07) reinforces three cross-cutting trends visible in this week's incidents: voice phishing surged to the second most prevalent initial-access vector at 11% (overtaking email phishing at 6%), driven by IT help-desk impersonation and SaaS OAuth token theft — directly evidenced this week in the ADT vishing → Okta SSO → Salesforce pivot and in MuddyWater's Teams external-access helpdesk pretext (§ 7); ransomware initial access via prior compromise doubled to 30% — implicit in the access-broker / ransomware-affiliate model behind Akira, Embargo, and Qilin's targeting of European victims; and edge-device persistence on VPNs, routers, and network appliances without EDR coverage remains the dominant initial-access technique for state-sponsored espionage — directly mirrored in CL-STA-1132's PAN-OS exploitation and in Ivanti EPMM's named EU victims. The reframe that IOCTA does not give but M-Trends does: median dwell time globally has increased to 14 days (up from 11 in 2024), and espionage-focused intrusions show a 122-day median dwell — i.e. when the Ivanti EPMM and PAN-OS post-compromise hunting horizons land on retrospective log review back to March/April, that horizon is consistent with Mandiant's observed espionage dwell envelope (Google Cloud / Mandiant M-Trends 2026, 2026-03-23; daily 2026-05-07).