MSSP, MSP, Identity, Supply chain, Phishing, SSO/MFA, SOC

MSP Security Risks Rise as Attackers Target Identity and Trusted Tools

COMMENTARY: Trust is now part of the attack surface. MSPs have deep access to customer systems, tools, and credentials, which makes them attractive targets for attackers who want to hit many environments through one provider. Identity abuse, compromised software updates, and infostealers are giving attackers more ways to get into customer environments. For MSPs, that means stronger access controls, better checks around the tools they use, clearer endpoint visibility and faster response all matter more than ever. An MSP’s own security maturity now affects customer risk. Providers that still treat security as something reactive will have a harder time protecting clients and maintaining trust.


Managed service providers (MSPs) have always relied on trust, but in the modern cybersecurity landscape, that trust is being exploited. As the gatekeepers to hundreds of networks, MSPs are a prime target for cybercriminals.

Recent data from the Barracuda SOC Threat Radar shows a troubling shift: attackers are moving away from simple “smash-and-grab” tactics toward more advanced, identity-focused, and supply-chain-based strategies designed to bypass traditional defenses.

For the modern MSP, good-enough security is now a significant liability. Protecting a client base in this hostile landscape requires more than just managing tickets; it demands fundamental hardening of the digital infrastructure that connects providers to their customers.

The Identity Crisis: Going Beyond Basic Credentials

Identity-based threats have evolved beyond stolen passwords and now incorporate sophisticated engineering techniques. In February 2026, Barracuda researchers observed that approximately 1 in 16 suspicious logins originated from Romania, one data point in a trend of recent years: identity-based attacks continue to gain momentum in the threat landscape.

These attackers aren’t just guessing passwords. They’re utilizing “phishing kits 2.0” and polymorphic tactics to bypass multifactor authentication (MFA). Through MFA relay attacks (adversary-in-the-middle), criminals can sit between a user and a legitimate login page, capturing session cookies in real time to gain access without ever needing to crack a token.

To counter this, MSPs must move beyond standard push notifications. Implementing phishing-resistant MFA, such as Fast Identity Online 2 (FIDO2) security keys or biometric authentication, is becoming an operational mandate. Organizations must enforce geo-blocking and conditional access policies to automatically restrict logins from unexpected regions, effectively neutralizing the risk of global credential abuse.

Weaponizing the Tools of the Trade

One of the most alarming trends in 2026 is the rising abuse of legitimate update mechanisms. Attackers recently compromised the update infrastructure for Notepad++, a common tool in many MSP environments. By redirecting selective targets to a malicious installer, they delivered a custom espionage backdoor known as Chrysalis.

This represents a direct assault on the software supply chain. When a trusted update channel is weaponized, traditional signature-based defenses often fail to flag the installer as malicious. For an MSP, a single compromised tool on a technician’s workstation may serve as the initial access vector for an attacker, subsequently facilitating lateral movement and execution of their objectives across the entire managed portfolio.

Hardening the supply chain requires strict control over how third-party software is installed and updated. MSPs must ensure all downloads originate from approved domains and consider temporarily disabling automated “check for update” functions in favor of manual, verified downloads for mission-critical utilities.
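One way to enforce the two controls above (approved download hosts, and manual downloads checked against a vendor-published digest) as an added example that is not code from this article, from Barracuda or from the Notepad++ project. The allowlist entries, the tool key and the digest handling are constructed assumptions; an MSP would maintain its own list and take the digest from the vendor's release notes or signed manifest, fetched separately from the binary.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Per-tool download allowlist. Constructed example values: an MSP maintains its own
# list of the exact hosts each approved utility may be fetched from.
ALLOWED_HOSTS = {
    "notepad++": {"notepad-plus-plus.org"},
}

def source_approved(tool: str, url: str) -> bool:
    """True only for HTTPS URLs whose host is on (or a subdomain of) the tool's allowlist."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    # Match on a label boundary, never a substring, so a look-alike such as
    # notepad-plus-plus.org.example.test does not pass.
    return any(host == ok or host.endswith("." + ok) for ok in ALLOWED_HOSTS.get(tool, ()))

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_installer(tool: str, url: str, data: bytes, published_sha256: str) -> tuple[bool, str]:
    """Gate an installer on its origin and on the digest the vendor published out of band.

    published_sha256 must come from the vendor's release notes or signed manifest,
    not from the same page the binary was downloaded from.
    """
    if not source_approved(tool, url):
        return False, f"{url} is not an approved download source for {tool}"
    actual = sha256_bytes(data)
    if not hmac.compare_digest(actual, published_sha256.strip().lower()):
        return False, f"digest mismatch: got {actual[:12]}..., expected {published_sha256[:12]}..."
    return True, "approved source and digest matches the published release"

if __name__ == "__main__":
    import sys
    from pathlib import Path
    tool, url, path, digest = sys.argv[1:5]
    ok, why = verify_installer(tool, url, Path(path).read_bytes(), digest)
    print("OK" if ok else "REJECT", why)
    sys.exit(0 if ok else 1)
```

A redirected download, like the one described for the Notepad++ incident, fails either the host check or the digest check, so the installer never reaches the technician's workstation unverified.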

The PDF Trap and the Rise of Infostealers

While identity and supply chains remain the main targets, malware delivery techniques are becoming more inventive. Barracuda reported in its threat report that its SOC has stopped several campaigns using weaponized PDFs (i.e., toxic PDFs) to spread information-stealing malware, such as TamperedChef and Santa Stealer.

These infostealers are designed to harvest credentials, web cookies, and even cryptocurrency wallet data. Often distributed through fraudulent websites promoted via Google advertising, these attacks lure users into downloading free PDF editors that are secretly loaded with malware.

Santa Stealer is particularly dangerous because it operates entirely in memory to evade detection. Once inside, these stealers provide initial access brokers with the data they need to sell network entry to ransomware gangs. This underscores the need for robust endpoint security that can detect and block malware in real-time, coupled with advanced email security to stop these lures before they reach the inbox.

Building a Resilient Managed Defense

The sophistication of 2026’s threat landscape means that traditional monitoring is no longer a viable strategy for MSPs. The sheer volume and velocity of AI-driven attacks require an automated, multilayered response.

This is where managed XDR (extended detection and response) becomes a competitive differentiator. By combining real-time threat intelligence with a 24/7/365 SOC, MSPs can bridge the gap between detection and remediation. A modern security posture doesn’t just look for known bad files; it monitors for anomalous behavior – such as a login at 3 a.m. from a restricted country – and intervenes before the attacker can move laterally.
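The conditional-access and behavior-monitoring ideas from the identity section and the paragraph above, worked through in code as an added example that is not from this article or from Barracuda. The policy values (a single allowed country, a UTC business-hours window, which factor names count as phishing-resistant) and the sign-in events are constructed assumptions; a real deployment reads them from the identity provider's sign-in logs and policy.

```python
from dataclasses import dataclass
from datetime import datetime

# Factors an adversary-in-the-middle kit cannot relay (assumed IdP factor labels).
PHISHING_RESISTANT = {"fido2", "passkey", "certificate"}

@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset        # where this tenant's staff normally sign in from
    business_hours: tuple = (7, 20)     # [start, end) in UTC hours

@dataclass(frozen=True)
class SignIn:
    user: str
    country: str        # ISO code from IP geolocation
    when: datetime      # UTC timestamp
    mfa: str            # factor used: "push", "sms", "fido2", ...

def make_event(user: str, country: str, iso_utc: str, mfa: str) -> SignIn:
    return SignIn(user, country, datetime.fromisoformat(iso_utc), mfa)

def evaluate(e: SignIn, p: Policy) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is "allow", "step_up" or "block"."""
    geo_ok = e.country in p.allowed_countries
    hours_ok = p.business_hours[0] <= e.when.hour < p.business_hours[1]
    strong_mfa = e.mfa in PHISHING_RESISTANT
    reasons = []
    if not geo_ok:
        reasons.append(f"sign-in from unexpected country {e.country}")
    if not hours_ok:
        reasons.append(f"sign-in outside business hours at {e.when:%H:%M} UTC")
    if not strong_mfa:
        reasons.append(f"factor '{e.mfa}' can be relayed by an AiTM phishing kit")
    if not geo_ok and not strong_mfa:
        return "block", reasons      # geo-blocking: unexpected region plus a relayable factor
    if not geo_ok or (not hours_ok and not strong_mfa):
        return "step_up", reasons    # demand a phishing-resistant factor before granting
    return "allow", reasons          # any reasons still go to the SOC as audit notes

def triage(events, policy) -> dict[str, str]:
    return {e.user: evaluate(e, policy)[0] for e in events}

# Constructed sample events for a tenant whose staff normally sign in from the US.
TENANT = Policy(allowed_countries=frozenset({"US"}))
SAMPLE_EVENTS = [
    make_event("alice", "US", "2026-02-10T14:05:00", "fido2"),
    make_event("bob",   "RO", "2026-02-10T03:12:00", "push"),
    make_event("carol", "RO", "2026-02-10T10:30:00", "fido2"),
    make_event("dave",  "US", "2026-02-10T03:40:00", "push"),
]
```

The 3 a.m. push-notification sign-in from an unexpected country ("bob") is blocked outright, while an off-hours sign-in that already used a FIDO2 key is allowed but still logged with its reason.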

Ultimately, the goal for any MSP in 2026 is to shift from a reactive break-fix security approach to a proactive, evidence-based accountability strategy. By deploying AI-driven cybersecurity solutions to detect and respond to complex and rapidly evolving threats, enforcing strict access controls, and employing continuous monitoring, MSPs don’t just protect their clients – they become strategic advisors who ensure business continuity in an era of digital volatility.

MSPs that modernize their security stack today will not only survive the current wave of identity and supply chain attacks but will also emerge as the most trusted partners in the digital economy.


MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff.