When the Front Door Is the Vulnerability: What SSL VPN Attacks Mean for Your Business

Cyber threats don't always start with a sophisticated hack. Increasingly, attackers are simply walking in through the front door — using stolen credentials to log into your network through the same remote access tools your employees use every day.

Our security partner, Blackpoint Cyber, recently published an important research article titled "Seeing Through the Tunnel: Leveraging SIEM Detections to Expose Malicious SSL VPN Authentications" by analysts Caden Toellner and Nevan Beal. The findings are a clear signal that businesses of all sizes need to take a hard look at how their remote access is secured and monitored. Here is what the research found, and what it means for you.


The Attack Pattern: A Stolen Key, Not a Broken Lock

SSL VPN (Secure Sockets Layer Virtual Private Network) technology allows employees to connect to a company's internal network remotely — from home, a hotel, or anywhere with an internet connection. It is a legitimate, widely used business tool.

The problem is that attackers have figured out they do not need to break through your firewall. They just need a stolen username and password. Blackpoint's Security Operations Center (SOC) is seeing a sharp and sustained increase in attackers targeting businesses through SSL VPN as their primary way in. In many cases, the login itself looks completely normal. The attacker authenticates as a known employee, and the system lets them in.

What happens next is where things move fast.


Seven Minutes: The Window That Defines the Outcome

In a real incident investigated by Blackpoint's SOC, analysts detected a compromised user account logging into a client's network through a SonicWall SSL VPN. The login was routed through a Virtual Private Server (VPS) hosted by Vultr, a commercial cloud provider — a technique attackers use to make their traffic appear as though it is coming from a domestic location rather than a foreign one, making it harder to flag as suspicious.

Within seven minutes of that first login, the attacker had already begun scanning the internal network and moving toward high-value systems — file servers, the Hyper-V host, and the Domain Controller.

Seven minutes. That is the entire window between an attacker authenticating and actively working to compromise your most critical infrastructure.

This is why traditional detection methods often fall short. By the time an alert is triggered based on unusual internal activity, the attacker may already be deep inside the network.


Stolen Credentials Do Not Expire

One of the more troubling findings from Blackpoint's research involves what happens after the initial intrusion is contained. Stolen credentials do not simply disappear once an incident is resolved. They circulate, get reused, and become a persistent liability.

In the same client environment, a second intrusion occurred thirteen days later — this time through a different compromised user account, originating from a similar attacker-controlled network. This was not a coincidence. It was a deliberate follow-on attempt by the same threat actor.

Blackpoint's SIEM detected the suspicious authentication before the intrusion could take hold, and the environment was contained once again. But the lesson is clear: resolving a single compromised account is not the end of the threat. Once a credential-based attack targets your organization, the window of exposure stays open until every affected identity has been identified and secured.


The Double Extortion Threat

When attackers gain this level of access, their endgame is rarely just locking up your data. Blackpoint's research points to a two-stage threat increasingly common in these types of intrusions: double extortion.

First, attackers quietly steal sensitive business data — client records, financial files, employee information. Then they encrypt your systems, bringing operations to a halt. The leverage of a potential data leak is used alongside the ransom demand, compounding the financial and reputational pressure on the business.

This pattern means that even if you have reliable data backups, you are not fully protected. The stolen data can still be published or sold if demands are not met.


What Blackpoint Is Doing About It

In response to this growing threat, Blackpoint has expanded its platform to ingest SSL VPN authentication logs — including from SonicWall devices — directly into its SIEM (Security Information and Event Management) system. This gives Blackpoint's SOC analysts real-time visibility into authentication activity the moment it happens, not after the attacker has already moved laterally through the network.

In both incidents described in their research, the environments were fully contained with no impact beyond the initially compromised accounts — a direct result of detecting the threat at the authentication layer before it could escalate.


What Your Business Should Be Doing

Blackpoint's research outlines several practical steps businesses should take to reduce their exposure. Here is what those recommendations mean in plain terms:

Treat VPN access as a critical security boundary. Remote access is not a convenience feature — it is one of the most targeted entry points in your entire network. It deserves the same level of investment and oversight as your most sensitive internal systems.

Operate as though credentials will eventually be compromised. No password policy is perfect. Assume that at some point, an employee's credentials will be stolen through phishing, a data breach, or a malware infection. The goal is to make sure your systems catch misuse the moment it happens, not weeks later.

Do not wait for internal alerts to trigger a response. If your security tools only alert you after an attacker has already started moving through the network, you are already behind. Detection needs to happen at the point of entry — the login itself.

Enrich your login data with context. A login from an unusual IP address, a known malicious hosting provider, or an unexpected geography should raise immediate flags. Raw authentication logs alone are not enough; that data needs to be cross-referenced against threat intelligence to be actionable.

Audit who has VPN access — and remove what is not needed. Former employees, dormant service accounts, and over-permissioned users are easy targets. Regular access reviews reduce the attack surface before an attacker can exploit it.
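To make the enrichment and follow-on correlation in these recommendations concrete, here is an added example (not Blackpoint's detection logic and not SonicWall's log format): it reads constructed VPN authentication events in a made-up format, uses a stand-in hosting-provider range list and geo table in place of real ASN and geo-IP feeds, and treats the 30-day follow-on window as an assumed parameter.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample VPN authentication events in a simplified made-up format
# (not SonicWall's real syslog syntax): timestamp|user|source_ip|result
VPN_LOG = """\
2025-05-01T07:58:00|jsmith|203.0.113.45|failure
2025-05-01T08:02:11|jsmith|203.0.113.45|success
2025-05-01T08:09:30|jsmith|203.0.113.45|success
2025-05-14T09:15:00|bchen|198.51.100.12|success
2025-05-14T13:40:05|arodriguez|203.0.113.77|success
2025-05-20T02:00:00|dlee|192.0.2.9|success
"""
# Constructed context tables standing in for ASN and geo-IP feeds: 203.0.113.0/24
# plays a commercial VPS provider, 198.51.100.0/24 the company's home ISP space.
HOSTING_RANGES = {"203.0.113.0/24": "example-vps-provider"}
GEO = {"203.0.113.0/24": "US", "198.51.100.0/24": "US", "192.0.2.0/24": "NL"}
EXPECTED_COUNTRY = "US"

def lookup(ip, table):
    addr = ipaddress.ip_address(ip)  # value for the first CIDR containing ip, else None
    return next((v for cidr, v in table.items() if addr in ipaddress.ip_network(cidr)), None)

def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, ip, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "result": result})
    return sorted(events, key=lambda e: e["ts"])

def detect(events, lookback_days=30):
    """Flag risky successful logins and link later ones from the same provider across accounts."""
    findings, first_seen = [], {}  # first_seen: provider -> (ts, user) of the first flagged login
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts are handled by a separate lockout/spray rule, not here
        provider, country = lookup(e["ip"], HOSTING_RANGES), lookup(e["ip"], GEO)
        reasons = [f"login from hosting provider {provider}"] if provider else []
        if country != EXPECTED_COUNTRY:
            reasons.append(f"unexpected country {country}")
        if not reasons:
            continue  # ordinary login from expected ISP space and geography
        if provider and provider not in first_seen:
            first_seen[provider] = (e["ts"], e["user"])
        elif provider:  # same attacker-controlled network seen before, possibly a different account
            prev_ts, prev_user = first_seen[provider]
            if prev_user != e["user"] and e["ts"] - prev_ts <= timedelta(days=lookback_days):
                reasons.append(f"follow-on: same network as {prev_user} on {prev_ts.date()}")
        findings.append({"ts": e["ts"], "user": e["user"], "ip": e["ip"], "reasons": reasons})
    return findings
```

Run on the sample, the two jsmith logins and the arodriguez login are flagged for the hosting range, the arodriguez login is additionally tied to jsmith's as a follow-on thirteen days later, and the dlee login is flagged for geography alone.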


Talk to Core Integrated Technologies About Your VPN Security Posture

The incidents in Blackpoint's research did not result in ransomware or data loss — because the right detection capabilities were in place at the right time. That outcome is not guaranteed without proper monitoring and response.

If you are unsure whether your SSL VPN is being actively monitored, or whether your organization would be able to detect and contain a credential-based intrusion within a seven-minute window, that is a conversation worth having now.

Core Integrated Technologies partners with Blackpoint Cyber to deliver managed detection and response services built around exactly this kind of real-world threat intelligence. We help businesses in Jamestown and across Tennessee understand where their exposure lies and put the right protections in place before an incident occurs.

Contact Core Integrated Technologies today to discuss your VPN security posture and find out what an attacker could do with access to your network right now.


This post is based on original research published by Blackpoint Cyber on June 9, 2026. Read the full article: "Seeing Through the Tunnel: Leveraging SIEM Detections to Expose Malicious SSL VPN Authentications" by Caden Toellner and Nevan Beal.