
The Attacks Hitting Big Companies Are Now Coming for You

by Levi Durfee

Every year, SentinelOne publishes a threat report. It’s written for enterprise security teams — the kind of people who manage rooms full of servers and speak exclusively in acronyms. Most small business owners would (understandably) never read it.

We did. And there’s a lot in there that matters to you.

The headline finding isn’t about any specific piece of malware or any particular hacker group. It’s simpler than that: attackers have automated their targeting. Techniques that used to require significant time and skill to deploy against a single large target can now be run against thousands of businesses simultaneously — including small ones.

The “we’re too small to be worth targeting” era is over. Here’s what’s replaced it, and what you can do about it.

Hackers Aren’t Breaking In — They’re Logging In

The old image of a hacker frantically typing to breach a firewall is mostly fiction at this point. In 2025, the most common way attackers got into organizations wasn’t through some dramatic exploit. It was by logging in with stolen credentials and blending in like a normal employee.

The report calls this the “Identity Paradox.” Organizations have more data about who’s logging in than ever before — and attackers are still getting through, because a stolen username and password looks identical to a legitimate one.

For small businesses, this plays out in familiar ways. A phishing email tricks an employee into entering their Microsoft 365 or Google Workspace credentials on a fake login page. The attacker logs in, reads emails, accesses shared files, and sometimes sits quietly for weeks before doing anything noticeable.

Multi-factor authentication helps — but it’s not a complete fix. Sophisticated phishing attacks can capture the session cookie your browser stores after you’ve already authenticated, which lets an attacker impersonate you without ever needing your second factor. We saw a real version of this when one of our customers nearly fell for a fake Apple security alert.

What this means for you: Weak or reused passwords are still one of the most common entry points. A good password manager — we use and recommend Keeper — eliminates password reuse across your team and makes strong, unique credentials the default. Pair that with MFA on every account that supports it, and you’ve closed the easiest door attackers walk through.

Your IT Tools Can Be Used Against You

This one surprised us when we saw how widespread it’s become.

Attackers are increasingly using legitimate remote access software — the same tools IT teams use every day — to maintain access after they’ve gotten in. Tools like AnyDesk, ScreenConnect, and even Microsoft’s own Quick Assist have been used to establish persistent footholds that don’t trigger malware alerts, because they aren’t malware. They’re real, signed, trusted applications.

The attack usually starts with a phone call or a Teams message. Someone impersonates IT support, creates a sense of urgency (“your account has been flagged — I need to connect to your machine right now”), and walks an employee through installing a remote access tool. Once that’s done, the attacker has ongoing access to the machine, often configured to survive reboots.

What this means for you: Endpoint protection that monitors behavior — not just known malware signatures — is what catches this kind of activity. SentinelOne, which powers NerdSec’s endpoint protection, is specifically designed to detect when legitimate tools are being used in illegitimate ways. On the human side: train your team to verify any remote access request through a separate channel before granting it. A quick call to IT using a known number goes a long way.
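The behavioural check described above, reduced to its simplest form: look at process-creation events, recognise the remote-access tools the article names, and flag the ones your IT provider did not deploy or that were launched the way an ad-hoc phone-call install would be. This is an added illustration, not NerdSec or SentinelOne code; the event format, hostnames, file paths, command line and the list of approved tools are all constructed assumptions for the example.

```python
"""Flag remote-access tools that appear where your IT team did not put them.

Added illustration; not NerdSec or SentinelOne code. Event records, paths,
the command line and the approved-tool list below are constructed.
"""
from pathlib import PureWindowsPath

# Executable names of the tools the article names. Assumption: extend this
# for whatever tools matter in your own environment.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "quickassist.exe": "Quick Assist",
}

# Assumption: the one tool your IT provider actually deploys. Anything else
# deserves a question, not a convenience.
APPROVED_TOOLS = {"ScreenConnect"}

# Managed installs live under Program Files; an install walked through on a
# phone call usually runs straight from the user's own profile.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")

# Heuristic: command-line fragments that suggest the tool is being set up to
# survive reboots rather than run once.
PERSISTENCE_KEYWORDS = ("install", "start-with", "autostart")


def classify(event):
    """Return a finding dict for a suspicious process-creation event, else None."""
    image = event["image"]
    tool = REMOTE_ACCESS_TOOLS.get(PureWindowsPath(image).name.lower())
    if tool is None:
        return None  # not a remote-access tool we track
    reasons = []
    if tool not in APPROVED_TOOLS:
        reasons.append(f"{tool} is not an approved remote-access tool")
    if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("launched from a user-writable path (not a managed install)")
    cmdline = event.get("cmdline", "").lower()
    if any(keyword in cmdline for keyword in PERSISTENCE_KEYWORDS):
        reasons.append("command line suggests installation or persistence")
    if not reasons:
        return None
    return {"ts": event["ts"], "host": event["host"], "user": event["user"],
            "tool": tool, "parent": event["parent"], "reasons": reasons}


def scan_events(events):
    """Run every event through classify() and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed process-creation events, in the shape an EDR or Sysmon feed
# might give you after normalisation.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T10:02:11", "host": "FRONTDESK-01", "user": "jane",
     "image": r"C:\Users\jane\Downloads\AnyDesk.exe", "parent": "msedge.exe"},
    {"ts": "2025-03-04T10:03:40", "host": "FRONTDESK-01", "user": "jane",
     "image": r"C:\Users\jane\Downloads\AnyDesk.exe", "parent": "AnyDesk.exe",
     # constructed command line; real installer flags differ per tool
     "cmdline": r"C:\Users\jane\Downloads\AnyDesk.exe --install --start-with-win"},
    {"ts": "2025-03-04T10:05:00", "host": "ACCT-02", "user": "SYSTEM",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent": "services.exe"},
    {"ts": "2025-03-04T11:17:29", "host": "ACCT-02", "user": "bob",
     "image": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe",  # constructed path
     "parent": "explorer.exe"},
    {"ts": "2025-03-04T11:20:02", "host": "ACCT-02", "user": "bob",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"{finding['ts']} {finding['host']} {finding['user']} {finding['tool']} "
              f"(parent {finding['parent']}): " + "; ".join(finding["reasons"]))
```

Run as-is it reports the two AnyDesk launches from the Downloads folder (the second with a persistence-style command line) and the unapproved Quick Assist session, while the managed ScreenConnect service and Word stay quiet. The point is the shape of the rule, not the word list: a tool being legitimate says nothing about whether its appearance on this machine, from this path, started by this parent, was expected.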

Patching Is More Urgent Than It Used to Be

The window between a vulnerability being discovered and attackers exploiting it at scale has collapsed. AI-assisted tools now let attackers scan the entire internet and weaponize newly disclosed vulnerabilities within hours of them going public.

That changes the math on patching. A slow update cycle used to be an acceptable risk for many small businesses. That’s no longer the case for anything internet-facing.

The report highlights something we’ve seen ourselves: servers that are fully patched at the operating system level but running outdated third-party software — old plugins, legacy integrations, forgotten web apps — that haven’t been touched in years. Attackers look for exactly these. In one case the report cites, a server running a ten-year-old UI library was breached even though the underlying OS was completely current. We’ve seen the same pattern with WordPress sites, as we wrote about in our malware removal case study.

What this means for you: Keep everything updated — not just Windows or macOS, but plugins, browser extensions, web apps, and any software your business runs that touches the internet. NerdSec’s Network Monitor scans your environment and surfaces devices and services that may be outdated or exposed, so you’re not finding out about a problem after the fact.

Threats Don’t Need to Touch Your Machine to Do Damage

The report tracks over 1,000 fake job applications tied to state-sponsored hackers attempting to get hired at Western tech companies. These aren’t technical exploits — they’re people applying for jobs, passing background checks, and using their legitimate access to steal data.

That’s an extreme example. But the underlying principle shows up at every scale. Most small business breaches don’t start with sophisticated malware. They start with an email, a phone call, or a fake login page. Someone clicks something they shouldn’t. Someone calls the number on a fake security alert. Someone hands over their credentials to what looks like their bank.

Technical controls stop a lot. But they don’t stop someone who’s been convinced to hand over the keys.

This is also where DNS filtering earns its keep. When an employee clicks a phishing link, the first thing that happens is a DNS request — their device asks where that domain lives. A Secure DNS service that recognizes the domain as malicious blocks that request before the page ever loads. No page, no payload, no problem. It’s one of the simplest and highest-leverage protections available, and as we’ve written before, it’s one of the most overlooked by small businesses.
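To make the "no page, no payload" mechanism concrete, here is a toy filtering resolver that consults a blocklist before it would ever look a name up. It is an added illustration, not the code of any real Secure DNS product; the blocklist entries, hostnames and addresses are constructed. It also handles two details a naive string match gets wrong: DNS names are case-insensitive and may end in a trailing dot, and a listed domain should cover every hostname underneath it.

```python
"""Minimal model of a filtering DNS resolver: decide to block before resolving.

Added illustration; not the code of any real Secure DNS service. Blocklist
entries, hostnames and addresses below are constructed.
"""

# Constructed blocklist of registered domains seen serving phishing pages.
BLOCKLIST = {"fake-apple-alert.example", "m365-login-verify.example"}

# Constructed stand-in for a recursive lookup; a real resolver asks upstream.
FAKE_UPSTREAM = {
    "www.nerdsec.example": "203.0.113.20",
    "login.fake-apple-alert.example": "198.51.100.9",
}


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def blocked_by(name, blocklist):
    """Return the blocklist entry that covers `name`, or None.

    A listed domain covers all of its subdomains, because phishing kits are
    usually served from throwaway hostnames under one registered domain.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve(name, blocklist=BLOCKLIST, upstream=FAKE_UPSTREAM):
    """The decision happens before any lookup; a blocked name never gets an address."""
    hit = blocked_by(name, blocklist)
    if hit is not None:
        return {"name": name, "action": "blocked", "matched": hit, "answer": None}
    return {"name": name, "action": "allowed", "matched": None,
            "answer": upstream.get(normalize(name))}


if __name__ == "__main__":
    for query in ("www.nerdsec.example", "LOGIN.fake-apple-alert.example.",
                  "cdn.m365-login-verify.example", "apple.example"):
        print(resolve(query))
```

The upstream table knows an address for the phishing host, yet `resolve()` never returns it, which is exactly the property the paragraph describes: the browser cannot fetch a page from a name it cannot turn into an address. Note also that an unlisted domain such as `apple.example` passes straight through; a blocklist only stops what someone has already identified, which is why it pairs with training rather than replacing it.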

What this means for you: Security awareness for your team is not optional anymore. It doesn’t need to be elaborate — it just needs to be consistent. The customer who called us after nearly falling for the fake Apple alert did the right thing because they’d been trained to pause and verify before acting. That instinct is worth more than almost any technical control. Combine it with Secure DNS and you’ve got both the human and the network layer working together.

Automated Attacks Don’t Clock Out

One of the more sobering sections of the report describes how automation has changed the pace of attacks. In one incident, malware escalated from initial access to full system control in roughly 30 milliseconds. In another, a tool went from download to persistent installation in 49 seconds.

These aren’t windows that leave room for a human to catch and respond in time.

In one case the report describes, an attacker maintained access to a compromised account for 71 days — nearly two and a half months — because their activity was subtle enough to avoid any manual review. The breach was only caught when an automated detection system flagged the pattern.

Human review of logs simply can’t keep up with this volume and pace. That’s not a criticism — it’s just the reality of what automation has done to the threat landscape.

What this means for you: This is why continuous, automated monitoring matters. NerdSec’s logging and monitoring uses AI to analyze activity in real time and surface anomalies — so something that would take a human analyst weeks to notice gets flagged immediately. You don’t need a security operations center. You need a system that’s watching when you’re not.
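The kind of pattern an automated check catches and a person skimming logs does not: learn where each user normally signs in from, then flag successful sign-ins from anywhere else and report how long that unfamiliar origin has been quietly active. This is an added illustration, not NerdSec's monitoring code and not the report's data; the sign-in lines are constructed so that one user carries a low-volume extra origin for 71 days, mirroring the dwell time the article describes. The per-user baseline keyed on country alone is a simplification chosen for brevity.

```python
"""Baseline-and-deviation check over sign-in logs, with dwell time reported.

Added illustration; not NerdSec's monitoring code and not the report's data.
The log lines are constructed: "jane" has a quiet extra sign-in origin that
persists for weeks at a cadence nobody reading logs by hand would notice.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2024-12-02T08:04:10Z user=jane src=203.0.113.10 country=US result=success
2024-12-09T08:11:45Z user=jane src=203.0.113.11 country=US result=success
2024-12-16T09:02:03Z user=bob src=203.0.113.12 country=US result=success
2024-12-20T17:45:00Z user=jane src=203.0.113.10 country=US result=success
2025-01-06T08:03:31Z user=jane src=203.0.113.10 country=US result=success
2025-01-10T03:14:52Z user=jane src=198.51.100.7 country=NL result=success
2025-01-13T08:07:12Z user=bob src=203.0.113.12 country=US result=success
2025-01-24T03:20:18Z user=jane src=198.51.100.7 country=NL result=success
2025-02-07T02:58:40Z user=jane src=198.51.100.7 country=NL result=success
2025-02-11T08:00:59Z user=jane src=203.0.113.11 country=US result=success
2025-02-21T03:05:22Z user=jane src=198.51.100.7 country=NL result=success
2025-03-03T14:22:07Z user=bob src=198.51.100.40 country=BR result=failure
2025-03-07T03:11:09Z user=jane src=198.51.100.7 country=NL result=success
2025-03-22T03:16:44Z user=jane src=198.51.100.7 country=NL result=success
""".splitlines()

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line):
    """'2025-01-10T03:14:52Z user=jane src=... country=NL result=success' -> dict."""
    ts, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.strptime(ts, TIME_FORMAT)
    return record


def build_baseline(records, until):
    """Countries each user signed in from successfully before `until`.

    Country is a coarse key chosen for brevity; a real system would also use
    ASN, device identity and time of day.
    """
    baseline = defaultdict(set)
    for r in records:
        if r["result"] == "success" and r["ts"] < until:
            baseline[r["user"]].add(r["country"])
    return baseline


def find_anomalies(records, baseline, since):
    """Successful sign-ins from outside the user's baseline, grouped by origin,
    with first and last seen so the dwell time is visible at a glance."""
    seen = {}
    for r in records:
        if r["result"] != "success" or r["ts"] < since:
            continue
        if r["country"] in baseline.get(r["user"], set()):
            continue  # familiar origin; a user with no baseline gets everything flagged
        key = (r["user"], r["country"], r["src"])
        first, last, count = seen.get(key, (r["ts"], r["ts"], 0))
        seen[key] = (min(first, r["ts"]), max(last, r["ts"]), count + 1)
    return [
        {"user": u, "country": c, "src": s, "first_seen": f, "last_seen": l,
         "logins": n, "dwell_days": (l - f).days}
        for (u, c, s), (f, l, n) in seen.items()
    ]


def detect(lines, cutoff="2025-01-01T00:00:00Z"):
    """Learn from everything before `cutoff`, then judge everything after it."""
    records = [parse(line) for line in lines if line.strip()]
    split = datetime.strptime(cutoff, TIME_FORMAT)
    return find_anomalies(records, build_baseline(records, split), split)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['user']}: {a['logins']} sign-ins from {a['country']} ({a['src']}) "
              f"over {a['dwell_days']} days, "
              f"{a['first_seen']:%Y-%m-%d} to {a['last_seen']:%Y-%m-%d}")
```

Six successful sign-ins spread across eleven weeks never stand out in a daily skim, because on any given day there is at most one and it succeeded. Grouped by origin they are one finding with a 71-day dwell, and the failed attempt against bob from a third country is ignored because it never got in. The value is not the sophistication of the rule but that it runs over every event, every time, without getting bored.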
The SentinelOne report is 70 pages of detailed analysis aimed at enterprise defenders. But the underlying message isn’t complicated: attackers are faster, more automated, and less discriminating about target size than they used to be.

The good news is that the fundamentals still work. Strong passwords. Endpoint protection. DNS filtering that blocks malicious domains before they load. Monitoring that catches anomalies automatically. And a team that knows when to stop and ask questions.

If you’re not sure where your business stands, start for free — no credit card required. Or schedule a call and we’ll walk through it with you.