The breach notification arrives weeks after the damage is done. Your managed service provider's credentials were compromised in March. Attackers used them to map your internal network in April. By May, they had moved laterally through systems your MSP legitimately accesses. Your security team saw nothing unusual because every connection used valid credentials and matched expected vendor access patterns.

This scenario repeated across thousands of organizations in 2025. Trend Micro's 2026 predictions frame the shift: cybercrime is becoming fully industrialized, with supply chains as primary targets. Q1 2025 saw 2,289 ransomware victims, the highest quarterly count since tracking began. Supply chain attacks doubled, with attackers strategically researching which vendors serve multiple high-value targets before compromising them.

The regulatory response is concrete. The EU Cyber Resilience Act's vulnerability and incident reporting obligations apply from September 11, 2026. Manufacturers of products with digital elements must send an early warning of an actively exploited vulnerability within 24 hours of becoming aware of it, with a fuller notification due within 72 hours. The clock starts at awareness, not at compromise, but 24 hours leaves almost no room for investigation: for supply chain intrusions that stay invisible for weeks, whatever is known at the moment of discovery is what gets reported.

Why service supply chains became the primary target

Software supply chain attacks dominated headlines in previous years. Poisoned packages, compromised build systems, and malicious updates generated clear forensic evidence. Defenders learned to validate checksums, monitor repositories, and implement software bills of materials. These measures work because software artifacts are discrete and verifiable.

Service supply chains operate differently. Industry analysts predict attackers will target service providers more aggressively than software vendors in 2026. A managed service provider holds valid credentials to hundreds of customer environments. A cloud platform hosts infrastructure for thousands of organizations. A SaaS vendor integrates with entire business ecosystems. Compromising one service provider creates cascading access across all downstream customers.

The economics favor attackers. Instead of breaching individual organizations with mature security programs, they target smaller service providers with weaker defenses. One MSP compromise in Sweden impacted approximately 200 municipalities, multiple regional administrations, universities, and corporations. The attack disrupted platforms managing critical employee data across sectors. A single breach achieved what would have required 200+ individual intrusions.

This pattern repeated throughout 2025. Marks & Spencer's disruption was traced to social engineering of staff at a third-party IT contractor, forcing manual logistics operations and an estimated £300 million hit to profit. Asahi's breach halted production at around 30 factories by disrupting the systems that ordering and shipment depend on, rather than by stealing financial records. These attacks exploit trusted vendor relationships to bypass perimeter defenses entirely.

The technical problem: trust without verification

Traditional security models assume certain traffic is inherently trustworthy. Vendor credentials authenticate successfully. Connections originate from approved IP ranges. Commands execute through established management interfaces. Attackers exploit these same pathways.

The challenge is distinguishing malicious activity from legitimate vendor operations when both use identical technical methods. A managed service provider conducts routine maintenance: authenticate, check configurations, apply updates, verify functionality. An attacker with stolen MSP credentials follows a different sequence: authenticate, enumerate internal systems, test lateral movement paths, map network topology.

Both use legitimate protocols, respect rate limits, and operate during business hours. Both authenticate with valid tokens. Individual network flows appear normal. Alert systems configured to flag anomalies see nothing unusual because the activity falls within acceptable vendor behavior.

Detection systems relying on known-bad indicators fail because attackers use known-good tools. Systems depending on statistical anomalies fail because attacker activity deliberately mimics normal vendor patterns. Systems requiring manual correlation fail because reconnaissance and lateral movement occur days or weeks apart.

What attackers accomplish through compromised vendors

Reconnaissance through vendor access is methodical. Attackers query which internal systems exist, what services run on each endpoint, which accounts have elevated privileges, and where sensitive data resides. They spread this activity across days or weeks to avoid detection thresholds. Each individual query appears routine. The aggregate pattern reveals systematic mapping that produces actionable intelligence for subsequent phases.

Lateral movement through vendor credentials leverages established trust. Attackers authenticate as the vendor, access systems the vendor legitimately maintains, and execute commands the vendor could plausibly run. They move between endpoints the vendor normally connects to, use management tools the vendor regularly employs, and operate during timeframes when vendor activity is expected.

The timeline extends across weeks. Initial reconnaissance maps the environment. Days later, attackers test lateral movement to verify identified paths. Weeks later, they execute their primary objective: data exfiltration, ransomware deployment, or persistent access establishment. Each phase operates independently, separated by enough time that correlation becomes difficult.

Why this matters for 2026 specifically

Three factors converge. First, attack infrastructure matured throughout 2025. Techniques that were experimental in 2024 became operational and reproducible. Attackers no longer need specialized expertise to compromise service providers and leverage that access downstream.

Second, regulatory enforcement begins. The EU CRA's reporting obligations apply from September 2026, and the 24-hour early-warning window runs from the moment a manufacturer becomes aware of an actively exploited vulnerability or severe incident. Late discovery is not itself a violation, but it compresses everything that follows: an organization that first learns of a months-old vendor compromise has a day to produce an initial notification and 72 hours to produce a fuller one. Meeting that assumes detection and investigation capabilities most organizations lack.

Third, service provider consolidation concentrated risk. Organizations rely on fewer vendors managing more critical functions. A handful of cloud platforms, SaaS vendors, and managed service providers handle the majority of external dependencies. Each compromise therefore reaches far more downstream customers than it would have when dependencies were spread across many smaller vendors.

The statistics reflect this shift. Q1 2025's 2,289 ransomware victims represented a 126% year-over-year increase. Published figures underrepresent actual incident counts because organizations paying ransoms quickly are typically excluded from public leak sites.

What detection requires now

Defending against supply chain attacks requires identifying malicious intent within trusted channels. Tighter vendor access policies help and should be in place (least privilege, time-bound access, and separate accounts per customer shrink what a stolen credential can reach), but they cannot be the whole answer, because the vendor still needs real access to the systems it maintains. Anomaly detection against vendor baselines is impractical on its own, because legitimate vendor patterns shift with operational needs. Signature-based detection fails because attackers use legitimate tools.

Detection must recognize what activity is attempting to accomplish based on behavioral patterns rather than what it looks like at the surface level. When flows between endpoints follow reconnaissance patterns—systematic enumeration, service discovery, permission testing—that structure indicates malicious intent regardless of credential validity. When flows follow lateral movement patterns—authentication followed by exploration across endpoints—that structure indicates compromise regardless of whether the vendor occasionally accesses similar systems.
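The following is an added example, not DeepTempo's code or anything from the original post, of what judging the structure of a sequence can mean in practice. It takes flow records that have already been enriched with the authenticating principal (an assumption: in real data that join comes from authentication logs), groups them per principal into 30-day windows so that a reconnaissance phase and a pivot weeks apart are judged together, and derives intent from the shape of the sequence: how many distinct hosts were touched, how many were touched exactly once, whether one host was probed across many ports, and whether an admin logon to a host was followed by connections from that host to systems the principal had never contacted. The `svc-msp-ops` account, the hostnames, the timing and every threshold are constructed for illustration; no per-vendor baseline is consulted.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Destination ports treated as a remote/admin logon to the destination host.
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}

@dataclass(frozen=True)
class Flow:
    ts: datetime
    principal: str  # identity the connection authenticated as (the vendor account)
    src: str
    dst: str
    dport: int

def classify_sequence(flows, min_breadth=8, min_ports=4):
    """Label one principal's flows by what the sequence is structured to do.
    Returns (labels, evidence); labels may hold both attacker intents.
    Thresholds are assumptions chosen for this example, not tuned values."""
    flows = sorted(flows, key=lambda f: f.ts)
    hits = defaultdict(int)   # dst host -> number of flows
    ports = defaultdict(set)  # dst host -> distinct destination ports
    for f in flows:
        hits[f.dst] += 1
        ports[f.dst].add(f.dport)
    touch_once = {h for h, n in hits.items() if n == 1}
    swept = {h for h, p in ports.items() if len(p) >= min_ports}

    # Pivot: an admin logon to host A followed by flows *from* A to hosts this
    # principal had never contacted. Whether the credential is valid is irrelevant.
    pivots = defaultdict(set)
    seen, admin_logons = set(), set()
    for f in flows:
        if f.src in admin_logons and f.dst not in seen:
            pivots[f.src].add(f.dst)
        seen.add(f.dst)
        if f.dport in ADMIN_PORTS:
            admin_logons.add(f.dst)
    pivots = {a: sorted(t) for a, t in pivots.items() if len(t) >= 2}

    labels = []
    # Breadth plus either touch-and-leave hosts or a per-host port sweep.
    if len(hits) >= min_breadth and (2 * len(touch_once) >= len(hits) or swept):
        labels.append("reconnaissance")
    if pivots:
        labels.append("lateral_movement")
    if not labels:
        labels.append("operational")
    evidence = {"hosts": len(hits), "touch_once": len(touch_once),
                "port_swept": sorted(swept), "pivots": pivots}
    return labels, evidence

def classify_by_principal(flows, window_days=30):
    """Bucket each principal's flows into long fixed windows and classify each,
    so phases an attacker separates by days or weeks are judged together."""
    by_principal = defaultdict(list)
    for f in flows:
        by_principal[f.principal].append(f)
    results = {}
    for principal, fl in by_principal.items():
        fl.sort(key=lambda f: f.ts)
        start = fl[0].ts
        buckets = defaultdict(list)
        for f in fl:
            buckets[(f.ts - start).days // window_days].append(f)
        results[principal] = [
            (start + timedelta(days=i * window_days), *classify_sequence(b))
            for i, b in sorted(buckets.items())
        ]
    return results

# Constructed sample data. Account, hosts and timing are assumptions.
T0 = datetime(2025, 3, 3, 9, 0)
V, BASTION = "svc-msp-ops", "msp-bastion"  # vendor service account and jump host

# Routine maintenance: the same three servers on two ports, every weekday.
MAINT = [("app01", 22), ("app02", 22), ("db01", 22), ("app01", 443), ("app02", 443)]
LEGIT = [Flow(T0 + timedelta(days=d, minutes=10 * i), V, BASTION, host, port)
         for d in range(28) if d % 7 < 5 for i, (host, port) in enumerate(MAINT)]

# Same credential two months later: 12 hosts touched once over three days, one
# host swept across five ports, then an RDP logon and a pivot two weeks after.
T1 = T0 + timedelta(days=60)
ATTACK = (
    [Flow(T1 + timedelta(days=d, hours=h), V, BASTION, f"host{4 * d + h:02d}", 445)
     for d in range(3) for h in range(4)]
    + [Flow(T1 + timedelta(days=6, minutes=m), V, BASTION, "fs01", p)
       for m, p in enumerate([22, 80, 443, 3389, 5985])]
    + [Flow(T1 + timedelta(days=20), V, BASTION, "fs01", 3389),
       Flow(T1 + timedelta(days=20, minutes=15), V, "fs01", "hr-db01", 1433),
       Flow(T1 + timedelta(days=20, minutes=40), V, "fs01", "fin-app01", 443)]
)

if __name__ == "__main__":
    for principal, windows in classify_by_principal(LEGIT + ATTACK).items():
        for start, labels, evidence in windows:
            print(principal, start.date(), labels, evidence)
```

Both windows belong to the same valid account and every individual flow would pass a credential check; the maintenance window comes out as operational while the later window is labelled both reconnaissance and lateral movement, with the pivot host and its new targets named in the evidence. The thresholds are the part a practitioner would tune, and the obvious gaps (a vendor that legitimately onboards a dozen new hosts, or an attacker who pivots to only one system) are the kind of edge cases such a rule needs to be measured against before it pages anyone.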

DeepTempo approaches this by analyzing sequences of network flows and identifying structural signatures of different intent types. The system learns what reconnaissance behavioral timelines look like, what lateral movement behavioral timelines look like, and what operational activity looks like, then classifies observed behavior accordingly. This works without maintaining vendor-specific baselines or depending on whether activity deviates from historical patterns.

The broader principle applies beyond any specific implementation: detection systems must evaluate what sequences of activity are trying to accomplish rather than whether individual events match known-bad patterns or exceed statistical thresholds. Supply chain attacks succeed precisely because they operate within approved patterns using legitimate credentials. The malicious intent exists in the structure and progression of activity, not in obvious technical artifacts.

Closing note

Supply chain attacks transitioned from sophisticated operations requiring significant resources to industrialized campaigns using reproducible methods throughout 2025. The infrastructure exists. The targeting is strategic. The volume is increasing. Organizations without detection capabilities that identify malicious intent within trusted channels will continue discovering compromises weeks after they occur, facing regulatory penalties and operational disruption.

The threat is not theoretical. The evidence is in production logs right now: reconnaissance behavioral timelines systematically mapping internal systems, lateral movement using compromised vendor credentials, and persistence establishment through legitimate management tools. The difference is whether detection systems can recognize these patterns when they execute through trusted pathways using valid credentials.

MITRE ATT&CK tactics: Reconnaissance (TA0043), Initial Access (TA0001), Lateral Movement (TA0008). The vendor-credential path described here corresponds to the Trusted Relationship technique (T1199).

Get in touch to run a 30 day risk-free assessment in your environment. DeepTempo will analyze your existing data to identify threats that are active. Catch threats that your existing NDRs and SIEMs might be missing!