TLDR
Major 2025 breaches exposed critical gaps in traditional red team exercises. While organizations tested for technical vulnerabilities, real-world compromises succeeded through different attack paths.
The three patterns: third-party helpdesk social engineering (Marks & Spencer’s £300M ransomware attack), supply chain attacks (Salesloft Drift breach, Shai-Hulud NPM worm), and internet-exposed industrial systems with default passwords (critical infrastructure attacks).
Organizations entering 2026 need red team exercises that test these actual attack paths, not just automated vulnerability scans. Success requires shifting from compliance-driven testing to threat-informed scenarios based on how adversaries actually operate.
Introduction
Most organizations ran red team exercises in 2025. Many had clean pentest reports. Yet ransomware still encrypted their servers, supply chain compromises still exposed customer data, and operational systems still got manipulated by attackers using default passwords.
The pattern is consistent: breaches succeeded through attack paths that red team engagements don’t typically test.
While penetration testers were hunting for SQL injection and privilege escalation, Scattered Spider was calling IT helpdesks to reset passwords.[1] While security assessments focused on perimeter defenses, threat actors were stealing OAuth tokens from third-party marketing tools.[2] While vulnerability scans ran against web applications, hacktivists were logging into critical infrastructure with credentials like “admin/admin.”[3]
The gap isn’t in red team capability. The gap is in what we’re asking red teams to test.
Here are three breach patterns from 2025 that should reshape red team objectives for 2026.
Breach Lesson #1: Third-Party Helpdesk Compromise
What Happened:
In April 2025, Marks & Spencer suffered a ransomware attack that cost the retailer an estimated £300 million and knocked online sales offline for 46 days.[4] The attack didn’t exploit a software vulnerability or bypass firewalls.
Instead, attackers called M&S’s outsourced IT helpdesk, operated by Tata Consultancy Services, and convinced support staff to reset credentials for privileged accounts.[5]
The attackers impersonated legitimate employees, obtained password resets, and gained initial access that eventually led to encrypting VMware ESXi hosts across the entire infrastructure.[6] Similar attacks hit Co-op and Harrods using identical techniques during the same period.[7]
What Red Teams Usually Test:
Traditional red team exercises focus on technical exploitation: finding unpatched systems, testing endpoint detection, or attempting privilege escalation through software vulnerabilities.
They rarely include social engineering against third-party vendors. They almost never test whether outsourced helpdesk staff can be manipulated into resetting credentials for privileged accounts.
What to Test in 2026:
Give your red team this specific objective: “Gain domain admin access by compromising our third-party IT support channels without exploiting any software vulnerabilities.”
Success criteria include:
- Can helpdesk staff verify identity before password resets?
- Can they reset privileged account credentials?
- Do such resets trigger security alerts?
You’re validating that your outsourced support contracts include security requirements, that verification procedures actually get followed, and that privileged account resets require secondary approval workflows that can’t be socially engineered.
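The third success criterion above, whether a privileged reset through the helpdesk trips an alert, is the one most teams can check from existing logs. The following detection is an added example written for this post, not code from Satine or from the original article: it reads constructed SIEM lines that imitate Windows Security event 4724 (password reset attempt), compares the target against a list of privileged accounts, and flags resets that lack a recent approval granted by someone other than the person performing the reset. The account names, vendor helpdesk logins, approval tickets and the two-hour approval window are all assumptions.

```python
"""Flag privileged-account password resets that arrive through a helpdesk
channel without an independent, recent approval.

Added example, not part of the original post. The log lines imitate Windows
Security event 4724 (password reset attempt) as exported to a SIEM; the
account names, vendor helpdesk logins and approval tickets are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed reference data; in practice pulled from AD group membership
# and the ITSM approval queue.
PRIVILEGED_ACCOUNTS = {
    "j.doe-adm": "Domain Admins",
    "svc-backup": "Domain Admins",
    "esxi-sync": "vSphere Admins",
}
HELPDESK_ACTORS = {"vendor-hd-01", "vendor-hd-02"}  # outsourced helpdesk logins
APPROVAL_WINDOW = timedelta(hours=2)  # approval must predate the reset by <= 2h

# Constructed SIEM export: one event per line, key=value fields.
SAMPLE_LOG = """\
2025-04-17T09:12:04Z EventID=4724 Subject=vendor-hd-01 Target=j.doe-adm SrcIP=203.0.113.7
2025-04-17T09:40:51Z EventID=4724 Subject=vendor-hd-02 Target=svc-backup SrcIP=203.0.113.9
2025-04-17T10:02:13Z EventID=4724 Subject=vendor-hd-01 Target=a.smith SrcIP=203.0.113.7
2025-04-17T11:15:30Z EventID=4724 Subject=it-admin-7 Target=esxi-sync SrcIP=10.20.0.15
2025-04-17T11:20:00Z EventID=4738 Subject=it-admin-7 Target=esxi-sync SrcIP=10.20.0.15
"""

@dataclass
class ResetEvent:
    when: datetime
    actor: str     # SubjectUserName: who performed the reset
    target: str    # TargetUserName: whose password was reset
    source_ip: str

@dataclass
class Approval:
    ticket: str
    target: str
    approver: str
    approved_at: datetime

def parse_log(text):
    """Parse key=value SIEM lines; keep only 4724 (password reset) events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("EventID") != "4724":
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(ResetEvent(when, kv["Subject"], kv["Target"], kv["SrcIP"]))
    return events

def find_approval(event, approvals):
    """An approval counts only if it is for the same target, granted by someone
    other than the actor, and no older than APPROVAL_WINDOW at reset time."""
    for a in approvals:
        if a.target != event.target or a.approver == event.actor:
            continue
        age = event.when - a.approved_at
        if timedelta(0) <= age <= APPROVAL_WINDOW:
            return a
    return None

def evaluate_resets(events, approvals):
    """Return alerts for privileged resets lacking an independent approval.
    Resets performed by a helpdesk login are rated critical, others high."""
    alerts = []
    for ev in events:
        group = PRIVILEGED_ACCOUNTS.get(ev.target)
        if group is None or find_approval(ev, approvals) is not None:
            continue
        severity = "critical" if ev.actor in HELPDESK_ACTORS else "high"
        alerts.append({"severity": severity, "actor": ev.actor, "target": ev.target,
                       "group": group, "source_ip": ev.source_ip,
                       "reason": "privileged password reset without independent approval"})
    return alerts

# Constructed approval queue: one valid ticket, one self-approval that must be ignored.
SAMPLE_APPROVALS = [
    Approval("CHG-10421", "svc-backup", "sec-lead.kim",
             datetime(2025, 4, 17, 9, 10, tzinfo=timezone.utc)),
    Approval("CHG-10422", "esxi-sync", "it-admin-7",
             datetime(2025, 4, 17, 11, 0, tzinfo=timezone.utc)),
]

def run_sample():
    return evaluate_resets(parse_log(SAMPLE_LOG), SAMPLE_APPROVALS)

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed data this raises two alerts: a critical one for the vendor helpdesk login resetting a Domain Admins account with no ticket, and a high one for an internal admin whose only "approval" was his own. The reset covered by an independent ticket and the reset of an unprivileged account produce nothing, which is the behaviour you want if the rule is to survive in a production SIEM.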
Breach Lesson #2: Third-Party OAuth Token Compromise
What Happened:
Between August 8-18, 2025, threat actor UNC6395 compromised Salesloft’s Drift marketing platform and stole OAuth tokens that provided access to hundreds of organizations’ Salesforce environments.[8]
The attackers didn’t breach individual companies directly. Instead, they compromised Drift’s GitHub account as early as March 2025, conducted reconnaissance, then accessed Drift’s AWS environment to steal OAuth and refresh tokens.[9]
Major cybersecurity firms including Palo Alto Networks, Zscaler, Cloudflare, and Elastic were among the victims. Attackers mass-exfiltrated customer data, account records, and support cases. In several instances, they found credentials and API keys within the stolen Salesforce data, enabling further compromise.[10]
What Red Teams Usually Test:
Red team exercises typically focus on your organization’s own infrastructure and applications. They test whether your web applications are vulnerable, whether your cloud configurations are secure, or whether your employees fall for phishing.
They don’t test whether the third-party SaaS tools integrated with your CRM have been compromised. They don’t test whether stolen tokens from a vendor breach could provide backdoor access to your sensitive data.
What to Test in 2026:
Task your red team: “Identify which third-party integrations have OAuth access to our most sensitive systems (CRM, email, file storage, HRIS). Attempt to access those systems by simulating a compromised third-party token.”
Success criteria include:
- Complete inventory of all OAuth-connected applications
- Documentation of what data each integration can access
- Whether security monitoring detects anomalous access patterns from legitimate integration tokens
You’re validating that you actually know which third parties have privileged access, that you can revoke access quickly, and that you’d detect abuse of legitimate credentials.
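The three criteria above fit together: once the OAuth inventory documents what each integration is allowed to read and where its traffic comes from, "anomalous access from a legitimate token" becomes a concrete rule rather than a vague hope. The code below is an added example written for this post, not Satine's tooling and not Salesforce's own monitoring. It assumes a constructed inventory (app name, owning team, documented objects, vendor egress ranges, expected call size) and a constructed export of CRM API usage records, and flags a token being used from an undocumented network, reading objects outside its documented scope, pulling unusually large result sets, or exceeding a daily row budget.

```python
"""Detect anomalous use of legitimate third-party OAuth integration tokens.

Added example, not part of the original post and not a vendor's own tooling.
The integration inventory, egress networks and API access records below are
constructed; the record layout loosely follows a CRM API-usage export
(connected app, integration user, source IP, object, rows returned).
"""
import ipaddress
from collections import defaultdict

# Constructed inventory: what each connected app is documented to need.
INTEGRATIONS = {
    "chat-connector": {
        "owner": "marketing",
        "objects": {"Lead", "Contact"},
        "egress": ["198.51.100.0/24"],   # vendor's published egress ranges
        "max_rows_per_call": 500,
    },
    "erp-sync": {
        "owner": "finance",
        "objects": {"Account", "Opportunity"},
        "egress": ["203.0.113.16/28"],
        "max_rows_per_call": 5000,
    },
}
DAILY_ROW_BUDGET = 20000  # per app; above this, treat as a mass pull

# Constructed API access records: time, app, integration user, src IP, object, rows.
SAMPLE_ACCESS = [
    ("2025-08-09T02:14:11Z", "chat-connector", "int.chat", "198.51.100.20", "Lead", 300),
    ("2025-08-09T02:15:40Z", "chat-connector", "int.chat", "198.51.100.20", "Contact", 420),
    ("2025-08-09T03:01:02Z", "chat-connector", "int.chat", "192.0.2.77", "Contact", 480),
    ("2025-08-09T03:02:30Z", "chat-connector", "int.chat", "192.0.2.77", "Case", 9800),
    ("2025-08-09T03:04:55Z", "chat-connector", "int.chat", "192.0.2.77", "Case", 12000),
    ("2025-08-09T04:10:00Z", "erp-sync", "int.erp", "203.0.113.20", "Account", 2200),
    ("2025-08-09T04:12:00Z", "legacy-export", "int.old", "203.0.113.20", "Contact", 50),
]

def ip_in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def check_record(ts, app, user, src_ip, obj, rows):
    """Per-record rules; returns a list of (rule, detail) findings."""
    spec = INTEGRATIONS.get(app)
    if spec is None:
        return [("unregistered-integration", f"{app} is not in the OAuth inventory")]
    findings = []
    if not ip_in_any(src_ip, spec["egress"]):
        findings.append(("token-from-unknown-network", f"{app} token used from {src_ip}"))
    if obj not in spec["objects"]:
        findings.append(("object-outside-scope",
                         f"{app} read {obj}; documented scope is {sorted(spec['objects'])}"))
    if rows > spec["max_rows_per_call"]:
        findings.append(("bulk-read", f"{app} returned {rows} rows from {obj}"))
    return findings

def analyse(records):
    """Apply per-record rules, then the per-app daily row budget."""
    alerts = []
    rows_per_app = defaultdict(int)
    for rec in records:
        ts, app = rec[0], rec[1]
        for rule, detail in check_record(*rec):
            alerts.append({"time": ts, "app": app, "rule": rule, "detail": detail})
        rows_per_app[app] += rec[5]
    for app, total in rows_per_app.items():
        if total > DAILY_ROW_BUDGET:
            alerts.append({"time": None, "app": app, "rule": "row-budget-exceeded",
                           "detail": f"{app} pulled {total} rows today (budget {DAILY_ROW_BUDGET})"})
    return alerts

def rules_fired(alerts):
    """Summarise which rules fired per app: {app: sorted rule names}."""
    out = defaultdict(set)
    for a in alerts:
        out[a["app"]].add(a["rule"])
    return {app: sorted(r) for app, r in out.items()}

if __name__ == "__main__":
    for a in analyse(SAMPLE_ACCESS):
        print(a["app"], a["rule"], "-", a["detail"])
```

In the constructed data the chat integration behaves normally for two calls, then its token starts being used from an address outside the vendor's egress range to read Case records it was never documented to need, in result sets far above its usual size; the finance integration stays silent, and a connected app missing from the inventory is flagged on first sight. The inventory is the control that makes every one of these rules possible, which is why the red team objective starts with building it.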
Breach Lesson #3: Internet-Exposed OT Systems with Default Credentials
What Happened:
Throughout 2025, hacktivist groups and nation-state actors successfully compromised critical infrastructure by exploiting the simplest vulnerability: internet-connected operational technology (OT) systems protected only by default passwords.[11]
In April, attackers compromised a Norwegian dam’s control system using weak credentials, manipulating valves to increase water discharge by 497 liters per second. The attack persisted for four hours before detection.[12]
CISA issued multiple warnings about pro-Russia hacktivist groups exploiting default passwords on internet-facing SCADA systems, HMIs, and programmable logic controllers across water utilities and other critical infrastructure.[13]
These weren’t sophisticated attacks requiring zero-days or custom malware. Attackers simply scanned for exposed OT devices and logged in using factory-default credentials like “admin/admin” or manufacturer-set passwords that operators never changed.[14]
What Red Teams Usually Test:
Traditional penetration tests focus on IT networks, web applications, and corporate infrastructure.
Even when organizations include OT in scope, red teams typically test network segmentation between IT and OT—not whether operational systems are directly exposed to the internet with default credentials.
The assumption is that no organization would leave critical control systems internet-accessible with factory passwords. But 2025 proved that assumption catastrophically wrong.
What to Test in 2026:
Direct your red team: “Identify all internet-facing OT devices (PLCs, HMIs, SCADA systems, industrial controllers) and attempt access using default credentials and common password lists.”
Success criteria include:
- Complete inventory of exposed OT systems
- Documentation of which use default/weak passwords
- Whether security monitoring detects authentication attempts against these systems
You’re validating that your organization actually knows what OT devices are internet-accessible, that default credentials have been changed, and that you have monitoring in place to detect brute-force attempts against industrial control systems.
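The three things being validated above (knowing which OT devices are reachable from where, knowing which still carry factory credentials, and seeing authentication attempts against them) can be checked together from device authentication logs joined to the asset register. The code below is an added example written for this post, not Satine's tooling and not any vendor's product. It assumes a constructed syslog-style authentication feed from HMIs and PLCs, a constructed asset register recording whether each device's default credentials were rotated, and a single engineering VLAN as the only network that should ever authenticate to these devices; it raises an alert when a login attempt arrives from anywhere else, when failures from one source pile up, and when a login succeeds after a run of failures, rating every alert critical if the device's factory credentials are not recorded as rotated.

```python
"""Detect authentication activity against OT devices from outside the
engineering network, plus brute-force patterns, and tie findings to an asset
register that records whether factory-default credentials were rotated.

Added example, not from the original post. The syslog-style lines imitate
an HMI/PLC authentication log forwarded to a collector; the device names,
addresses and asset register are constructed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed reference data. Only the engineering VLAN may talk to these
# devices directly; any other source means the device is reachable from
# somewhere it should not be.
ALLOWED_SOURCE_NETS = [ipaddress.ip_network("10.50.0.0/16")]
ASSET_REGISTER = {
    "hmi-pump-3": {"site": "plant-north", "default_creds_rotated": True},
    "plc-valve-7": {"site": "plant-north", "default_creds_rotated": False},
}
FAIL_WINDOW = timedelta(minutes=10)
BRUTE_FORCE_THRESHOLD = 5    # failures from one source to one device in FAIL_WINDOW
SUCCESS_AFTER_MIN_FAILS = 3  # a success after this many recent failures is suspicious

LINE_RE = re.compile(r"^(\S+) (\S+) auth: login (FAILED|OK) user=(\S+) src=(\S+)$")

# Constructed authentication log: one device is hit from outside the plant,
# the other sees an engineer mistype a password once.
SAMPLE_SYSLOG = """\
2025-04-07T01:02:03Z plc-valve-7 auth: login FAILED user=admin src=198.51.100.45
2025-04-07T01:02:05Z plc-valve-7 auth: login FAILED user=admin src=198.51.100.45
2025-04-07T01:02:08Z plc-valve-7 auth: login FAILED user=operator src=198.51.100.45
2025-04-07T01:02:10Z plc-valve-7 auth: login FAILED user=admin src=198.51.100.45
2025-04-07T01:02:13Z plc-valve-7 auth: login FAILED user=admin src=198.51.100.45
2025-04-07T01:02:20Z plc-valve-7 auth: login OK user=admin src=198.51.100.45
2025-04-07T06:30:00Z hmi-pump-3 auth: login OK user=eng.lars src=10.50.4.12
2025-04-07T06:45:12Z hmi-pump-3 auth: login FAILED user=eng.lars src=10.50.4.12
2025-04-07T06:45:30Z hmi-pump-3 auth: login OK user=eng.lars src=10.50.4.12
"""

def parse(text):
    """Yield (time, device, outcome, user, src) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, device, outcome, user, src = m.groups()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), device, outcome, user, src

def from_allowed_network(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCE_NETS)

def severity_for(device):
    entry = ASSET_REGISTER.get(device)
    if entry is None or not entry["default_creds_rotated"]:
        return "critical"  # unknown device, or factory credentials still in place
    return "high"

def analyse(text):
    alerts = []
    failures = defaultdict(deque)  # (device, src) -> timestamps of recent failures
    fired = set()                  # (device, src, rule) already raised

    def raise_once(when, device, src, rule):
        key = (device, src, rule)
        if key in fired:
            return
        fired.add(key)
        alerts.append({"time": when.isoformat(), "device": device, "src": src,
                       "rule": rule, "severity": severity_for(device)})

    for when, device, outcome, user, src in parse(text):
        if not from_allowed_network(src):
            raise_once(when, device, src, "auth-from-outside-ot-network")
        recent = failures[(device, src)]
        while recent and when - recent[0] > FAIL_WINDOW:
            recent.popleft()  # drop failures older than the window
        if outcome == "FAILED":
            recent.append(when)
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                raise_once(when, device, src, "brute-force")
        elif len(recent) >= SUCCESS_AFTER_MIN_FAILS:
            raise_once(when, device, src, "success-after-failures")
    return alerts

def exposed_unrotated_devices(alerts):
    """Devices seen authenticating from outside the OT network whose factory
    credentials are not recorded as rotated: the first items to fix."""
    return sorted({a["device"] for a in alerts
                   if a["rule"] == "auth-from-outside-ot-network"
                   and not ASSET_REGISTER.get(a["device"], {}).get("default_creds_rotated", False)})

if __name__ == "__main__":
    found = analyse(SAMPLE_SYSLOG)
    for a in found:
        print(a)
    print("fix first:", exposed_unrotated_devices(found))
```

On the constructed feed the PLC produces three critical alerts (reachable from outside the plant, five failures in under a minute, then a success), while the HMI's single mistyped password from the engineering VLAN produces none. The join to the asset register is what turns a noisy authentication feed into the two lists the objective asks for: which devices are exposed, and which of those still carry factory credentials.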
Shifting Red Team Objectives for 2026
The common thread across these 2025 breaches: attackers succeeded by exploiting trust relationships, third-party integrations, and operational blindspots rather than sophisticated technical vulnerabilities.
Organizations with mature vulnerability management programs and current patches still got compromised. The reason? Red team exercises weren’t testing the right attack paths.
Working with your red team provider means shifting from compliance-driven testing to threat-informed scenarios. Instead of asking “can you get in?”, ask “can you get in the way Scattered Spider got into M&S?”
Instead of testing for OWASP Top 10 vulnerabilities, test whether a compromised third-party OAuth token would trigger alerts. Instead of focusing solely on IT infrastructure, validate that internet-exposed OT systems aren’t sitting behind default passwords.
This requires red team providers who understand real adversary behavior—not just automated scanning tools or generic penetration testing playbooks.
Teams with offensive cyber operations backgrounds, whether military or commercial, bring experience with how actual threat actors operate: the social engineering tactics they use, the trust relationships they exploit, and the operational blindspots they target.
These scenarios reflect what Satine’s team tests based on patterns we’ve observed from both nation-state actors and criminal groups throughout 2025.
References
[1] BleepingComputer. “Marks & Spencer breach linked to Scattered Spider ransomware attack.” https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/
[2] Cybersecurity Dive. “Palo Alto Networks, Zscaler customers impacted by supply chain attacks.” https://www.cybersecuritydive.com/news/palo-alto-networks-zscaler-supply-chain-attacks/758990/
[3] FastNetMon. “CISA warns of hacktivist DDoS attacks on critical infrastructure OT systems.” https://fastnetmon.com/2025/12/12/cisa-warns-of-hacktivist-ddos-attacks-on-critical-infrastructure-ot-systems/
[4] BlackFog. “Marks & Spencer Breach: How A Ransomware Attack Crippled a UK Retail Giant.” https://www.blackfog.com/marks-and-spencer-ransomware-attack/
[5] Specops Software. “M&S ransomware hack: Service Desk & Active Directory security lessons.” https://specopssoft.com/blog/marks-spencer-ransomware-active-directory/
[6] AMP CUS Cyber. “How Scattered Spider Compromised Marks & Spencer’s Network: Key Findings And Lessons Learned.” https://www.ampcuscyber.com/shadowopsintel/how-scattered-spider-compromised-marks-spencers-network-key-findings-and-lessons-learned/
[7] The Hacker News. “Scattered Spider Behind Cyberattacks on M&S and Co-op, Causing Up to $592M in Damages.” https://thehackernews.com/2025/06/scattered-spider-behind-cyberattacks-on.html
[8] Dark Reading. “Zscaler, Palo Alto Networks Hacked via Salesloft Drift.” https://www.darkreading.com/cyberattacks-data-breaches/zscaler-palo-alto-networks-breached-salesloft-drift
[9] TechTarget. “News brief: Salesloft Drift breach update and timeline.” https://www.techtarget.com/searchsecurity/news/366630934/News-brief-Salesloft-Drift-breach-update-and-timeline
[10] Palo Alto Networks. “Salesforce-Connected Third-Party Drift Application Incident Response.” https://www.paloaltonetworks.com/blog/2025/09/salesforce-third-party-application-incident-response/
[11] FastNetMon. “CISA warns of hacktivist DDoS attacks on critical infrastructure OT systems.” https://fastnetmon.com/2025/12/12/cisa-warns-of-hacktivist-ddos-attacks-on-critical-infrastructure-ot-systems/
[12] Industrial Cyber. “Lake Risevatnet dam hack exposes industrial cyber gaps as weak passwords risk critical infrastructure attacks.” https://industrialcyber.co/industrial-cyber-attacks/lake-risevatnet-dam-hack-exposes-industrial-cyber-gaps-as-weak-passwords-risk-critical-infrastructure-attacks/
[13] IBM. “Cyberattack on American Water: A warning to critical infrastructure.” https://www.ibm.com/think/news/cyberattack-on-american-water-warning-critical-infrastructure
[14] SecurityWeek. “CISA Urges Manufacturers to Eliminate Default Passwords After Recent ICS Attacks.” https://www.securityweek.com/cisa-urges-manufacturers-to-eliminate-default-passwords-after-recent-ics-attacks/

