Phishing-to-RMM campaigns are using fake Microsoft, Adobe, and OneDrive pages to deliver legitimate remote management tools like ScreenConnect and LogMeIn Rescue, creating a visibility gap for SOC teams because the payload and infrastructure can appear trusted. The article explains how these attacks bypass reputation-based detection, increase dwell time and delayed containment risk, and shows how ANY.RUN helps teams trace the full attack chain and investigate related activity. #ScreenConnect #LogMeInRescue #Microsoft #Adobe #OneDrive #ANYRUN
Key points
- Attackers are using phishing pages impersonating Microsoft, Adobe, and OneDrive to distribute legitimate RMM tools instead of obvious malware.
- ScreenConnect and LogMeIn Rescue are highlighted as tools that can be abused to gain remote access while appearing benign.
- These campaigns create a visibility gap because the payload, hosting infrastructure, and user download action may all look legitimate.
- Organizations already allowing RMM software are especially at risk because detection and containment become harder.
- Affected regions and sectors include the United States, Canada, Europe, Australia, and industries such as Education, Technology, Banking, Government, Manufacturing, and Finance.
- Some variants go further than a bare installer: the lure page delivers a VBS script that attempts UAC elevation, disables SmartScreen, weakens Microsoft Defender protections, and then installs the RMM client quietly via msiexec.
- Effective detection requires correlating the full attack chain, including the lure, payload, execution, RMM installation, and outbound connections.
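The last point is the operational one: no single event in this chain is suspicious on its own (a browser download, a script host, a signed msiexec install, an RMM agent talking to a relay), so detection has to join them per host. The script below is an added example, not code from the ANY.RUN article. It runs over constructed Sysmon-style events in a simplified JSON form (field names, the sample hosts, the relay hostnames, and the "approved" RMM relay list are all assumptions) and flags a host only when a quiet RMM install is followed by an outbound connection to a relay that is not on the organisation's allow-list, with at least one precursor (script launched from a browser download, or a SmartScreen/Defender policy change). A host whose ScreenConnect agent was deployed by the software-deployment agent and talks to the sanctioned relay produces no alert, which is the distinction teams that already permit RMM need.

```python
"""Correlate endpoint telemetry into the phishing-to-RMM attack chain.

Added example (not from the ANY.RUN article). Events are constructed
Sysmon-style records in a simplified JSON form; field names, hosts,
relay hostnames and the allow-lists below are assumptions.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry, not real captures. WS-01 is the victim;
# WS-02 has a sanctioned ScreenConnect agent deployed by SCCM (ccmexec.exe).
SAMPLE_EVENTS = r"""
{"host":"WS-01","type":"process","image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe C:\\Users\\u\\Downloads\\Adobesetup.vbs","parent":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"host":"WS-01","type":"registry","image":"C:\\Windows\\System32\\wscript.exe","key":"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\EnableSmartScreen","value":"0"}
{"host":"WS-01","type":"process","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.msi /quiet /norestart","parent":"C:\\Windows\\System32\\wscript.exe"}
{"host":"WS-01","type":"network","image":"C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe","dst":"relay.attacker-example.net","port":443}
{"host":"WS-02","type":"process","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i ScreenConnect.ClientSetup.msi /quiet","parent":"C:\\Windows\\CCM\\ccmexec.exe"}
{"host":"WS-02","type":"network","image":"C:\\Program Files (x86)\\ScreenConnect Client (d4e5f6)\\ScreenConnect.ClientService.exe","dst":"support.corp.example","port":443}
"""

# RMM product names the article lists as abused.
RMM_PATTERNS = re.compile(
    r"screenconnect|logmein|rescue|datto|itarian|action1|netsupport|"
    r"syncro|meshagent|simplehelp|rustdesk|splashtop", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")
# Registry values behind SmartScreen and Defender protections (assumed set).
DEFENSE_KEYS = re.compile(
    r"\\(EnableSmartScreen|SmartScreenEnabled|DisableAntiSpyware|"
    r"DisableRealtimeMonitoring|TamperProtection)$", re.I)
# Assumed allow-lists: the sanctioned RMM relay and the deployment agent
# permitted to install RMM clients.
APPROVED_RMM_HOSTS = {"support.corp.example"}
APPROVED_INSTALL_PARENTS = ("ccmexec.exe",)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the attack-chain stage an event belongs to, or None."""
    kind = ev["type"]
    if kind == "process":
        img = basename(ev["image"])
        parent = basename(ev.get("parent", ""))
        cmd = ev["cmdline"]
        # Stage 1: script host launched on a .vbs straight out of a browser.
        if img in SCRIPT_HOSTS and ".vbs" in cmd.lower() and parent in BROWSERS:
            return "lure_script"
        # Stage 3: silent msiexec install of an RMM package by an
        # unapproved parent (sanctioned deployment agents are skipped).
        if (img == "msiexec.exe" and re.search(r"/(quiet|qn)\b", cmd, re.I)
                and RMM_PATTERNS.search(cmd)
                and parent not in APPROVED_INSTALL_PARENTS):
            return "rmm_quiet_install"
    elif kind == "registry" and DEFENSE_KEYS.search(ev["key"]):
        # Stage 2: SmartScreen / Defender policy weakened.
        return "defense_impair"
    elif (kind == "network" and RMM_PATTERNS.search(ev["image"])
            and ev["dst"].lower() not in APPROVED_RMM_HOSTS):
        # Stage 4: RMM client beaconing to a relay we do not operate.
        return "rmm_unapproved_outbound"
    return None


def correlate(raw):
    """Group stage evidence per host: {host: {stage: first evidence}}."""
    stages = defaultdict(dict)
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        stage = classify(ev)
        if stage:
            evidence = ev.get("cmdline") or ev.get("key") or ev.get("dst")
            stages[ev["host"]].setdefault(stage, evidence)
    return stages


def verdict(host_stages):
    """HIGH only when install + unapproved beacon + a precursor all line up."""
    s = set(host_stages)
    if {"rmm_quiet_install", "rmm_unapproved_outbound"} <= s and s & {"lure_script", "defense_impair"}:
        return "HIGH: phishing-to-RMM chain"
    if "rmm_unapproved_outbound" in s:
        return "MEDIUM: unapproved RMM relay"
    if s:
        return "LOW: isolated indicator"
    return "none"


if __name__ == "__main__":
    for host, found in correlate(SAMPLE_EVENTS).items():
        print(host, verdict(found))
        for stage, ev in found.items():
            print("   ", stage, "<-", ev)
```

The allow-list check is what separates this from a generic "RMM installed" rule: an RMM product name alone is not an indicator in an organisation that licenses the same product, but a second instance of that product talking to a relay you do not operate is. Extend `APPROVED_RMM_HOSTS` with your own relay hostnames and `APPROVED_INSTALL_PARENTS` with whatever deploys software in your estate before running this over real telemetry.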
MITRE Techniques
- [T1566] Phishing – Fake Microsoft, Adobe, and OneDrive pages lure users into downloading RMM installers (‘attackers are using phishing to deliver legitimate remote management tools’).
- [T1105] Ingress Tool Transfer – The victim is prompted to download payloads such as Adobesetup.exe and ScreenConnect.ClientSetup.exe from the phishing pages (‘the user is prompted to download Adobesetup.exe’, ‘they receive ScreenConnect.ClientSetup.exe’).
- [T1219] Remote Access Software – Legitimate remote administration tools such as ScreenConnect, LogMeIn Rescue, and Datto RMM are abused for unauthorized, unattended remote access (‘gain remote access to victims’ devices’, ‘turning the endpoint into a system with unattended RMM access’).
- [T1036.005] Masquerading: Match Legitimate Name or Location – The RMM installer is delivered under a benign-looking filename or presented as a document (‘a PDF document’, ‘behind that name is ScreenConnect’). Nothing on the page describes encoding or packing of the payload itself, so Obfuscated Files or Information (T1027) does not apply.
- [T1112] Modify Registry – The VBS script turns off SmartScreen and weakens Microsoft Defender (‘disable SmartScreen, and weaken Microsoft Defender protections’). These controls are policy settings held in the registry, which is where the change is visible in telemetry; the page names the controls, not the specific keys.
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – The VBS script attempts to elevate privileges through UAC (‘the script attempts to elevate privileges through UAC’).
- [T1562.001] Impair Defenses: Disable or Modify Tools – Attackers weaken Microsoft Defender and disable SmartScreen to reduce detection (‘disable SmartScreen, and weaken Microsoft Defender protections’).
- [T1059.005] Command and Scripting Interpreter: Visual Basic – A VBS script is the delivery and execution vehicle (‘the page delivers a VBS script’).
- [T1218.007] System Binary Proxy Execution: Msiexec – The RMM package is installed with a quiet msiexec run, so the payload executes under a signed Windows binary with no installer UI shown to the user (‘runs a quiet installation via msiexec’).
- [T1071.001] Application Layer Protocol: Web Protocols – The installed RMM client connects outbound to the attacker’s remote access infrastructure over normal web traffic, the same traffic a sanctioned agent would generate (‘outbound connections to remote access infrastructure’). Separately, the lure page is hosted on the legitimate n8n.cloud platform (‘the phishing landing page is hosted on the legitimate n8n.cloud platform’), which defeats domain reputation checks before any payload is executed.
- [T1036] Masquerading – Pages and files are disguised as legitimate products or documents, such as Microsoft Store, Adobe Acrobat Reader DC, and a PDF lure (‘impersonating Microsoft Store and Adobe Acrobat Reader DC’, ‘disguised as a PDF document’).
Indicators of Compromise
- [File names] Delivered payloads and installers – Adobesetup.exe, ScreenConnect.ClientSetup.exe, plus other campaign-specific installer names; filenames are rotated easily, so treat them as weak indicators
- [Domains / URLs] Phishing and hosting infrastructure – vmail.app.n8n.cloud hosted the lure; the parent n8n.cloud is a legitimate automation platform, so hunt and block on the specific subdomain rather than the apex domain
- [Tool names] Abused remote management software – ScreenConnect, LogMeIn Rescue, Datto RMM, ITarian, Action1 RMM, NetSupport, Syncro, MeshAgent, SimpleHelp, RustDesk, and Splashtop
- [Query strings] Threat hunting queries in ANY.RUN TI Lookup – threatName:"^phishing$" combined with threatName:"rmm-tool", to surface sessions tagged as both phishing and RMM-tool abuse
- [Suricata alert / analysis ID] Public analysis reference – suricataID:"84002229"
- [Web content themes] Impersonated services and lures – Microsoft Store, Adobe Acrobat Reader DC, Microsoft OneDrive, and Adobe document download prompts
Read more: https://any.run/cybersecurity-blog/rmm-blind-spot-for-cisos/