10 October 2025
Key Points
- Continued shift from traditional malware delivery to abuse of legitimate Remote Monitoring and Management (RMM) tools for initial access
- Campaigns targeting organizations across multiple industries using social engineering lures including fake payment receipts, meeting invitations, and tax documentation
- Popular RMM platforms being abused include ScreenConnect (ConnectWise Control), LogMeIn Resolve, TeamViewer, and AnyDesk
- RMM abuse enables persistent remote access while blending with legitimate IT operations, evading traditional security controls
Campaign Overview
The Mimecast Threat Research team continues to monitor threat actors increasingly abandoning traditional malware-laden email attachments in favour of legitimate Remote Monitoring and Management (RMM) tools to establish initial access. This strategic shift allows attackers to bypass many security controls since RMM software is commonly used by IT teams and often whitelisted in enterprise environments.
Campaigns demonstrate sophisticated social engineering approaches designed to trick users into installing RMM agents voluntarily. These operations employ diverse lures, from fake payment receipts distributed through EverNote to fraudulent Zoom meeting invitations. Below are some of the campaigns we’ve observed over the last few months that were used to deliver a number of RMM tools.
Financial Lure
In this campaign, a fake remittance advice and payment confirmation email is used to trick recipients into downloading malicious files. The emails impersonate legitimate financial communications by claiming payments have been processed via bank transfer and direct users to download "payment receipts" through file-sharing services like EverNote.
The lures leverage urgent business scenarios around financial transactions, exploiting the routine nature of payment processing communications that employees regularly handle.
Recipients are presented with seemingly legitimate PDF attachments containing payment documentation, but clicking these links ultimately leads to an RMM tool download rather than actual financial records. This social engineering approach exploits the trust and urgency typically associated with financial transaction confirmations, making users more likely to engage with the malicious content.
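A defender-side triage of this delivery chain, as an added example that is not code from the Mimecast post: it scores Sysmon-style process-creation events for the RMM tools named in the Key Points, weighting a launch from a browser or mail client and a binary sitting under the user's profile, which is what the Financial Lure chain produces. The tool-name substrings, the browser/mail parent list and the sanctioned-tool value are assumptions to tune per environment.

```python
import re
from dataclasses import dataclass, field

# Executable-name substrings for the RMM tools named in the article (assumption: tune to local binary names).
RMM_TOOLS = {"ScreenConnect": ("screenconnect", "connectwisecontrol"),
             "LogMeIn Resolve": ("logmein", "gotoresolve"),
             "TeamViewer": ("teamviewer",), "AnyDesk": ("anydesk",)}
# Parents showing a user ran the binary straight from an email or web lure (assumed list).
LURE_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(downloads|appdata)|temp)\\", re.I)
SANCTIONED_TOOL = "TeamViewer"  # assumed: the single RMM product IT has approved

@dataclass
class Finding:
    tool: str
    score: int = 0
    reasons: list = field(default_factory=list)

def identify_tool(image):
    """Map an image path to one of the tracked RMM products, or None."""
    name = image.rsplit("\\", 1)[-1].lower()
    return next((t for t, ns in RMM_TOOLS.items() if any(n in name for n in ns)), None)

def triage(event):
    """Score one Sysmon-style process-creation event (keys Image, ParentImage)."""
    tool = identify_tool(event["Image"])
    if tool is None:
        return None
    f = Finding(tool)
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in LURE_PARENTS:                # launched from the lure, not by IT tooling
        f.score += 3; f.reasons.append(f"spawned by {parent}")
    if USER_WRITABLE.search(event["Image"]):  # not an IT-managed install location
        f.score += 2; f.reasons.append("binary in user-writable path")
    if tool != SANCTIONED_TOOL:               # a second RMM product is the key signal
        f.score += 3; f.reasons.append(f"{tool} is not the sanctioned RMM")
    return f

def alerts(events, threshold=5):
    """Return findings at or above the threshold, in event order."""
    return [f for f in map(triage, events) if f and f.score >= threshold]

EVENTS = [  # constructed sample events, not real telemetry
    {"Image": r"C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\asmith\AppData\Local\Temp\AnyDesk.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
```

The sanctioned TeamViewer service start scores 0 while the user-profile ScreenConnect and AnyDesk launches cross the threshold, so `alerts(EVENTS)` surfaces only the two unsanctioned installs.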
Dimakatso Makinta