The Phish That Bites: Fake PayPal Alerts Deploying Malicious RMMs
In the constant cat-and-mouse game of cybersecurity, threat actors are increasingly favoring "tried and true" methods over complex zero-day exploits. Why? Because human psychology is often the easiest vulnerability to exploit.
Recently, security analysts have identified a sophisticated phishing campaign that abuses the trusted brand of PayPal. While phishing is nothing new, the endgame of this campaign is particularly concerning: the deployment of legitimate Remote Monitoring and Management (RMM) tools to take over corporate networks.
The Anatomy of the Attack
The Lure: Urgency and Trust
The attack begins with a classic social engineering hook. Victims receive an email masquerading as a critical security alert from PayPal. The message typically claims that an account has been limited or that an unusual transaction has occurred, triggering a sense of urgency that prompts the user to click immediately.
The Vector: Credential Harvesting
Clicking the link directs the victim to a convincing but fraudulent login page whose only purpose is to harvest valid credentials. Unlike a brute-force attack, which leaves a trail of failed-login alerts, a successful phish hands the attacker a working username and password, so a login that is protected by a password alone looks like the legitimate user signing in.
The Pivot: Weaponizing Legitimate Tools
Once they have access, the attackers do not immediately deploy traditional malware such as ransomware or trojans. Instead, they install legitimate Remote Monitoring and Management software, such as ScreenConnect (ConnectWise Control) or AnyDesk, the same tools IT administrators use for remote support.
This technique is a close relative of "living off the land"; because the tool is a signed third-party product rather than a Windows built-in, "dual-use tool abuse" is the more precise name. Either way it gives the attacker several advantages:
- Trust: RMM software is signed by legitimate vendors and is frequently allowlisted by antivirus and EDR products, so its execution raises no file-based alert.
- Capability: These tools provide full remote control, file transfer, and command execution capabilities.
- Persistence: RMM agents are designed to survive reboots and maintain persistent connections, making them ideal for attackers to maintain a foothold in the network.
Technical Analysis and TTPs
Mapped to the MITRE ATT&CK framework, the campaign covers:
- Initial Access (T1566, Phishing): a lure email carrying a link to the fake login page, or an attachment that leads to it.
- Credential Access: the victim types credentials into the attacker's form. ATT&CK has no Credential Access technique specific to a phishing page; T1056 (Input Capture) is the nearest fit, although it was written for keyloggers and captured input on an already-compromised host. T1598 (Phishing for Information) describes the credential-harvesting lure itself, and the stolen credentials are then used under T1078 (Valid Accounts).
- Command and Control (T1219, Remote Access Software): the RMM agent gives the attacker an interactive, vendor-relayed channel into the host. T1219 belongs to the Command and Control tactic, not Execution, and "signed binary execution" is a different technique family (T1218, System Binary Proxy Execution, which covers Windows-native signed binaries rather than third-party RMM agents).
Because the attackers are using legitimate tools, detecting them based solely on file signatures is ineffective. Security teams must rely on behavioral analysis—detecting who is running the tool, when it was installed, and where it is connecting.
Threat Hunting and Detection
To identify this type of activity within your environment, you should look for unsolicited installations of RMM software or unusual network connections associated with these tools.
Hunt for Suspicious RMM Installations (KQL)
Use this query in Microsoft Sentinel or in Microsoft 365 Defender advanced hunting to find common RMM tools started by accounts other than the ones your IT team uses for sanctioned deployments. The excluded account names are placeholders; replace them with your own deployment and service accounts. Matching on PE version information alongside the file name catches agents that were renamed before execution.
let RmmFileNames = dynamic([
    "AnyDesk.exe",
    "screenconnect.clientsetup.exe",      // installer
    "ScreenConnect.ClientService.exe",     // the agent service that stays behind
    "Splashtop_Streamer.exe",
    "TakeControl.exe",
    "RemoteDesktopManager.exe"
]);
let RmmVendors = dynamic(["AnyDesk", "ConnectWise", "Splashtop", "TeamViewer"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
// Match on the file name, or on the PE version info, which survives a simple rename
| where FileName in~ (RmmFileNames)
    or ProcessVersionInfoOriginalFileName in~ (RmmFileNames)
    or ProcessVersionInfoCompanyName has_any (RmmVendors)
// Placeholders: exclude the accounts your IT team uses for sanctioned deployments
| where InitiatingProcessAccountName !in~ ("SYSTEM", "LocalAdmin", "ServiceAccount")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine,
          ProcessVersionInfoCompanyName, InitiatingProcessAccountName, InitiatingProcessFileName
| order by Timestamp desc
Audit Installed RMM Software (PowerShell)
Run this script on endpoints to scan the registry Uninstall keys for software matching a list of known RMM vendors. It identifies agents that were installed without the IT department's knowledge, including per-user installs under HKCU, which need no administrator rights. It only sees software that registered an uninstall entry; a portable agent run straight from the Downloads folder leaves nothing here.
# Known RMM product and vendor names (partial, case-insensitive matches)
$RMMKeywords = @("AnyDesk", "TeamViewer", "ScreenConnect", "ConnectWise", "Splashtop", "BeyondTrust", "Remote Desktop Manager")
$UninstallKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",             # 64-bit machine-wide installs
    "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", # 32-bit machine-wide installs
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*"              # per-user installs of the current user
)
$InstalledSoftware = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue
# -match is a regex operator, so build one escaped alternation from the keyword list
$RMMPattern = ($RMMKeywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
# Check the publisher as well as the display name; a rebranded installer often keeps the vendor
$SuspiciousSoftware = $InstalledSoftware | Where-Object {
    $_.DisplayName -and ($_.DisplayName -match $RMMPattern -or $_.Publisher -match $RMMPattern)
}
if ($SuspiciousSoftware) {
    Write-Host "[ALERT] Found potentially unauthorized RMM software:" -ForegroundColor Red
    $SuspiciousSoftware | Select-Object DisplayName, DisplayVersion, InstallDate, Publisher, PSPath | Format-Table -AutoSize
} else {
    Write-Host "[INFO] No common RMM software detected in the Uninstall keys." -ForegroundColor Green
}
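The registry audit above answers "is it installed"; the behavioral questions from the analysis section (who runs the tool, when it arrived, where it connects) need a look at the live system. The following script is an added example written for this article, not code from the original post, and it uses only built-in Windows cmdlets (Get-CimInstance, Get-AuthenticodeSignature, Get-NetTCPConnection, Get-WinEvent). It triages every running process that looks like an RMM agent, including portable ones that never registered an uninstall entry, and lists recent service installations (System event 7045) that match the same names, which is how most agents persist across reboots. The keyword pattern and the sanctioned-RMM path are assumptions; edit both for your environment.

```powershell
# Added triage script for this article, not from the original post.
# Run elevated on Windows (PowerShell 5.1 or 7) so every process owner and socket is visible.

# Assumption: these names cover the agents you care about; extend the list for your estate.
$RmmPattern = 'anydesk|teamviewer|screenconnect|connectwise|splashtop|rustdesk|atera|ninja|remoteutilities|meshagent|ultraviewer'

# Assumption: your sanctioned RMM lives here; a match anywhere else is suspect. Placeholder path.
$SanctionedRoot = 'C:\Program Files\YourSanctionedRMM\'

function Get-RmmProcessTriage {
    foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
        $haystack = "$($proc.Name) $($proc.ExecutablePath) $($proc.CommandLine)"
        if ($haystack -notmatch $RmmPattern) { continue }

        # Who: the token owner of the process (Domain\User); 'unknown' if the call is denied.
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        $ownerName = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { 'unknown' }

        # Signer: an unsigned, self-signed or unexpected publisher deserves a closer look.
        $sig = $null
        if ($proc.ExecutablePath -and (Test-Path -LiteralPath $proc.ExecutablePath)) {
            $sig = Get-AuthenticodeSignature -FilePath $proc.ExecutablePath
        }

        # Where: established outbound TCP sessions owned by this PID.
        $remote = Get-NetTCPConnection -OwningProcess $proc.ProcessId -State Established -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }

        [pscustomobject]@{
            PID          = $proc.ProcessId
            Name         = $proc.Name
            Path         = $proc.ExecutablePath
            Owner        = $ownerName
            Started      = $proc.CreationDate          # "when": process start time
            Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned/unknown' }
            SigStatus    = if ($sig) { [string]$sig.Status } else { 'n/a' }
            # A binary under a user-writable path (profile, Temp, ProgramData) was not pushed by IT.
            UserWritable = [bool]($proc.ExecutablePath -match '\\Users\\|\\Temp\\|\\ProgramData\\')
            Sanctioned   = [bool]($proc.ExecutablePath -like "$SanctionedRoot*")
            RemoteHosts  = ($remote -join ', ')
        }
    }
}

function Get-RmmServiceInstalls {
    param([int]$Days = 7)
    # Event 7045 (Service Control Manager) is written for every new service, so it catches
    # agents that registered themselves for persistence even if they are not running right now.
    # Properties[0] is the service name, Properties[1] the image path.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $RmmPattern } |
        Select-Object TimeCreated,
            @{ n = 'Service';   e = { $_.Properties[0].Value } },
            @{ n = 'ImagePath'; e = { $_.Properties[1].Value } }
}

"== Running RMM-like processes =="
Get-RmmProcessTriage | Format-Table -AutoSize
"== RMM-like service installs in the last 7 days =="
Get-RmmServiceInstalls | Format-Table -AutoSize -Wrap
```

A row with UserWritable set, Sanctioned clear, an interactive user as Owner and an established session to a vendor relay is the pattern this campaign produces; the 7045 listing tells you when the foothold was planted even if the agent has since been stopped.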
Mitigation Strategies
Defending against this threat requires a multi-layered approach that focuses on identity and application control rather than just malware detection.
- Implement Conditional Access Policies: Do not rely on passwords alone. Enforce Multi-Factor Authentication (MFA) for all users and require it on every remote access path; if an attacker steals a password, MFA can still block the login. Prefer phishing-resistant factors (FIDO2 security keys, passkeys or certificate-based authentication) where you can: a fake login page that proxies the real site can relay a one-time code or a push approval in real time, and Conditional Access can additionally require a compliant, managed device.
- Application Allowlisting: Strictly control which applications can run on your endpoints. RMM software should only be installable by specific administrative accounts or via software deployment tools such as Intune or SCCM. Cover per-user and portable installs as well: AnyDesk, TeamViewer and the ScreenConnect client all run from a user profile without administrator rights, so a policy that only guards Program Files misses them.
- URL Filtering and Phishing Resistance: Deploy email security gateways that inspect and block malicious links, and have them enforce senders' DMARC policies. Publish DMARC, SPF and DKIM for your own domains so your brand cannot be spoofed the same way. These checks do not stop lookalike domains, which pass SPF and DKIM for the attacker's own domain, so they complement link inspection rather than replace it.
- User Education: Train users to identify the signs of phishing. Remind them that legitimate services like PayPal rarely ask for login credentials via email links and that they should always navigate to the site manually.
- Network Segmentation and Egress Control: Restrict endpoints from connecting directly to the internet on the ports RMM tools use unless explicitly authorized, and do not stop at ports: most agents fall back to 443 when their native port is blocked. Filter by destination as well, blocking the vendors' relay and broker domains and allowing only the relay of your sanctioned RMM.
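One way to make the application-control item above concrete on Windows is an AppLocker publisher rule that denies a specific RMM agent for everyone, so the same signed binary is blocked even after it is renamed or moved to a user-writable folder. The script below is an added example for this article, not code from the original post, and uses the built-in AppLocker cmdlets (Get-AppLockerFileInformation, New-AppLockerPolicy, Test-AppLockerPolicy, Set-AppLockerPolicy). It assumes you have a quarantined copy of the agent at a placeholder path and that you already run an AppLocker allow policy, since this deny rule is meant to be merged into it rather than deployed alone.

```powershell
# Added example for this article, not from the original post.
# Requires an elevated session on a Windows edition that enforces AppLocker
# (Enterprise/Education or Server) with the Application Identity service (AppIDSvc) running.

# Assumption: a quarantined copy of the agent you want to block. Placeholder path.
$UnwantedAgent = 'C:\Quarantine\AnyDesk.exe'
$PolicyFile    = Join-Path $env:TEMP 'Deny-RMM-AppLocker.xml'

# Read the Authenticode publisher, product and binary name from the signed file.
$fileInfo = Get-AppLockerFileInformation -Path $UnwantedAgent

# New-AppLockerPolicy only emits Allow rules; generate a publisher rule, then flip it to Deny.
# -Xml returns the policy as a string, which we load as an XML document to edit.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher -User Everyone -Xml
foreach ($rule in $policy.AppLockerPolicy.RuleCollection.FilePublisherRule) {
    $rule.Action = 'Deny'
    $rule.Name   = "Deny unsanctioned RMM: $($rule.Name)"
}
$policy.Save($PolicyFile)

# Dry run: report the decision for the binary without touching the live policy.
# Expected: PolicyDecision = Denied, MatchingRule = the rule named above.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $UnwantedAgent -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply by merging into the local policy. The generated Exe collection has
# EnforcementMode NotConfigured; enforcing an Exe collection that contains only this
# deny rule would block every binary it does not explicitly allow, so merge into your
# existing allow policy (or deploy through GPO) rather than replacing it.
# Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
```

A publisher rule keys on the signing certificate, product name and binary name, which is why it survives a rename; an unsigned or repackaged build would need a hash rule instead, and a true allowlist (only sanctioned publishers permitted) closes that gap entirely.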
Conclusion
The abuse of fake PayPal notices to deploy RMM tools highlights a critical shift in attacker behavior. By using legitimate software, they blend into the noise of normal network traffic. Security teams must pivot from looking for "bad files" to looking for "bad behavior"—specifically, the unauthorized installation and use of remote administration tools.