
Weaponizing Fake PayPal Alerts: How Attackers Hijack RMMs for Persistence

Security Arsenal Team
March 14, 2026

In the constant chess match between cybersecurity defenders and threat actors, social engineering remains the most reliable opening move for attackers. We often see high-profile breaches starting with a simple phishing email, but a recent campaign identified by researchers highlights a concerning evolution in this tactic. Attackers are now leveraging the ubiquity of PayPal—sending fake alerts and invoices—not just to drain bank accounts, but to hijack corporate environments using legitimate Remote Monitoring and Management (RMM) tools.

The Trap: From Inbox to Intrusion

The attack vector is deceptively simple yet highly effective. Users receive a convincing email notification masquerading as a PayPal security alert or an invoice receipt. The urgency of the message—"Your account has been limited" or "Payment confirmation"—drives the recipient to click a link. This leads them to a credential harvesting page designed to look identical to the official PayPal login portal.

Once the victim enters their credentials, the attackers immediately capture the data. However, unlike standard phishing operations that might stop at selling the credentials on the dark web, this campaign has a more sinister secondary objective: establishing a foothold inside the victim's network.

The Twist: Abusing Legitimate RMMs

The critical differentiator in this attack is the abuse of RMM software. RMM tools (such as ScreenConnect, AnyDesk, or ConnectWise) are standard fare for Managed Service Providers (MSPs) and internal IT departments. They allow administrators to remotely manage endpoints, troubleshoot issues, and execute scripts.

Because these tools are trusted and often whitelisted in security environments, they are the perfect vehicle for an attacker. Once the attackers have valid credentials, they manually log into the victim's environment or use automated scripts to download and install RMM agents. This allows them to bypass standard security controls. The EDR (Endpoint Detection and Response) system sees a signed, legitimate binary executing—it doesn't see malware.

Analysis: TTPs and the "Living Off the Land" Risk

From a Threat Hunting perspective, the Tactics, Techniques, and Procedures (TTPs) observed here represent a "Living Off the Land" (LotL) approach. Mapped to the attack chain, the observed TTPs are:

  1. Initial Access: Phishing (Social Engineering).
  2. Execution: Installing legitimate software via command-line or script.
  3. Persistence: The RMM agent maintains a persistent connection to a command-and-control (C2) server managed by the attacker.

The danger lies in the ambiguity of the signal. Distinguishing between a legitimate IT admin installing an RMM for support and an attacker doing the same via stolen credentials is difficult without contextual data. The attack chain relies on the lack of strict application control policies regarding administrative tools.

Detection and Threat Hunting

To detect this type of activity, Security Arsenal analysts recommend hunting for RMM software installations initiated by unusual parent processes (like a web browser or email client) rather than standard deployment tools.

**KQL Query (Microsoft Sentinel/Defender):**

```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
// Common RMM executables - add your specific vendors here
| where FileName in~ ("AnyDesk.exe", "connectwisecontrol.exe", "tvw64.exe", "ScreenConnect.WindowsClient.exe", "splashtop.exe")
// Look for installation initiated by browsers or email clients
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "winword.exe")
| project Timestamp, DeviceName, AccountName, FileName, InitiatingProcessFileName, FolderPath
```
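The same parent-process hunt run locally from Sysmon process-creation events (Event ID 1), as an added example that is not part of the original post. It assumes Sysmon is installed with its default operational log name and that the session can read it; the binary and parent lists reuse the query above, with TeamViewer.exe and the ScreenConnect setup binary added as assumptions.

```powershell
# Added example: hunt the local Sysmon log for RMM agents launched by a browser or mail client.
# Assumes Sysmon is installed (default log name) and the session is elevated enough to read it.
$RmmBinaries = @("AnyDesk.exe", "connectwisecontrol.exe", "ScreenConnect.WindowsClient.exe",
                 "ScreenConnect.ClientSetup.exe", "splashtop.exe", "TeamViewer.exe")   # last two are assumptions
$UserFacingParents = @("chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "winword.exe")

function Get-SuspiciousRmmLaunch {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1                                   # process creation
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent reports "no events found" as an error, which here just means no hits
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read named EventData fields from the XML rather than relying on positional Properties,
        # which shift between Sysmon schema versions
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        if (-not $data['Image'] -or -not $data['ParentImage']) { return }
        $image  = Split-Path -Leaf $data['Image']
        $parent = Split-Path -Leaf $data['ParentImage']
        # -contains is case-insensitive, so "anydesk.exe" still matches
        if (($RmmBinaries -contains $image) -and ($UserFacingParents -contains $parent)) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data['User']
                Image       = $data['Image']
                Parent      = $data['ParentImage']
                CommandLine = $data['CommandLine']
            }
        }
    }
}

Get-SuspiciousRmmLaunch -Days 7 | Format-Table -AutoSize
```

A hit is not proof of compromise on its own; compare the user and time against the helpdesk's own RMM deployment records before escalating.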

**PowerShell Script for Audit:**

You can run this script on endpoints to identify if common RMM software is present and when it was installed.

```powershell
# Define common RMM display names (wildcards for -like matching)
$RMMKeywords = @("*AnyDesk*", "*TeamViewer*", "*ConnectWise*", "*ScreenConnect*", "*Splashtop*", "*LogMeIn*")

# Get-CimInstance replaces the deprecated Get-WmiObject. Win32_Product only lists MSI-installed
# packages and triggers an MSI consistency check of each one, so expect the query to be slow.
Get-CimInstance -ClassName Win32_Product |
Where-Object {
    # Capture the product name first: inside the inner pipeline $_ is the keyword, not the product
    $name = $_.Name
    @($RMMKeywords | Where-Object { $name -like $_ }).Count -gt 0
} |
Select-Object Name, Version, InstallDate
```
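A registry-based inventory that complements the Win32_Product audit above, as an added example rather than the post's own script. It reuses the keyword list from the page and assumes the standard Uninstall key locations; Win32_Product sees only MSI packages, whereas the Uninstall keys also record per-user (HKCU) installs, which is where a browser-launched installer run without admin rights typically lands. The service check at the end ties the inventory to the persistence step from the TTP analysis.

```powershell
# Added example: inventory RMM software from the Uninstall registry keys and from installed services.
$RMMKeywords = @("*AnyDesk*", "*TeamViewer*", "*ConnectWise*", "*ScreenConnect*", "*Splashtop*", "*LogMeIn*")
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',               # 64-bit machine-wide
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # 32-bit machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user, no admin needed
)

function Test-RmmKeyword {
    param([string]$Text)
    # True when any wildcard pattern matches; @() keeps .Count valid for zero or one result
    return (@($RMMKeywords | Where-Object { $Text -like $_ }).Count -gt 0)
}

function Get-InstalledRmm {
    foreach ($path in $UninstallPaths) {
        Get-ItemProperty -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -and (Test-RmmKeyword $_.DisplayName) } |
            ForEach-Object {
                [pscustomobject]@{
                    DisplayName     = $_.DisplayName
                    Version         = $_.DisplayVersion
                    InstallDate     = $_.InstallDate          # yyyyMMdd when the installer records it
                    PerUserInstall  = $path.StartsWith('HKCU:')
                    InstallLocation = $_.InstallLocation
                }
            }
    }
}

function Get-RmmService {
    # RMM agents usually persist as a Windows service; match on the service binary path
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { Test-RmmKeyword $_.PathName } |
        Select-Object Name, State, StartMode, PathName
}

Get-InstalledRmm | Sort-Object PerUserInstall -Descending | Format-Table -AutoSize
Get-RmmService | Format-Table -AutoSize
```

A per-user entry on a machine where IT deploys its RMM machine-wide is the item to look at first, since it was installed by whoever was logged in rather than by the deployment tooling.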

Mitigation Strategies

Stopping this threat requires a layered defense that focuses on identity hygiene and application control.

  1. Enforce Conditional Access: Do not rely solely on passwords. Implement Conditional Access policies (e.g., via Azure AD) that require MFA for access from unfamiliar locations or devices. This stops attackers from using stolen credentials immediately.

  2. Strict Application Control: Use AppLocker or Windows Defender Application Control (WDAC) to explicitly whitelist which RMM software is permitted in your environment. Block all other RMM executables by default.

  3. User Awareness Training: Train finance and administrative teams specifically on invoice fraud and phishing alerts mimicking financial platforms.

  4. Monitor for Admin Logins: Set up alerts for new RMM console logins or the addition of new devices to your existing RMM platform.

Conclusion

The abuse of legitimate RMM tools turns our own management infrastructure against us. By combining credential theft with trusted administrative binaries, attackers are effectively bypassing traditional signature-based defenses. Vigilance requires not just watching for known bad files, but monitoring for known good files doing unexpected things.
