Phishing Crews Pivot to Signed RMM Binaries to Slip Past Endpoint Defenses
Attackers are increasingly weaponizing legitimate remote monitoring and management (RMM) tools as the payload of choice in phishing campaigns. Because products like ConnectWise ScreenConnect, AnyDesk, Atera, and similar utilities ship with valid code-signing certificates and are routinely tolerated on managed endpoints, they pass EDR heuristics and application allowlists that would flag a custom implant: the binary is already approved because the IT team uses it. The phish typically delivers an installer or signed MSI that quietly enrolls the victim machine into an attacker-controlled tenant (the attacker's own cloud instance or self-hosted relay), granting persistent interactive access without dropping recognizable malware.
Once the RMM agent is resident, operators get full hands-on-keyboard control: file transfer, command execution, and screen takeover, all over channels that look like normal IT administration traffic. That tradecraft compresses the gap between initial access and follow-on objectives — credential theft, lateral movement, or handoff to ransomware affiliates — while leaving telemetry that blends into the noise of legitimate helpdesk activity.
Defensively, the implication is that signature trust and vendor reputation are no longer reliable signals. The agent an attacker drops is byte-for-byte the same signed binary the helpdesk uses; what differs is the tenant it reports to, which shows up in the installer's embedded configuration and in the relay host it connects to. Detection therefore has to shift toward inventory-driven controls: an explicit allowlist of sanctioned RMM vendors and, within each vendor, the specific corporate tenants or relay hostnames; alerting on any RMM process that is not on that list or that connects to a relay endpoint outside it (including a sanctioned vendor's binary talking to an unfamiliar tenant); and treating unexpected installs of these binaries, especially ones spawned from a mail client, browser, or Office document, as incident-grade events rather than IT clutter.
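The inventory-driven checks above, as an added example that is not from the Dark Reading article or any vendor's tooling. It runs over a handful of constructed Sysmon-style process and network events and raises alerts for three situations: an RMM vendor that is not sanctioned at all, a sanctioned vendor's agent connecting to a tenant host outside the corporate allowlist, and an RMM installer spawned by a user-facing parent such as Outlook. The policy, the `.example` hostnames, the parent-process list, and the sample events are assumptions constructed for the demo; the process image names are the commonly observed client binaries but should be verified against what is actually deployed in your fleet.

```python
"""Inventory-driven RMM detection over constructed Sysmon-style events.

Added example, not code from the Dark Reading article. Policy, hostnames,
parent-process heuristics and sample events are assumptions built for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
import ntpath

# Lower-cased process image basename -> vendor. Commonly observed client
# binaries; confirm against your own endpoint inventory before relying on them.
RMM_PROCESSES: Dict[str, str] = {
    "screenconnect.clientservice.exe": "screenconnect",
    "screenconnect.windowsclient.exe": "screenconnect",
    "anydesk.exe": "anydesk",
    "ateraagent.exe": "atera",
}

# Substrings looked for in msiexec / .msi command lines to spot RMM installers.
# Heuristic: a short hint like "atera" can false-positive on unrelated paths.
RMM_INSTALLER_HINTS: Dict[str, str] = {
    "screenconnect": "screenconnect",
    "anydesk": "anydesk",
    "atera": "atera",
}

# Parents that indicate a user-driven (phishing-delivered) launch rather than
# a deployment by the software-distribution system. Assumed list for the demo.
USER_FACING_PARENTS: Set[str] = {
    "outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe",
    "winword.exe", "excel.exe",
}


@dataclass(frozen=True)
class Policy:
    # vendor -> sanctioned tenant / relay hostnames (constructed for the demo)
    sanctioned: Dict[str, Set[str]]


@dataclass(frozen=True)
class Event:
    kind: str              # "process" (creation) or "network" (outbound connect)
    image: str             # full path of the acting process image
    parent: str = ""       # parent image path, process events only
    cmdline: str = ""      # command line, process events only
    dest_host: str = ""    # destination hostname, network events only


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    image: str


def _base(path: str) -> str:
    # ntpath handles Windows backslash paths on any host OS.
    return ntpath.basename(path).lower()


def vendor_of(image: str) -> Optional[str]:
    """Vendor for a known RMM client binary, else None."""
    return RMM_PROCESSES.get(_base(image))


def installer_vendor(image: str, cmdline: str) -> Optional[str]:
    """Vendor if this process is an msiexec / .msi launch of an RMM installer."""
    low = cmdline.lower()
    if _base(image) != "msiexec.exe" and ".msi" not in low:
        return None
    for vendor, hint in RMM_INSTALLER_HINTS.items():
        if hint in low:
            return vendor
    return None


def evaluate(events: List[Event], policy: Policy) -> List[Alert]:
    """Apply the allowlist-of-vendors-and-tenants policy to a stream of events."""
    alerts: List[Alert] = []
    for ev in events:
        if ev.kind == "process":
            vendor = vendor_of(ev.image) or installer_vendor(ev.image, ev.cmdline)
            if vendor is None:
                continue
            if vendor not in policy.sanctioned:
                alerts.append(Alert("high", f"unsanctioned RMM vendor '{vendor}'", ev.image))
            # Phishing delivery chain: RMM installer spawned by mail/browser/Office.
            if installer_vendor(ev.image, ev.cmdline) and _base(ev.parent) in USER_FACING_PARENTS:
                alerts.append(Alert("critical",
                                    f"{vendor} installer launched from {_base(ev.parent)}", ev.image))
        elif ev.kind == "network":
            vendor = vendor_of(ev.image)
            if vendor is None:
                continue
            allowed = policy.sanctioned.get(vendor, set())
            if ev.dest_host.lower() not in allowed:
                # Same signed binary as IT's, but talking to a foreign tenant: this is
                # the case a vendor-level allowlist misses, so rank it highest.
                severity = "critical" if allowed else "high"
                alerts.append(Alert(severity,
                                    f"{vendor} agent connecting to non-corporate tenant {ev.dest_host}",
                                    ev.image))
    return alerts


# Constructed policy: only ScreenConnect is sanctioned, and only one tenant host.
SAMPLE_POLICY = Policy(sanctioned={"screenconnect": {"corp-it.screenconnect.example"}})

# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    Event("network", r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
          dest_host="corp-it.screenconnect.example"),                       # sanctioned, no alert
    Event("network", r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe",
          dest_host="support-portal.example.net"),                          # same vendor, foreign tenant
    Event("process", r"C:\Windows\System32\msiexec.exe",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          cmdline=r'msiexec /i "C:\Users\jdoe\Downloads\Invoice_AnyDesk_Setup.msi" /qn'),
    Event("process", r"C:\Windows\System32\notepad.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="notepad.exe"),       # unrelated, ignored
]


def run_sample() -> List[Alert]:
    return evaluate(SAMPLE_EVENTS, SAMPLE_POLICY)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] {a.reason} ({a.image})")
```

The important design choice is that the allowlist is keyed on tenant hostnames, not just process names: the second sample event is the sanctioned vendor's own signed client, and a process-name rule alone would have passed it. In production the event source would be Sysmon event IDs 1 and 3 (or the equivalent EDR telemetry) and the sanctioned hostnames would come from the IT team's actual tenant configuration rather than being hard-coded.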
Continue reading at Dark Reading. This is an AI-generated summary; read the original for the full story.