
Phishing-to-RMM Attacks: The Remote Access Blind Spot CISOs Can’t Ignore

Threat actors are increasingly leveraging phishing campaigns to deliver legitimate Remote Monitoring and Management (RMM) tools like ScreenConnect and LogMeIn Rescue, bypassing traditional malware defenses. These attacks often utilize compromised domains, SEO injection, and VBS scripts to weaken endpoint controls (e.g., SmartScreen, Defender) before silently installing the RMM payload, creating significant visibility gaps for SOC teams.

Confidence: high | Analyzed: 2026-04-28

Authors: ANY.RUN

Actors: Phishing-to-RMM campaigns

Source: ANY.RUN

IOCs · 17

Detection / Hunter

What Happened

Cyber attackers are tricking people into downloading legitimate remote access software by using fake Microsoft, Adobe, and OneDrive login pages. This affects organizations across various industries, especially those in the US, Canada, Europe, and Australia. This matters because the tools being installed are not technically viruses, making them much harder for standard security software to detect and block. Organizations should monitor for unusual downloads of remote access tools and investigate the context of how these tools are being installed on employee computers.

Key Takeaways

  • Threat actors are increasingly using phishing to deliver legitimate RMM tools (ScreenConnect, LogMeIn Rescue) to bypass traditional malware detection.
  • Attacks leverage trusted infrastructure, compromised websites, and SEO injection rather than newly registered domains.
  • Detection requires analyzing the full attack chain (phishing lure, download context, execution behavior) rather than relying solely on file or domain reputation.
  • Advanced delivery methods include VBS scripts that elevate privileges, disable SmartScreen, and weaken Microsoft Defender before silently installing RMM agents.

Affected Systems

  • Windows OS
  • Organizations using or allowing RMM tools (Education, Technology, Banking, Government, Manufacturing, Finance)

Attack Chain

The attack begins with a phishing email directing the victim to a fake software update or document portal (e.g., Adobe, OneDrive) hosted on compromised or abused legitimate infrastructure. The victim is tricked into downloading an executable or a VBS script disguised as a legitimate file. Upon execution, the VBS script elevates privileges, disables SmartScreen, and weakens Microsoft Defender. Finally, the script silently downloads and installs a legitimate RMM tool like ScreenConnect or LogMeIn Rescue via msiexec, granting the attacker persistent remote access.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: Yes
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: ANY.RUN, Suricata

ANY.RUN provides a Suricata rule (ID 84002229) and custom Threat Intelligence Lookup queries (e.g., threatName:"^phishing$" and threatName:"rmm-tool") to track these campaigns.

Detection Engineering Assessment

  • EDR Visibility: Medium - EDRs may ignore the final RMM payload if it is a trusted, signed application, but they should catch the intermediate steps such as VBS scripts spawning msiexec or modifying Defender settings.
  • Network Visibility: Medium - Network traffic to legitimate RMM infrastructure (e.g., screenconnect.com) blends in with normal traffic, but the initial download from suspicious or compromised domains can be detected.
  • Detection Difficulty: Hard - The use of legitimate RMM tools and compromised domains makes it difficult to distinguish malicious activity from normal IT administration without deep behavioral context.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • File Creation (Sysmon Event ID 11)
  • Registry Modifications (Sysmon Event ID 12/13/14)
  • Network Connections (Sysmon Event ID 3)

Hunting Hypotheses

| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
| --- | --- | --- | --- |
| Look for unexpected execution of msiexec.exe spawned by script interpreters (wscript.exe, cscript.exe) installing known RMM software. | Process Creation | Execution | Low |
| Identify script executions (VBS) that are immediately followed by registry modifications targeting Windows Defender or SmartScreen. | Process Creation, Registry Modifications | Defense Evasion | Low |
| Monitor for RMM tools (ScreenConnect, LogMeIn) establishing network connections to unusual or newly observed remote subdomains. | Network Connections | Command and Control | Medium |

Control Gaps

  • Domain reputation filtering (attackers use compromised/legitimate domains)
  • Signature-based AV (payloads are legitimate signed RMM tools)

Key Behavioral Indicators

  • VBS scripts modifying Defender/SmartScreen registry keys
  • Browsers downloading executables disguised as PDFs or standard software updates
  • msiexec.exe running with silent flags shortly after script execution
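The three hunting hypotheses and the behavioral indicators above can be expressed as a small correlation over Sysmon-style telemetry. The following is an added example, not ANY.RUN's code or detection logic: it runs the hypotheses over a handful of constructed Sysmon events (process creation, registry value set, network connection) and an assumed allow-list of approved RMM destinations. The host names, file paths, timestamps and the `corp-it.screenconnect.com` tenant are invented for the example; the `jtprotherapy.screenconnect.com` destination is the one listed in the IOCs below.

```python
# Added example (not from the report): the hunting hypotheses implemented as
# correlation functions over Sysmon-style events. Event IDs follow Sysmon:
# 1 = process create, 13 = registry value set, 3 = network connection.
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe"}
RMM_MARKERS = ("screenconnect", "logmein")           # RMM tools named in the report
SILENT_FLAGS = {"/qn", "/quiet", "/q", "/passive"}     # msiexec unattended-install switches
DEFENSE_KEY_MARKERS = ("windows defender", "smartscreen")

# Constructed sample telemetry (not real-world data). WS01 follows the attack
# chain described above; WS02 is a benign, SCCM-driven install of the approved tenant.
EVENTS = [
    {"ts": "2026-04-28T10:00:00", "id": 1, "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'wscript.exe "C:\Users\a\Downloads\Invoice.pdf.vbs"'},
    {"ts": "2026-04-28T10:00:04", "id": 13, "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"ts": "2026-04-28T10:00:05", "id": 13, "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled"},
    {"ts": "2026-04-28T10:00:09", "id": 1, "host": "WS01", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"msiexec /i C:\Users\a\AppData\Local\Temp\ScreenConnect.ClientSetup.msi /qn"},
    {"ts": "2026-04-28T10:01:00", "id": 3, "host": "WS01",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "dest_host": "jtprotherapy.screenconnect.com"},
    {"ts": "2026-04-28T11:00:00", "id": 1, "host": "WS02", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\CCM\CcmExec.exe",
     "cmdline": r"msiexec /i C:\Windows\ccmcache\1\ScreenConnect.ClientSetup.msi /qn"},
    {"ts": "2026-04-28T11:01:00", "id": 3, "host": "WS02",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "dest_host": "corp-it.screenconnect.com"},
]
# Assumed organisational baseline: the RMM tenant(s) IT is allowed to use.
APPROVED_RMM_DESTINATIONS = {"corp-it.screenconnect.com"}


def _name(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def h1_script_spawns_rmm_msiexec(events):
    """H1: msiexec.exe whose parent is a script interpreter and whose command line installs a known RMM tool.
    Each hit is annotated with whether silent-install flags were used (a behavioral indicator above)."""
    hits = []
    for e in events:
        if e["id"] != 1 or _name(e["image"]) != "msiexec.exe":
            continue
        if _name(e["parent_image"]) not in SCRIPT_INTERPRETERS:
            continue
        cmd = e["cmdline"].lower()
        if any(m in cmd for m in RMM_MARKERS):
            hits.append({**e, "silent": bool(SILENT_FLAGS & set(cmd.split()))})
    return hits


def h2_script_then_defense_registry(events, window=timedelta(seconds=60)):
    """H2: a script interpreter writes a Defender/SmartScreen registry value within `window` of starting."""
    script_starts = [e for e in events if e["id"] == 1 and _name(e["image"]) in SCRIPT_INTERPRETERS]
    hits = []
    for reg in events:
        if reg["id"] not in (12, 13, 14):
            continue
        if not any(m in reg["target"].lower() for m in DEFENSE_KEY_MARKERS):
            continue
        for start in script_starts:
            same_host = start["host"] == reg["host"]
            same_image = _name(start["image"]) == _name(reg["image"])
            if same_host and same_image and timedelta(0) <= _ts(reg) - _ts(start) <= window:
                hits.append((start, reg))
                break
    return hits


def h3_rmm_to_unknown_destination(events, approved_destinations):
    """H3: an RMM client process connects to a destination outside the approved tenant list."""
    return [e for e in events
            if e["id"] == 3
            and any(m in e["image"].lower() for m in RMM_MARKERS)
            and e["dest_host"].lower() not in approved_destinations]


def run_hunts(events, approved_destinations):
    return {
        "h1_script_to_rmm_msiexec": h1_script_spawns_rmm_msiexec(events),
        "h2_script_then_defense_registry": h2_script_then_defense_registry(events),
        "h3_rmm_unknown_destination": h3_rmm_to_unknown_destination(events, approved_destinations),
    }


if __name__ == "__main__":
    for name, hits in run_hunts(EVENTS, APPROVED_RMM_DESTINATIONS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            ev = h[1] if isinstance(h, tuple) else h
            print(f"  {ev['ts']} {ev['host']} {ev.get('cmdline') or ev.get('target') or ev.get('dest_host')}")
```

The benign WS02 install is what the "High" false-positive assessment below refers to: it runs the same msiexec command line as the attack, so only the parent process (a deployment agent rather than wscript.exe) and the destination baseline separate it from the WS01 chain. In practice the `APPROVED_RMM_DESTINATIONS` set is the tuning knob; H3 is only as good as that inventory.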

False Positive Assessment

  • High - Legitimate IT administrators frequently install and use RMM tools like ScreenConnect and LogMeIn Rescue, which will trigger behavioral alerts if not properly tuned to the organization's baseline.

Recommendations

Immediate Mitigation

  • Block execution of unauthorized RMM tools using AppLocker or WDAC.
  • Investigate recent installations of ScreenConnect, LogMeIn Rescue, and other RMM tools for unauthorized access.

Infrastructure Hardening

  • Implement strict application control policies to only allow approved RMM tools.
  • Restrict outbound network connections to known, approved RMM infrastructure.

User Protection

  • Configure endpoint security to block or aggressively prompt on the execution of VBS scripts downloaded from the internet.
  • Enable Tamper Protection in Microsoft Defender to prevent scripts from disabling AV.

Security Awareness

  • Train employees to recognize fake software update prompts and file-sharing portals (e.g., fake Adobe or OneDrive pages).
  • Educate users that legitimate documents (PDFs) should not require downloading an executable or script to view.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1036.005 - Masquerading: Match Legitimate Name or Location
  • T1059.005 - Command and Scripting Interpreter: Visual Basic
  • T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1218.007 - System Binary Proxy Execution: Msiexec
  • T1219 - Remote Access Software

Additional IOCs

  • IPs:
    • 104[.]21[.]36[.]162 - Resolves to phishing domain antibotsl[.]com
    • 15[.]204[.]108[.]149 - Resolves to jtprotherapy[.]screenconnect[.]com
    • 51[.]89[.]242[.]48 - Hosts ScreenConnect MSI payload
  • Domains:
    • antibotsl[.]com - Phishing domain
    • vmail[.]app[.]n8n[.]cloud - Legitimate n8n cloud infrastructure abused for phishing
    • ldgroups[.]com - Phishing domain
    • rakteam[.]xyz - Phishing domain observed in campaign
    • tekkocaeli[.]com - Phishing domain observed in campaign
    • sewingshedstroud[.]co[.]uk - Phishing domain observed in campaign
    • cassablscq[.]com[.]es - Phishing domain observed in campaign
    • greenmedicare[.]com - Compromised domain used in attack chain
  • URLs:
    • hxxp://51[.]89[.]242[.]48:8040/Bin/ScreenConnect.ClientSetup.msi - Direct download URL for ScreenConnect payload
  • Command Lines:
    • Purpose: Silent installation of RMM tool | Tools: msiexec.exe | Stage: Execution | msiexec /i
  • Other:
    • suricataID:"84002229" - ANY.RUN Suricata rule ID for tracking this campaign