
If you thought phishing attacks couldn’t get any sneakier, think again.
Phishing remains the most commonly reported cybercrime in the United States. According to the FBI’s Internet Crime Complaint Center (IC3), phishing and spoofing consistently top the list of reported cyber offenses each year, impacting hundreds of thousands of individuals and businesses.¹ At the same time, threat actors are evolving their tactics. One of the fastest-growing trends in modern cyberattacks is the abuse of legitimate Remote Monitoring and Management (RMM) tools.
What’s old is new again. Cybercriminals are increasingly leveraging legitimate remote access software to infiltrate networks, maintain persistence, and move laterally without triggering traditional antivirus alarms. In this post, we’ll break down how these phishing campaigns work, why RMM tools are such an attractive target, and how small and mid-sized businesses can protect themselves.
Ultimately, this is exactly why a proactive cybersecurity strategy matters.
What is RMM (Remote Monitoring and Management)?
Remote Monitoring and Management (RMM) software allows IT teams to monitor endpoints, deploy updates, troubleshoot issues, and provide remote support without requiring users to physically hand over their machines.
If you’ve ever used TeamViewer or a similar remote access tool at home (as many of our clients have), you’ve experienced a simplified version of what enterprise-grade RMM software does. For managed IT providers like BP/IT, RMM platforms are foundational. They allow us to:
- Monitor device health across an entire organization
- Push security patches and updates
- Troubleshoot systems remotely
- Maintain productivity without disruption
These tools are powerful, and that power cuts both ways: the same unattended access, file transfer, and scripting that let an IT team fix a machine in minutes are exactly what an intruder wants.
Security researchers group this with “living off the land” techniques: threat actors lean on legitimate, trusted administrative tooling, whether already present on the system or installed so it looks like an ordinary IT deployment, to avoid detection.² Instead of dropping obvious malware, attackers install software that is, in fact, completely normal, right down to the vendor’s valid code signature.
How Are the Bad Guys Abusing RMM Tools in Phishing Attacks?
Modern phishing campaigns have shifted beyond simple credential theft. While harvesting usernames and passwords is still common, attackers increasingly aim to trick users into downloading and installing legitimate remote access tools.
Why?
Because once installed, an RMM tool effectively becomes a skeleton key: a vendor-supported remote shell, file transfer channel, and unattended-access path that the attacker, not your IT team, controls.
According to the Verizon Data Breach Investigations Report, the majority of breaches involve the human element, including phishing and social engineering.³ Attackers know users are trained to be cautious about entering passwords. But they are often less suspicious about downloading a “viewer,” “statement,” or “meeting file.”
We’ve recently seen phishing campaigns impersonating government agencies, including the Social Security Administration, encouraging users to download files with names like:
- SSA_eStatement.exe
- SSA-Statement-Viewer.exe
We’ve also seen similar tactics disguised as meeting invites or shared document downloads.
Here’s the problem: RMM software is not inherently malicious. It is widely used in legitimate business environments. In many of these campaigns the download is the vendor’s genuine, digitally signed client, simply renamed and pre-configured to connect back to a server the attacker controls. Basic antivirus solutions often won’t flag these installers because they are real programs used by IT teams every day.
Once installed, attackers can:
- Access the machine remotely at any time
- Run applications invisibly in the background
- Escalate privileges
- Deploy ransomware
- Move laterally across the network
The Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly warned about threat actors abusing legitimate remote management tools to establish persistent access inside business environments.⁴
In other words, this isn’t theoretical. It’s happening now.
Why Your Traditional Security Tools Often Miss This
Many small businesses rely on basic antivirus solutions. Those tools are effective at catching known malware signatures, but they are not designed to detect behavioral anomalies or unusual activity patterns.
If an attacker installs a legitimate RMM tool, antivirus sees a valid application. It does not see intent.
That’s where Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) solutions become critical.
Modern EDR solutions monitor behavior — not just files. They look for patterns such as:
- A suspicious email followed by an RMM installation
- An RMM product that is not the one your IT provider deploys, or a second agent appearing alongside it
- Remote access sessions initiated from unusual locations
- Administrative privilege escalation
- Lateral movement between endpoints
Behavioral detection is what stops “living off the land” attacks.
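As an added example (not code from this post, from BP/IT, or from any vendor it mentions), here is a small triage pass in Python over process-creation events of the kind EDR and Sysmon produce. It applies the signals listed above: which process launched the installer, where it ran from, whether its filename is dressed up as a document, and, most importantly, whether the product it turns out to be is one the IT provider actually sanctions. The publisher strings, binary names, the sanctioned-product choice, and every sample event are assumptions constructed for illustration.

```python
"""Triage process-creation events for phishing-delivered RMM installs.

Added example; not the post's or any vendor's code. Field names mirror
common EDR / Sysmon Event ID 1 telemetry (image, parent image, signer).
All sample events are constructed for illustration.
"""
import re
from pathlib import PureWindowsPath

# Code-signing publisher names and client binaries of common RMM products.
# Assumed starting values; confirm the exact strings your EDR reports.
RMM_SIGNERS = {
    "Connectwise, LLC": "ScreenConnect",
    "TeamViewer Germany GmbH": "TeamViewer",
    "AnyDesk Software GmbH": "AnyDesk",
}
RMM_IMAGES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "teamviewer.exe": "TeamViewer",
    "teamviewer_setup.exe": "TeamViewer",
    "anydesk.exe": "AnyDesk",
}
# The one RMM product this (hypothetical) IT provider deploys on purpose.
SANCTIONED_RMM = {"TeamViewer"}

# Lure words seen in installers named to look like documents.
LURE_NAME = re.compile(r"(statement|invoice|viewer|meeting|document|receipt|\.pdf)", re.I)
DOWNLOAD_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.I)
ALERT_THRESHOLD = 5


def identify_rmm(event):
    """Name the RMM product behind an event by binary name or by signer.
    Signer matching is what catches a renamed installer like SSA_eStatement.exe."""
    name = PureWindowsPath(event["image"]).name.lower()
    return RMM_IMAGES.get(name) or RMM_SIGNERS.get(event.get("signer", ""))


def score_event(event):
    """Return (score, reasons); each reason is one behavioural signal.
    Weights are judgement calls for this example, not vendor defaults."""
    score, reasons = 0, []
    image = event["image"]
    name = PureWindowsPath(image).name
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    product = identify_rmm(event)
    known_binary = name.lower() in RMM_IMAGES
    from_download = parent in DOWNLOAD_PARENTS and bool(USER_WRITABLE.search(image))

    if product and product not in SANCTIONED_RMM:
        score += 5
        reasons.append(f"unsanctioned RMM: {product}")
    elif product and from_download:
        score += 3
        reasons.append(f"sanctioned RMM {product} installed outside management")
    # A real RMM binary under its own name is not a lure; a renamed one may be.
    if not known_binary and name.lower().endswith(".exe") and LURE_NAME.search(name):
        score += 3
        reasons.append("document-lure filename")
    if from_download:
        score += 2
        reasons.append(f"launched by {parent} from a user-writable path")
    return score, reasons


def triage(events):
    """Keep only events with a signal, labelled 'alert' or 'review'."""
    findings = []
    for ev in events:
        score, reasons = score_event(ev)
        if score == 0:
            continue
        findings.append({
            "host": ev["host"],
            "image": PureWindowsPath(ev["image"]).name,
            "score": score,
            "severity": "alert" if score >= ALERT_THRESHOLD else "review",
            "reasons": reasons,
        })
    return findings


# Constructed telemetry: one phishing chain (Outlook -> lure -> RMM service),
# two benign events, and a user-installed copy of the sanctioned product.
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    {"host": "WS-17", "parent_image": OUTLOOK,
     "image": r"C:\Users\jdoe\Downloads\SSA_eStatement.exe", "signer": "Connectwise, LLC"},
    {"host": "WS-17", "parent_image": r"C:\Users\jdoe\Downloads\SSA_eStatement.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "signer": "Connectwise, LLC"},
    {"host": "WS-17", "parent_image": OUTLOOK,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "signer": "Microsoft Corporation"},
    {"host": "WS-22", "parent_image": r"C:\Program Files\TeamViewer\TeamViewer_Service.exe",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "signer": "TeamViewer Germany GmbH"},
    {"host": "WS-09", "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Users\asmith\Downloads\TeamViewer_Setup.exe", "signer": "TeamViewer Germany GmbH"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['host']} {f['image']} ({f['score']}): {'; '.join(f['reasons'])}")
```

Two design points are worth noting. First, identification by code-signing publisher, not just filename, is what turns “SSA_eStatement.exe” into “a ScreenConnect installer launched by Outlook from Downloads,” which is the story an analyst needs. Second, the allowlist is the whole detection: the product itself is neutral, so what makes it suspicious is that it is not the one your provider deploys, or that the sanctioned one is being installed by a browser rather than by management. If an attacker happens to use the same product you do, extend the allowlist from the product to your own instance (for example, the server or relay host the client is configured to reach) rather than trusting the product name.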
At BP/IT, our managed cybersecurity stack includes EDR and MDR tools such as Huntress, which are specifically built to identify unusual behavior patterns and investigate suspicious activity before damage spreads. In several recent cases, behavioral monitoring flagged suspicious RMM installations, isolated endpoints, and alerted our team before ransomware or data exfiltration could occur.
That is the difference between reactive IT support and proactive threat hunting.
How Small and Mid-Sized Businesses Can Protect Themselves
Phishing prevention still starts with awareness. Basic guidance remains important:
- Verify sender email addresses carefully
- Inspect URLs before clicking
- Be cautious of unexpected downloads
- Never run executable files from unknown sources
But here’s the hard truth: users must get it right every time. Attackers only need to succeed once.
To truly protect your business from RMM abuse and modern phishing attacks, you need:
- Behavioral-based EDR protection
- Managed detection and response with human oversight
- 24/7 monitoring and alerting
- Endpoint isolation capability
- A clear record of which remote access tools are approved, so that any other one stands out
- A clear incident response plan
This is especially important for small and mid-sized businesses that may not have an in-house security operations center.
The FBI continues to report billions of dollars in losses annually due to cybercrime.¹ Small businesses are increasingly targeted because attackers assume defenses are weaker.
The good news? BP/IT can do all this for you. And more!
Final Thoughts: Proactive Security Is No Longer Optional
Cybercriminals keep getting more clever. The line between legitimate business tools and weaponized access is becoming increasingly blurred.
Phishing attacks are no longer just about stealing passwords. They’re about gaining persistent, invisible control over your systems.
If your organization is relying solely on traditional antivirus or hasn’t evaluated its cybersecurity stack recently, now is the time.
At BP/IT, we combine remote monitoring and management, behavioral endpoint protection, managed threat detection, and real human oversight to protect Portland-area businesses from evolving cyber threats. And if there is a solution, we will find it. Fast.

Not sure if your current protections stack up?
Schedule a free tech evaluation and let’s make sure your business isn’t one click away from compromise.
In the meantime — double-check those download prompts.
Works Cited
- Federal Bureau of Investigation. Internet Crime Report. FBI Internet Crime Complaint Center (IC3). https://www.ic3.gov
- Microsoft Security Blog. “Living off the land: Using legitimate tools for malicious purposes.” Microsoft Threat Intelligence reports.
- Verizon. 2024 Data Breach Investigations Report (DBIR). https://www.verizon.com/business/resources/reports/dbir/
- Cybersecurity and Infrastructure Security Agency (CISA). “Threat actors leveraging legitimate remote access tools.” https://www.cisa.gov