Phishing Has Changed

Attackers Are Now Using the Same Remote Tools IT Teams Trust
May 4, 2026 by Intricate Security LLC, Eric Vanderveer

Many businesses know that their MSP or IT provider uses tools called Remote Monitoring and Management tools, often referred to as RMM tools. These tools are commonly used to help maintain systems, provide remote support, deploy updates, and manage security across client environments.

Because RMM tools are familiar in business environments, users may not immediately see them as suspicious. If someone receives an email that appears legitimate and is instructed to download or install a remote support tool, they may assume it is part of normal IT support. That trust is exactly what attackers are starting to abuse.

A recent article from The Hacker News, titled “Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools,” reported on a phishing campaign tracked as VENOMOUS#HELPER. According to the reporting, threat actors impersonated the Social Security Administration and tricked victims into downloading what appeared to be a statement. Instead, the download led to the use of legitimate RMM tools, including SimpleHelp and ScreenConnect, to establish persistent remote access to victim systems. The campaign reportedly affected more than 80 organizations, mostly in the United States.

So how could something like this happen?

The issue is not that RMM tools are malicious by themselves. In fact, they are important tools that IT teams and MSPs rely on every day. The issue is that attackers understand these tools are trusted. If an attacker can trick a user into installing one, or if the tool is already allowed within an organization’s security controls, the attacker may be able to gain remote access without using traditional malware.

This creates a difficult challenge for security teams. A legitimate RMM tool may not trigger the same alerts as a known malicious file. It may be signed, commonly used, and capable of blending in with normal IT activity. Once installed, it could allow the attacker to remotely interact with the computer, carry out follow-on steps, or maintain access, depending on the permissions available.

This is why businesses need to treat remote access tools as high-risk software. It is not enough to assume that because a tool is legitimate, it is safe in every situation. Organizations should know exactly which RMM tools are approved, who is allowed to install them, where they are allowed to run, and how they are monitored.

To help reduce this type of risk, businesses should consider controls such as application allowlisting, default-deny policies, and strong software approval processes. For example, tools like ThreatLocker can help prevent unapproved applications from running, writing to protected areas of the system, making unauthorized network connections, or modifying sensitive areas such as the registry. These types of controls can make it much harder for a phishing email to turn into a remote access incident.

There are also several practical steps businesses should take:

  • Maintain a list of approved remote access and RMM tools.
  • Block or alert on unauthorized RMM tools.
  • Require administrative approval before remote access software can be installed.
  • Train users not to install software from email links.
  • Monitor endpoints for new services, remote access agents, and unusual outbound connections.
  • Review whether current security tools can detect RMM abuse, not just malware.
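
As an added illustration (not code from the article or from any vendor), the sketch below checks new-service records from an endpoint inventory against an approval policy covering which RMM tool is approved, where it may run, who may install it, and which server it may connect to. The policy values, account names, hostnames, service names and sample records are all constructed assumptions.

```python
from collections import namedtuple

# Product keywords to watch for. SimpleHelp and ScreenConnect are the tools named
# in the article; name matching is a simplification (a signer check is stronger).
RMM_KEYWORDS = {"screenconnect": "ScreenConnect", "simplehelp": "SimpleHelp"}

# Hypothetical approval policy; every account, group and hostname is constructed.
POLICY = {
    "ScreenConnect": {
        "host_groups": {"workstations", "servers"},   # where it may run
        "installers": {"svc-msp-deploy"},             # who may install it
        "servers": {"support.msp.example"},           # where it may connect
    },
}

NewService = namedtuple(
    "NewService", "host host_group service_name installed_by remote_server")

def identify_rmm(service_name):
    """Map a service display name to a watched RMM product, or None."""
    lowered = service_name.lower()
    return next((p for k, p in RMM_KEYWORDS.items() if k in lowered), None)

def evaluate(event):
    """Return policy findings for one new-service record (empty list = clean)."""
    product = identify_rmm(event.service_name)
    if product is None:
        return []                                     # not a remote access tool
    rule = POLICY.get(product)
    if rule is None:
        return [f"{product} is not an approved RMM tool"]
    findings = []
    if event.host_group not in rule["host_groups"]:
        findings.append(f"{product} not approved for group {event.host_group}")
    if event.installed_by not in rule["installers"]:
        findings.append(f"{product} installed by unapproved account {event.installed_by}")
    if event.remote_server.lower() not in rule["servers"]:
        findings.append(f"{product} connects to unapproved server {event.remote_server}")
    return findings

# Constructed sample inventory records, not data from the reported campaign.
SAMPLE = [
    NewService("ws-014", "workstations", "ScreenConnect Client", "svc-msp-deploy", "support.msp.example"),
    NewService("ws-022", "workstations", "ScreenConnect Client", "jdoe", "relay.unknown.example"),
    NewService("ws-031", "workstations", "SimpleHelp Remote Access", "asmith", "203.0.113.50"),
    NewService("ws-031", "workstations", "Print Spooler", "SYSTEM", ""),
]

def triage(events):
    """Return {(host, service): findings} for records that violate the policy."""
    return {(e.host, e.service_name): f for e in events if (f := evaluate(e))}
```

The second sample record is the case the article warns about: the product is approved, yet the installing account and the server it reports to are not, so a check on the product name or signature alone would pass it.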

The lesson is not that RMM tools are bad. They are necessary for modern IT and security operations. The lesson is that any tool capable of remote access should be treated as high risk, monitored closely, and limited to approved use cases.

Phishing has changed. Attackers are no longer only trying to steal passwords or trick users into opening malicious attachments. In many cases, they are trying to convince users to install tools that look normal, trusted, and useful. Businesses that want to stay ahead of this threat need to focus not only on stopping malware, but also on controlling which legitimate tools are allowed to run in their environment.
