Remote Access, Real Theft
The criminal infrastructure built on legitimate IT tools and the psychology that makes it work


GM, Welcome Back to the Dead Drop.
As you have seen me say many times, the most dangerous adversaries aren't the ones who break down your door, they're the ones you invite inside (just like vampires).
Cybercriminals have weaponized Remote Monitoring and Management (RMM) tools: legitimate IT software used by millions of administrators worldwide. According to the Arctic Wolf 2025 Threat Report, 59.4% of ransomware cases began with external remote access, and RMM tools were involved in 36% of incident response cases.
Your security systems are designed to trust these tools. That's exactly why criminals use them.
The Criminal Playbook: Why RMM Tools Work
RMM software (ScreenConnect, AnyDesk, TeamViewer, PDQ Connect, N-able, SimpleHelp) allows IT administrators to remotely manage computers. Helpdesk staff use these tools legitimately every day to troubleshoot problems, push updates, and manage endpoints.
Criminals recognized something critical: most vendors ship a portable client that runs without an installer and without administrator privileges, so an ordinary user can launch it straight from a Downloads folder. That sidesteps controls that key on installation events or admin rights, even where policy forbids unapproved software.
Your security tools can't see the threat because they're trained to trust it.
Between 2022 and 2024, more than one third of intrusions ReliaQuest responded to involved RMM tools. CrowdStrike reported a 70% increase in adversaries exploiting them in 2024.
Why criminals love RMM tools:
Reduced Resource Development: Why develop custom malware when you can download enterprise-grade remote access software in seconds?
Host Security Bypass: Antivirus and EDR tools often let remote-access software through because it is signed by a legitimate vendor and frequently already sits on allowlists or in scan-exclusion paths.
Network Stealth: Many RMM tools provide end-to-end encryption and vendor-operated relay servers, eliminating the need for traditional command-and-control infrastructure.
Operational Flexibility: One application gives criminals credential harvesting, lateral movement, persistent access, and ransomware deployment capability.
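The evasion described above is also what makes the abuse detectable: an approved agent is installed by IT under Program Files and started by the service manager, whereas a lure lands a portable client in a user's Downloads or Temp folder, started by Outlook, a browser or Teams. The script below is an added example, not code from this newsletter or from any vendor. It runs that comparison over a few constructed process-creation events (the shape an EDR or Sysmon process-start feed provides) against a hypothetical allowlist; the executable-name patterns are an illustrative starting point that you would tune to the binaries your own vendors ship.

```python
"""Flag RMM binaries that appear outside an approved deployment.

Added example (not part of the original briefing). The events, hostnames,
paths and allowlist are constructed for the demo; the name patterns are an
illustrative starting point, not a complete vendor inventory.
"""
import re

# RMM families the briefing names, keyed by a substring of the executable name.
# Assumption: tune these to the client binaries your vendors actually ship.
RMM_FAMILIES = {
    "screenconnect": "ScreenConnect",
    "anydesk": "AnyDesk",
    "teamviewer": "TeamViewer",
    "pdqconnect": "PDQ Connect",
    "simplehelp": "SimpleHelp",
    "quickassist": "Quick Assist",
}

# Policy: what IT actually deploys and where it is allowed to live (hypothetical).
APPROVED = {
    "TeamViewer": [r"^c:\\program files\\teamviewer\\"],
}

# Where a portable executable lands when a user clicks a link.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\|\\windows\\temp\\",
    re.IGNORECASE,
)
# Parents that mean "a human clicked something", not "the agent was installed".
LURE_PARENTS = {"outlook.exe", "msedge.exe", "chrome.exe", "firefox.exe",
                "ms-teams.exe", "teams.exe"}


def classify(event):
    """Return (family, reasons): the RMM family matched (or None) and why it was flagged."""
    image = event["image"].lower()
    exe = image.rsplit("\\", 1)[-1]
    family = next((f for key, f in RMM_FAMILIES.items() if key in exe), None)
    if family is None:
        return None, []
    reasons = []
    allowed_paths = APPROVED.get(family)
    if allowed_paths is None:
        reasons.append(f"{family} is not on the approved RMM list")
    elif not any(re.search(p, image) for p in allowed_paths):
        reasons.append(f"{family} launched from outside its approved install path")
    if USER_WRITABLE.search(image):
        reasons.append("running from a user-writable path (portable executable)")
    parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    if parent in LURE_PARENTS:
        reasons.append(f"spawned by {parent} (user clicked a link or attachment)")
    return family, reasons


def triage(events):
    """Run every event through classify() and keep the ones worth an analyst's time."""
    alerts = []
    for ev in events:
        family, reasons = classify(ev)
        if family and reasons:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "family": family, "reasons": reasons})
    return alerts


# Constructed sample telemetry (not real data): one sanctioned launch, two lures, one noise event.
SAMPLE_EVENTS = [
    {"host": "WS-2847", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"host": "WS-2847", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"host": "WS-1190", "user": "CORP\\sarah",
     "image": r"C:\Users\sarah\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
     "parent_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"host": "WS-0042", "user": "CORP\\admin",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']} {a['family']}: " + "; ".join(a["reasons"]))
```

Run as-is, the two lure launches are reported with all three reasons and the sanctioned TeamViewer launch is ignored. The same three questions (is the family approved, is it in its install path, who spawned it) map directly onto an EDR or SIEM rule, and the allowlist doubles as the "explicit authorization list" a policy needs.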
The Phishing Playbook: Real-World Lures
These aren't poorly-written scam emails. These are professionally crafted messages exploiting specific psychological triggers.
Example 1: The IT Security Alert
From: IT Security Team [email protected]
Subject: Urgent: Security Update Required by End of Day
Dear Team Member,
We have detected unusual activity on our network and are implementing mandatory security updates across all workstations.
Your device (Workstation-2847) requires immediate installation of our updated AnyDesk security monitoring software. Failure to complete this update by 5:00 PM today may result in temporary network access restrictions.
Click here to download the required update: [Install Security Update Now]
Installation takes 2-3 minutes. Our IT team will verify compliance automatically.
If you experience any issues, contact the Help Desk at ext. 4477.
IT Security Operations
Why This Works: Creates artificial urgency, uses your company's naming conventions, includes what appears to be your workstation ID, provides a "helpful" help desk number (which goes to the attackers), and positions malware as a security measure.
Example 2: The Email Overload "Help"
From: IT Helpdesk [email protected]
Subject: RE: Email System Issue - Ticket #8847
Hi Jennifer,
We received your ticket regarding the large volume of emails flooding your inbox. We've identified this as a system-wide spam filter issue affecting approximately 30 users.
Please download and run the email filter agent: [Download Email Protection Tool - TeamViewer]
Once installed, one of our technicians (likely David from Level 2 support) will connect to verify the filter is working correctly. This should take 5-10 minutes.
Ticket Reference: HD-8847-SPAM Priority: High
IT Service Desk
Why This Works: The victim didn't submit a ticket, but criminals flooded their inbox first, so timing seems perfect. References an actual IT team member's name, provides ticket numbers, and positions malware as the solution to the problem they created.
Example 3: The "CEO" Emergency Request
From: Robert Chen [email protected]
Subject: Urgent - Need you to handle something confidential
Sarah,
I'm in back-to-back meetings with the acquisition team all afternoon and my laptop is acting up. IT is swamped and I need to review the Q4 financials before the board call at 4 PM.
Can you help me out? I need you to install this remote access tool so I can pull the files from your machine:
[Download Secure Access - AnyDesk]
Once you install it, just reply with the access code it gives you and I'll grab what I need. Should only take a few minutes.
I really appreciate it. This deal is time-sensitive.
Robert
Sent from my iPhone
Why This Works: Appears from the CEO (spoofed or compromised email), creates urgency around business-critical situation, relies on employee's desire to help leadership, and informal tone makes it seem authentic.
The Pattern
Every example shares: urgency (limited time, consequences), authority (legitimate sources), problem-solution framing (creates then "solves" problems), legitimacy indicators (proper terminology, specific numbers), and low friction (installation "takes just minutes").
The criminals aren't targeting your technology. They're targeting your employees' psychology.
Case Study: Black Basta's Evolution
Black Basta ransomware was first identified in April 2022. As of May 2024, affiliates had impacted over 500 organizations globally, and blockchain analysis published in late 2023 put their ransom receipts at more than $107 million in Bitcoin since early 2022.
Storm-1811 uses email bombing to fill victims' inboxes with spam, then contacts users via Microsoft Teams or by phone posing as IT staff. They walk victims through launching Quick Assist (built into Windows) or installing AnyDesk or TeamViewer. Once inside, they deploy credential harvesters, DarkGate, Zbot, and Black Basta ransomware. In December 2024 they hit BT Group's Conferencing division and claimed to have stolen 500 GB of data.
The Cargo Theft Operation: Since June 2025, criminals have targeted trucking companies by posting fraudulent freight listings on load boards. When carriers inquire, they receive emails with malicious URLs leading to RMM tool installers. Once installed, attackers delete existing bookings, block dispatcher notifications, add their devices to phone systems, book loads under the victim's name, and coordinate physical cargo theft. Most stolen cargo: food and beverage products, sold online or shipped overseas.
The Refund Scam: Attackers connect to victims' systems, have them log into bank accounts, then modify the account summary to show a fake overpayment. They instruct victims to "refund" the excess amount. FBI data shows these scams caused over $1 billion in losses in 2022. CISA documented federal employees targeted with help desk-themed phishing leading to RMM installation and refund attempts.
The Psychology: Why These Attacks Work
The most successful fraud isn't about technology, it's about understanding human psychology.
The Authority Exploit: When someone calls claiming to be from your IT department, using correct internal terminology, your brain makes a split-second trust decision. You want to believe they're legitimate.
The Urgency Multiplier: Urgency short-circuits critical thinking. When you're in crisis mode, you're in compliance mode. You follow instructions. You click links. You download software.
The Legitimacy Shield: Because RMM tools are legitimate software, users are less suspicious. When your IT department uses TeamViewer, and a supposed IT person asks you to install TeamViewer, it doesn't trigger alarm bells.
The Reciprocity Trap: Someone who is "helping" you earns your cooperation. When attackers flood your inbox and then show up with the fix, or when "the CEO" asks a small favour, refusing feels ungrateful or even insubordinate. Criminals exploit our sense of obligation to those who help us or outrank us.
The criminals aren't targeting your technology. They're targeting your psychology.
Threat Actor Landscape
TA583: Highly active threat actor conducting multiple campaigns daily, distributing ScreenConnect for account takeover and credential theft.
TA2725: Known for Brazilian banking malware, began delivering ScreenConnect in January 2025, targeting organizations in Mexico.
Storm-1811/Black Basta Affiliates: Uses social engineering to impersonate help desk employees, gaining access via RMM tools for ransomware deployment. Email bombing followed by "helpful" calls is their signature move.
Initial Access Brokers: Abuse 15-day free trials of RMM tools to create compromised machine networks, then sell access to ransomware operators and state-sponsored actors.
Black Basta has impacted at least 12 out of 16 critical infrastructure sectors across North America, Europe, and Australia, with the majority of attacks hitting healthcare, manufacturing, and construction.

Field Manual: Your Personal Defense Protocols
Know What You're Looking For
Email Red Flags:
Urgent deadlines with threats of consequences
Download links for .exe, .msi, or .zip files
Sender addresses that don't quite match (check the actual email address, not just the display name)
Unexpected requests from "IT," "management," or "vendors"
Any message asking you to install software immediately
Communication Red Flags:
Unsolicited calls from "tech support" or "IT help desk"
Microsoft Teams messages from people you don't recognize claiming to be IT
Phone numbers provided in emails rather than official company directories
Pressure to act "right now" or "by end of day"
Anyone asking for your computer's access code or ID number
On Your Computer:
Programs you don't remember installing
Remote access software running that you didn't open
Your mouse cursor moving on its own
Files or folders opening without your input
Unexpected software installation prompts
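Most of the email red flags in the list above can be checked mechanically before a human ever reads the message. The script below is an added example, not part of the newsletter. It takes a raw message, pulls the real address out from behind the display name, checks the domain for lookalike tricks (digit-for-letter swaps, a spelling one or two edits from the company domain), notes a Reply-To that points elsewhere, finds links to .exe/.msi/.zip files, and looks for urgency language, install requests and a phone number supplied in the body. The company domain (example.com), the lookalike domains and both sample messages are constructed for the demonstration, with the lure modelled on Example 1 above.

```python
"""Score an email for the RMM-lure red flags in the checklist.
Added example, not code from the newsletter; the company domain and both
sample messages are constructed for the demo."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the domain your real IT mail comes from
EXEC_EXT = re.compile(r"\.(exe|msi|zip|scr|hta)(\?|$)", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|by end of day|by \d{1,2}:\d{2}\s*[ap]m|failure to)\b", re.I)
INSTALL = re.compile(r"\b(install|download|run)\b", re.I)
PHONE = re.compile(r"\b(ext\.?\s*\d{3,5}|\d{3}[-.\s]\d{3}[-.\s]\d{4})\b", re.I)
# Anchor extraction by regex is enough for a triage demo; a production pipeline uses an HTML parser.
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOMOGLYPHS = str.maketrans("01357", "olest")  # micros0ft -> microsoft, examp1e -> example


def edit_distance(a, b):
    """Levenshtein distance: catches domains one or two characters off from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    """True when a domain is not ours but imitates it (digit swaps or a near-miss spelling)."""
    if domain == COMPANY_DOMAIN:
        return False
    base, norm = COMPANY_DOMAIN.split(".")[0], domain.translate(HOMOGLYPHS)
    return base in norm or edit_distance(norm.split(".")[0], base) <= 2


def assess(raw):
    """Return the red flags found in a raw RFC 822 message (text/plain or text/html)."""
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    if from_dom != COMPANY_DOMAIN:
        findings.append(f"display name '{name}' but the address is @{from_dom}, not @{COMPANY_DOMAIN}")
    if lookalike(from_dom):
        findings.append(f"{from_dom} imitates {COMPANY_DOMAIN}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_dom:
        findings.append(f"Reply-To {reply} goes to a different domain than From")
    # walk() yields the message itself for single-part mail, every leaf for multipart
    body = "".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html"))
    links = LINK.findall(body)
    for href, text in links:
        if EXEC_EXT.search(href):
            findings.append(f"link '{text.strip()}' downloads an executable: {href}")
    text = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)
    if m := URGENCY.search(text):
        findings.append(f"urgency language: '{m.group(0)}'")
    if links and INSTALL.search(text):
        findings.append("asks you to install or download software via a link")
    if m := PHONE.search(text):
        findings.append(f"phone number supplied in the message itself: {m.group(0)}")
    return findings


def verdict(raw):
    """Map findings to the action the checklist prescribes."""
    findings = assess(raw)
    action = "block and report" if len(findings) >= 3 else "verify out-of-band" if findings else "no lure indicators"
    return action, findings


# Constructed lure modelled on Example 1 above; every domain and number here is made up.
SAMPLE_LURE = """\
From: IT Security Team <it-security@examp1e-support.com>
Reply-To: helpdesk-4477@mail-relay.example
Subject: Urgent: Security Update Required by End of Day
Content-Type: text/html; charset="utf-8"

<p>Your device (Workstation-2847) requires immediate installation of our updated AnyDesk
security monitoring software. Failure to complete this update by 5:00 PM today may result
in temporary network access restrictions.</p>
<p><a href="https://cdn.examp1e-support.com/AnyDesk.exe">Install Security Update Now</a></p>
<p>If you experience any issues, contact the Help Desk at ext. 4477.</p>
"""

# Constructed benign notice from the real help desk.
SAMPLE_LEGIT = """\
From: IT Service Desk <helpdesk@example.com>
Subject: Ticket HD-1024 resolved
Content-Type: text/plain; charset="utf-8"

Your ticket is closed. Reply to this message if the issue returns.
"""
```

Calling verdict(SAMPLE_LURE) returns "block and report" with all seven flags, while verdict(SAMPLE_LEGIT) returns "no lure indicators". The threshold of three findings is a deliberately conservative choice for the demo: a single flag (a vendor mailing from its own domain, say) still deserves the out-of-band verification the checklist prescribes, but it should not be blocked on its own.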
The Verification Process: Your First Line of Defense
When someone asks you to install software, follow this process every single time:
Step 1: Stop
Don't click anything. Don't download anything. Don't call any number provided in the message.
Step 2: Verify Independently
If it's an email: Close it and contact your IT department through your company's official channels
If it's a phone call: Hang up and call your IT department back using the number from your company directory
If it's a Teams message: Close it and contact the person through a different method (phone, in-person)
Step 3: Ask These Questions
When you contact IT through official channels, ask:
"Did you send me a request to install [software name]?"
"Is there a ticket number for this request?"
"Is this software on our approved list?"
Step 4: Document Everything
Write down:
When you received the request
Who it appeared to be from
What they asked you to do
What number or email they used
What To Do When You Get a Suspicious Request
If You Receive a Suspicious Email:
Don't click links or download attachments
Don't reply
Forward to IT security or use "Report Phishing" button
Delete after reporting
When unsure, ask IT (better 10 false alarms than one real threat)
If You Get a Suspicious Phone Call:
Don't provide any information or follow instructions
Tell the caller: "I need to verify this. What's your employee ID and ticket number?"
Hang up
Call your IT department using the official company number
Report the call
If Someone Messages You on Teams:
Don't click links or download anything
Verify by calling their office phone
If you don't know them, contact IT immediately
Screenshot the message before reporting
If You Think You've Been Compromised
Immediate Actions (Do These Right Now):
Disconnect from the internet: Unplug your ethernet cable or turn off WiFi
Don't try to fix it: Don't delete anything, don't run antivirus scans, don't restart your computer
Contact IT immediately: Use your phone to call IT (not the potentially compromised computer)
Don't use the computer: Don't log into any accounts, don't check email, don't access any files
What to Tell IT:
"I think my computer may be compromised"
When you first noticed something wrong
What software you may have installed
Whether you provided any passwords or access codes
Whether you logged into any accounts (especially banking or email)
After IT Secures Your Computer:
Change your passwords from a clean device (not the compromised one):
Email password first (this controls everything else)
Banking and financial accounts
Work VPN or network access
Any other sensitive accounts
Use strong, unique passwords for each account. If you gave anyone remote access to your computer while you were logged into accounts, assume those accounts are compromised.
Building Your Personal Security Habits
Before Installing Any Software:
Ask yourself: "Did I initiate this request, or did someone contact me?"
If someone contacted you, it's suspicious until verified
IT will never ask you to install software via email or cold call
Urgent deadlines are a manipulation tactic, not a legitimate IT practice
When Someone Asks for Remote Access:
Only provide remote access if YOU initiated the support request through official channels
Never give remote access to someone who contacted you first
Never share access codes over phone, email, or chat unless you called them
Legitimate IT can reach a managed device through the company's own tooling; they won't cold-call you for a session code
Daily Practices:
Hover over links before clicking to see the actual destination
Check sender email addresses carefully (look for misspellings like "micros0ft.com")
Question urgency (real emergencies are rare; fake urgency is common in scams)
Trust your instincts (if something feels off, it probably is)
When in doubt, verify through a separate channel
Create Your Verification Checklist:
Keep this near your computer:
✓ Did I request this support?
✓ Did I verify through official channels?
✓ Did IT confirm this is legitimate?
✓ Is this software on my company's approved list?
✓ Have I documented this request?
If you can't check all five boxes, don't proceed.
What IT Will Never Ask You To Do
Save this list. Legitimate IT support will NEVER:
Ask you to install software via unsolicited email
Call you out of the blue asking you to download remote access tools
Request your password or verification codes
Pressure you with artificial deadlines
Threaten consequences if you don't act immediately
Ask you to log into your bank account while they're connected
Provide phone numbers in emails instead of official directories
Message you on Teams from accounts you don't recognize
If someone claiming to be IT does any of these things, it's a scam.
Teaching Others
You're not just protecting yourself. Share this knowledge:
Forward this briefing to colleagues who handle sensitive information
Talk to family members who may be targeted (especially parents or grandparents)
If you see a colleague falling for a scam, speak up (better to be wrong than silent)
Create a culture where questioning suspicious requests is normal and encouraged
Remember: Criminals count on you being too embarrassed to verify, too busy to question, or too intimidated to push back. Don't give them that advantage.
The Fraudfather Bottom Line
The weaponization of RMM tools represents a fundamental shift in the threat landscape. Criminals learned that the most effective way to breach your network isn't to break your security, it's to use the tools your security already trusts.
CrowdStrike reported a 70% increase in adversaries exploiting RMM tools in 2024, including Scattered Spider, LockBit, Iran's Static Kitten, and North Korea's Famous Chollima. This isn't a passing trend. This is the new operational standard for cyber-enabled crime.
Your Action Plan:
Audit Now: Identify every RMM tool in your environment
Establish Policy: Create explicit authorization lists and usage procedures
Deploy Detection: Implement network and endpoint monitoring
Train Personnel: Educate employees using the phishing examples in this briefing
Verify Everything: Treat every unexpected "IT support" contact as potentially hostile until verified through independent channels
The criminals targeting you aren't breaking in through sophisticated zero-day exploits. They're calling your employees, pretending to be IT support, asking them to download legitimate software. They're posting fake freight listings. They're flooding inboxes with spam and then "helpfully" offering to fix the problem.
They understand something critical: the human element is both your greatest strength and your most exploitable vulnerability.
Train your team to recognize psychological manipulation techniques: urgency, authority, problem-solution framing, reciprocity, and legitimacy indicators. When someone creates urgency around a request to install software, that's not efficiency. That's a red flag.
Monitor. Verify. Act.
In my two decades hunting these adversaries, I've learned that the organizations that survive aren't the ones with the most expensive security tools; they're the ones that understand how criminals actually operate and build defenses accordingly.
Don't give them the keys. Don't invite them inside. Don't trust, verify.
Stay sharp. Trust slowly. Verify everything.
Trusted Resources
Report Suspicious Activity:
FBI IC3: ic3.gov
CISA: cisa.gov/report
Technical Guidance:
CISA Advisory on RMM Abuse: cisa.gov/news-events/cybersecurity-advisories/aa23-025a
The Fraudfather combines a unique blend of experiences as a former Senior Special Agent, Supervisory Intelligence Operations Officer, and now a recovering Digital Identity & Cybersecurity Executive. He has dedicated his professional career to understanding and countering financial and digital threats.
This newsletter is for informational purposes only and promotes ethical and legal practices.


