Active phishing campaigns monitored by Netskope Threat Labs are leveraging high-frequency video conferencing workflows as an infection vector.

Attack chain:
- Pixel-perfect spoofed Zoom / Teams / Meet page
- “Mandatory update” prompt
- Deployment of signed RMM agent (Datto, LogMeIn, ScreenConnect)
- Administrative persistence & lateral movement

Key concern: abuse of legitimate, digitally signed RMM binaries to evade signature-based controls and blend into sanctioned enterprise traffic.

Detection challenge: distinguishing authorized RMM activity from malicious post-exploitation.

Source: https://www.netskope.com/blog/attackers-weaponize-signed-rmm-tools-via-zoom-meet-teams-lures

Are you enforcing strict RMM allowlists and monitoring outbound C2-like behavior within approved tools?
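
One way to approach the allowlist question above, as an added example (not from the post or the Netskope report): a triage function that flags RMM activity by product, relay destination and install origin instead of by signature validity. The event fields, host names, paths and allowlist contents are constructed assumptions; map them to whatever your EDR or proxy telemetry actually provides.

```python
# Added example: triage RMM process events against an allowlist.
# Field names, hosts, paths and events are constructed for illustration.
from dataclasses import dataclass

# Sanctioned RMM products and the only relay hosts they may contact (assumed).
ALLOWLIST = {"ScreenConnect": {"rmm.corp.example"}}
# Products named in the post; extend with your own software inventory.
KNOWN_RMM = {"Datto", "LogMeIn", "ScreenConnect"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

@dataclass
class Event:
    host: str
    product: str   # product name taken from the binary's signature metadata
    parent: str    # parent process image name
    path: str      # image path of the RMM installer or agent
    dest: str      # outbound relay/server host the agent connected to

def triage(ev):
    """Return reasons an RMM event is suspicious (empty list = expected)."""
    # Signature validity is deliberately not an input: the abused agents
    # are legitimately signed, so a valid signature clears nothing.
    if ev.product not in KNOWN_RMM:
        return []
    reasons = []
    relays = ALLOWLIST.get(ev.product)
    if relays is None:
        reasons.append("unsanctioned-product")
    elif ev.dest not in relays:
        reasons.append("unapproved-relay")
    # A fake "mandatory update" lands via the browser, not a deployment tool.
    if ev.parent.lower() in BROWSERS or "\\downloads\\" in ev.path.lower():
        reasons.append("user-initiated-install")
    return reasons

def report(events):
    """Map host -> reasons for every event that needs analyst review."""
    return {ev.host: r for ev in events if (r := triage(ev))}

EVENTS = [  # constructed sample telemetry
    Event("ws-01", "ScreenConnect", "services.exe",
          r"C:\Program Files\RMM\agent.exe", "rmm.corp.example"),
    Event("ws-02", "ScreenConnect", "chrome.exe",
          r"C:\Users\a\Downloads\update.exe", "relay.unknown.example"),
    Event("ws-03", "LogMeIn", "msiexec.exe",
          r"C:\Program Files\RMM2\agent.exe", "relay.unknown.example"),
]

if __name__ == "__main__":
    for host, reasons in report(EVENTS).items():
        print(host, ", ".join(reasons))
```
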