Summary: Proofpoint’s report reveals that cybercriminals are increasingly using legitimate Remote Monitoring and Management (RMM) tools, such as ScreenConnect, as a first-stage payload in email campaigns. This trend marks a shift from traditional malware methods, exploiting the tools’ trusted status to gain initial access to victims’ systems. Additionally, the report highlights the need for organizations to enhance their defenses against such emerging threats.

Affected: Organizations potentially targeted by threat actors utilizing RMM tools

Keypoints :

• RMM tools like ScreenConnect, Fleetdeck, and Atera are increasingly utilized by attackers for initial system access.
• Threat actor TA583 and TA2725 have been active in deploying these tools through email campaigns, often using social engineering tactics.
• Recommendations for organizations include restricting unauthorized RMM tool installations, improving network defenses, and training users to recognize suspicious activities.