ConnectWise ScreenConnect, Datto RMM, and SimpleHelp are being deployed as post-compromise persistence mechanisms in the IRS-impersonation phishing campaign documented by Microsoft Threat Intelligence. Attackers leverage the signed, trusted status of these RMM tools to evade EDR detection after credential harvesting via AiTM PhaaS platforms. No vulnerability in these products is exploited; the risk is unauthorized installation by attackers. Organizations should audit all RMM installations for instances not provisioned by IT, enforce application allowlisting to block unapproved RMM binaries, and alert on RMM processes spawned from user-level or browser parent processes.