Severity: HIGH
CVSS: 7.5
Priority: 0.675
Executive Summary
Threat actors are exploiting legitimate remote monitoring and management (RMM) software to infiltrate enterprise environments, with confirmed impact across more than 80 organizations. Attackers deliver signed, trusted RMM binaries through phishing lures impersonating Zoom, Google Meet, and Microsoft Teams, giving them persistent, broad network access that blends into normal IT operations. Because the tools themselves are legitimate, standard allowlisting and signature-based defenses do not flag the activity, leaving organizations exposed to data theft, lateral movement, and prolonged undetected access.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH (prioritize for investigation)
Actor Attribution: HIGH (unknown; not attributed in available reporting)
TTP Sophistication: HIGH (8 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (multiple evasion techniques observed)
Target Scope: INFO (unspecified legitimate RMM tools, two named in the full article; enterprise environments with RMM deployments)
Are You Exposed?
Heightened risk: the actor is not attributed in available reporting, so no industry can be ruled out as a target.
Assess exposure: you use legitimate RMM tools (two named in the full article) in an enterprise environment with RMM deployments.
Review detection coverage: 8 attack techniques identified; check your detections against these TTPs.
Reduced risk: your EDR/XDR detects the listed IOCs and TTPs.
Prepared: you have incident response procedures for this threat type.
Assessment estimated from severity rating and threat indicators.
Business Context
Attackers who establish access through trusted RMM tools have the same reach as your own IT team — they can move across systems, access sensitive data, and maintain that access for weeks or months before detection. A compromise of this type can expose confidential business data, disrupt IT operations, and create liability under data protection regulations if personal or regulated data is accessed. Because the tools involved are designed for legitimate use and trusted by your security stack, the time-to-detection is significantly longer than a typical intrusion, increasing the potential scope and cost of a breach.
You Are Affected If
You have one or more RMM tools deployed in your environment (any vendor) and do not maintain a verified inventory of authorized installations and active sessions
Your endpoint security or application control policy allowlists RMM binaries by signature or file hash without restricting which user accounts or processes may launch them
Your email or collaboration platform (Teams, Zoom, Google Meet) does not inspect or block executable payloads and links to executables delivered via direct message or meeting invite
You lack behavioral detection rules in your SIEM or EDR specifically covering T1219 (remote access software abuse) — signature-only detection will not catch this campaign
Remote IT administration sessions are not correlated against change management tickets, meaning unauthorized sessions would not trigger an alert
Board Talking Points
Attackers are using the same remote IT management tools your own team uses to access company systems — because the tools are legitimate, standard security controls do not flag them.
Security teams should audit all remote management tool deployments and implement behavioral monitoring within 30 days; this is a detection and access-control problem, not a software patch.
Organizations that take no action remain exposed to prolonged, undetected access — this campaign has already affected more than 80 organizations across enterprise environments.
Technical Analysis
Attackers are abusing at least two legitimate, signed RMM tools (named in the full Netskope report) to establish persistent remote access following phishing-based initial delivery.
The attack chain maps to T1566/T1566.001/T1566.002 (phishing; spearphishing attachment/link), T1105 (ingress tool transfer), T1036/T1036.005 (masquerading; match legitimate name or location), T1078 (valid accounts), and T1219 (remote access software).
Because the RMM binaries are legitimately signed, endpoint detection relying on code signing or allowlisting is bypassed by design.
CWE-494 (Download of Code Without Integrity Check) applies where the delivery mechanism lacks integrity verification. Whether CWE-506 (Embedded Malicious Code) applies is uncertain from available reporting: the binaries appear to be abused as-is rather than trojanized, and this distinction should be confirmed against the full Netskope and Dark Reading articles before use in formal risk documentation. The qualitative severity rating (high) is set editorially based on scope and impact; CVSS vector scoring is not confirmed from the available source stubs and is not applicable to campaign-type threat activity. No CVE identifier is associated with this campaign: it is an abuse-of-legitimate-tools pattern, not a software vulnerability. No patch remediates the root cause; mitigations are detection- and access-control-focused. Primary sources: Netskope blog (direct campaign analysis); Huntress, Intel 471, and Immersive Labs (RMM misuse tradecraft).
Action Checklist (IR enriched)
Triage Priority: IMMEDIATE
Escalate immediately to senior IR leadership, legal counsel, and potentially CISA (per CISA reporting guidelines) if unauthorized RMM sessions are confirmed on endpoints with access to PII, PHI, or financial data (triggering breach notification obligations under HIPAA, GDPR, or state privacy laws), if lateral movement beyond the initial endpoint is detected, or if the team lacks the forensic capacity to image and analyze affected endpoints before evidence is lost.
Step 1: Containment — Audit all RMM tools currently authorized and deployed across your environment against your software inventory. Identify RMM binaries running outside approved change windows, on endpoints where IT did not initiate a session, or under accounts that should not execute RMM software. Suspend unauthorized sessions immediately and isolate affected endpoints pending investigation. (Cite: NIST AC-17 — Remote Access / CIS 2.1 — Establish and Maintain a Software Inventory / CIS 2.3 — Address Unauthorized Software / D3-UAP — User Account Permissions)
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy: isolate affected systems to prevent attacker lateral movement while preserving evidence; choose containment strategy based on potential damage and need for evidence preservation.
NIST IR-4 (Incident Handling)
NIST AC-2 (Account Management)
NIST CM-8 (System Component Inventory)
CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory)
CIS 5.1 (Establish and Maintain an Inventory of Accounts)
Compensating Control
Run the following PowerShell on all Windows endpoints (or distribute via GPO logon script): `Get-Process | Where-Object {$_.Name -match 'atera|screenconnect|anydesk|connectwise|splashtop|netsupport|zoho|datto|kaseya'} | Select-Object Name,Id,Path,StartTime,@{n='Owner';e={(Get-WmiObject Win32_Process -Filter "ProcessId=$($_.Id)").GetOwner().User}} | Export-Csv C:\IR\rmm_audit.csv`. Cross-reference output against your approved RMM vendor list and IT change tickets. Immediately terminate processes not matching approved tools: `Stop-Process -Id <PID> -Force`. For network isolation on Windows without EDR, use: `netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound` on suspect hosts.
Preserve Evidence
BEFORE isolating, capture: (1) Full process tree snapshot showing parent-child relationships — specifically look for RMM binary spawned by user-context processes (explorer.exe, outlook.exe, teams.exe, zoom.exe) rather than SYSTEM or IT admin accounts, using `Get-WmiObject Win32_Process | Select ProcessId,ParentProcessId,Name,CommandLine,ExecutablePath | Export-Csv C:\IR\proctree.csv`; (2) Active network connections from the RMM process: `netstat -anob > C:\IR\netstat_$(hostname).txt`; (3) RMM binary file path, SHA-256 hash (`Get-FileHash <path> -Algorithm SHA256`), and digital signature details (`Get-AuthenticodeSignature <path>`) to distinguish legitimate signed binary from trojanized variant; (4) Windows Security Event Log entries for Event ID 4688 (Process Creation) and Event ID 4624/4625 (Logon Success/Failure) filtered to the RMM process name and the user account running it.
Step 2: Detection — Query endpoint telemetry and EDR logs for RMM binary executions spawned by user-context processes (browser, email client, collaboration app installer) rather than IT admin accounts or system processes. Cross-reference process creation events against your authorized RMM software inventory. Review email gateway logs for phishing lures impersonating Zoom, Google Meet, or Microsoft Teams delivering executables or links to RMM installers (T1566, T1566.001, T1566.002). Check network logs for outbound RMM relay traffic to cloud infrastructure outside your approved vendor list (T1219). Correlate all RMM process executions against ITSM change records — no ticket, no authorized session. (Cite: NIST AU-2 — Event Logging / NIST AU-6 — Audit Record Review, Analysis, and Reporting / NIST AU-12 — Audit Record Generation / CIS 8.2 — Collect Audit Logs / D3-LAM — Local Account Monitoring / D3-SFA — System File Analysis)
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: correlate indicators across multiple log sources; use attack vector knowledge (phishing lures impersonating Zoom/Teams/Meet) to scope detection queries and establish scope of compromise.
NIST SI-4 (System Monitoring)
NIST AU-2 (Event Logging)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST IR-5 (Incident Monitoring)
CIS 8.2 (Collect Audit Logs)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Deploy Sysmon with SwiftOnSecurity config (https://github.com/SwiftOnSecurity/sysmon-config) and enable Event ID 1 (Process Create) and Event ID 3 (Network Connection). Use this Sigma-compatible query logic targeting Sysmon Event ID 1: filter where `ParentImage` matches `*\outlook.exe`, `*\chrome.exe`, `*\msedge.exe`, `*\teams.exe`, `*\zoom.exe` AND `Image` matches known RMM binary names. For email phishing detection without a gateway: search Exchange/M365 message trace or on-prem mail logs for sender domains spoofing zoom.us, meet.google.com, or microsoft.com delivering `.exe`, `.msi`, or `.zip` attachments, or URLs containing RMM vendor download domains (e.g., `get.screenconnect.com`, `anydesk.com/download`). For network detection without SIEM: run Wireshark/tcpdump on egress firewall capturing outbound TCP 443 to cloud relay domains (e.g., `*.screenconnect.com`, `relay.atera.com`, `*.anydesk.com`) from endpoints where IT did not initiate a session.
Preserve Evidence
BEFORE concluding detection scope: (1) Export email gateway or M365 message trace logs filtered to the 72-hour window prior to first RMM execution, searching sender display names containing 'Zoom', 'Google Meet', or 'Microsoft Teams' with attachment types `.exe/.msi/.zip` or URL bodies matching RMM vendor download paths; (2) Sysmon Event ID 1 logs showing full command-line arguments of the RMM installer — installer command lines often include embedded session tokens or tenant IDs that identify the attacker's RMM account; (3) DNS query logs (Windows DNS debug log or Zeek `dns.log`) for resolution of attacker-controlled RMM relay infrastructure outside your approved vendor list; (4) Browser download history from affected user profiles (`%LOCALAPPDATA%\Google\Chrome\User Data\Default\History`, Edge equivalent) to confirm the phishing delivery URL and identify other endpoints that may have visited the same lure.
Step 3: Eradication — Remove all unauthorized RMM tool installations identified during detection (T1219). Revoke active sessions and rotate credentials for any accounts that interacted with unauthorized RMM processes (T1078). If trojanized binaries are found rather than legitimately abused tools, treat as full compromise: isolate, image, and rebuild affected endpoints. Verify binary integrity against vendor-published hashes before re-approving any RMM tool. Apply D3-FMBV file magic byte verification to confirm binary authenticity. Update the software inventory to reflect removals. (Cite: NIST AC-2 — Account Management / NIST AC-6 — Least Privilege / CIS 2.3 — Address Unauthorized Software / CIS 6.2 — Establish an Access Revoking Process / D3-CRO — Credential Rotation / D3-FMBV — File Magic Byte Verification)
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication: eliminate components of the incident (malicious code, unauthorized accounts/access) and mitigate vulnerabilities that were exploited; confirm eradication before recovery.
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST AC-2 (Account Management)
CIS 2.3 (Address Unauthorized Software)
CIS 5.3 (Disable Dormant Accounts)
Compensating Control
For uninstallation: run `wmic product where "name like '%AnyDesk%'" call uninstall` (substitute RMM product name) and confirm removal with `Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where DisplayName -match '<RMM_NAME>'`. For binary integrity verification without enterprise tooling: download vendor-published SHA-256 hashes from the official vendor advisory page and compare using `Get-FileHash <binary_path> -Algorithm SHA256`. For credential rotation on a 2-person team: prioritize accounts where Event ID 4624 (Logon) was recorded from the RMM process; use `net user <username> /domain` to enumerate group memberships before rotating, then reset via `Set-ADAccountPassword`. For imaging prior to rebuild: use free tool `FTK Imager Lite` (portable, no install required) to capture a forensic image before wiping.
Preserve Evidence
BEFORE removing artifacts: (1) Capture RMM installation directory contents and file hashes — common paths include `%PROGRAMFILES%\<RMM_Vendor>\`, `%APPDATA%\<RMM_Vendor>\`, and `%LOCALAPPDATA%\Temp\` (phishing-delivered installers frequently stage here); (2) Export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for RMM-related entries; (3) Record all Windows Security Event ID 4648 (Explicit Credential Logon) and Event ID 4672 (Special Privileges Assigned) events associated with accounts that had active RMM sessions during the unauthorized window; (4) Capture the RMM session/connection log files stored locally by the tool — AnyDesk logs at `%APPDATA%\AnyDesk\ad_svc.trace`, ConnectWise ScreenConnect at `%PROGRAMDATA%\ScreenConnect Client\logs\` — these contain attacker session timestamps and relay server addresses.
Step 4: Recovery — Validate that no persistent access mechanisms (scheduled tasks, registry run keys, service installations) were established by the RMM tool during unauthorized sessions. Apply D3-SICA system init config analysis to review startup configuration changes made during the unauthorized access window. Monitor for re-establishment of outbound RMM connections from previously affected endpoints for at least 30 days using AU-6 audit record review. Confirm that phishing lure delivery paths (email, collaboration platform messages) have been blocked at the gateway. Retain all relevant audit logs per your defined retention policy to support post-incident analysis. (Cite: NIST AU-6 — Audit Record Review, Analysis, and Reporting / NIST AU-11 — Audit Record Retention / NIST AC-17 — Remote Access / CIS 4.4 — Implement and Manage a Firewall on Servers / CIS 4.5 — Implement and Manage a Firewall on End-User Devices / D3-SICA — System Init Config Analysis)
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery: restore systems to normal operations, confirm no residual attacker access, and implement additional monitoring to detect recurrence before closing the incident.
NIST IR-4 (Incident Handling)
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST CM-8 (System Component Inventory)
CIS 4.4 (Implement and Manage a Firewall on Servers)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
Persistence sweep without EDR: run `schtasks /query /fo LIST /v > C:\IR\scheduled_tasks.txt` and review for tasks created during the unauthorized RMM session window; check `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, and `HKLM\SYSTEM\CurrentControlSet\Services` using `reg export` for offline review. For service-based persistence: `Get-WmiObject Win32_Service | Where-Object {$_.PathName -match '<RMM_name>'} | Select Name,State,PathName`. For 30-day outbound monitoring without SIEM: configure a firewall deny rule for known attacker RMM relay domains/IPs with logging enabled, and set a daily cron/scheduled task to parse firewall logs for hits: `Select-String -Path C:\Windows\System32\LogFiles\Firewall\pfirewall.log -Pattern '<relay_domain>'`. Deploy free YARA rule matching RMM binary characteristics to scan new files in `%TEMP%` and `%APPDATA%` weekly.
Preserve Evidence
BEFORE declaring recovery complete: (1) Run Autoruns (Sysinternals, portable) on all previously affected endpoints and export full results to CSV — specifically review the Scheduled Tasks, Services, and Logon tabs for entries with timestamps correlating to the unauthorized RMM session window; (2) Query Windows System Event Log Event ID 7045 (New Service Installed) and Task Scheduler Event Log (Microsoft-Windows-TaskScheduler/Operational) Event ID 106 (Task Registered) for the incident timeframe; (3) Confirm email gateway or M365 rules are in place blocking delivery of executables from domains spoofing zoom.us, google.com (meet subdomains), and microsoft.com — export the current block rule list as a configuration artifact; (4) Verify that the attacker's RMM tenant/account has been reported to the RMM vendor for deactivation and document the vendor ticket number.
Step 5: Post-Incident — This campaign exploits the gap between allowlisting legitimate binaries and monitoring how those binaries are used. Implement behavioral controls: restrict RMM execution to dedicated IT admin accounts (AC-6 least privilege, AC-5 separation of duties) and require MFA for all RMM-initiated remote access sessions. Establish a formal RMM software inventory with change-ticket correlation required for every remote session. Enforce MFA on all remote network access and administrative accounts. Restrict standard user accounts from executing RMM binaries entirely using account permission controls. Review and close T1219 detection gaps in your SIEM. (Cite: NIST AC-5 — Separation of Duties / NIST AC-6 — Least Privilege / NIST AC-17 — Remote Access / CIS 5.1 — Establish and Maintain an Inventory of Accounts / CIS 5.4 — Restrict Administrator Privileges to Dedicated Administrator Accounts / CIS 6.4 — Require MFA for Remote Network Access / CIS 6.5 — Require MFA for Administrative Access / D3-MFA — Multi-factor Authentication / D3-UAP — User Account Permissions)
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: conduct lessons-learned review, update detection and response capabilities, and share intelligence to prevent recurrence; update IR plan with controls that address the specific gap exploited.
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST SI-4 (System Monitoring)
NIST AU-2 (Event Logging)
NIST CM-8 (System Component Inventory)
CIS 2.1 (Establish and Maintain a Software Inventory)
CIS 2.2 (Ensure Authorized Software is Currently Supported)
CIS 5.4 (Restrict Administrator Privileges to Dedicated Administrator Accounts)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
For behavioral application control without enterprise tooling: use Windows AppLocker (available on Windows 10/11 Pro and Enterprise) to create a rule set that allows RMM binaries ONLY when executed by accounts in the IT Admins security group — configure via `secpol.msc` > Application Control Policies > AppLocker > Executable Rules, set condition to publisher (leveraging the signed binary's certificate) AND user group restriction. For change-ticket correlation on a small team: create a shared spreadsheet (or git-tracked YAML file) as the RMM session registry — require IT staff to log session start/end, endpoint, and ticket number before initiating any RMM session, and configure your RMM tool's audit log export to run nightly for comparison. Implement the MITRE ATT&CK T1219 Sigma rule (available at https://github.com/SigmaHQ/sigma — search `remote_access_software`) against Sysmon logs to close the detection gap identified in this incident.
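The nightly comparison described above, as an added example that is not the page's or any RMM vendor's code: it reconciles a constructed RMM audit-log export against a constructed session registry and reports every session that has no matching ticket. The CSV column names, the technician list and the rows are all assumptions.

```python
"""Reconcile an RMM tool's audit-log export against the IT session registry.

Added example. Column names of both CSVs, the technician list and all rows are
constructed assumptions; real vendor exports differ. Rule: no ticket, no session.
"""
import csv
import io
from datetime import datetime, timedelta

# Hypothetical registry export (shared spreadsheet or git-tracked file): one row
# per session that IT staff logged before connecting.
REGISTRY_CSV = """\
technician,endpoint,ticket,start,end
it-admin01,WS-0142,CHG-2031,2024-05-06T09:00:00,2024-05-06T10:30:00
it-admin02,SRV-DB01,INC-7788,2024-05-06T13:00:00,2024-05-06T14:00:00
"""

# Hypothetical nightly audit-log export from the RMM vendor console.
AUDIT_CSV = """\
session_id,account,endpoint,connected,disconnected
s-101,it-admin01,WS-0142,2024-05-06T09:05:12,2024-05-06T09:48:30
s-102,it-admin02,SRV-DB01,2024-05-06T16:10:00,2024-05-06T16:25:00
s-103,support-tenant-x,WS-0207,2024-05-06T11:02:44,2024-05-06T12:40:09
s-104,it-admin01,WS-0142,2024-05-07T02:15:00,2024-05-07T02:50:00
"""

IT_STAFF = {"it-admin01", "it-admin02"}   # dedicated accounts allowed to run RMM sessions
TOLERANCE = timedelta(minutes=15)        # clock skew / logging lag tolerated


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def load_registry(text: str) -> list:
    """Parse the registry CSV and convert the logged window to datetimes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["start"], r["end"] = _ts(r["start"]), _ts(r["end"])
    return rows


def reconcile(audit_text: str, registry_text: str) -> list:
    """Return (session_id, reason) for every audit-log session lacking a valid ticket."""
    registry = load_registry(registry_text)
    unmatched = []
    for s in csv.DictReader(io.StringIO(audit_text)):
        connected = _ts(s["connected"])
        # An account outside the dedicated IT group is flagged regardless of tickets.
        if s["account"] not in IT_STAFF:
            unmatched.append((s["session_id"], f"account {s['account']} is not IT staff"))
            continue
        match = None
        for r in registry:
            # Same technician, same endpoint, connect time inside the logged window,
            # and a non-empty ticket reference.
            if (r["technician"] == s["account"] and r["endpoint"] == s["endpoint"]
                    and r["start"] - TOLERANCE <= connected <= r["end"] + TOLERANCE
                    and r["ticket"].strip()):
                match = r
                break
        if match is None:
            unmatched.append((s["session_id"],
                              f"no registry entry/ticket for {s['account']} on "
                              f"{s['endpoint']} at {s['connected']}"))
    return unmatched


if __name__ == "__main__":
    for session_id, reason in reconcile(AUDIT_CSV, REGISTRY_CSV):
        print(f"{session_id}: {reason}")
```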
Preserve Evidence
For the lessons-learned record: (1) Compile the full timeline from phishing email delivery timestamp through RMM binary execution, unauthorized session activity, and detection — sourced from email gateway logs, Sysmon Event ID 1, and RMM tool audit logs; (2) Document the specific RMM vendor names and tenant/session IDs used by the attacker (extracted from RMM trace logs during eradication) to support threat intelligence sharing with sector ISACs or CISA; (3) Record the MITRE ATT&CK technique gaps identified: T1219 (Remote Access Software), T1566 (Phishing — specifically T1566.002 Spearphishing Link if delivered via URL), and T1053/T1547 persistence techniques — document which detections fired and which did not, as the primary output for SIEM rule improvement.
Recovery Guidance
Before returning any affected endpoint to production, validate that all RMM-related persistence mechanisms (scheduled tasks via Event ID 106, services via Event ID 7045, registry run keys) have been removed and confirmed clean by Autoruns scan. Maintain enhanced outbound network monitoring specifically for known RMM relay infrastructure (cloud-hosted relay domains for AnyDesk, ScreenConnect, Atera, and similar tools) on all previously affected endpoints for a minimum of 30 days, as threat actors in this campaign have demonstrated re-access capability through re-phishing the same users. Confirm with the RMM vendor that the attacker's tenant or license account has been disabled and obtain written confirmation as a record artifact.
Key Forensic Artifacts
RMM tool trace/session logs stored locally on affected endpoints (e.g., AnyDesk: %APPDATA%\AnyDesk\ad_svc.trace; ScreenConnect: %PROGRAMDATA%\ScreenConnect Client\logs\) — contain attacker session timestamps, relay server hostnames, and remote IP addresses used during unauthorized access.
Sysmon Event ID 1 (Process Creation) entries showing the full command line of the RMM installer binary, including any embedded session tokens, tenant IDs, or relay configuration parameters passed as arguments — these directly identify the attacker's RMM account.
Email gateway or M365 message trace logs capturing the phishing lure delivery: sender address, spoofed display name (Zoom/Google Meet/Microsoft Teams), attachment name or URL, and recipient list — establishes full blast radius of the phishing campaign.
Browser download history from affected user profiles (%LOCALAPPDATA%\Google\Chrome\User Data\Default\History or equivalent Edge/Firefox paths) containing the URL from which the RMM binary was downloaded — identifies the attacker's staging infrastructure.
Windows Security Event Log Event ID 4688 (Process Creation with command line logging enabled) and Sysmon Event ID 3 (Network Connection) correlated by PID to the RMM process — maps the full execution chain from phishing lure to RMM execution and captures all outbound relay connections made during unauthorized sessions.
Detection Guidance
Detection for this campaign must be behavioral, not signature-based.
The RMM binaries are legitimately signed — binary allowlisting and signature checks will not fire.
Use the following KB-grounded detection approach:
1. Process lineage analysis (T1219, T1036.005): Alert on RMM binary executions where the parent process is a user-context application (browser, email client, Teams or Zoom installer process). IT-initiated RMM sessions should originate from system or admin-context processes, not from collaboration tool installers. Log this using AU-2 event logging and AU-12 audit record generation. D3-SFA (System File Analysis) supports monitoring system executables for anomalous execution context.
2. Software inventory cross-reference (T1219): Every RMM binary execution on an endpoint must match an entry in your CIS 2.1 authorized software inventory and a corresponding ITSM change ticket. Executions with no matching inventory entry or change record are unauthorized by definition. Alert immediately. This directly applies CIS 2.3 (Address Unauthorized Software).
3. Account context validation (T1078): Use AU-6 (Audit Record Review, Analysis, and Reporting) to cross-reference RMM process execution events against account type. RMM execution under standard user accounts — not dedicated IT admin accounts — is a high-confidence indicator of abuse. D3-LAM (Local Account Monitoring) provides the countermeasure framework for detecting unauthorized local account activity in this context.
4. Outbound network traffic filtering (T1219): Monitor for outbound connections from RMM processes to cloud relay infrastructure belonging to RMM vendors not present on your approved vendor list. NIST AC-4 (Information Flow Enforcement) governs controlling information flows between systems — use this control to frame firewall and proxy rules blocking unapproved RMM relay destinations. CIS 4.4 and CIS 4.5 (Implement and Manage a Firewall on Servers and End-User Devices) operationalize the blocking layer.
5. Email gateway monitoring (T1566, T1566.001, T1566.002): Inspect inbound email for messages impersonating Zoom, Google Meet, or Microsoft Teams that deliver executable attachments or links to executable downloads. AU-2 event logging should capture email gateway alert events. D3-PBWSAM (Proxy-based Web Server Access Mediation) and D3-EBWSAM (Endpoint-based Web Server Access Mediation) both apply to mediate access to web-hosted RMM installer payloads delivered via phishing links.
6. Startup persistence review (post-execution): After any flagged RMM execution, apply D3-SICA (System Init Config Analysis) to review whether the tool registered scheduled tasks, registry run keys, or services. AU-14 (Session Audit) supports recording session activity during the unauthorized access window for forensic review.
ATT&CK technique coverage to validate in your SIEM: T1219 (Remote Access Software), T1566 / T1566.001 / T1566.002 (Phishing), T1036.005 (Masquerading — Match Legitimate Name or Location), T1078 (Valid Accounts), T1105 (Ingress Tool Transfer).
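The lineage, inventory and account-context checks above (and the Sysmon Event ID 1 filter in the Step 2 compensating control) as one runnable detection pass over constructed Sysmon-style events. This is an added example, not code from the page or from Netskope; the authorized inventory, the admin account list and the sample events are assumptions, and the RMM name pattern reuses the vendor list from the page's audit command.

```python
"""Behavioral RMM-abuse detection over Sysmon Event ID 1 (Process Create) records.

Added example: the RMM name pattern follows the page's audit command; the
authorized inventory, IT admin accounts and all events below are constructed.
"""
import json
import re
from fnmatch import fnmatchcase

# Parents that represent a user context (the list from the Step 2 Sigma logic);
# an RMM agent launched from one of these matches the phishing delivery chain.
USER_CONTEXT_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "teams.exe", "zoom.exe"}

# RMM agent image names to watch (same vendor list as the page's PowerShell audit).
RMM_IMAGE_RE = re.compile(
    r"atera|screenconnect|anydesk|connectwise|splashtop|netsupport|zoho|datto|kaseya", re.I)

# Hypothetical CIS 2.1 inventory: authorized image name -> allowed install path glob.
AUTHORIZED_RMM = {
    "screenconnect.clientservice.exe": r"c:\program files (x86)\screenconnect client*",
}
# Hypothetical dedicated IT admin identities allowed to run RMM (plus SYSTEM for services).
IT_ADMIN_ACCOUNTS = {"corp\\it-admin01", "nt authority\\system"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return finding strings for one Sysmon Event ID 1 record (empty if benign)."""
    image, parent, user = event["Image"], event["ParentImage"], event["User"]
    if not RMM_IMAGE_RE.search(basename(image)):
        return []                      # not an RMM agent; nothing to assess
    findings = []
    # 1. Process lineage: RMM spawned by a user-context application.
    if basename(parent) in USER_CONTEXT_PARENTS:
        findings.append(f"T1219/T1036.005 lineage: {basename(image)} spawned by {basename(parent)}")
    # 2. Inventory cross-reference: image name and install path must both match.
    allowed_glob = AUTHORIZED_RMM.get(basename(image))
    if allowed_glob is None or not fnmatchcase(image.lower(), allowed_glob):
        findings.append(f"CIS 2.3 inventory: unauthorized RMM image {image}")
    # 3. Account context: RMM under anything but a dedicated admin/system identity.
    if user.lower() not in IT_ADMIN_ACCOUNTS:
        findings.append(f"T1078 account: RMM running as {user}")
    return findings


def scan(jsonl: str) -> dict:
    """Evaluate newline-delimited JSON events; map ProcessId -> details for flagged ones.

    The installer CommandLine is carried along because it often embeds the session
    token or tenant ID that identifies the attacker's RMM account.
    """
    alerts = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = evaluate(event)
        if findings:
            alerts[event["ProcessId"]] = {"findings": findings,
                                          "command_line": event.get("CommandLine", "")}
    return alerts


# Constructed Sysmon-style events (not real telemetry): a phished AnyDesk install,
# a legitimate IT-managed ScreenConnect service start, and an unrelated process.
SAMPLE_EVENTS = r"""
{"ProcessId": 4120, "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "User": "CORP\\jdoe", "CommandLine": "AnyDesk.exe --install C:\\Users\\jdoe\\AppData\\Local\\Temp --silent"}
{"ProcessId": 1880, "Image": "C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "ScreenConnect.ClientService.exe"}
{"ProcessId": 2200, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe", "CommandLine": "notepad.exe"}
"""

if __name__ == "__main__":
    for pid, alert in scan(SAMPLE_EVENTS).items():
        print(pid, alert["command_line"])
        for finding in alert["findings"]:
            print("   ", finding)
```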
Indicators of Compromise (1)
1 URL indicator (confidence: LOW): Not available from source stubs.
Campaign-specific IOCs (hashes, C2 domains, delivery URLs) are referenced in the full Netskope blog post but are not present in the source data provided. Consult https://www.netskope.com/blog/attackers-weaponize-signed-rmm-tools-via-zoom-meet-teams-lures directly for current indicators.
Platform Playbooks
Platforms covered: Microsoft Sentinel / Defender; CrowdStrike Falcon; AWS Security
Microsoft 365 E3 (3 log sources): basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5 (18 log sources): full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel (27 log sources): all E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
Query types: hard indicator (direct match); contextual (behavioral query); shared platform (review required).
IOC Detection Queries (1)
1 URL indicator(s).
KQL Query Preview
Read-only — detection query only
// Threat: RMM Tool Abuse Hits 80+ Organizations: Attackers Turn Trusted Software Into Phis
let malicious_urls = dynamic(["Not available from source stubs"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (4)
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Suspicious file download
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileOriginUrl != ""
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe")
| project Timestamp, DeviceName, FileName, FolderPath, FileOriginUrl, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Sentinel rule: Process name masquerading
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe")
| where not (FolderPath startswith "C:\\Windows\\System32" or FolderPath startswith "C:\\Windows\\SysWOW64" or FolderPath startswith "C:\\Windows\\WinSxS")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1566, T1566.002, T1105, T1036, T1078, T1566.001 (+2 more)
NIST SP 800-53 controls: AT-2, CA-7, SC-7, SI-3, SI-4, SI-8 (+6 more)
MITRE ATT&CK Mapping
T1566 Phishing (initial-access)
T1105 Ingress Tool Transfer (command-and-control)
T1036 Masquerading (defense-evasion)
T1078 Valid Accounts (defense-evasion)
T1566.001 Spearphishing Attachment (initial-access)
T1036.005 Match Legitimate Resource Name or Location (defense-evasion)
T1219 Remote Access Tools (command-and-control)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.