
Your IT Helpdesk Tools Could Be a Hacker’s Key

Threat actors weaponize trusted RMM tools like AnyDesk and ScreenConnect to breach networks via phishing.

Sep 15, 2025

The most trusted software in your IT department just became your biggest security nightmare. Security researchers at Intel471 found that threat actors are increasingly leveraging legitimate remote monitoring and management (RMM) applications to infiltrate and move through networks. Abnormal Security researchers also found that a phishing campaign has already targeted hundreds of organizations across multiple sectors. The twist is what stings: these are not malicious programs. They are the exact same tools your IT team uses every day to keep your systems running.

The perfect digital disguise nobody saw coming

Remote monitoring and management tools have become a weapon of choice for cybercriminals, and the numbers are staggering. Arctic Wolf’s 2025 Threat Report found that 59.4% of ransomware cases investigated began with external remote access. RMM tools showed up in 36% of incident response cases over a single quarter. Arctic Wolf also observed malicious usage of 32 different RMM tools during their investigations.

Why are these attacks so effective? Because detecting malicious actions performed with RMM tools is difficult when the same software is woven into daily IT workflows. Traditional malware trips alarms. RMM is on your allowlist, so it rarely raises flags. For threat actors, abusing RMM tools offers a distinct advantage over custom remote access tools.

Weaponizing Video Conference Software

The attack, reported by Abnormal Security, begins with a phishing email dressed up as routine business chatter or a friendly nudge. Fake Zoom meeting invitations are commonly used as lures, timed to topics people already expect: tax season, calendar updates, etc.

Attackers hijack ongoing email threads that already contain genuine Zoom invitations, then slip in malicious links. The emails feature familiar branding, and they come from compromised legitimate accounts, which makes them feel safe. Click the link, and you are redirected to a malicious site that prompts a download. It looks like a video conferencing update. It is not. It is RMM software.

From there the attack moves fast. Once the software is downloaded, threat actors can use the RMM tool’s functionality to gain broad system access, bypass controls, browse files, establish persistence, and exfiltrate data. Then comes the hop: the attackers have been observed pivoting to lateral phishing that abuses the compromised environment to target more people inside the organization.

The explosion that security experts did not see coming

Since 2024, Proofpoint researchers have noticed an increase in this type of attack. Cybercriminals can acquire access to these tools through forums, encrypted messaging apps, and anonymous web pages. Some of these offerings are focused on resale, advertising domain-admin level access to networks across the globe.

The wider picture is not pretty. Between 2022 and 2024, more than one third of the intrusions ReliaQuest responded to involved RMM tools, all perpetrated by cybercriminals deploying ransomware or intending to. Impacted organizations spanned sectors and regions worldwide. And it is not fading: ReliaQuest predicted that abuse of RMM software, and commercial tools in general, will not decrease over the long term.

IT security just became everyone’s problem

This is another example of trusted business tools being turned into weapons. Organizations are urged to monitor for unauthorized installations and suspicious usage patterns of RMM tools, and to update training programs to raise awareness of legitimate software abuse during phishing attacks. Because the next Zoom link might not be a meeting. It might be a handover of your critical data.
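
As an added illustration (not code from the article or from any vendor it cites), this is one way to monitor for unauthorized RMM launches in process-creation telemetry, including the fake "Zoom update" lure described above. The event fields, the approved-tool policy, and the sample events are assumptions constructed for the example.

```python
import re

# Assumptions: org policy and event schema below are hypothetical.
APPROVED_RMM = {"screenconnect"}             # RMM products IT has sanctioned
RMM_KEYWORDS = ("anydesk", "screenconnect")  # tools named in the article; extend from inventory
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.I)
LURE_NAME = re.compile(r"(zoom|meeting|update|invite)", re.I)
DELIVERY_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

def rmm_product(event):
    """Return the RMM keyword found in the path or file metadata, else None."""
    haystack = f"{event['image']} {event.get('product', '')}".lower()
    return next((k for k in RMM_KEYWORDS if k in haystack), None)

def triage(event):
    """Return the reasons an RMM process launch looks unauthorized."""
    tool = rmm_product(event)
    if tool is None:
        return []
    reasons = []
    filename = event["image"].rsplit("\\", 1)[-1]
    if tool not in APPROVED_RMM:
        reasons.append(f"unapproved RMM tool: {tool}")
    if USER_WRITABLE.search(event["image"]):
        reasons.append("runs from user-writable path")
    if tool not in filename.lower() and LURE_NAME.search(filename):
        reasons.append("file name masquerades as conferencing software")
    if event.get("parent", "").lower() in DELIVERY_PARENTS:
        reasons.append("launched by browser or mail client")
    return reasons

# Constructed sample events (not real telemetry).
EVENTS = [
    {"host": "FIN-07", "image": r"C:\Users\amy\Downloads\Zoom_Update.exe",
     "product": "ScreenConnect Client", "parent": "chrome.exe"},
    {"host": "HR-02", "image": r"C:\Users\bob\AppData\Local\Temp\AnyDesk.exe",
     "product": "AnyDesk", "parent": "explorer.exe"},
    {"host": "IT-01", "image": r"C:\Program Files\ScreenConnect\ScreenConnect.ClientService.exe",
     "product": "ScreenConnect Client", "parent": "services.exe"},
    {"host": "FIN-07", "image": r"C:\Program Files\Zoom\bin\Zoom.exe",
     "product": "Zoom Meetings", "parent": "explorer.exe"},
]

def findings(events):
    return {e["host"] + ":" + e["image"].rsplit("\\", 1)[-1]: r
            for e in events if (r := triage(e))}

if __name__ == "__main__":
    print(findings(EVENTS))
```

The approved ScreenConnect service and the genuine Zoom client pass without findings, while an approved product delivered through a browser under a conferencing-style file name is still flagged.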
