Phishing-to-RMM Attacks: The Remote Access Blind Spot CISOs Can’t Ignore
ID: ea07287b-92a1-5244-8e80-ac828529df54
STIX ID: report--ea07287b-92a1-5244-8e80-ac828529df54
Feed Name: ANY.RUN's Cybersecurity Blog
ANY.RUN observed a rise in phishing-to-RMM campaigns where threat actors use phishing pages that impersonate trusted vendors (Microsoft, Adobe, OneDrive) to trick users into installing legitimate remote-management tools (ScreenConnect, LogMeIn Rescue, Datto RMM, etc.). Because the payloads and infrastructure often appear legitimate, these campaigns create a visibility gap for SOCs — enabling unauthorized remote access, longer dwell times, and increased lateral movement risk — and require detection based on full attack-chain context (phishing lure, download context, execution behavior, RMM install, and outbound connections) rather than reputation alone.
