Phishing campaign exploits RMM tools for stealthy access
KnowBe4 Threat Labs has detailed a phishing campaign that uses stolen credentials and legitimate remote monitoring and management software to gain persistent access to corporate systems.
The researchers said attackers start with emails that mimic routine workplace messages, then shift quickly into remote access operations that blend into normal IT activity. The campaign avoids traditional malware delivery and instead uses tools that many organisations already trust, according to the researchers.
Two-wave attack
KnowBe4 described the activity as a "dual-vector" campaign. The first stage targets users with a convincing email that looks like an invitation or notification. The message directs recipients to a spoofed sign-in page that resembles legitimate services. Victims enter real work credentials.
Attackers then use those credentials to log in through normal channels. KnowBe4 said this approach can reduce the likelihood of immediate alerts that rely on malware detection or suspicious file activity.
The second stage involves deploying remote monitoring and management (RMM) software. KnowBe4 said the attackers install RMM tools and configure them for unattended operation. The researchers said the tools can run quietly in the background and provide ongoing remote access.
KnowBe4 linked the campaign to lures that impersonate Greenvelope, a legitimate invitation service used for corporate events. The researchers also described multiple phishing landing pages that impersonate well-known email and technology providers.
Trusted tooling
KnowBe4 said the campaign reflects a broader shift in intrusion methods. Attackers increasingly rely on legitimate services and commercially available tools rather than deploying custom malware, the firm said.
The researchers highlighted GoTo Resolve and LogMeIn as the RMM products deployed in the activity they analysed. They said the attackers used a file named "GreenVelopeCard.exe" as part of the follow-on stage. KnowBe4 described the file as an orchestrator that sets configuration parameters for the RMM installation.
KnowBe4 said the file was legitimately signed by GoTo Technologies USA, LLC. The company said signed software can pass checks that focus on file reputation and signatures.
The researchers said the campaign then sought elevated permissions. KnowBe4 described steps that included changes to Windows service settings, the creation of hidden scheduled tasks through Windows COM APIs, and the use of Windows Service Control Manager to launch components in a way that inherits operating system trust.
Network signals
KnowBe4 said the attackers used official infrastructure associated with the RMM product. The researchers said this choice makes network traffic harder to distinguish from normal business operations because it uses expected domains and encrypted HTTPS.
KnowBe4 listed multiple endpoints observed in the activity, including "dumpster.console.gotoresolve.com" and "dumpster.dev01-console.gotoresolve.com". The researchers also noted a fallback domain, "settings.cc", which they said delivered updated configuration scripts.
Defensive steps
KnowBe4 urged security teams to focus on unauthorised use of trusted IT tools as well as phishing prevention. The company said defenders should monitor for unexpected RMM installations and for abnormal usage patterns in remote access tooling.
The researchers also recommended hunting for indicators of compromise in affected environments and blocking identified command-and-control domains at the network perimeter.
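One way to operationalise the two recommendations above (monitoring for RMM use outside sanctioned hosts, and hunting for the listed domains) is an allowlist-based sweep over endpoint and proxy telemetry. The script below is an added illustration, not KnowBe4's own tooling: the file name and domains are the ones the report names, while the log format, the approved-host set and the function names are assumptions constructed for this example.

```python
"""Hunt for unauthorised RMM activity in constructed endpoint/proxy logs.

Added example, not code from the KnowBe4 report. Indicators (file name and
domains) are those the report names; the record format, the approved-host
set and the helper names are assumptions made for this illustration.
"""
from collections import defaultdict

# Hosts where IT has sanctioned GoTo Resolve / LogMeIn (hypothetical CMDB export).
APPROVED_RMM_HOSTS = {"it-admin-01"}

# Indicators named in the report.
SUSPECT_BINARIES = {"greenvelopecard.exe"}
RMM_DOMAIN_SUFFIXES = (".console.gotoresolve.com", ".dev01-console.gotoresolve.com")
FALLBACK_DOMAINS = {"settings.cc"}

# Constructed sample telemetry: process-creation and proxy records, one dict each.
SAMPLE_LOGS = [
    {"type": "process", "host": "hr-laptop-07", "image": "C:\\Users\\a\\Downloads\\GreenVelopeCard.exe"},
    {"type": "network", "host": "hr-laptop-07", "dest": "dumpster.console.gotoresolve.com", "port": 443},
    {"type": "network", "host": "it-admin-01", "dest": "dumpster.console.gotoresolve.com", "port": 443},
    {"type": "network", "host": "fin-desktop-03", "dest": "settings.cc", "port": 443},
    {"type": "process", "host": "fin-desktop-03", "image": "C:\\Windows\\System32\\notepad.exe"},
]


def is_rmm_domain(dest):
    """True when the destination is one of the RMM console endpoints from the report."""
    return dest.lower().endswith(RMM_DOMAIN_SUFFIXES)  # str.endswith accepts a tuple


def hunt(records, approved=APPROVED_RMM_HOSTS):
    """Return {host: [reasons]} for hosts showing RMM activity outside the allowlist.

    Console traffic from an approved host is normal business use and is not flagged;
    the fallback configuration domain is flagged regardless of host.
    """
    findings = defaultdict(list)
    for r in records:
        host = r["host"]
        if r["type"] == "process":
            # Normalise Windows paths and compare the bare file name case-insensitively.
            name = r["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in SUSPECT_BINARIES:
                findings[host].append(f"orchestrator binary executed: {name}")
        elif r["type"] == "network":
            dest = r["dest"].lower()
            if dest in FALLBACK_DOMAINS:
                findings[host].append(f"fallback config domain contacted: {dest}")
            elif is_rmm_domain(dest) and host not in approved:
                findings[host].append(f"RMM console contacted from unapproved host: {dest}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_LOGS).items():
        print(host, "->", "; ".join(reasons))
```

Blocking the console domains outright would also break sanctioned RMM use, which is why the sweep keys on the host allowlist rather than on the domain alone.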
The report framed user behaviour as an important signal in modern incident detection and response, alongside threat intelligence and security telemetry. It also argued that the time between credential theft and system access has shortened.
KnowBe4 said organisations should expect continued use of RMM tooling in intrusion chains as attackers adopt automation and reuse methods across campaigns.