Common Social Engineering Lures Used to Deploy Remote Monitoring Management Tools for Initial Access
10 October 2025
By Mimecast Threat Research Team
- Continued shift from traditional malware delivery to abuse of legitimate Remote Monitoring and Management (RMM) tools for initial access
- Campaigns targeting organizations across multiple industries using social engineering lures including fake payment receipts, meeting invitations, and tax documentation
- RMM platforms being abused include ScreenConnect (ConnectWise Control), LogMeIn Resolve, TeamViewer, and AnyDesk
- RMM abuse enables persistent remote access while blending with legitimate IT operations, evading traditional security controls
Campaign Overview
The Mimecast Threat Research team continues to monitor threat actors increasingly abandoning traditional malware-laden email attachments in favour of legitimate Remote Monitoring and Management (RMM) tools to establish initial access. This strategic shift allows attackers to bypass many security controls since RMM software is commonly used by IT teams and often whitelisted in enterprise environments.
Campaigns demonstrate sophisticated social engineering approaches designed to trick users into installing RMM agents voluntarily. These operations employ diverse lures, from fake payment receipts distributed through Evernote to fraudulent Zoom meeting invitations. Below are some of the campaigns we have observed over the last few months delivering a range of RMM tools.
Financial Lure
In this campaign a fake remittance advice and payment confirmation email is used to trick recipients into downloading malicious files. These campaigns impersonate legitimate financial communications by claiming payments have been processed via bank transfer and directing users to download "payment receipts" through file-sharing services like Evernote.
The lures leverage urgent business scenarios around financial transactions, exploiting the routine nature of payment processing communications that employees regularly handle.
Recipients are presented with what appears to be a PDF containing payment documentation, but following the link ultimately delivers an RMM installer rather than any financial record. This social engineering approach exploits the trust and urgency typically associated with financial transaction confirmations, making users more likely to engage with the malicious content.
Copyright Infringement Lure
Threat actors are leveraging fake copyright infringement notices impersonating prestigious law firms to trick recipients into downloading malicious content. These campaigns claim urgent legal action is required regarding copyrighted material violations and direct users to "secure links" to review complete reports and avoid penalties. The lures exploit fear of legal consequences and financial liability, making recipients more likely to click links believing they need to address legitimate copyright claims immediately.
Rather than accessing actual legal documents, victims are redirected to download an RMM tool that provides attackers persistent remote access to compromised systems. This social engineering approach combines the authority and urgency of legal threats with the perceived legitimacy of established law firm branding to maximize victim engagement.
E-Signature Lure
Threat actors are exploiting electronic signature workflows by sending fake document signing invitations that impersonate legitimate e-signature platforms like Authentisign. These campaigns target recipients with urgent requests to sign business documents such as distribution agreements or transfer agreements, leveraging the routine nature of electronic document processing in modern business operations. Recipients clicking "START SIGNING" buttons are redirected to malicious webpages featuring fake CAPTCHA verification pages designed to evade automated security scanners and create a false sense of legitimacy.
The CAPTCHA page serves as an anti-analysis gate rather than a genuine verification step: it blocks headless browsers and automated scanners and disables browser inspection features, before ultimately redirecting users to download RMM tools instead of the real signature platform. This multi-layered social engineering approach exploits the trust and time-sensitive nature of contract signing processes while implementing anti-analysis measures to bypass security controls.
Zoom Meeting Lure
Threat actors are impersonating legitimate meeting organizers by sending fraudulent Zoom meeting invitations that appear to come from colleagues or business contacts. These campaigns leverage the ubiquity of video conferencing in modern business communications, using familiar names and official-looking Zoom meeting links to establish credibility with recipients. The fake invitations include "Accept/Reject" options that mimic legitimate calendar integration features, encouraging immediate user interaction without verification. Victims clicking these links are redirected to malicious sites that download RMM tools, providing attackers persistent remote access to compromised systems. This social engineering approach exploits the routine and trusted nature of meeting invitations, making employees less likely to scrutinize links they perceive as standard business communications.
Fake ScreenConnect Security Alert Lure
In this campaign threat actors targeted IT administrators and managed service providers with sophisticated fake ScreenConnect login alerts claiming unauthorized access from suspicious IP addresses. These campaigns impersonate legitimate ScreenConnect security notifications, displaying detailed account information including specific domains, user accounts, and geographic locations to establish credibility with technical personnel. The lures exploit IT professionals' heightened security awareness by presenting urgent scenarios requiring immediate "security review" actions that administrators would naturally prioritize. Unlike the other campaigns described here, this one does not drop an RMM agent: rather than accessing actual ScreenConnect security dashboards, victims clicking "Review Security" links are redirected to credential harvesting pages designed to steal super administrator credentials. This social engineering approach specifically targets the elevated privileges of IT administrators, potentially providing attackers with broad access to multiple managed client environments through the victim's own RMM instance.
Fake Document Sharing Notification Lure
Threat actors are impersonating legitimate document sharing platforms by sending fake file sharing notifications that appear to come from colleagues or authority figures within organizations. These campaigns leverage trusted names like "Deputy Chief of Staff" and official-sounding document titles such as "ADVANCE NOTICE .docx" to create urgency and perceived legitimacy among recipients. The lures include warnings about external senders and prompts to "review the document promptly," mimicking genuine security notifications from platforms like Google Drive or SharePoint to lower suspicion. Rather than accessing actual shared documents, victims clicking "Open" buttons are redirected to malicious sites that download RMM tools, providing attackers persistent remote access to compromised systems.
Across these campaigns, the RMM tools themselves are legitimate applications that provide persistent remote-control capabilities while appearing as authorized business software, making detection significantly more challenging than traditional malware deployments. Industry research indicates this trend reflects the increasing effectiveness of email security solutions in detecting traditional malware, forcing threat actors to adopt legitimate tool abuse instead. The shift represents a fundamental change in attack methodology, moving from deploying malicious code to leveraging existing trusted software for malicious purposes.
Mimecast Protection
Mimecast's advanced threat detection capabilities have successfully identified and blocked these campaigns through multiple protection layers.
Detected IOCs
Download URLs
- hxxp://dl[.]dropbox[.]com/scl/fi/y8nwd9911fen2xlgm7ogi/Invoice_00299[.]zip?rlkey=pq8f9ui5fdxxg1bzvv4h8bd3v&st=m9m3youl&dl=0
- hxxps://store8[.]gofile[.]io/download/direct/7f0d3fca-f5d5-432b-a9ca-34b6a936f608/IntuitproPlugin3[.]0[.]exe
- hxxps://store8[.]gofile[.]io/download/direct/9f5a47f8-cb82-4955-b4dc-6d4dd480512b/IntuitPluginCore3[.]0[.]exe
- hxxps://store8[.]gofile[.]io/download/direct/b9f9f024-93fa-43db-8567-7aef21436c4b/IntuitPluginCore3[.]0[.]exe
- hxxps://store8[.]gofile[.]io/download/direct/42c735a7-0a8e-444e-8d55-252cb384557d/IntuitPluginCore3[.]0[.]exe
- hxxps://file-eu-par-2[.]gofile[.]io/download/direct/1ed0603c-12e1-43cf-b7c7-34b4fc94d12b/IntuitPluggin3[.]0[.]exe
- hxxps://store8[.]gofile[.]io/download/direct/1ed0603c-12e1-43cf-b7c7-34b4fc94d12b/IntuitPluggin3[.]0[.]exe
- hxxps://store8[.]gofile[.]io/download/direct/75309ae0-a457-4a96-9f63-1b969945e7ac/IntuitPluggin3[.]0[.]exe
- hxxps://bitbucket[.]org/thanksforusingourwebsite/serv/downloads/Statement-415322025[.]exe
- hxxps://podcast[.]zozaljubali[.]com/Remittance%20Advice_pdf[.]exe
Hosting Links
- hxxps://sptr[.]eomail6[.]com/f/a/
- hxxps://skyexchange[.]win/wp-scripts/dee54[.]php
- fn3699[.]kafinora[.]cyou
- fnback9636[.]site
- hxxps://docs[.]google[.]com/document/d/15zYZoGTgMCreSji6V4KJntdP0ZM0b3
Recommendations
RMM Security Management:
- Establish approved RMM tool policies and maintain strict allowlists of authorized remote access software
- Implement additional authentication requirements for RMM tool installations, requiring IT approval before deployment
- Monitor network traffic for unauthorized RMM communications and establish baselines for legitimate RMM usage patterns
- For MSPs, implement segregated RMM instances with limited cross-customer access and enhanced monitoring for super administrator account usage
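The following is an added example, not code from the Mimecast report or from any RMM vendor, showing what the network-monitoring recommendation above looks like in practice, and at the same time sweeping logs for the indicators listed under Detected IOCs. It assumes a simple key=value proxy log format, a hypothetical organisation whose only sanctioned RMM endpoint is acme.screenconnect.com, and an assumed list of vendor domain suffixes for the four RMM products named in this report (validate those against each vendor's published connectivity requirements before relying on them). Indicators on shared hosting such as docs.google.com or gofile.io are matched only as exact URLs, never as bare hostnames, so legitimate use of those services does not alert. The sample log lines are constructed for the example.

```python
"""Sweep proxy logs for campaign IOCs and for RMM traffic that falls outside policy."""
import re
from urllib.parse import urlparse

# Indicators copied from the "Detected IOCs" section of this report, still defanged.
DEFANGED_IOCS = [
    "hxxps://store8[.]gofile[.]io/download/direct/7f0d3fca-f5d5-432b-a9ca-34b6a936f608/IntuitproPlugin3[.]0[.]exe",
    "hxxps://bitbucket[.]org/thanksforusingourwebsite/serv/downloads/Statement-415322025[.]exe",
    "hxxps://podcast[.]zozaljubali[.]com/Remittance%20Advice_pdf[.]exe",
    "hxxps://skyexchange[.]win/wp-scripts/dee54[.]php",
    "hxxps://docs[.]google[.]com/document/d/15zYZoGTgMCreSji6V4KJntdP0ZM0b3",
    "fn3699[.]kafinora[.]cyou",
    "fnback9636[.]site",
]

# Domains shared by many legitimate users: only the exact URL is an indicator there.
SHARED_HOSTING = ("dropbox.com", "gofile.io", "bitbucket.org", "docs.google.com")

# ASSUMED vendor domain suffixes for the RMM products named in this report.
# Validate against each vendor's connectivity documentation before use.
RMM_VENDOR_SUFFIXES = {
    "screenconnect.com": "ScreenConnect",
    "teamviewer.com": "TeamViewer",
    "anydesk.com": "AnyDesk",
    "logmein.com": "LogMeIn Resolve",
}

# HYPOTHETICAL policy: the organisation's own ScreenConnect instance is the only
# sanctioned RMM endpoint; any other RMM vendor traffic is out of policy.
APPROVED_RMM_INSTANCES = {"acme.screenconnect.com"}

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+url=(?P<url>\S+)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a matchable string."""
    return re.sub(r"^hxxp", "http", ioc).replace("[.]", ".").replace("[:]", ":")


def hostname(value: str) -> str:
    """Hostname of a URL, or the value itself if it is already a bare host."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.lower()


def in_domain(host: str, suffix: str) -> bool:
    """True if host is suffix itself or a subdomain of it (no substring matches)."""
    return host == suffix or host.endswith("." + suffix)


def build_ioc_sets(defanged):
    """Split indicators into exact-URL matches and hostname matches."""
    urls, hosts = set(), set()
    for ioc in map(refang, defanged):
        host = hostname(ioc)
        if "://" in ioc:
            urls.add(ioc)
            # A dedicated attacker host is an indicator by itself; a shared host is not.
            if not any(in_domain(host, s) for s in SHARED_HOSTING):
                hosts.add(host)
        else:
            hosts.add(host)
    return urls, hosts


def rmm_vendor(host: str):
    """Name of the RMM vendor this host belongs to, or None."""
    for suffix, vendor in RMM_VENDOR_SUFFIXES.items():
        if in_domain(host, suffix):
            return vendor
    return None


def sweep(log_lines):
    """Return (source_host, reason, detail) findings for IOC hits and off-policy RMM traffic."""
    ioc_urls, ioc_hosts = build_ioc_sets(DEFANGED_IOCS)
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line; in production count these rather than drop silently
        src, url = m["src"], m["url"]
        host = hostname(url)
        if url in ioc_urls:
            findings.append((src, "campaign IOC URL", url))
        elif host in ioc_hosts:
            findings.append((src, "campaign IOC host", host))
        vendor = rmm_vendor(host)
        if vendor and host not in APPROVED_RMM_INSTANCES:
            findings.append((src, f"unapproved {vendor} instance", host))
    return findings


# Constructed sample proxy log (not real traffic). Only IT-ADM-02 and the second
# HR-WS-044 line are benign under the policy above.
SAMPLE_LOG = """\
2025-10-08T09:14:02Z src=FIN-WS-017 user=jdoe url=https://store8.gofile.io/download/direct/7f0d3fca-f5d5-432b-a9ca-34b6a936f608/IntuitproPlugin3.0.exe
2025-10-08T09:16:40Z src=FIN-WS-017 user=jdoe url=https://relay-3.net.anydesk.com/
2025-10-08T09:20:11Z src=IT-ADM-02 user=itops url=https://acme.screenconnect.com/Host
2025-10-08T09:31:57Z src=HR-WS-044 user=mkim url=https://docs.google.com/document/d/15zYZoGTgMCreSji6V4KJntdP0ZM0b3
2025-10-08T09:33:05Z src=HR-WS-044 user=mkim url=https://docs.google.com/document/d/quarterly-review/edit
2025-10-08T10:02:48Z src=SALES-WS-009 user=rlee url=https://fn3699.kafinora.cyou/verify
2025-10-08T10:03:19Z src=SALES-WS-009 user=rlee url=https://support-desk.screenconnect.com/
"""

if __name__ == "__main__":
    for src, reason, detail in sweep(SAMPLE_LOG.splitlines()):
        print(f"{src:14} {reason:36} {detail}")
```

Note that the last sample line is flagged even though ScreenConnect is the approved product: the instance hostname, not the vendor, is what the baseline should key on, since an attacker-controlled ScreenConnect tenant is indistinguishable from the organisation's own at the product level.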
User Security Awareness:
- Educate staff about the legitimate business use of RMM tools while emphasizing the need for IT approval before installation
- Conduct simulations incorporating RMM installation requests disguised as IT support or business communications
- Emphasize verification of communications through official channels, particularly those requesting software downloads
Organizations should immediately audit existing RMM deployments and implement enhanced monitoring for these legitimate tools being used for malicious purposes, as traditional signature-based detection may not identify this abuse pattern.