Phishing Campaigns Targeting Video Conference Tools Distributing RMM Tools
Netskope Threat Labs is reporting on active phishing campaigns that exploit fake video conference invitations to deliver malicious payloads disguised as mandatory software updates. These campaigns target major platforms like Zoom, Microsoft Teams, and Google Meet.
In these attacks, users are lured into believing they need to install an update to join a meeting. The phishing sites closely mimic legitimate conferencing tools and often display convincing features, such as participant lists that appear live. Victims are prompted to download a payload—usually a digitally signed remote monitoring and management (RMM) tool like Datto RMM, LogMeIn, or ScreenConnect—under the guise of a software upgrade.
This tactic allows attackers to gain administrative access to victim machines without raising suspicions, as the downloaded tools appear legitimate and may already be trusted within corporate environments. Once the attacker has remote access, they can engage in various malicious activities, such as collecting sensitive data or distributing more harmful malware throughout the network, turning a single breach into a wider corporate compromise.
This situation is particularly concerning for organizations that rely on video conferencing for communication. With remote work becoming the norm, attackers have found a method that exploits this environment’s urgency and reliance on trusted platforms. The integration of digitally signed RMM tools into these attacks significantly lowers the likelihood of detection by traditional security measures.
Organizations should enhance their monitoring frameworks through threat intelligence and SIEM solutions to effectively recognize and respond to such phishing threats. Consistent training on identifying phishing attempts is critical to reducing risk.
No specific Indicators of Compromise (IOCs) are mentioned at this time, but organizations are encouraged to monitor for unusual activity linked to RMM tools like LogMeIn and Datto, particularly activity that does not follow expected usage patterns.
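One way to express "RMM activity that does not follow expected usage patterns" as detection logic, given here as an added example and not taken from the Netskope report. The event schema, host names, file paths and the APPROVED_RMM allowlist are assumptions constructed for illustration; the RMM product names are the ones listed above.

```python
import re
from pathlib import PureWindowsPath

# RMM products named in the article; APPROVED_RMM is an assumed per-site allowlist.
RMM_PRODUCTS = {"datto rmm", "logmein", "screenconnect"}
APPROVED_RMM = {"screenconnect"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
CONF_LURE = re.compile(r"zoom|teams|meet", re.I)
USER_WRITABLE = re.compile(r"\\(downloads|appdata\\local\\temp)\\", re.I)

def score_event(ev):
    """Return the list of reasons an RMM process launch deviates from expected use."""
    product = ev["product"].lower()
    if product not in RMM_PRODUCTS:
        return []                       # not an RMM binary: out of scope
    reasons = []
    if product not in APPROVED_RMM:
        reasons.append("unapproved RMM product")
    if USER_WRITABLE.search(ev["image"]):
        reasons.append("run from user-writable path")
    if PureWindowsPath(ev["parent"]).name.lower() in BROWSERS:
        reasons.append("launched by browser")
    if CONF_LURE.search(PureWindowsPath(ev["image"]).name):
        reasons.append("file name imitates conferencing tool")
    return reasons

def triage(events, threshold=2):
    """Return (host, reasons) for events with at least `threshold` reasons."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= threshold:
            hits.append((ev["host"], reasons))
    return hits

# Constructed sample events (hypothetical schema, hosts and paths).
SAMPLE_EVENTS = [
    {"host": "ws-01", "product": "ScreenConnect", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Approved RMM\agent.exe"},
    {"host": "ws-02", "product": "Datto RMM", "parent": r"C:\Program Files\Browser\msedge.exe",
     "image": r"C:\Users\alice\Downloads\TeamsUpdate.exe"},
    {"host": "ws-03", "product": "ScreenConnect", "parent": r"C:\Program Files\Browser\chrome.exe",
     "image": r"C:\Users\bob\Downloads\GoogleMeetInstaller.exe"},
    {"host": "ws-04", "product": "Zoom", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\carol\Downloads\ZoomInstaller.exe"},
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS):
        print(host, "->", "; ".join(reasons))
```

The ws-03 event is flagged even though its product is on the allowlist, because the launch context (browser parent, Downloads path, conferencing-themed file name) is what departs from normal use of an approved tool.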