
CyberWire Daily: Two RMMs walk into a phish… [Research Saturday]
Nov 22, 2025

In this engaging discussion, Alex Berninger, Senior Manager of Intelligence at Red Canary, and Mike Wylie, Director of Threat Hunting at Zscaler, dive into the underbelly of phishing campaigns exploiting remote monitoring and management (RMM) tools. They reveal four clever lures used by attackers, including fake browser updates and meeting invites. The duo emphasizes the stealthy nature of RMM tool abuse and outlines effective detection strategies. Their insights highlight the growing sophistication of threats and the necessity for vigilant monitoring of authorized RMM usage.
Legitimacy As A Stealth Mechanism
- RMM tools give attackers a veneer of legitimacy that aids stealth and persistence.
- They let adversaries blend in as IT or vendors and move laterally within networks.
Trusted Hosting Evades Simple Blocks
- Attackers host signed legitimate RMM binaries on trusted services like GitHub and Cloudflare R2.
- This makes blocking based on domains or signatures ineffective because the files come from reputable platforms.
Teach Users To Verify Lures
- Educate users to validate unexpected invites, e-invites, and government forms before interacting.
- Teach users that Chrome updates rarely surface via random webpages, and to verify update sources.
