Netskope Threat Labs reports RMM payloads in meeting invite phishing
Netskope Threat Labs reports phishing campaigns that use fake meeting invitations to distribute digitally signed remote monitoring and management (RMM) tools. Victims reach the lures through typo-squatted domains and fake update prompts, and the installed agents give attackers remote administrative access and persistence on corporate endpoints.
Research Overview
Netskope Threat Labs tracked multiple campaigns that imitate mainstream video conferencing services to lure corporate users. The attacks direct targets to lookalike domains and prompt a download presented as a required update.
Key Findings
Phishing pages recreate the appearance of Zoom, Microsoft Teams, and Google Meet to increase perceived legitimacy and to prompt immediate user action. Attackers present an application-update flow that leads users to execute the distributed binaries.
Investigators identified digitally signed remote monitoring and management agents used as the delivered payloads, including Datto RMM, LogMeIn, and ScreenConnect. Because the binaries are signed and align with expected installer names, they can evade some signature-based detections and blend with normal enterprise traffic.
Technical Breakdown
Victims download executables or MSI (Windows Installer) packages renamed to resemble legitimate clients; examples include names approximating Zoom or Google Meet installers. The delivered files are legitimate RMM agents, which provide remote shell, file transfer, and remote-control capabilities once activated.
Attackers leverage those native RMM functions to establish persistent administrative presence on compromised hosts. The RMM infrastructure can also be used to distribute additional payloads across an environment from a single foothold.
Threat Analysis
With administrative access via RMM agents, actors can perform data collection, credential theft, and lateral movement using built-in management features. The use of signed, commonly used management tools increases the chance that the initial compromise will not generate immediate alerts from signature-based controls.
Operational Impact
Security teams may face detection gaps because the payloads are legitimate, signed management agents and can match allowed software policies. The campaigns exploit the common practice of joining frequent meetings and the expectation of timely updates, creating a user-driven installation vector.
Once an endpoint is controlled, attackers can use the RMM’s deployment functions to scale actions across many systems, turning one compromised machine into a broader operational issue. Monitoring of installation sources, domain reputation, and anomalous use of management tools can help identify this pattern of activity.
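The monitoring idea above (installation source plus anomalous use of management tools) can be expressed as a small endpoint-telemetry check. The following is an added example, not Netskope's code or detection content: it scores process-creation events shaped like Sysmon Event ID 1 and flags a signed RMM agent (the report names Datto RMM, LogMeIn and ScreenConnect) whose on-disk name borrows a meeting-client brand, that runs from a download or temp directory, or that a browser spawned directly. All paths, file names and signer subjects in the sample events are constructed for illustration and are not indicators from the report; the download-directory list and signer strings are assumptions.

```python
"""Constructed detection example: flag process-creation events in which a signed RMM
agent arrives dressed up as a meeting-client update. Not Netskope's code. Field names
mimic Sysmon Event ID 1; every path, file name and signer string below is a constructed
sample, not an indicator from the report."""
from dataclasses import dataclass

# RMM products the report names as delivered payloads.
RMM_PRODUCTS = ("screenconnect", "datto", "logmein")
# Meeting clients the phishing pages imitate.
MEETING_CLIENTS = ("zoom", "teams", "meet")
# Typical browser download / staging locations (assumed list, lower-case).
DOWNLOAD_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")


@dataclass
class ProcessEvent:
    image: str               # full path of the executed file
    original_file_name: str  # OriginalFileName from the PE version resource
    signer: str              # Authenticode signer subject ("" if unsigned)
    parent_image: str        # path of the parent process


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rmm_product(ev: ProcessEvent):
    """Identify the RMM product from the PE's own name or its signer, not the on-disk name."""
    text = f"{ev.original_file_name} {ev.signer}".lower()
    return next((p for p in RMM_PRODUCTS if p in text), None)


def assess(ev: ProcessEvent) -> list[str]:
    """Return zero or more finding tags for one process-creation event."""
    product = rmm_product(ev)
    if product is None:
        return []
    findings = []
    name = basename(ev.image)
    # The on-disk name carries a meeting-client brand that the PE metadata does not support.
    if any(c in name for c in MEETING_CLIENTS):
        findings.append(f"rmm_named_as_meeting_client:{product}")
    # The agent was launched from a download / staging path rather than an install location.
    if any(d in ev.image.lower() for d in DOWNLOAD_DIRS):
        findings.append(f"rmm_launched_from_download_dir:{product}")
    # A browser spawned the agent directly: a user-driven install straight from a web page.
    if basename(ev.parent_image) in BROWSERS:
        findings.append(f"rmm_spawned_by_browser:{product}")
    return findings


def triage(events) -> dict:
    """Map each flagged image path to its finding tags; events with no findings are omitted."""
    return {ev.image: tags for ev in events if (tags := assess(ev))}


# Constructed sample telemetry (signer subjects are assumed, not verified values).
SAMPLE_EVENTS = [
    ProcessEvent(  # lure: ScreenConnect client renamed to look like a Zoom installer
        image=r"C:\Users\alice\Downloads\ZoomInstallerFull.exe",
        original_file_name="ScreenConnect.ClientSetup.exe",
        signer="Connectwise, LLC",
        parent_image=r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcessEvent(  # lure: LogMeIn agent presented as a Google Meet update
        image=r"C:\Users\bob\AppData\Local\Temp\GoogleMeetUpdate.exe",
        original_file_name="LogMeIn.exe",
        signer="LogMeIn, Inc.",
        parent_image=r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ProcessEvent(  # genuine Zoom client downloaded by the user: no RMM product, no finding
        image=r"C:\Users\alice\Downloads\ZoomInstaller.exe",
        original_file_name="Installer.exe",
        signer="Zoom Video Communications, Inc.",
        parent_image=r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcessEvent(  # IT-deployed ScreenConnect service running from its install path
        image=r"C:\Program Files (x86)\ScreenConnect Client (example)\ScreenConnect.ClientService.exe",
        original_file_name="ScreenConnect.ClientService.exe",
        signer="Connectwise, LLC",
        parent_image=r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for image, tags in triage(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(tags))
```

The key design choice is to identify the RMM product from the PE's OriginalFileName and signer rather than from the file name on disk, because renaming is exactly what the lure does; the on-disk name is then compared against that identity to catch the mismatch. An MSI launched through msiexec.exe would carry Microsoft's signature on the process event, so for that path the package's own signature and its download origin have to be checked separately.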
Enterprises should assess exposure to meeting-invite phishing that delivers signed RMM agents and review controls around trusted software and update flows. This “Blog Signals brief” is a fact-based summary of the vendor blog.