
How do attackers use legitimate RMM tools as backdoors after phishing steals credentials?

What should security teams do to stop RMM-based backdoor access from stolen login credentials?

Attackers increasingly avoid custom malware. They instead abuse tools that IT teams already trust. Remote monitoring and management (RMM) software is a prime target because it is designed for remote access, runs persistently, and often looks normal in logs.

KnowBe4 Threat Labs documented a dual-vector campaign that starts with credential theft and ends with long-term remote control. The core idea is simple: steal valid credentials, then use those credentials to install or activate legitimate RMM tooling. That turns an administrative asset into a durable backdoor.

Phase 1: Credential harvesting through realistic lures

The intrusion begins with a phishing email that looks like an invitation from Greenvelope, a real US-based invitation service used for corporate events and weddings. That context lowers suspicion because invitations feel routine, time-sensitive, and socially “safe.”

When a target clicks, they are routed to a convincing fake login page. The objective is not immediate damage. The objective is access—valid credentials that can pass standard authentication checks and blend into normal sign-in activity.

Key point: the stolen password is a step, not the end state. The attacker’s end state is remote persistence that survives reboots and supports hands-on control.

Phase 2: RMM token creation and persistent access

After the attacker captures credentials, they use them to generate legitimate RMM access tokens. Those tokens authenticate the attacker to the RMM product as a valid user, so the resulting agent enrollment and session traffic is vendor-sanctioned activity that traditional "malware" detections rarely flag.

In the observed activity, a file named “GreenVelopeCard.exe” was used as part of the delivery chain to establish persistent remote access. The more important detail is not the filename. The important detail is the tactic: the attacker installs or activates a signed, trusted remote administration tool and then operates through it.

Because the RMM software is legitimately signed by a trusted vendor, defenses that rely on signature-based malware detection typically do not fire. A valid signature only proves the binary came from that vendor; it says nothing about whether its presence on this host, at this time, under this account, was authorized. From the endpoint's perspective, a known tool is running as designed. From the defender's perspective, that "normal" tool is now the attacker's remote keyboard.

Why this tactic works so well

This approach exploits a common security gap: controls often treat “legitimate IT software” as inherently safe. In reality, RMM is high-risk software because it can:

  • Provide interactive remote sessions and command execution.
  • Maintain persistence through services, scheduled tasks, or agents.
  • Generate activity that resembles IT support workflows.
  • Evade simplistic detection models that equate “signed” with “benign.”

In other words, the attacker does not need a novel payload if they can repurpose a tool that already has permission to do everything they want.

Prevention: reduce human risk and tighten RMM controls

KnowBe4’s guidance emphasizes that security teams cannot rely on slow, periodic awareness training alone. The threat evolves quickly, and the defensive response must be continuous and measurable.

Human Risk Management (HRM) helps by connecting three streams of data:

  • Behavioral signals (how users respond to lures and warnings)
  • Product telemetry (what actually happens on endpoints and in email)
  • Real-time threat intelligence (current attacker techniques and indicators)

That combined view supports per-user risk scoring and targeted interventions. It also supports automation: apply stronger controls to higher-risk users and deliver training that matches real failure modes, not generic advice.

A practical training tactic is to convert real attacker patterns into simulation. If “Greenvelope-style invitations” are being abused, build a simulated campaign that mirrors that look and flow, then coach users on the specific cues: sender anomalies, domain mismatches, unexpected login prompts, and unusual authentication flows.
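The cues listed above (sender anomalies, domain mismatches, lookalike login hosts) can also be checked mechanically when triaging a reported message. The following is an added example, not code from KnowBe4 or the cited write-up: it parses a constructed invitation-style lure and a constructed legitimate message and reports which cues fire. The sender addresses, relay domains and link hosts are invented for illustration (all under .example); the genuine brand domain is an assumption to confirm against the vendor before using it in a rule.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "greenvelope"
# Assumed genuine domain of the invitation service (verify before production use).
BRAND_DOMAINS = {"greenvelope.com"}

# Crude anchor extractor for the HTML body; fine for triage, not a full parser.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed lure: brand in the display name, sender/reply domains that do not
# match each other, and a link whose visible text differs from its real target.
LURE = """\
From: "Greenvelope Invitations" <invites@greenvelope-cards.example>
Reply-To: rsvp@mail-relay.example
Return-Path: <bounce@mail-relay.example>
Subject: You're invited: Q2 leadership offsite
Content-Type: text/html

<p>You have received an invitation.</p>
<a href="https://login.greenvelope-cards.example/view?id=1234">https://www.greenvelope.com/view</a>
"""

# Constructed legitimate message for contrast: every domain agrees.
GENUINE = """\
From: "Greenvelope" <invites@greenvelope.com>
Return-Path: <bounce@greenvelope.com>
Subject: You're invited
Content-Type: text/html

<a href="https://www.greenvelope.com/view?id=5678">https://www.greenvelope.com/view</a>
"""


def registrable(host):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(header_value):
    """Registrable domain of the address in a From/Reply-To/Return-Path header."""
    _, addr = parseaddr(header_value or "")
    return registrable(addr.rpartition("@")[2]) if "@" in addr else ""


def phishing_cues(raw_message):
    """Return (cue, detail) pairs for the sender and link anomalies in a message."""
    msg = message_from_string(raw_message)
    cues = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))

    # Cue 1: the display name claims the brand but the sending domain is not the brand's.
    if BRAND in display_name.lower() and from_dom not in BRAND_DOMAINS:
        cues.append(("brand_impersonation", f"display name says {BRAND}, sender domain is {from_dom}"))

    # Cue 2: replies or bounces are routed to a different domain than the visible sender.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(hdr))
        if dom and dom != from_dom:
            cues.append(("sender_mismatch", f"{hdr} domain {dom} != From domain {from_dom}"))

    # Cue 3/4: link text pretends to be one host while the href goes elsewhere,
    # or the real host is a lookalike that embeds the brand name.
    for href, text in LINK_RE.findall(msg.get_payload()):
        href_dom = registrable(urlparse(href).hostname or "")
        text_host = urlparse(text.strip()).hostname if "://" in text else None
        if text_host and registrable(text_host) != href_dom:
            cues.append(("link_text_mismatch", f"text shows {text_host}, href goes to {href_dom}"))
        if BRAND in href_dom and href_dom not in BRAND_DOMAINS:
            cues.append(("lookalike_domain", f"{href_dom} carries the brand name but is not the brand"))
    return cues


if __name__ == "__main__":
    for cue, detail in phishing_cues(LURE):
        print(f"{cue:20} {detail}")
```

None of these checks is conclusive on its own (marketing senders legitimately use third-party relays, for example), which is why the page frames them as cues to coach users on rather than hard blocks.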

Immediate defensive actions for RMM-based backdoors

To reduce risk quickly, prioritize actions that detect and disrupt the second phase, because that is where persistence is created.

  • Scan endpoints for known indicators of compromise (IOCs) tied to the campaign and any related artifacts.
  • Block known command-and-control (C2) domains and suspicious redirect infrastructure associated with the phishing chain.
  • Monitor for unauthorized RMM installs, new RMM services, and unexpected RMM agent check-ins.
  • Alert on abnormal RMM usage patterns, such as first-time RMM execution on a device, out-of-hours sessions, unusual geolocation, or new admin token creation.
  • Restrict RMM by policy: allowlisted tools only, approved installers only, and enforced MFA for any RMM console access.
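Several of the actions above (monitoring for unauthorized installs and unexpected agent activity, alerting on first-time RMM execution and out-of-hours sessions, and allowlisting approved tools) can be expressed as a small rule set over endpoint telemetry, and doing so also closes the "signed equals benign" gap discussed earlier, because the rules key on product and signer rather than on file reputation. What follows is an added example written for this page, not code from KnowBe4 or the write-up it summarizes. The approved product, its signer subject, the deployment account, the host names and every event record are constructed; the signer and product attributed to the GreenVelopeCard.exe event are likewise invented for illustration, since the page gives only the filename.

```python
from datetime import datetime, time

# Policy (constructed): the one RMM product approved for this fleet, the
# Authenticode signer subject its binaries must carry, the account allowed to
# roll it out, and the local window in which support sessions are expected.
APPROVED_RMM = {"ApprovedRMM": "CN=Approved RMM Vendor Inc"}
DEPLOYMENT_ACCOUNTS = {"CORP\\svc-rmm-deploy"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed catalogue of product names that identify remote-administration
# tooling, approved or not. Matching on product/signer instead of filename is
# deliberate: a renamed dropper still installs an agent that identifies itself.
RMM_PRODUCTS = {"ApprovedRMM", "OtherRMM"}

# Constructed telemetry in a Sysmon-like shape (process creation and service
# installation). WS-017 is a sanctioned rollout; WS-042 is the phishing victim.
EVENTS = [
    {"ts": "2025-03-03T09:12:00", "host": "WS-017", "user": "CORP\\svc-rmm-deploy",
     "image": r"C:\Program Files\ApprovedRMM\approvedrmm.exe",
     "signer": "CN=Approved RMM Vendor Inc", "product": "ApprovedRMM", "kind": "service_install"},
    {"ts": "2025-03-03T09:13:00", "host": "WS-017", "user": "CORP\\svc-rmm-deploy",
     "image": r"C:\Program Files\ApprovedRMM\approvedrmm.exe",
     "signer": "CN=Approved RMM Vendor Inc", "product": "ApprovedRMM", "kind": "process"},
    {"ts": "2025-03-03T10:00:00", "host": "WS-017", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\ApprovedRMM\approvedrmm.exe",
     "signer": "CN=Approved RMM Vendor Inc", "product": "ApprovedRMM", "kind": "process"},
    # Renamed dropper run from Downloads, late at night, carrying an unapproved vendor's signature.
    {"ts": "2025-03-04T22:41:00", "host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\GreenVelopeCard.exe",
     "signer": "CN=Some Other RMM Vendor LLC", "product": "OtherRMM", "kind": "process"},
    {"ts": "2025-03-04T22:42:00", "host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\ProgramData\OtherRMM\agent.exe",
     "signer": "CN=Some Other RMM Vendor LLC", "product": "OtherRMM", "kind": "service_install"},
    # Approved product name but the wrong signer: a tampered or impostor binary.
    {"ts": "2025-03-05T10:05:00", "host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\ApprovedRMM\approvedrmm.exe",
     "signer": "CN=Evil Signer", "product": "ApprovedRMM", "kind": "process"},
]


def triage(events, known_rmm_hosts=()):
    """Return (host, ts, rule, image) findings for RMM activity outside policy."""
    baseline = set(known_rmm_hosts)   # hosts where approved RMM is known to be deployed
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        if ev["product"] not in RMM_PRODUCTS:
            continue
        approved = ev["product"] in APPROVED_RMM
        signer_ok = approved and ev["signer"] == APPROVED_RMM[ev["product"]]
        by_deployer = ev["user"] in DEPLOYMENT_ACCOUNTS
        is_install = ev["kind"] == "service_install"

        # A sanctioned rollout (approved product, right signer, deployment
        # account) is the only thing that adds a host to the baseline.
        if is_install and signer_ok and by_deployer:
            baseline.add(ev["host"])

        hits = []
        if not approved:
            hits.append("unapproved_rmm")        # allowlisted tools only
        elif not signer_ok:
            hits.append("signer_mismatch")       # signed, but not by the expected vendor
        if is_install and not by_deployer:
            hits.append("unauthorized_install")  # approved installers/accounts only
        if ev["host"] not in baseline:
            hits.append("first_time_on_host")    # unexpected agent appearance
        if "\\users\\" in ev["image"].lower():
            hits.append("rmm_from_user_path")    # admin tooling launched from a user-writable path
        ts = datetime.fromisoformat(ev["ts"])
        if not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            hits.append("out_of_hours")          # session outside the support window
        findings.extend((ev["host"], ev["ts"], rule, ev["image"]) for rule in hits)
    return findings


def flagged_hosts(findings):
    """Distinct hosts with at least one finding, sorted."""
    return sorted({host for host, _, _, _ in findings})


if __name__ == "__main__":
    for host, ts, rule, image in triage(EVENTS):
        print(f"{host} {ts} {rule:22} {image}")
```

Note that the sanctioned rollout on WS-017, including a later ordinary user launching the agent during business hours, produces no findings, while every event on WS-042 trips at least one rule even though the binaries involved are "signed". In a real deployment the product and signer fields would come from the EDR's file metadata, and the baseline from the asset inventory rather than from the event stream alone.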

For deeper technical context, refer to KnowBe4’s write-up: “The Skeleton Key: How Attackers Weaponize Trusted RMM Tools for Backdoor Access.”