New research from Red Canary and Zscaler shows phishing lures now drop RMM tools like ITarian and Atera, giving attackers admin-level access for malware and ransomware campaigns.
Phishing emails used to be easy to spot, often filled with typos and strange formatting. That is no longer the case. New research from Red Canary and Zscaler shows how convincing attackers have become, luring people with fake Chrome updates, malicious but real-looking Teams or Zoom invites, party e-cards, and even government forms that look real enough to trick employees.
According to researchers, these campaigns are different from others because of the use of remote monitoring and management (RMM) tools. Instead of delivering a typical piece of malware, the attackers are now using these lures to install RMM tools such as ITarian, PDQ, SimpleHelp, and Atera.
IT administrators use these programs to maintain systems, but threat actors are now using the same tools to gain the same access as the administrators. This allows them to install additional payloads or even carry out ransomware attacks.
Fake Chrome Update
Looking at the campaigns themselves, Red Canary and Zscaler documented four main lures. The most common is the fake browser update, where compromised websites inject malicious JavaScript that presents a convincing update prompt.
According to Red Canary’s blog post shared with Hackread.com, in one case, clicking “Update Chrome” led users to download a signed ITarian installer, which later launched a chain of malicious activity.
Microsoft Teams, Zoom Updates and Party Invitations
Another tactic noted by researchers is the meeting invite, where fake Teams or Zoom updates are delivered via Atera or PDQ tools. These installers were even named to match the original applications, like “MicrosoftTeams.msi.”
Researchers also saw campaigns using party invitations, hosted on platforms like Cloudflare R2 storage, and tax-related government forms that carried installers disguised as IRS documents. In several incidents, attackers successfully deployed two different RMM tools, giving them backup access.

Alex Berninger, Senior Manager of Intelligence at Red Canary, says that phishing is no longer about spotting broken English in an email. “Adversaries are now using highly polished lures like fake browser updates, meeting invites, and even government forms that are nearly impossible to distinguish from the real thing,” he explained.
He stressed that while user education helps, it is unrealistic to expect employees to catch every trick. Instead, companies need layered defences, including network monitoring, endpoint detection, and strict controls over which RMM tools are allowed.
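One way to express the "strict controls over which RMM tools are allowed" advice as a detection check, given here as an added example that is not code from Red Canary, Zscaler or this article. The RMM names come from the article; the event fields, the allowlist and the sample events are assumptions constructed for illustration.

```python
# Added example: triage installer events for the RMM abuse patterns described
# in the article. Event field names ("host", "file", "product") are hypothetical.
RMM_KEYWORDS = ("itarian", "pdq", "simplehelp", "atera")  # tools named in the article
APPROVED_RMM = {"pdq"}                    # hypothetical: the one RMM tool IT sanctions
LURE_BRANDS = ("chrome", "teams", "zoom")  # brands the lures imitate

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "file": "MicrosoftTeams.msi", "product": "Atera Agent"},
    {"host": "ws-01", "file": "setup.msi", "product": "SimpleHelp Remote Access"},
    {"host": "ws-02", "file": "pdq-deploy.msi", "product": "PDQ Deploy"},
    {"host": "ws-03", "file": "ChromeSetup.msi", "product": "Google Chrome"},
]

def rmm_family(event):
    """Return the RMM family named in the installer's product metadata, or None."""
    product = event["product"].lower()
    return next((k for k in RMM_KEYWORDS if k in product), None)

def triage(events):
    """Return (host, reason) alerts for installer events that need review."""
    seen = {}    # host -> set of RMM families already observed there
    alerts = []
    for ev in events:
        family = rmm_family(ev)
        if family is None:
            continue  # not an RMM installer
        host, name = ev["host"], ev["file"].lower()
        # File name imitates a browser or meeting app, but the package is an RMM tool.
        if any(brand in name for brand in LURE_BRANDS):
            alerts.append((host, f"masquerade:{ev['file']}->{family}"))
        # RMM tool that is not on the organisation's allowlist.
        if family not in APPROVED_RMM:
            alerts.append((host, f"unapproved:{family}"))
        # Second distinct RMM family on one host: the backup-access pattern.
        families = seen.setdefault(host, set())
        if family not in families and len(families) == 1:
            alerts.append((host, "multiple-rmm"))
        families.add(family)
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Keyword matching on product metadata is deliberately simple here; in production the same three rules would key on signer and product fields from endpoint telemetry.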
Protect Yourself and Your Company’s Data
To lower the risk of falling for these lures, start with employee awareness. Staff should know how to spot suspicious emails and malicious files. Only install software from official sources, and avoid opening attachments or clicking links in emails from unknown senders.
If there is any doubt, scan the file or link with a service like VirusTotal before opening it. And above all, rely on common sense, as simple caution and good judgment go a long way in keeping both people and companies safe.