Phishing Attack Leverages Stolen Credentials for LogMeIn RMM Deployment
These articles are AI-generated summaries. Please check the original sources for full details.
Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access
Researchers at KnowBe4 Threat Labs have detailed a two-stage phishing attack that exploits stolen email credentials to deploy LogMeIn Resolve RMM software, achieving persistent and hidden access to Windows systems. The attack begins with a Greenvelope-themed phishing email designed to harvest login details, followed by the deployment of RMM tools via a signed executable.
Why This Matters
Traditional security models focus on preventing malware execution, but this attack demonstrates a shift towards weaponizing legitimate IT administration tools. This bypasses many security perimeters, as RMM software is often trusted and allowed through firewalls, making detection difficult and potentially leading to significant data breaches or ransomware deployment – the cost of which averaged $4.35 million per incident in 2022 according to IBM’s Cost of a Data Breach Report.
Key Insights
- Dual-Vector Attack: The campaign is a two-stage process, credential theft followed by RMM deployment.
- RMM Weaponization: Attackers are leveraging trusted RMM tools like LogMeIn Resolve as a backdoor, bypassing traditional security controls.
- Signed Executable: The malicious “GreenVelopeCard.exe” is digitally signed, increasing its likelihood of bypassing security solutions.
Practical Applications
- Use Case: Managed Service Providers (MSPs) could be targeted to gain access to multiple client networks through compromised credentials.
- Pitfall: Overly permissive RMM configurations, granting excessive privileges, can facilitate widespread compromise once access is gained.
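As an added defensive example (not code from KnowBe4, LogMeIn or the article), the check below scores Windows process-creation events for the pattern described above: an RMM installer that carries a valid signature but is not the organisation's sanctioned product, launched by an ordinary user from a user-writable path by a file dropped into the profile. The event fields, the vendor and account names, and the sample events are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption (not from the article): one sanctioned RMM product, installed only by a
# deployment service account. Vendor and account names below are placeholders.
APPROVED_RMM_SIGNERS = {"Contoso RMM Vendor LLC"}
APPROVED_DEPLOY_USERS = {"CORP\\svc-deploy"}
RMM_HINT = re.compile(r"logmein|resolve|rmm|anydesk|teamviewer|screenconnect", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\", re.I)

@dataclass
class ProcEvent:
    image: str             # full path of the launched executable
    parent: str            # full path of the parent process
    user: str              # account that launched it
    signer: Optional[str]  # Authenticode subject name, None if unsigned

def classify(ev: ProcEvent) -> List[str]:
    """Return reasons an event looks like an unsanctioned RMM deployment (empty = clean)."""
    if not RMM_HINT.search(ev.image + " " + (ev.signer or "")):
        return []
    reasons = []
    # A valid Authenticode signature proves origin, not authorisation: only the
    # signer the organisation chose to deploy is acceptable.
    if ev.signer not in APPROVED_RMM_SIGNERS:
        reasons.append("rmm-signer-not-approved")
    if ev.user not in APPROVED_DEPLOY_USERS:
        reasons.append("rmm-install-by-unmanaged-user")
    if USER_WRITABLE.search(ev.image):
        reasons.append("rmm-binary-in-user-writable-path")
    # Lure-style chain: the installer is spawned by a file dropped into the user's profile.
    if USER_WRITABLE.search(ev.parent):
        reasons.append("rmm-parent-in-user-writable-path")
    return reasons

def triage(events: List[ProcEvent]) -> dict:
    """Keep only suspicious events keyed by image path; sanctioned deployments drop out."""
    return {ev.image: r for ev in events if (r := classify(ev))}

# Constructed sample events (not real telemetry); signer strings are illustrative only.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\ProgramData\Contoso\rmm_agent.exe", r"C:\Windows\System32\services.exe",
              "CORP\\svc-deploy", "Contoso RMM Vendor LLC"),
    ProcEvent(r"C:\Users\jdoe\AppData\Local\Temp\LogMeInResolveSetup.exe",
              r"C:\Users\jdoe\Downloads\GreenVelopeCard.exe", "CORP\\jdoe", "Example RMM Vendor (constructed)"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "CORP\\jdoe", "Microsoft Corporation"),
]
```

Only the second sample event survives `triage`, with all four reasons; the sanctioned agent install and the non-RMM Office launch are dropped.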