Most people think of cyberattacks as something obvious: a virus, ransomware or some sketchy file that antivirus software swoops in and blocks. Unfortunately, that’s no longer how many modern attacks work.
Some of the most successful breaches we’re seeing today don’t involve traditional malware at all. I write this post now because our team and tools have identified and blocked attacks like these at multiple clients over the past month.
Instead, attackers are abusing legitimate IT tools — the same remote support software many businesses already trust — and quietly turning them into backdoors.
Let me explain what’s happening, why it works so well and what your organization should be doing about it.
The New Trick: Using Legitimate Tools Against You
In recent phishing campaigns, attackers have been targeting employees with realistic-looking emails. These messages often pose as:
- IT support requests
- Event or contract documents
- System updates
- Requests that appear to come from a coworker or vendor
These emails encourage the employee to click a link or download software. On the surface, nothing looks suspicious. The software is real, well-known and widely used by IT teams, including tools like LogMeIn, Resolve or ScreenConnect.
Once installed, the attacker doesn’t need malware.
They’ve just been handed remote control of the computer.
From a security standpoint, this is incredibly dangerous because everything that happens next looks like normal IT activity. Antivirus tools often stay quiet. Firewalls don’t raise alarms. Logs look clean at first glance.
This is what security professionals mean when we say attackers are hiding in plain sight.
Why This Strategy Works So Well
Remote monitoring and support tools are powerful by design. They are meant to:
- Allow full remote access
- Transfer files
- Run scripts
- Stay persistent after reboots
They normally have elevated permissions and are often allowed through security controls because, frankly, IT needs them.
Attackers know this.
And to be very clear: this is not a vulnerability in the software itself. The tools are working exactly as designed. The weakness is in how easy it is to trick a well-intentioned user into installing something that feels safe.
Once attackers are inside, they may not act right away. They often sit quietly, observing systems and learning your environment. In some cases, they sell that access to other criminals. In others, they eventually deploy data theft or ransomware tools.
By the time something obvious happens, the damage is already done.
TL;DR:
Attackers are sneaking into networks by abusing trusted remote IT tools instead of using malware. If employees can install software freely and remote access isn’t tightly monitored, hackers can get in and stay hidden.
What This Means for Your Business
This type of attack changes a core assumption many organizations still rely on:
“If it’s trusted software, it must be safe.”
That assumption no longer holds.
Security today isn’t just about blocking bad files. It’s about making sure the right tools are being used by the right people for the right reasons.
If an employee can install remote access software without oversight, that’s a risk.
If IT usage isn’t being monitored closely, that’s a risk.
If teams assume security tools will always catch the bad stuff automatically, that’s a risk.
How Organizations Can Protect Themselves
The good news is that stopping these attacks doesn’t require panic or massive disruption. It requires discipline, visibility and education.
Here are the key steps we recommend.
1. Train Employees Like They’re Part of the Security Team
Your employees, unfortunately, are often the cause of cybersecurity problems, but they can also serve as the first line of defense.
Regular security awareness training and phishing simulations are critical. Employees should be taught to pause when they see requests to download software or click unexpected links — even if the email looks legitimate.
A simple rule works well: If you didn’t ask for it, verify it before acting.
That verification could be a phone call, a Teams message or checking with IT.
2. Limit Who Can Install Software
Most users do not need the ability to install software on their work devices.
Applying the principle of least privilege dramatically reduces risk. When software installations require approval or are handled through managed systems, accidental installs of malicious or misused tools drop sharply.
This one change alone stops many of these attacks cold.
3. Actively Control Remote Access Tools
Organizations should maintain a clear list of approved remote support tools. Anything outside that list should be blocked or removed.
For tools that are approved, additional safeguards matter:
- Require multi-factor authentication
- Restrict where logins can come from
- Monitor logs for unusual behavior
Remote access should never be “set it and forget it.”
4. Watch Behavior, Not Just Malware
Modern cybersecurity is about behavioral monitoring.
Advanced endpoint security solutions can flag when legitimate software starts behaving in suspicious ways, such as connecting to unknown external systems or running scripts across multiple machines.
This allows IT teams to detect abuse early, before real damage occurs.
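As an added example (not code from the original post or from KaufmanIT), the following script puts steps 3 and 4 together: it checks endpoint telemetry against an approved list of remote-support tools and flags approved tools that connect somewhere other than their expected relay hosts. The log format, process names, relay host names and sample lines are all constructed placeholders, not any vendor's real binaries or infrastructure.

```python
"""Added example (not from the original post): scan endpoint telemetry for
remote-support tools outside the approved list, and for approved tools
talking to hosts outside their expected relays. All names are constructed."""
import re
from collections import defaultdict

# Assumed allowlist: approved tool process -> relay hosts it is expected to use.
# Process and host names are placeholders, not the vendors' real binaries/hosts.
APPROVED = {"screenconnect.exe": {"relay.screenconnect-approved.example"}}
# Processes associated with remote-support tools (illustrative names only).
REMOTE_TOOLS = {"screenconnect.exe", "logmein.exe", "resolve.exe"}

LINE_RE = re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"process=(?P<proc>\S+) dest=(?P<dest>[^:\s]+)")

def parse_event(line):
    """Return a dict for one telemetry line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def classify(event):
    """Label an event: unapproved tool, approved tool at an odd destination, or None."""
    proc = event["proc"].lower()
    if proc in REMOTE_TOOLS and proc not in APPROVED:
        return "UNAPPROVED_REMOTE_TOOL"
    if proc in APPROVED and event["dest"].lower() not in APPROVED[proc]:
        return "APPROVED_TOOL_UNEXPECTED_DESTINATION"
    return None

def scan(lines):
    """Return (findings, hosts_per_tool): flagged events, plus how widely each
    remote tool is spread (a tool appearing on many hosts deserves a look)."""
    findings, hosts_per_tool = [], defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unrelated or malformed line
        proc = ev["proc"].lower()
        if proc in REMOTE_TOOLS:
            hosts_per_tool[proc].add(ev["host"])
        label = classify(ev)
        if label:
            findings.append((label, ev["host"], ev["user"], proc, ev["dest"]))
    return findings, dict(hosts_per_tool)

# Constructed sample telemetry lines (not real logs).
SAMPLE = [
    "host=PC-07 user=asmith process=screenconnect.exe dest=relay.screenconnect-approved.example:443",
    "host=PC-12 user=bjones process=logmein.exe dest=198.51.100.23:443",
    "host=PC-12 user=bjones process=ScreenConnect.exe dest=203.0.113.9:8041",
    "host=PC-19 user=cwu process=excel.exe dest=files.example.internal:443",
]
```

Feeding real EDR or firewall exports through the same two checks is the point: the second and third sample lines are the pattern the post describes, a remote tool that IT never approved and an approved one reaching an unknown address.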
5. Segment Your Network
If an attacker does get in, network segmentation limits how far they can go.
Sensitive systems and critical data should be isolated so one compromised machine doesn’t lead to a full-scale breach.
Think of it like fire doors in a building. They don’t prevent every fire, but they keep a bad situation from becoming a disaster.
The Big Takeaway
Cybersecurity threats don’t always look like threats anymore.
Some of the most effective attacks today rely on legitimate tools, familiar workflows and human trust. That makes them harder to spot and even more important to prepare for.
At KaufmanIT, we believe strong security comes from pairing smart technology with informed people and good processes. When organizations understand how these attacks work and take proactive steps, they drastically reduce their risk.
If you’re not sure what remote access tools are running in your environment or how well they’re monitored, that’s a conversation worth having now — before someone else starts that conversation for you.