RMM Tools: A Double-Edged Sword for MSPs

Garry BloomGarry Bloom · Founder & Senior IT Manager
8 May 2026
5 min read
PhishingAttack
ITSecurity
ThreatIntelligence
RMM
MSP
Cybersecurity

Legitimate remote monitoring tools are being weaponized by threat actors—and it's happening more than you think.

The VENOMOUS#HELPER campaign has impacted 80+ organizations by abusing SimpleHelp and ScreenConnect RMM platforms. What makes this particularly dangerous:

  • No traditional malware – attackers rely solely on legitimately signed RMM tools to evade detection

  • Dual persistence – using TWO RMM tools ensures backup access if one is discovered

  • 277% YoY increase in RMM tool abuse while traditional hacking tool use dropped 53%

  • Blends with normal operations – RMM activity rarely triggers security alerts since IT teams use these tools daily

The attack starts with phishing emails impersonating the US Social Security Administration, targeting employees with access to sensitive systems or crypto assets.

What MSPs Need to Do Now

  • Implement application whitelisting to prevent unauthorized RMM installations

  • Enable detailed endpoint logging with strong SIEM/EDR monitoring

  • Foster "cyber paranoia" through security awareness training—especially for C-suite and non-technical staff

  • Monitor for unauthorized RMM tool installations across your client environments

As MSP professionals, we need to be vigilant about the very tools we trust. What controls do you have in place to prevent unauthorized RMM deployments?

#Cybersecurity #MSP #RMM #ThreatIntelligence #ITSecurity #PhishingAttack

Garry Bloom
Written by
Garry Bloom
Founder & Senior IT Manager · 25+ years in IT

Garry founded Computer Mechanics — the business behind IT Support Perth — in 1997. With more than 25 years in IT management and support across internal and external service environments, he leads the team's technical direction and its cybersecurity and managed-IT strategy for Perth businesses.

Meet the IT Support Perth team →
Garry Bloom
8 May 2026
5 min read
PhishingAttack
ITSecurity
ThreatIntelligence
RMM
MSP
Cybersecurity

Stay Updated with IT Insights

Get the latest cybersecurity tips and technology insights delivered to your inbox

Related Articles

4 IT Gaps Small Businesses Overlook (and How to Close Them)

Most Perth businesses aren't undone by one huge disaster — it's the small IT gaps that stack up: missing MFA, delayed patching, old access nobody removed, and untested backups. Here's how teams under 50 users can close them. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

How to Safely Offboard an Employee (and Protect Your Company Data)

When a staff member leaves, their access is a security risk until it's properly closed off. A practical Perth-business checklist for offboarding an employee without losing data or leaving a door open. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

5 Signs Your Business Has Outgrown Your Current IT Guy

One trusted 'IT guy' works — until it doesn't. Here are five clear signs a Perth business has outgrown break-fix IT and needs a proper managed IT team. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

Need Expert IT Support?

Get personalized advice from our Perth IT experts. Free consultation available.

Related Content

Continue Reading

Explore more insights and expert advice on IT support, cybersecurity, and digital transformation

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.
CyberSecurity
ITSupportPerth

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.

Most small business owners believe end-to-end encryption means their messages are completely private. A recent FBI case proves that assumption is dangerously incomplete.

5 min read
4/15/2026
What’s new in SMB1001:2026?
SMB1001
SMB10012026

What’s new in SMB1001:2026?

SMB1001:2026 updates for Perth SMBs: Mandatory DMARC from Silver tier, 5 maturity levels, Essential Eight alignment. Get certified, cut insurance costs, win tenders—start your roadmap today!

5 min read
2/25/2026
When a ‘Legit’ Support Call Steals Your Login Session
CyberSecurity
ITSupportPerth

When a ‘Legit’ Support Call Steals Your Login Session

MFA was enabled — but a fake Xero support call led to a stolen browser session, email takeover, and full lockout. Learn how to prevent it with least privilege, Conditional Access, and phishing-resistant policies.

5 min read
1/30/2026