April 18, 2026 Newsletter
A two-stage phishing campaign steals email credentials, then installs legitimate LogMeIn Resolve RMM to gain persistent, hidden access on Windows endpoints—bypassing many traditional detections.
Phishing Isn’t Just Stealing Passwords Anymore — It’s Installing “Trusted” Remote Access
A new campaign documented by The Hacker News highlights a shift defenders keep seeing in real environments: attackers don’t need bespoke malware to gain durable control. They can steal credentials, then deploy legitimate IT tooling that looks “normal” on paper and blends into standard remote support workflows.
Researchers describe a two-wave operation that starts with credential harvesting and ends with persistent remote access via Remote Monitoring and Management (RMM) software—specifically LogMeIn Resolve (formerly GoTo Resolve) deployed in a way designed to be silent and resilient on Windows.
From an operational risk standpoint, this matters because it collapses the time between “user clicked” and “attacker has an always-on foothold,” while also reducing the number of obvious malware indicators many teams still rely on.
What Happened: Two-Stage Phishing → Credential Theft → Legitimate RMM Backdoor
Wave 1: Fake invitations designed to harvest email credentials
The campaign begins with phishing emails disguised as invitations from Greenvelope, a legitimate invitation platform. The lure is built to feel routine and low-friction—exactly the kind of social engineering that slips through both human suspicion and some email controls.
Clicking the link leads to credential-harvesting pages targeting common email accounts (including Microsoft Outlook, Yahoo, and AOL). Once credentials are captured, the campaign pivots immediately from “phish” to “remote takeover.”
Wave 2: Weaponizing LogMeIn Resolve RMM for persistent access
After obtaining a victim’s email login, the threat actor registers with LogMeIn using the compromised email to generate RMM access tokens. A follow-on executable (“GreenVelopeCard.exe”) then uses those tokens to silently install the RMM agent and bind it to the attacker-controlled account.
KnowBe4’s Threat Lab analysis adds important operational detail: the installer is legitimately signed (attributed to GoTo Technologies USA, LLC) and contains embedded configuration used to automate the installation and enable unattended operation. This is a key reason these intrusions can evade older “malware-first” detection patterns.
Why This Works: “Living Off Trusted Tools” Beats “Dropping Malware”
This is the core lesson defenders should extract:
Credentials are now the delivery mechanism
Once attackers have valid credentials, they can impersonate legitimate users, authenticate to legitimate services, and pull down legitimate software. In many environments, that sequence doesn’t trip alarms fast enough.
Signed binaries and legitimate infrastructure reduce obvious red flags
The campaign uses a signed executable and installs mainstream RMM tooling. KnowBe4 notes that the resulting command-and-control traffic can look like normal vendor traffic, making simplistic blocking strategies unreliable without context-aware monitoring.
Persistence is engineered, not improvised
The reported behavior includes modifying service settings to run with elevated permissions and using scheduled tasks to keep the tool alive even if a user terminates it. That’s not “remote support abuse” as an afterthought—that’s persistence by design.
Defensive Priorities: What Security Teams Should Do Differently
The wrong response is treating this as “just another phishing story.” The right response is updating controls around identity, remote tooling, and endpoint persistence as one integrated problem.
1) Treat unauthorized RMM as an incident, not an IT nuisance
The Hacker News reporting is explicit: organizations should monitor for unauthorized RMM installations and anomalous usage patterns.
Operationally, that means:
Maintain an approved RMM inventory (what’s allowed, where, and why)
Alert on new/first-seen RMM agents and remote-control modules on endpoints
Correlate any RMM installation event with the user, device, time, and preceding email activity
2) Tighten identity controls where credential theft turns into immediate access
When credential theft is the pivot point, hardening identity reduces blast radius:
Enforce phishing-resistant MFA where feasible for email and admin consoles
Apply conditional access (device health, geo-velocity, risk-based sign-in)
Monitor for suspicious sign-ins followed by rapid “tooling changes” on endpoints
3) Detect persistence behaviors, not just malware files
The campaign’s persistence behaviors (service changes, scheduled task creation) are durable signals that often outlive the initial phishing event.
Prioritize detections for:
New scheduled tasks tied to remote-access tooling
Service configuration changes that increase privileges or survivability
Unattended remote access enablement outside change windows
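As an added example (not part of the newsletter or of any vendor’s product), the Python below applies priorities 1 to 3 to a handful of constructed events: each RMM install is checked against an approved inventory, then enriched with a risky sign-in by the same user shortly before it and with scheduled-task or service changes naming the same product after it. The event fields, product labels and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Approved RMM inventory (constructed for this example): product -> hosts allowed to run it.
APPROVED_RMM = {"VendorSupportTool": {"helpdesk-01"}}

# Constructed sample events (not real telemetry). Each carries a timestamp, an event kind,
# the acting user, the endpoint and a detail string (product name or sign-in risk).
EVENTS = [
    {"ts": "2026-04-18T09:02:00", "kind": "signin", "user": "jdoe", "host": "ws-17", "detail": "risk=high"},
    {"ts": "2026-04-18T09:06:30", "kind": "rmm_install", "user": "jdoe", "host": "ws-17", "detail": "LogMeIn Resolve"},
    {"ts": "2026-04-18T09:07:10", "kind": "sched_task", "user": "SYSTEM", "host": "ws-17", "detail": "LogMeIn Resolve"},
    {"ts": "2026-04-18T09:07:15", "kind": "service_change", "user": "SYSTEM", "host": "ws-17", "detail": "LogMeIn Resolve"},
    {"ts": "2026-04-18T11:00:00", "kind": "rmm_install", "user": "it-admin", "host": "helpdesk-01", "detail": "VendorSupportTool"},
]

PERSISTENCE_KINDS = {"sched_task", "service_change"}

def _t(ev):
    return datetime.fromisoformat(ev["ts"])

def triage(events, approved=APPROVED_RMM, window=timedelta(minutes=30)):
    """One finding per RMM install not on the approved inventory for that host, with identity and persistence context."""
    events = sorted(events, key=_t)
    findings = []
    for ev in events:
        if ev["kind"] != "rmm_install":
            continue
        product, host = ev["detail"], ev["host"]
        if host in approved.get(product, set()):
            continue  # known tool on a host where it is expected: no finding
        evidence = ["unapproved_rmm_install"]
        # Identity context: a risky sign-in by the same user within the window before the install.
        for prev in events:
            if (prev["kind"] == "signin" and prev["user"] == ev["user"]
                    and "risk=high" in prev["detail"]
                    and timedelta(0) <= _t(ev) - _t(prev) <= window):
                evidence.append("preceding_risky_signin")
                break
        # Persistence context: scheduled task or service change on the same host naming the same product.
        for nxt in events:
            if (nxt["kind"] in PERSISTENCE_KINDS and nxt["host"] == host
                    and product in nxt["detail"] and _t(nxt) >= _t(ev)):
                evidence.append("persistence:" + nxt["kind"])
        # Escalate only when the full chain (risky identity -> install -> persistence) is present.
        chained = "preceding_risky_signin" in evidence and any(e.startswith("persistence:") for e in evidence)
        findings.append({"host": host, "user": ev["user"], "product": product,
                         "stage": "contain" if chained else "investigate", "evidence": evidence})
    return findings
```

Calling triage(EVENTS) yields a single finding for ws-17 at stage “contain”; the helpdesk-01 install is skipped because that product is approved there.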
4) Assume “normal-looking” tools can be attacker-operated
RMM is a business tool. That’s the problem. Defenders need to shift from “is this tool malicious?” to “is this tool being used maliciously?”
InfoSight Perspective: Reduce Exposure Windows by Measuring the Right Signals
Most organizations still measure phishing defense like a training metric. Attackers measure it like a stopwatch: time-to-credential, time-to-install, time-to-persist.
InfoSight’s approach focuses on shrinking the window between intrusion and containment by treating identity events and endpoint events as one chain:
Continuous visibility into changes that create real control gaps (new remote access tooling, persistence mechanisms, unusual execution patterns) tied to operational impact, not just alerts.
Quantifiable remediation performance: track how long risky access paths stay open after detection, and drive that MTTR down with owner-based accountability and repeatable playbooks.
Threat-led monitoring and response via managed detection and response (MDR/SOCaaS) to catch the “quiet phase” where legitimate tools are doing illegitimate work.
This is the practical takeaway: if defenders only watch for malware, they miss attacks that succeed by using software admins already trust.
Key Takeaways for Leaders
Phishing campaigns are increasingly built to produce persistent remote access, not just mailbox compromise.
Stolen credentials plus legitimate RMM equals a stealthy foothold that can evade legacy detections.
Security programs need an explicit control objective: no unauthorized remote management tooling, and fast containment when it appears.