TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

RMM Abuse: When IT Convenience Bites Back

2026-03-05

ATT&CK techniques detected

9 predictions
T1219 Remote Access Tools
98%
"RMM Abuse: When IT Convenience Bites Back Cybercrime is booming, and it’s cashing in on your trusted tools and software. That’s the reality of remote monitoring and management (RMM) abuse. And why the Huntress 2026 Cyber Threat Report reported a mind-blowing 277% jump i…"
T1219 Remote Access Tools
95%
"it’s an ideal path of least resistance for attackers to gain access and persist in business environments. Attackers have realized that using pre-installed, legitimate software to launch attacks is more effective than trying to push custom malware past a firewall or endpoint d…"
T1219 Remote Access Tools
95%
"it’s your toughest competition. Download the Huntress 2026 Cyber Threat Report or the TL;DR to better understand and stay ahead of RMM abuse in your own environment."
T1219 Remote Access Tools
80%
"quickly spot unauthorized or unusual remote access activity. - People are a critical defense layer. Security awareness training (SAT), mindful IT reviews, and a “see something, say something” culture help catch suspicious behavior before it turns into ransomware or data exfil…"
T1219 Remote Access Tools
72%
"everyone deserves to know that a "party invite" doesn’t require administrative privileges to open. Furthermore, encourage a culture of vigilance within your IT and security teams. If an analyst sees something weird, they should feel comfortable speaking up. "See something, s…"
T1219 Remote Access Tools
69%
"tools connect to? By fingerprinting approved tools, you can set up alerts for anything that doesn't match. If a new RMM shows up and the hash doesn't match your allow list, or if it tries to connect to an unknown server, you know it needs to be checked out ASAP. Treat every r…"
T1219 Remote Access Tools
49%
"##s in the name of business continuity. How RMM compromises play out It often begins with sneaky social engineering and phishing scams. Users receive an email that looks authentic: think DocuSign request, a party invitation, or a Dropbox link. It then prompts them to click a lin…"
T1566.002 Spearphishing Link
36%
"that involved running enumeration commands and attempting defense evasion by disabling the Huntress agent. Since the credentials belonged to an IT support technician, the threat actor would have gained access to all environments managed by the managed service provider (MSP) if …"
T1219 Remote Access Tools
35%
"this common security mistake: if a tool is approved, every instance of it is automatically trusted. But let’s consider a scenario where a remote employee uses an RMM to access their laptop from home. An administrator sees the traffic and assumes, "normal activity." But this …"

Summary

Cybercrime and RMM abuse are up 277% as attackers exploit trusted tools for stealthy access. Learn how to shift from overtrust to verifying behavior and secure your network.