Microsoft Warns: Attackers Are Weaponizing Legitimate Remote Access Tools in Tax Season Phishing Wave

Microsoft reports phishing campaigns deployed legitimate remote management software instead of traditional malware

Published on Mar 24, 2026
Attackers Abuse ScreenConnect and SimpleHelp in Tax Phishing Wave, Microsoft Warns

Attackers are increasingly deploying legitimate IT administration tools in place of custom malware, according to recent research from Microsoft Threat Intelligence. The researchers identified a campaign that targeted 29,000 users across 10,000 organizations, 95% of which were in the US.

Microsoft observed the shift in deployment method across multiple tax-themed phishing campaigns in early 2026, where attackers consistently delivered Remote Monitoring and Management (RMM) tools such as ScreenConnect, SimpleHelp, and Datto as final payloads.

The campaigns, documented in an advisory published by Microsoft March 19, 2026, used common tax-season lures including W-2 forms, Form 1099 notifications, IRS messages, and requests from accountants.

Microsoft’s data shows financial services (19%), technology (18%), and retail (15%) as the top targeted sectors.

While such social engineering techniques appear every year ahead of the April 15 US tax deadline, the payloads used in this year’s campaigns were concerning because they relied on legitimate signed software instead of traditional malware loaders or trojans.

This reflects a wider change in attacker tactics. Rather than developing malware that risks detection by EDR tools, attackers install legitimate remote administration software that already includes remote desktop access, command execution, file transfer, and persistence features.

Legitimate Admin Tools Now a Post-Compromise Standard

Microsoft identified multiple campaigns where attackers rotated between different RMM tools depending on availability and detection risk. In some IRS-themed phishing campaigns, attackers delivered ScreenConnect, while in others they switched to SimpleHelp.

Microsoft noted some attackers appear to be moving toward SimpleHelp after ConnectWise revoked code-signing certificates linked to ScreenConnect abuse, highlighting how software providers are beginning to take action against the misuse of legitimate IT tools in cyberattacks.

Microsoft warned that this tactical shift is not limited to a single campaign, but is indicative of a broader trend across the threat landscape.

Remote management tools are attractive to attackers because they are signed applications, often trusted by security controls, and their network traffic typically blends in with legitimate administrative activity. That makes them significantly harder to detect than traditional malware C2 traffic.

Microsoft recommends that organizations audit which remote administration tools are present in their environment, implement allowlists or blocklists for approved tools, enforce MFA, and treat any unexpected RMM installation as a high-priority security alert.
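The audit-and-allowlist step above can be expressed as a small detection routine. The following Python is an added example, not Microsoft's tooling or anything published in the advisory: it runs over a constructed software-inventory export (the kind an endpoint agent or CMDB produces), classifies each record into the RMM families named in the advisory, and raises an alert for any installation the allowlist policy does not cover. Host names, product and publisher strings, the name patterns, and the policy itself are all assumptions for illustration.

```python
import re

# Constructed software-inventory export (assumption: one record per installed product).
# Host, product and publisher values are illustrative, not verified vendor strings.
INVENTORY = [
    {"host": "fin-ws-014",   "product": "ScreenConnect Client (tax-support)",   "publisher": "ConnectWise",   "installed_by": "jdoe"},
    {"host": "it-ws-001",    "product": "ScreenConnect Client (corp-helpdesk)", "publisher": "ConnectWise",   "installed_by": "SYSTEM"},
    {"host": "fin-ws-022",   "product": "SimpleHelp Remote Access",             "publisher": "SimpleHelp Ltd", "installed_by": "msmith"},
    {"host": "fin-ws-022",   "product": "Microsoft 365 Apps",                   "publisher": "Microsoft",     "installed_by": "SYSTEM"},
    {"host": "hr-ws-007",    "product": "Datto RMM Agent",                      "publisher": "Datto",         "installed_by": "SYSTEM"},
    {"host": "sales-ws-003", "product": "Datto RMM Agent",                      "publisher": "Datto",         "installed_by": "bjones"},
]

# Name patterns for the RMM families the advisory mentions. Matching on product name
# plus publisher is an assumption; a production detection would also key on service
# names, file hashes and the code-signing identity.
RMM_PATTERNS = {
    "ScreenConnect": re.compile(r"screenconnect|connectwise control", re.I),
    "SimpleHelp":    re.compile(r"simplehelp", re.I),
    "Datto":         re.compile(r"\bdatto\b", re.I),
}

# Allowlist policy (assumed): which family is sanctioned, on which hosts ("*" = any),
# and which accounts are expected to perform the install.
POLICY = {
    "approved_tools": {"Datto": {"*"}, "ScreenConnect": {"it-ws-001"}},
    "approved_installers": {"SYSTEM", "svc-deploy"},
}


def classify_rmm(record):
    """Return the RMM family a record belongs to, or None if it is not an RMM tool."""
    text = f"{record['product']} {record['publisher']}"
    for family, pattern in RMM_PATTERNS.items():
        if pattern.search(text):
            return family
    return None


def audit(inventory, policy):
    """Compare every RMM installation against the allowlist and return alerts.

    Severity follows the advisory's guidance: an RMM tool that is not on the allowlist,
    or an allowlisted one on a host outside its scope, is high. An allowlisted tool on
    a permitted host but installed by an unexpected account is medium; it may be a
    helpdesk one-off, but it bypassed the deployment pipeline and needs a look.
    """
    alerts = []
    approved = policy["approved_tools"]
    installers = policy["approved_installers"]
    for rec in inventory:
        family = classify_rmm(rec)
        if family is None:
            continue
        base = {"host": rec["host"], "tool": family, "installed_by": rec["installed_by"]}
        if family not in approved:
            alerts.append({**base, "severity": "high", "reason": "RMM tool not on allowlist"})
        elif "*" not in approved[family] and rec["host"] not in approved[family]:
            alerts.append({**base, "severity": "high", "reason": "allowlisted RMM tool on host outside its scope"})
        elif rec["installed_by"] not in installers:
            alerts.append({**base, "severity": "medium", "reason": "RMM installed outside the deployment pipeline"})
    return alerts


def summarize(alerts):
    """Count alerts per RMM family; useful for spotting tool rotation across hosts."""
    counts = {}
    for a in alerts:
        counts[a["tool"]] = counts.get(a["tool"], 0) + 1
    return counts


if __name__ == "__main__":
    found = audit(INVENTORY, POLICY)
    for a in found:
        print(f"[{a['severity'].upper()}] {a['host']}: {a['tool']} installed by {a['installed_by']} - {a['reason']}")
    print("by tool:", summarize(found))
```

On the constructed data this flags the ScreenConnect install on a finance workstation and the SimpleHelp install as high, and the Datto agent installed by an ordinary user as medium, while the IT helpdesk host and the pipeline-installed agent pass. The point of keying alerts on family rather than on a single product string is that the advisory describes attackers rotating between tools; a new family is added by extending the pattern table, not by rewriting the rule.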