Malicious actors exploit Zoom and Teams to deploy remote access tools

Attackers are abusing trust in virtual meeting platforms to trick employees into installing legitimate remote management software that grants full system access.

What happened

A surge in phishing campaigns is targeting corporate employees using fake meeting invitations that impersonate popular video platforms, including Zoom, Microsoft Teams, and Google Meet. According to CyberPress, the emails urge recipients to join urgent meetings and direct them to convincing phishing pages designed to look like real conferencing interfaces, complete with simulated participant lists that appear to update live. When users attempt to join, they are told their application is outdated and must install a required update, which redirects them to typo-squatted domains such as zoom-meet.us. The downloaded file is presented as legitimate software, often a digitally signed executable or MSI installer, allowing attackers to establish remote access without deploying traditional malware files.

Going deeper

Phishing sites designed to mimic legitimate meeting platforms use official branding and familiar layouts to create urgency and pressure victims into joining fake calls. When users attempt to enter the meeting, they receive a message claiming a compatibility issue or required update, prompting them to download an installer that silently deploys a remote monitoring and management (RMM) tool such as Datto RMM, LogMeIn Unattended, or ScreenConnect. RMM tools are legitimate IT administration programs used for remote support, and because they carry a valid vendor code signature and are commonly allowed in enterprise environments, security controls may not flag them as malicious. The signature only proves who built the installer, not who will be operating the agent: once it is installed and enrolled in an attacker-controlled RMM tenant, the attacker gains remote control of the device, including file transfers, command execution, and movement to other systems the user can reach, all without deploying traditional malware.

What was said

Threat researchers tracking the campaign found that the phishing pages used realistic design tactics such as simulated participant activity and countdown timers to create urgency and appear legitimate. The analysis stated that attackers are “leveraging legitimate RMM tools to gain remote access, avoiding traditional malware detection mechanisms,” and warned that the campaign exploits user trust in everyday video conferencing and collaboration platforms. The findings were published in February 2026 as part of an investigation into phishing activity abusing online meeting services; the reporting included no public responses from the platform providers whose brands were impersonated.

In the know

Similar tactics have recently been observed in campaigns abusing Microsoft Teams invitations themselves. In a separate phishing operation, attackers used legitimate Teams guest invites to send fake billing alerts that appeared to come from official Microsoft notification emails, successfully bypassing many email security controls. Instead of delivering malware directly, victims were prompted to call attacker-controlled phone numbers, shifting the attack into voice phishing, where traditional defenses are weaker.

The big picture

The activity points to security risks associated with the widespread use of collaboration platforms such as Zoom, Microsoft Teams, and Google Meet, which are now core workplace communication tools. Research from Metrigy, cited by TechTarget, found that 41% of organizations rely on multiple meeting platforms, increasing the volume of daily collaboration activity, and reporting referenced by Forbes noted that large enterprises generate hundreds of millions of collaboration messages each year, creating constant streams of trusted invitations and notifications. Analysts say attackers are disguising access requests as routine meeting updates instead of sending traditional malware, consistent with findings from Paubox that misconfigurations and trusted communication platforms continue to enable breaches. That places greater pressure on organizations to verify identities, train users, and monitor remote access activity rather than relying only on file-based threat detection.

FAQs

Why are attackers using legitimate remote management tools instead of custom malware?

Legitimate RMM tools are digitally signed by their vendors and commonly approved within enterprise environments, so antivirus and endpoint detection systems are less likely to block them. A valid signature is not evidence that the installation was authorized, so defenders should treat an RMM install as suspicious whenever the tool is not one the IT department deploys or the install did not come through the normal deployment path.

How does the fake update tactic increase success rates?

Users expect software updates for collaboration platforms, so a prompt requesting an update appears routine, especially when tied to an urgent meeting scenario.

What is typo squatting in this context?

Typo squatting involves registering domain names that closely resemble legitimate brands to trick users into believing they are interacting with an official site. In this campaign, zoom-meet.us combines the Zoom brand with the same .us top-level domain as the real zoom.us, so a user who glances at the address bar sees a familiar name and TLD, even though the registrable domain is entirely under attacker control.

How can organizations detect malicious RMM activity?

Security teams can monitor for unusual administrative access, unexpected outbound connections to RMM vendor relay infrastructure, and deviations from normal usage patterns rather than relying only on signature-based detection. Practical signals include an RMM agent that is not on the organization's approved tool list, an RMM installer launched from a user-writable location such as a Downloads folder, and a user who contacts a lookalike meeting domain shortly before such an install appears.
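The following is an added example, not code from the article, from CyberPress, or from any RMM vendor, showing how the two signals the FAQs describe (lookalike meeting domains, and RMM installs outside the approved tool set) can be checked over endpoint telemetry and correlated per user. The legitimate domain list, the product-metadata strings used to recognize each RMM tool, the vendor relay domains, the approved-tool list, and the sample events are all assumptions constructed for illustration and should be replaced with your own inventory and real telemetry.

```python
"""Added example: triage constructed endpoint telemetry for lookalike meeting
domains and unexpected RMM installs, and correlate the two per user."""
import re
from datetime import datetime, timedelta
from typing import Optional

# Registrable domains treated as the real meeting platforms (assumption).
LEGIT_MEETING_DOMAINS = {"zoom.us", "microsoft.com", "google.com"}
BRAND_TOKENS = {"zoom", "teams", "meet"}

# RMM tools the article names, keyed by substrings expected in a binary's or
# installer's product metadata. The strings and relay domains are assumptions
# for illustration, not a vetted inventory.
RMM_PRODUCTS = {
    "screenconnect": ("screenconnect", "connectwise control"),
    "datto rmm": ("datto rmm", "centrastage"),
    "logmein": ("logmein",),
}
RMM_RELAY_DOMAINS = {"screenconnect.com": "screenconnect",
                     "centrastage.net": "datto rmm",
                     "logmein.com": "logmein"}
# Tools the help desk actually deploys (assumption); anything else is unexpected.
APPROVED_RMM = {"datto rmm"}
USER_WRITABLE = re.compile(r"\\(downloads|appdata|temp)\\", re.IGNORECASE)
CORRELATION_WINDOW = timedelta(minutes=30)


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Toy public-suffix handling; use a public
    suffix list in production so that names like example.co.uk are not cut."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_lookalike_meeting_domain(host: str) -> bool:
    """True when the registrable domain contains a meeting brand as a whole
    token (zoom-meet.us) but is not one of the legitimate platform domains.
    Token matching keeps unrelated names such as meetup.com out."""
    reg = registrable_domain(host)
    if reg in LEGIT_MEETING_DOMAINS:
        return False
    tokens = set(re.split(r"[^a-z0-9]+", reg))
    return bool(tokens & BRAND_TOKENS)


def rmm_product(meta: str) -> Optional[str]:
    """Map product/company metadata to one of the known RMM tools, or None."""
    low = meta.lower()
    for name, needles in RMM_PRODUCTS.items():
        if any(n in low for n in needles):
            return name
    return None


def triage(events):
    """Return (severity, user, message) findings for a list of event dicts.

    Events carry 'ts', 'type', 'user' and either 'dest_host' (type 'network')
    or 'image' and 'product' (type 'process'). An unexpected RMM install that
    follows a lookalike-domain contact by the same user within
    CORRELATION_WINDOW is escalated to 'high'.
    """
    findings = []
    last_lookalike = {}  # user -> time of most recent lookalike contact
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        if ev["type"] == "network":
            host = ev["dest_host"]
            if is_lookalike_meeting_domain(host):
                last_lookalike[user] = ts
                findings.append(("medium", user, f"contact with lookalike meeting domain {host}"))
            tool = RMM_RELAY_DOMAINS.get(registrable_domain(host))
            if tool and tool not in APPROVED_RMM:
                findings.append(("medium", user, f"outbound to {tool} relay {host} (not approved)"))
        elif ev["type"] == "process":
            tool = rmm_product(ev.get("product", ""))
            if not tool or tool in APPROVED_RMM:
                continue  # not an RMM tool, or one IT legitimately deploys
            sev, why = "medium", [f"unexpected RMM {tool} from {ev['image']}"]
            if USER_WRITABLE.search(ev["image"]):
                why.append("user-writable path")
            seen = last_lookalike.get(user)
            if seen is not None and ts - seen <= CORRELATION_WINDOW:
                sev = "high"
                why.append("within 30 min of lookalike meeting domain contact")
            findings.append((sev, user, "; ".join(why)))
    return findings


# Constructed sample telemetry for the example (not real logs).
T0 = datetime(2026, 2, 10, 9, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "type": "network", "user": "alice", "dest_host": "us05web.zoom.us"},
    {"ts": T0 + timedelta(minutes=2), "type": "network", "user": "bob", "dest_host": "zoom-meet.us"},
    {"ts": T0 + timedelta(minutes=5), "type": "process", "user": "bob",
     "image": r"C:\Users\bob\Downloads\ZoomUpdate.msi", "product": "ScreenConnect Client"},
    {"ts": T0 + timedelta(minutes=6), "type": "network", "user": "bob",
     "dest_host": "acme-it.screenconnect.com"},
    {"ts": T0 + timedelta(minutes=7), "type": "process", "user": "carol",
     "image": r"C:\Program Files\Datto\AEM\CagService.exe", "product": "Datto RMM Agent"},
    {"ts": T0 + timedelta(minutes=9), "type": "network", "user": "dave", "dest_host": "meetup.com"},
]

if __name__ == "__main__":
    for sev, user, msg in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {user}: {msg}")
```

Run against the sample events, only bob produces findings: the zoom-meet.us contact, a high-severity ScreenConnect install from his Downloads folder three minutes later, and the outbound connection to the ScreenConnect relay. Carol's Datto RMM agent is on the approved list and is skipped, and alice's real zoom.us traffic and dave's meetup.com visit are not lookalikes. The correlation step is what turns two medium signals into something worth paging on.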

Why are collaboration platforms particularly attractive targets?

Video conferencing tools are high-trust, high-frequency platforms used across all levels of an organization, increasing the likelihood that users will act quickly without verifying authenticity.