
The MSP Security Gap
The breach came through a tool you trust with everything.
The scenario:
Your RMM agent runs on every client machine. It has system-level access. It can execute scripts, install software, and modify configurations.
Now imagine someone else has access to that console. Not through a vulnerability in the tool. Through a compromised technician credential. One account. Full access to every client endpoint you manage.
The attack:
STAGE 1: TARGETING THE MSP
Attacker identifies the MSP as a high-value target (one MSP = hundreds of client endpoints).
Sends a targeted phishing email to a senior technician with RMM console access.
The email impersonates the RMM vendor’s support team requesting a password reset.
STAGE 2: CONSOLE COMPROMISE
Technician enters credentials on a cloned login page.
Attacker captures username, password, and MFA token (real-time relay).
Logs into the RMM console with full administrative access.
Has visibility and control over 2,300 endpoints across 47 client organisations.
STAGE 3: WEAPONISATION
Creates a scheduled script deployment targeting all managed endpoints.
Script disables Windows Defender, creates a local admin account, and opens a reverse shell.
Deploys during a maintenance window to blend in with legitimate activity.
Script executes on 1,847 endpoints within 45 minutes.
STAGE 4: RANSOMWARE DEPLOYMENT
Uses the reverse shells to deploy ransomware across all compromised endpoints simultaneously.
Encrypts data on 1,847 machines across 47 organisations in under 2 hours.
Demands separate ransoms from each affected client.
Total estimated damage: £4.2 million across all organisations.
What stopped it:
In this scenario, the deployment was partially stopped by one client’s network segmentation, which prevented lateral movement from the endpoint to their servers. The remaining 46 clients had flat networks and were fully compromised.
How to defend against it:
Enforce phishing-resistant MFA on all RMM console access (FIDO2 keys, not SMS)
Implement IP allowlisting for RMM console access
Require approval workflows for mass script deployments
Monitor for unusual script execution patterns (time, scope, content)
Segment RMM access so no single account controls all clients
Review RMM audit logs daily for anomalous activity
Run tabletop exercises simulating RMM console compromise annually
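One way to put the monitoring and audit-log review controls above into practice, as an added example that is not code from the original page: it flags script deployments that are unusual in scope (many distinct endpoints in a short window), time (outside business hours) or content (a script not in the change-approved catalogue). The pipe-delimited log format, the approved-script list, the thresholds and the sample log lines are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed change-approved script catalogue (ties in with the approval workflow control).
APPROVED_SCRIPTS = {"patch-check.ps1", "disk-report.ps1"}

# Constructed RMM audit-log excerpt. Assumed format: ts|actor|action|endpoint|script.
# Two normal daytime deploys, then one actor pushing an unapproved script to 60
# endpoints between 02:00 and 02:59 UTC (one per minute).
SAMPLE_LOG = (
    "2024-03-02T10:15:00Z|tech.junior|script_deploy|WS-0007|patch-check.ps1\n"
    "2024-03-02T10:16:00Z|tech.junior|script_deploy|WS-0008|patch-check.ps1\n"
    + "".join(
        f"2024-03-02T02:{m:02d}:00Z|tech.senior|script_deploy|WS-{n:04d}|maint-cleanup.ps1\n"
        for n, m in enumerate(range(60), start=100)
    )
)


def parse_log(text):
    """Parse the assumed pipe-delimited format into event dicts with UTC timestamps."""
    events = []
    for line in text.splitlines():
        ts, actor, action, endpoint, script = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "actor": actor, "action": action,
                       "endpoint": endpoint, "script": script})
    return events


def find_anomalies(events, max_endpoints=25, window=timedelta(minutes=60),
                   business_hours=(8, 18)):
    """Return (kind, actor, script, count) alerts for scope, time and content anomalies."""
    alerts = []
    by_key = defaultdict(list)  # group deploys per (actor, script)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "script_deploy":
            by_key[(e["actor"], e["script"])].append(e)
    for (actor, script), evs in by_key.items():
        # Scope: distinct endpoints touched inside a sliding time window.
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            endpoints = {x["endpoint"] for x in evs[start:end + 1]}
            if len(endpoints) > max_endpoints:
                alerts.append(("scope", actor, script, len(endpoints)))
                break
        # Time: any deploy outside business hours (hours assumed to be UTC).
        if any(not business_hours[0] <= x["ts"].hour < business_hours[1] for x in evs):
            alerts.append(("time", actor, script, len(evs)))
        # Content: script is not in the approved catalogue.
        if script not in APPROVED_SCRIPTS:
            alerts.append(("content", actor, script, len(evs)))
    return alerts
```

Feed it a day's export of RMM audit events and treat any "scope" hit on a script outside the catalogue as a candidate console compromise to escalate immediately.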
Your RMM is the keys to every client’s environment. If an attacker gets in, they don’t need to breach 47 organisations. They only need to breach you.
Review your RMM access controls today.