Misused legitimate remote administration tools remain one of the hardest threats to detect. They don’t rely on custom malware, exploit kits, or obvious red flags—instead, they blend in with everyday IT operations. To traditional security controls, these tools often look indistinguishable from normal administrative activity.
This attack highlights how attackers continue to weaponize legitimate software—and why browser-level visibility is critical for modern detection and response.
Attack Overview: LogMeIn HackTool Drive-By Download
In late 2025, a Keep Aware customer was reviewing activity in their Mimecast Targeted Threat Protection (TTP) admin portal when they noticed a blocked phishing email.
Email security prevented delivery, but a user subsequently pulled it from the blocked queue and followed the phishing email’s link, ultimately leading to the auto-download of a remote administration tool commonly used by IT teams. Attackers use this tactic to remotely gain control of a victim’s device, and by using a legitimate tool, the incident could go unnoticed by endpoint and network controls.
What made this attack notable wasn’t just a user still following the phishing link, despite it being flagged by email security; it was what we’ve seen repeatedly around this same file and delivery pattern—and the visibility browser detection and response (BDR) provides to security teams to quickly investigate incidents and suspicious activity.
This wasn’t an isolated occurrence. We’ve observed similar cases where a legitimate remote access tool executable was automatically downloaded after a user followed a phishing email lure. This tactic has circulated in the cybersecurity landscape for years because the tool can blend seamlessly with normal IT operations. A similar attack occurred late last year: the lure arrived via a personal email account, and the executable was downloaded to a business device from a fake Social Security Administration site.

Why These Attacks Are Difficult to Detect
Attackers favor legitimate remote admin tools because they:
- Are trusted and widely used in enterprise environments
- Rarely trigger antivirus or file reputation-based blocks
- Can appear operationally identical to real IT activity
In this case, and many like it, we’ve observed these tools being:
- Delivered via phishing emails
- Downloaded from newly registered websites (often < 2 months old)
- Hosted on domains uncommon to the victim organization
- Protected by a CAPTCHA challenge
- Automatically downloaded as executable files

How Keep Aware Surfaced Risk in Real Time
Keep Aware, our Browser Detection and Response (BDR) extension, flagged the download event as suspicious in real time, surfacing risk to the security team despite the file being a legitimate remote admin tool. Signals such as a newly registered domain, CAPTCHA-protected access, and a suspicious EXE download originating from an email platform provided critical context—allowing analysts to quickly assess intent, not just file reputation.
With Keep Aware’s browser visibility, security teams can see:
- The exact URL the user browsed to, versus the URL from which the download originated
- Whether the domain was new or previously unseen in your organization
- The user’s browsing activity leading up to the download
- File metadata and browser-level download events tied directly to the user’s session
BDR provided crucial insight into this attack and alerted the security team to the suspicious activity. For analysts and responders, this context is invaluable and a huge time saver.
Why Browser Visibility Matters for Modern Response and Prevention
Traditional controls answer “Was this blocked?” and “Is this a known-malicious IOC?”
BDR answers “What actually happened in the browser?”
That difference matters. Browser telemetry helps teams:
- Understand evolving delivery techniques
- Hunt for similar prior activity
- Build stronger detection logic around behavior outside of traditional controls
Legitimate tools turned malicious won’t stop being a problem. But with browser-level insight, security teams don’t have to treat them as invisible. See how Keep Aware helps teams cut through the noise and provides actionable insights into investigations.
IOCs
IOCs are redacted to protect our customers’ privacy and anonymity.
