TL;DR: Credential harvesting pages, spoofed OnlyOffice and Teams lures, benign conversation starters, and RMM payloads were used against academics and policy experts from June to August 2025 as Proofpoint tracked UNK_SmudgedSerpent, with TTP overlap across TA453, TA455, and TA450. The pattern shows how phishing, identity deception, and remote tooling can converge into a flexible access path that security teams must treat as a governance problem, not just an email problem.
At a glance
What this is: This is an analysis of a phishing cluster that blended social engineering, credential theft, and RMM delivery to target academics and policy experts.
Why it matters: It matters because identity teams must govern the handoff from lure to credential capture to remote access, where email security, account protection, and device control all intersect.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
👉 Read Proofpoint's analysis of the UNK_SmudgedSerpent phishing and RMM chain
Context
This campaign is a reminder that phishing is no longer just an inbox problem. The real governance issue starts when a human target is induced to trust a conversation, a login page, or a file-hosting link that then becomes the entry point for credential theft and remote access.
For identity programmes, the lesson is that access control cannot stop at authentication. When attackers move from social engineering to harvested credentials and then to RMM tools, the boundary between email security, account protection, and device-level execution collapses into one identity attack chain.
The article also shows why attribution should remain cautious. Overlapping tactics with TA453, TA455, and TA450 may indicate shared tradecraft, shared infrastructure, or simple imitation, but the practitioner takeaway is the same: the lure, credential page, and remote tool all need to be treated as a single access workflow.
Key questions
Q: What breaks when phishing moves from a lure to credential capture and remote access?
A: The main failure is assuming phishing ends at password theft. In reality, a successful lure can become a complete access workflow when the attacker uses the same conversation to capture credentials, deliver remote-admin tooling, and maintain interactive control. Defenders need to model the full chain, not just the login event.
Q: Why do attacker-controlled login pages remain effective against identity programmes?
A: They work because the attack starts before authentication, by shaping the target’s trust in the brand and the session. A phishing-resistant login factor helps, but it does not remove the risk created by a convincing redirect chain, a preloaded page, or a familiar collaboration workflow used as a lure.
Q: What do security teams get wrong about remote support tools?
A: Teams often treat remote support tools as neutral utilities, but they become high-risk when an attacker uses user consent to gain interactive control of an endpoint. The mistake is focusing only on the tool’s legitimacy instead of the context in which it is invoked. Approval, verification, and logging matter as much as allow-listing.
Q: How should organisations respond when phishing moves from single emails to fabricated threads?
A: Treat the conversation itself as an attack surface. Verify sender identity, address consistency, and business context before acting on payment or credential requests. Mailbox controls should flag improbable participant domains, mismatched thread history, and sudden topic changes that do not fit the organisation's normal communication patterns.
Technical breakdown
How benign-conversation phishing becomes an identity entry point
The first stage is social trust, not malware. Attackers open with a plausible, topical conversation so the target is more likely to continue the thread and accept a follow-up link. Once the target engages, the campaign shifts from relationship-building to credential capture, often by impersonating a familiar collaboration service or file portal. The technical point is that the attacker is not trying to break authentication immediately. They are engineering the victim into initiating the access path, which makes the later credential event look routine to both the user and monitoring systems.
Practical implication: Treat repeated conversational lures as precursor activity and feed them into user-awareness and detection workflows before any login attempt occurs.
Why spoofed OnlyOffice and Microsoft pages work so well
The campaign relied on layered deception, with URLs that looked like OnlyOffice or Microsoft but actually redirected to attacker-controlled domains. The page often preloaded a target’s details, which makes the prompt feel personalized and lowers suspicion. From an identity perspective, this is session manipulation by familiarity: the attacker borrows a trusted brand, a known workflow, and a believable object to make the credential submission feel safe. The important detail is that the security failure begins before the password is typed, because the user has already accepted the legitimacy of the session boundary.
Practical implication: Monitor for brand-spoofed login pages and redirect chains, and validate that phishing-resistant authentication is paired with page-level detection, not used alone.
How RMM tools turn a successful click into remote execution
After credential harvesting, the actor delivered archives and MSI loaders that installed PDQConnect and later ISL Online. RMM tools are legitimate administration software, which means their abuse does not always look like conventional malware delivery. Once installed, they can give an operator interactive control, file transfer capability, and persistence under the guise of authorised support activity. In this case, the RMM stage matters because it turns a single successful lure into hands-on-keyboard access without requiring custom payloads at every step.
Practical implication: Restrict RMM installation paths, alert on unsanctioned RMM binaries, and treat remote-admin tooling as a privileged execution channel.
Threat narrative
Attacker objective: The attacker sought to capture credentials and convert that trust into remote interactive access for espionage-style follow-on activity.
- Entry began with a benign political or professional conversation that encouraged the target to reply and click a spoofed collaboration link. Credential access followed when the attacker presented a preloaded Microsoft-style login page or other credential-harvesting page disguised as OnlyOffice. Escalation occurred when the target was pushed toward archive files and MSI loaders that installed RMM software, creating remote control over the endpoint. Impact was achieved through interactive access, follow-on phishing in the same thread, and suspected hands-on-keyboard use of the remote management tools.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity deception has become a full access chain, not a single phishing event. This campaign combined conversation lures, credential theft, and remote administration tooling into one sequence, which means defenders cannot evaluate each stage in isolation. The governance problem is not simply whether a user clicked. It is whether the identity programme treats the handoff from trust to credential capture to remote execution as one continuous risk path, which is the only way to reduce operator dwell time.
Phishing-resistant authentication does not eliminate workflow impersonation risk. The attacker succeeded by borrowing the look and feel of collaboration and file-sharing services before any authentication decision was made. That means identity architecture must account for pre-authentication trust signals, not only login strength. For practitioners, the control boundary needs to include brand abuse, redirect chains, and file-hosting deception because that is where the target’s decision is shaped.
Remote management tools are privileged identity channels when attackers control the deployment path. PDQConnect and ISL Online are ordinary administration tools, but in attacker hands they become remote execution and persistence mechanisms. This is a classic NHI governance issue in disguise: legitimate software is being used as an access broker. Practitioners should treat sanctioned remote tools as part of privileged-access governance, not just endpoint software inventory.
UNCERTAIN attribution does not reduce the governance lesson. The overlapping TTPs across TA453, TA455, and TA450 show how adversaries borrow one another’s tradecraft, infrastructure themes, and lure styles. That ambiguity matters for intelligence teams, but it does not change the defensive response. The practical conclusion is to build controls against the pattern of identity abuse, not against a single named cluster.
Conversational phishing creates a social engineering dwell window that outlasts the first message. The attackers kept the same thread alive after the initial response, adjusted the lure when suspicion rose, and then changed delivery methods. That persistence shows the value of treating email threads as a living attack surface. Identity teams should assume the attacker will adapt within the same conversation until the target disengages.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how slowly identity exposure is actually remediated in practice.
- That gap is explored further in Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs, which is the right next step when phishing becomes an access-lifecycle problem.
What this signals
Identity abuse is increasingly threaded through ordinary collaboration behaviour. For practitioners, that means email security, IAM, and endpoint control can no longer operate as separate response lanes. The practical shift is to correlate conversation patterns, login prompts, and remote-tool deployment as a single event path, then feed it into your identity telemetry and incident workflows.
With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, access abuse scales quickly once a foothold is established. That statistic is a reminder that identity programmes need to be built for blast-radius reduction, not only prevention. In campaigns like this, a compromised account or remote tool becomes more dangerous when downstream privileges are broad and poorly segmented.
The operational signal to watch is not just a single suspicious email, but the combination of brand impersonation, thread persistence, and any move toward remote-admin software. That combination points to a blended identity and execution threat that should be handled as an access-control event, not just a malware event.
For practitioners
- Block the trust handoff in email threads Flag repeated back-and-forth conversations that transition from benign discussion to links, file shares, or login prompts, especially when the sender changes tone or urgency after the first reply.
- Detect brand-spoofed login redirects Correlate OnlyOffice, Microsoft 365, and Teams impersonation pages with intermediate attacker domains, then alert when the visible brand and final destination do not match.
- Restrict unsanctioned RMM installation paths Only allow RMM deployment from approved software channels, and quarantine MSI loaders that introduce PDQConnect, ISL Online, or similar remote-admin tooling outside standard IT workflows.
- Treat remote-admin tools as privileged channels Apply privileged-access monitoring to any endpoint that can receive remote control software, because once an attacker installs it, the session behaves like elevated access rather than ordinary malware.
Key takeaways
- This campaign shows how phishing, credential theft, and remote administration can merge into one identity abuse chain.
- The evidence points to a flexible operator pattern that adapts within the same thread, which makes email-only defences insufficient.
- The most effective control point is the handoff from trusted conversation to credential page to remote tooling, where governance gaps become exploitable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0001 Initial Access; TA0006 Credential Access; TA0002 Execution; TA0003 Persistence | The article tracks phishing, credential harvesting, and RMM deployment as an attack chain. |
| NIST CSF 2.0 | PR.AC-1 | Phishing and impersonation undermine identity assurance and access control. |
| NIST SP 800-53 Rev 5 | IA-5 | Credential harvesting and password reuse make authenticator management central here. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Credential abuse and access path exposure map to core NHI governance failures. |
| NIST Zero Trust (SP 800-207) | 3.1 | The campaign exploits trust in network and application boundaries. |
Map conversation lures, credential capture, and RMM installation to ATT&CK and tune detections across the whole chain.
Key terms
- Conversational phishing: A social engineering tactic that begins with a benign or topical exchange and gradually moves the target toward clicking a link, sharing credentials, or opening a file. The attack gains power from trust built in the conversation, not from a malicious attachment alone.
- Remote Monitoring and Management: Remote Monitoring and Management, or RMM, is software used to administer devices and systems from afar. In this context it becomes a high-risk control plane because it can reach many assets at once and often carries enough privilege to change configuration, suppress alerts, or trigger operational actions.
- Credential Harvesting: Credential harvesting is the collection of secrets, tokens, keys, or certificates from a compromised workload. In container environments, it often targets file paths, environment variables, service account tokens, and metadata services because those locations frequently hold reusable identity material.
What's in the full report
Proofpoint's full report covers the operational detail this post intentionally leaves for the source:
- The full infection-chain timeline across June to August 2025, including the sequence of persona changes and lure topics.
- Domain and infrastructure indicators, including the health-themed hosts and OnlyOffice-style delivery paths used in the campaign.
- File-level artefacts and loader behaviour, including the ZIP, MSI, and RMM deployment chain.
- Comparative TTP mapping against TA453, TA455, and TA450 for teams building detection logic.
👉 Proofpoint's full report covers the infection chain, infrastructure, and TTP overlap in detail.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org