TL;DR: Credential harvesting pages, spoofed OnlyOffice and Teams lures, benign conversation starters, and RMM payloads were used against academics and policy experts from June to August 2025 as Proofpoint tracked UNK_SmudgedSerpent, with TTP overlap across TA453, TA455, and TA450. The pattern shows how phishing, identity deception, and remote tooling can converge into a flexible access path that security teams must treat as a governance problem, not just an email problem.
NHIMG editorial — based on content published by Proofpoint: LLMjacking? No, UNK_SmudgedSerpent phishing and remote management tool abuse against academics and policy experts
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: What breaks when phishing moves from a lure to credential capture and remote access?
A: The main failure is assuming phishing ends at password theft.
Q: Why do attacker-controlled login pages remain effective against identity programmes?
A: They work because the attack starts before authentication, by shaping the target’s trust in the brand and the session.
Q: What do security teams get wrong about remote support tools?
A: Teams often treat remote support tools as neutral utilities, but they become high-risk when an attacker uses user consent to gain interactive control of an endpoint.
Practitioner guidance
- Block the trust handoff in email threads Flag repeated back-and-forth conversations that transition from benign discussion to links, file shares, or login prompts, especially when the sender changes tone or urgency after the first reply.
- Detect brand-spoofed login redirects Correlate OnlyOffice, Microsoft 365, and Teams impersonation pages with intermediate attacker domains, then alert when the visible brand and final destination do not match.
- Restrict unsanctioned RMM installation paths Only allow RMM deployment from approved software channels, and quarantine MSI loaders that introduce PDQConnect, ISL Online, or similar remote-admin tooling outside standard IT workflows.
What's in the full report
Proofpoint's full report covers the operational detail this post intentionally leaves for the source:
- The full infection-chain timeline across June to August 2025, including the sequence of persona changes and lure topics.
- Domain and infrastructure indicators, including the health-themed hosts and OnlyOffice-style delivery paths used in the campaign.
- File-level artefacts and loader behaviour, including the ZIP, MSI, and RMM deployment chain.
- Comparative TTP mapping against TA453, TA455, and TA450 for teams building detection logic.
👉 Read Proofpoint's analysis of the UNK_SmudgedSerpent phishing and RMM chain →
Iran-linked phishing and RMM use: what identity teams should watch?
Explore further
Identity deception has become a full access chain, not a single phishing event. This campaign combined conversation lures, credential theft, and remote administration tooling into one sequence, which means defenders cannot evaluate each stage in isolation. The governance problem is not simply whether a user clicked. It is whether the identity programme treats the handoff from trust to credential capture to remote execution as one continuous risk path, which is the only way to reduce operator dwell time.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how slowly identity exposure is actually remediated in practice.
A question worth separating out:
Q: How should organisations respond when phishing moves from single emails to fabricated threads?
A: Treat the conversation itself as an attack surface. Verify sender identity, address consistency, and business context before acting on payment or credential requests. Mailbox controls should flag improbable participant domains, mismatched thread history, and sudden topic changes that do not fit the organisation's normal communication patterns.
👉 Read our full editorial: Iran-linked phishing clusters blur into a new credential theft actor