Exploiting the Service Desk: How Threat Actors Abuse Your Most Trusted Relationships
As security solutions have evolved, attackers have been forced to shift their tactics to remain viable at scale. In recent years, this shift has become increasingly dependent on the exploitation of pre-established trust. Taking advantage of a user’s trust isn’t abnormal, or even new. However, the ways attackers take advantage of trust and authority are constantly evolving, resulting in malicious activity that blends into legitimate activity with increasing ease and credibility. This makes detection and containment increasingly difficult for both average users and security solutions.
Key Takeaways
- Threat actors utilize a combination of new techniques and evolutions of old techniques to gain access to critical systems, steal data, and deploy ransomware.
- The United States lost $21 billion through a number of these common attacks, a 37% increase from 2024 (FBI Internet Crime Report, 2025).
- Common tactics include: tech support scams, business email compromise (BEC), personal data breaches, Fake CAPTCHA/ClickFix attacks, trusted remote access compromise, or malicious use of legitimate third-party software.
- These attacks are effective. They are present in a large portion of incidents actioned by the Blackpoint SOC, marking a clear shift in attacker methodology towards tactics that are quieter, blend in with expected network traffic, and are difficult to identify and contain by traditional security solutions.
- The use of these techniques is expected to rise in the coming months. Blackpoint APG assesses with high certainty that these attacks will continue to impact the healthcare, manufacturing, and MSP/SMB market as a whole.
The Social Engineering of It All
Some of the most impactful publicly disclosed incidents in the past year originated in social engineering over the phone. Scattered Spider, a threat group believed to be made up of teenagers and young adults from the United States and the United Kingdom, famously called the Help Desks of several large organizations, prepared with plausible explanations and publicly available details about the organization (such as manager names) and/or the person they were impersonating. These incidents often made headlines and resulted in high-impact ransomware attacks internationally. The FBI 2025 Internet Crime Report states that the United States lost a whopping $21 billion through tactics such as tech support scams, business email compromises, and personal data breaches, up 37% from 2024.
While attackers have begun targeting Help Desks with these types of calls to gain access to highly privileged user accounts, attackers have posed as Help Desk/IT Support to target users for years. This shows that the relationship between IT Support and end users can be exploited in either direction. There is an inherent trust present when a user gets a call from IT, making the caller’s stories and claims more impactful for the victim. Phone calls demand an immediate response and minimize the time a user has to think about the message they are receiving, making phishing phone calls higher risk than traditional phishing over email.
General awareness of scam calls requesting money has gone up in recent years, and more people are identifying them. Despite this, tech support scams that simply seek access to victim machines are harder for the average user to identify, especially in large organizations where they might not know everyone working in Help Desk, or when an organization contracts with a Managed Service Provider (MSP) or external Help Desk services. The thought process may mirror the following:
“It’s just IT looking for access to my machine, doesn’t IT do that all the time? After all, how else are they supposed to fix the problem?”
It’s easy to see how this may be difficult to identify, especially if attackers come armed with key bits of information about the organization.
The Shift Toward Trust-Based Cyber Attacks
Over the past year, the Blackpoint SOC has identified a shift in threat actor tradecraft, corroborated by external research. While attackers have always used social engineering in some capacity or another, a more dramatic reliance on exploiting trusted relationships is emerging, specifically to evade traditional detection by security software.
Threat actors are increasing their reliance on:
- Legitimate third-party software (such as RMMs or productivity monitoring tools)
- Misconfigured or vulnerable remote access software (such as SSL VPNs)
- Lax user permissions, as seen in Fake CAPTCHA/ClickFix attacks
RMM Abuse: Exploiting Legitimate Remote Management Tools
RMM tools enable MSPs to manage endpoints at scale, making them common in most environments. Abuse of legitimate RMM tools accounted for 30.3% of all identifiable incidents actioned by the Blackpoint SOC in 2025, with ScreenConnect alone appearing in 71.5% of rogue RMM incidents. This activity has historically produced low-fidelity signals for standard security tooling, resulting in limited alerting. Although detection capabilities are improving, reliably distinguishing legitimate from malicious RMM use remains difficult for traditional security tools.
SSL VPN Exploitation
SSL VPNs have the same issue. How do plug-and-play security solutions tell the difference between a legitimate user accessing the environment through the VPN and a malicious actor who has compromised that user’s account? That first login will look the same as any other (barring behavioral differences, such as the time of day). SSL VPN abuse accounted for 32.8% of all identifiable incidents, with SonicWall devices alone accounting for 59% of SSL VPN incidents observed by the SOC. When a given technology is the intended way to access the environment, detecting malicious access through that same technology is a challenge.
Fake CAPTCHA and ClickFix Attacks
Fake CAPTCHA/ClickFix techniques were by far the most prevalent campaign of 2025, making up 57.7% of all identifiable incidents actioned by the Blackpoint SOC. To the user they may just look like a new verification challenge, and they bank on the user’s permissions within the environment being lax enough to execute the initial beaconing command. They don’t need to exploit a vulnerability or download malware for initial access, both of which can be noisy and easily detected by security software. Instead, they take advantage of a user’s inherent permissions and trick the user into executing the commands for them.
These three techniques all heavily rely on one thing: trust. The inherent trust in these systems is what makes their abuse harder to detect.
Modern Kill Chains: A Real-World Example
The Blackpoint SOC responded to suspicious domain enumeration on an end user’s host. Further analysis revealed the recent launch of Quick Assist and an abnormal executable download, which turned out to be a renamed copy of the AnyDesk RMM tool. The threat actor then downloaded a Remote Access Trojan (RAT) through evasive PowerShell commands and began interacting with files on the host. The SOC isolated the host to prevent lateral movement in the environment, additional payload retrieval, or data exfiltration. The compromised user account was disabled.
Through discussions with the client, the SOC confirmed that the user had received a phone call from an individual posing as Microsoft support who directed the user to provide them access to the host.
In this incident, the threat actor abused several points of trust and authority to evade detection. First, they took advantage of the trust and authority Microsoft holds with users by assuming its name. Second, they used legitimate remote access tools to gain access and establish persistence on the host without triggering security solutions. Only after they achieved persistence did they begin pulling payloads (a higher-risk activity), enabling them to remain undetected for as long as possible.
Cyber Threat Intelligence Assessment: Attacks That Blend In
Threat intelligence analysis shows that attackers are deliberately prioritizing techniques that blend into normal administrative behavior to extend dwell time and avoid detection.
Social engineering and other attack techniques have always relied on exploiting trusted relationships. However, defenders are observing new techniques designed to take advantage of those relationships. Analysis of incidents actioned by the Blackpoint SOC, as well as broader industry reporting, indicates that threat actors are ramping up their attacks on trusted relationships not only against users, but also against Help Desks, and against security software itself.
This trend is reflected in the increase in RMM abuse, tech support scams (targeting both Help Desks and users), initial access through valid account compromise and exploitation of remote access tooling, and the explosion of Fake CAPTCHA/ClickFix/Malicious Copy Paste lures.
Attacks exploiting these trusted relationships to trick users or evade detection were present in a significant portion of incidents actioned by the Blackpoint SOC. Additional details can be found in our 2026 Annual Threat Report.
The security industry is adapting to meet these new techniques, with some antivirus and endpoint security solutions creating detections for Fake CAPTCHA style lures and commonly abused RMMs. However, these capabilities remain limited at the time of writing. Out of the box security tools frequently struggle to distinguish between authorized RMM activity and unauthorized use at scale with high fidelity, particularly when multiple legitimate RMM tools are present.
Large organizations and managed service providers (MSPs) are especially at risk due to the scale and distributed nature of their operations. Manufacturing (11.5%), Healthcare (10.3%) and MSPs (8.4%) were the most frequently targeted sectors observed by the Blackpoint SOC. Employees are less likely to personally recognize every IT support person employed by an organization over the phone, which increases the chances of a successful impersonation-based scam. The increasing availability of LLMs lowers the barrier for threat actors to impersonate trusted individuals based on publicly available social media or other online sources.
The Blackpoint APG assesses that an increase in tech support scams targeting SMBs and the MSP market is moderately likely in the next 12 months. Additionally, there is a high probability that RMM abuse, malicious copy/paste lures, and initial access via established remote access methods will continue to increase as threat actors prioritize techniques that blend into normal administrative activity.
Modern Attacks Require Modern Defense
Defending against trust-based attacks requires organizations to assume that legitimate tools and trusted relationships can be abused and to implement controls that verify identity, constrain access, and detect abnormal behavior.
- Implement a way to verify who you’re talking to, such as an employee ID or unique identifier.
- Ensure employees know the authorized mechanisms through which IT will contact them and access their machine.
- Focus on behavior. Harden your end hosts through app whitelisting. Audit the programs on hosts in your environment. Decide what is authorized and what is not. This enables faster identification and containment of malicious activity.
- Lock down user permissions. Enforce least privilege through GPOs. The average employee has no need for CMD, PowerShell, or the Run dialog.
- Ensure you have a data loss prevention (DLP) plan and an incident response plan (IRP), and that everyone knows their roles and responsibilities in those plans. Additional guidance on incident response plan implementation, including best practices, can be found in NIST SP 800-61 Rev. 3.
- Back up critical systems regularly and store immutable backups separate from production. Restrict access to backup infrastructure by restricting inbound traffic and enforcing phish-resistant MFA. Conduct regular testing of backups and practice restoration procedures.
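As an added example (not Blackpoint’s code or detection logic), the kill chain from the incident above and the “decide what is authorized” advice expressed as one detection rule over constructed process-creation telemetry: a remote-access binary is flagged when its PE OriginalFilename is not on an assumed allowlist or does not match the file name it was launched under, and a host receives an isolate finding when such a launch is followed by evasive PowerShell within a window. The tool lists, paths, host names and timings are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed, not from the article: remote-access binaries by PE OriginalFilename, the subset this environment authorized, evasive PowerShell switches.
RMM_NAMES = {"anydesk.exe", "screenconnect.clientservice.exe", "quickassist.exe", "teamviewer.exe"}
AUTHORIZED_RMM = {"screenconnect.clientservice.exe"}
PS_EVASION = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop")
@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str              # path the binary was launched from
    original_filename: str  # OriginalFilename from the PE version resource
    cmdline: str

def classify(ev: ProcEvent) -> list[str]:
    """Tag one event: RMM use, unauthorized RMM, renamed RMM binary, evasive PowerShell."""
    tags = []
    name, orig = PureWindowsPath(ev.image).name.lower(), ev.original_filename.lower()
    if orig in RMM_NAMES:
        tags.append("rmm")
        if orig not in AUTHORIZED_RMM:
            tags.append("unauthorized_rmm")
        if name != orig:  # e.g. AnyDesk downloaded and launched under another file name
            tags.append("renamed_rmm")
    if name == "powershell.exe" and any(k in ev.cmdline.lower() for k in PS_EVASION):
        tags.append("evasive_powershell")
    return tags
def correlate(events, window=timedelta(minutes=30)):
    """One finding per host where a rogue RMM launch is followed by evasive PowerShell within `window`: the chain the SOC saw before isolating the host."""
    by_host: dict[str, list] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append((ev, classify(ev)))
    findings = []
    for host, tagged in by_host.items():
        rogue = [e.ts for e, t in tagged if "unauthorized_rmm" in t or "renamed_rmm" in t]
        for e, t in tagged:
            if "evasive_powershell" in t and any(timedelta(0) <= e.ts - r <= window for r in rogue):
                findings.append({"host": host, "severity": "critical", "action": "isolate", "at": e.ts})
                break
    return findings
# Constructed sample telemetry (hosts, paths and times are made up for this example).
T0 = datetime(2026, 1, 1, 9, 0)
SAMPLE = [
    ProcEvent(T0, "WS01", r"C:\Windows\System32\quickassist.exe", "QuickAssist.exe", ""),
    ProcEvent(T0 + timedelta(minutes=4), "WS01", r"C:\Users\u\Downloads\update.exe", "AnyDesk.exe", ""),
    ProcEvent(T0 + timedelta(minutes=9), "WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE", "powershell.exe -w hidden -enc QUJDREVG"),
    ProcEvent(T0, "WS02", r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe", "ScreenConnect.ClientService.exe", ""),
]
```

Running `correlate(SAMPLE)` yields a single critical finding for WS01 (renamed AnyDesk followed by hidden, encoded PowerShell), while the authorized ScreenConnect service on WS02 is tagged only as routine RMM use.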
How Blackpoint Detects and Stops Trust-Based Attacks
Instead of relying on mutable IOCs, the Blackpoint SOC focuses on attacker tradecraft, investigating activity based on common activity in a client environment and performing historical analysis on a user-by-user basis. This enables Blackpoint to rapidly identify what’s normal and what’s not, allowing us to make rapid containment decisions with clarity and precision. This minimizes threat actor access to the environment, mitigates damage, and moves the needle further left of boom.
Date published: April 23, 2026
Author: Megan B.