A new wave of phishing campaigns is targeting corporate employees through fake video meeting invites. Using Zoom, Microsoft Teams, and Google Meet, the attacks lead victims to a payload that infects their devices with remote access software.
Netskope Threat Labs, which identified and tracked the campaigns, found that trust combined with busy work schedules is one of the two key levers exploited in this attack. The other is urgency. The attack even instructs victims to ignore security alerts when downloading the file, relying on the assumption that busy workers are less likely to perform due diligence. The fake sites heighten this urgency with timers or participant counts, and some simulate audio cues or chat messages to suggest the meeting has already started.
Redirects to malicious domains occur seamlessly, evading email filters tuned to detect obvious spam.
How the Meeting-Based Attack Unfolds
Phishing emails arrive disguised as standard internal meeting invites, often using a spoofed executive name to add credibility. Clicking the link takes the victim to a convincing replica of the real platform. When attempting to join the call, a pop-up claims there is a compatibility issue and instructs the user to download a mandatory update. That download comes from a typo-squatted domain such as zoom-meet.us, where the real payload waits disguised as a routine software patch.
The downloaded file is not a patch. Netskope researchers identified the payloads as three legitimate remote monitoring and management tools: Datto RMM, LogMeIn Unattended, and ScreenConnect. Files arrive with names like GoogleMeet.exe or ZoomWorkspaceinstallersetup.msi, each carrying a valid digital signature from a trusted authority. This legitimacy allows them to pass through antivirus filters and endpoint detection tools that IT teams have preapproved for remote support use.
Once installed, the RMM agent gives attackers full administrative remote access, including screen viewing, file transfers, and shell execution, without triggering the alerts that custom malware typically would. From that position, they can quietly exfiltrate data, identify high-value targets on the network, or deploy ransomware across endpoints.
Defending Against the New Threat
Defending against this threat requires addressing both technology and employee behavior. Security training should be updated to cover fake meeting invite scenarios specifically, teaching staff to verify invites through the application directly or via a known contact, and never to download software prompted by an email link.
On the technical side, Netskope recommends several procedural and strategic shifts. To prevent unauthorized access through legitimate tools, strict application allowlisting can block unsanctioned RMM tools from executing. Cloud access security brokers can inspect traffic to phishing domains and block RMM payloads before installation.
If accounts are compromised, multi-factor authentication across email and collaboration platforms can limit the damage.
Keeping video conferencing applications up to date also removes the pretext. An employee who knows their Zoom client is current has one less reason to trust a pop-up claiming otherwise.
Adding to the UC Cyberthreats
This campaign illustrates how attackers are evolving beyond crude phishing pages toward attacks that closely mirror the actual workflows of their targets. By embedding the threat within a routine business action and applying time pressure, they reduce the opportunity for a victim to pause and question what is happening.
As video conferencing has become critical business infrastructure, it has also become a reliable attack surface. Netskope’s research suggests that threat actors are actively tracking shifts in how organizations operate and adapting their methods accordingly.
Organizations that rely on legacy detection tools or treat phishing training as a one-time exercise are particularly exposed. The potential cost of a successful RMM implant is significant. Matching defenses to the current threat requires layered controls, updated training, and behavioral monitoring working together rather than relying on any single solution.
