Legitimate Remote Access Tools: How Attackers Use Them Against You — And Why Most Small Businesses Never See It Coming
Legitimate remote access tools — software like AnyDesk, ScreenConnect, and TeamViewer — are now one of the most reliable entry points for attackers targeting small and mid-sized businesses. These legitimate remote access tools don’t trigger antivirus alerts. They pass through firewalls without question. And because your own IT team uses them daily, their traffic looks completely normal — even when it isn’t. CISA and FBI advisories from 2023 and 2024 confirm this technique is growing fast, and businesses that have never audited what remote software is running on their endpoints are paying for it.
- What “Living Off the Land” Actually Means in 2025
- How Attackers Chain Legitimate Remote Access Tools: The Four Stages
- Who Gets Hit: Why Small Businesses Are the Target
- Real Examples From CISA and FBI Reporting
- Why Your Alerts Are Not Firing
- Building a Defense Posture That Can See These Attacks
- What to Ask Your IT Firm Right Now
What “Living Off the Land” Actually Means in 2025
“Living off the land” describes an attacker technique where the threat actor avoids introducing new, detectable malware and instead uses tools already present on the target system. In earlier years, this typically meant abusing built-in Windows utilities like PowerShell or the Windows Management Framework. By 2024 and into 2025, the technique had evolved significantly.
Attackers now chain together commercially licensed or freely available legitimate remote access tools to accomplish the same goals — persistence, lateral movement, credential harvesting, and data exfiltration — that custom malware used to handle. The difference is that these legitimate remote access tools are trusted by the operating system, trusted by antivirus engines, and often trusted by network firewalls because the businesses themselves installed them.
A January 2024 joint advisory from CISA, the NSA, and partner agencies across Australia, Canada, the United Kingdom, and New Zealand called this out directly, warning that “malicious actors are increasingly using legitimate remote access software as a living-off-the-land technique.” The advisory named AnyDesk, ScreenConnect (now ConnectWise ScreenConnect), TeamViewer, Atera, Splashtop, and others as documented vehicles for attacker persistence after an initial compromise.
How Attackers Chain Legitimate Remote Access Tools: The Four Stages
The sequence typically unfolds in four stages. Understanding each one is what separates businesses that detect these intrusions from businesses that discover them three months later.
Stage 1 — Initial Access. The attacker gains a foothold through a phishing email, a compromised credential purchased on a dark web marketplace, or an exposed remote desktop connection. This first access point is often noisy and detectable — but it only needs to survive for minutes.
Stage 2 — Drop a Second Remote Tool. While inside via the initial access method, the attacker installs a second set of legitimate remote access tools — ones they control. Because this software is commercially signed and recognized, endpoint protection tools frequently allow the installation without flagging it. The attacker now has a persistent backdoor that looks identical to a normal IT support session.
Stage 3 — Abandon the Noisy Entry Point. The attacker disconnects from the initial, potentially detectable access vector and re-enters exclusively through the newly installed legitimate remote access tools. From a network log perspective, this traffic is indistinguishable from your actual IT vendor connecting to help a user.
Stage 4 — Lateral Movement and Objective. Using the trusted remote session, the attacker moves through the network — accessing file servers, cloud storage credentials, email accounts, and financial systems. Because the traffic is encrypted and originates from a trusted application, most alert systems stay completely silent throughout this phase.
Who Gets Hit: Why Small Businesses Are the Target
Larger organizations have invested heavily in detecting exactly this kind of behavior. They run behavioral analytics platforms, maintain dedicated security teams, and audit every remote access tool deployed across their environment. Small businesses almost never do.
The FBI’s Internet Crime Complaint Center 2023 annual report recorded $12.5 billion in cybercrime losses — a 22% increase over 2022. Business email compromise and data breach incidents affecting businesses under 100 employees represented a disproportionate share of the case volume. For a small business, the financial loss per incident is often existential in a way it simply isn’t for a larger organization with a dedicated incident response budget and insurance that actually pays out.
Small businesses are specifically attractive for these attacks involving legitimate remote access tools for three compounding reasons.
- They frequently have multiple legitimate remote access tools installed by different IT vendors over the years, with no current inventory of what is actually running.
- They often share administrative credentials across tools, meaning access to one system rapidly becomes access to all systems.
- Their network traffic baselines are rarely documented, so an attacker’s anomalous connections don’t stand out against any known-normal pattern.
Real Examples From CISA and FBI Reporting
The January 2024 CISA advisory was not theoretical. It documented specific observed attacker behaviors tied to both nation-state and financially motivated threat groups. Several patterns are worth understanding in plain language.
The “dual tool” technique. CISA observed actors installing both AnyDesk and ScreenConnect — two widely trusted legitimate remote access tools — on compromised systems. Not because they needed both, but because the redundancy ensured persistence even if one tool was discovered and removed. Removing one legitimate tool left the attacker fully operational through the second.
Abuse of trial or free-tier licenses. Several documented intrusions involved attackers registering free or trial accounts with legitimate remote access tool vendors and using those accounts to control compromised endpoints. From the victim’s network perspective, the traffic was indistinguishable from any paying customer using the same software. The attacker’s account was shut down after the intrusion — leaving almost no forensic trail at the vendor level.
Atera and similar remote monitoring platforms. Atera is a platform designed for IT service providers to monitor and manage client endpoints. CISA documented cases where attackers installed Atera agents on compromised systems, giving themselves the same level of access a professional IT firm would have — including the ability to deploy scripts, install software, and access files across the entire endpoint — without triggering a single antivirus alert.
The ConnectWise ScreenConnect vulnerability (CVE-2024-1709). In February 2024, a critical authentication bypass vulnerability in ConnectWise ScreenConnect was disclosed and almost immediately exploited at scale. CISA added it to the Known Exploited Vulnerabilities catalog within days. In many cases, organizations running unpatched self-hosted instances were fully compromised within 48 hours of public disclosure. This is a case where even a well-managed legitimate remote access tool became an attacker entry point — because the underlying software wasn’t kept current.
For the full list of observed tools and advisory language, the original CISA Advisory AA24-038A is publicly available and worth reviewing with your IT leadership.
Why Your Alerts Are Not Firing
Here is the question most business owners find genuinely uncomfortable: if an attacker was moving through your network right now using legitimate remote access tools, would anything catch it? For most small businesses, the honest answer is no.
Antivirus and basic endpoint protection work by identifying known malicious code. AnyDesk, TeamViewer, and ScreenConnect are not malicious code. Their signatures are trusted by every major security vendor. Installing and running these legitimate remote access tools produces no antivirus alert — that is by design.
Firewall rules in most small business environments explicitly allow legitimate remote access tool traffic because the IT team depends on it. An attacker using the same tool traverses the same approved firewall rule without any special privilege required.
Email filtering catches phishing attempts — but once an attacker is inside and operating through a legitimate tool, email filtering has no visibility into endpoint activity. The two systems don’t communicate in most small business configurations.
The gap isn’t in the quality of any individual tool. It’s the absence of a layer that watches behavior rather than signatures — one that asks: “Why is ScreenConnect connecting to an endpoint that has never used it before, at 2:14 AM, and immediately transferring a large archive file?” That behavioral layer is what separates businesses that detect these intrusions early from businesses that find out three months later when the damage is already done.
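The behavioral question above, turned into a small check you can run over session logs. This is an added example written for this article, not code from CISA or any remote access vendor; the log format, the (endpoint, tool) baseline, the business-hours window, the home country and the transfer threshold are all constructed assumptions you would replace with your own environment's values.

```python
# Added example (not from the article or any vendor): a minimal behavioral
# check over remote access sessions. The log format, baseline and thresholds
# below are constructed assumptions for illustration.
from datetime import datetime

# Constructed baseline: (endpoint, tool) pairs that have connected before and are approved.
BASELINE = {("FIN-PC-07", "ScreenConnect"), ("HR-LAPTOP-02", "ScreenConnect")}
BUSINESS_HOURS = range(7, 19)           # 07:00-18:59 local time
LARGE_TRANSFER_BYTES = 100 * 1024 ** 2  # 100 MB outbound in one session
HOME_COUNTRIES = {"US"}

# Constructed sample log: timestamp,endpoint,tool,source_country,bytes_out
SAMPLE_LOG = """\
2024-03-12T09:15:00,FIN-PC-07,ScreenConnect,US,2048
2024-03-13T02:14:00,FIN-PC-07,AnyDesk,RO,734003200
2024-03-13T14:30:00,HR-LAPTOP-02,ScreenConnect,US,4096
2024-03-13T23:05:00,HR-LAPTOP-02,ScreenConnect,US,1024
"""

def parse_log(text):
    """Turn CSV-style lines into session dicts; blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, host, tool, country, size = line.split(",")
        sessions.append({"when": datetime.fromisoformat(when), "host": host,
                         "tool": tool, "country": country, "bytes_out": int(size)})
    return sessions

def evaluate(s):
    """Return the reasons one session deserves an analyst's attention."""
    reasons = []
    if (s["host"], s["tool"]) not in BASELINE:
        reasons.append("tool never previously seen on this endpoint")
    if s["when"].hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if s["country"] not in HOME_COUNTRIES:
        reasons.append("unfamiliar source country")
    if s["bytes_out"] >= LARGE_TRANSFER_BYTES:
        reasons.append("large outbound transfer")
    return reasons

def find_alerts(text, min_reasons=1):
    """Sessions with at least min_reasons findings, most suspicious first."""
    hits = [(s["host"], s["tool"], evaluate(s)) for s in parse_log(text)]
    hits = [h for h in hits if len(h[2]) >= min_reasons]
    return sorted(hits, key=lambda h: -len(h[2]))
```

Run against the sample, `find_alerts(SAMPLE_LOG)` surfaces the 2:14 AM AnyDesk session on an endpoint that had only ever seen ScreenConnect, with all four reasons attached, while the routine daytime sessions produce nothing. Raising `min_reasons` is how you trade noise for coverage once the baseline reflects real traffic.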
Building a Defense Posture That Can See These Attacks
No single control stops this class of threat. Defense requires layers. Here are the controls that matter most against attackers abusing legitimate remote access tools, in priority order.
Inventory every remote access tool in your environment. This sounds basic and is almost never done correctly. You need a real-time inventory of every piece of software installed on every endpoint — not a spreadsheet from two years ago. Any legitimate remote access tools that no one on your current IT team recognizes should be investigated before being removed.
Enforce a policy of only one approved remote access tool. Multiple overlapping legitimate remote access tools are a configuration problem dressed up as a feature. Pick one. Enforce it. Treat any additional installation as an incident until proven otherwise.
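The inventory and single-tool controls above, and the “dual tool” pattern from the CISA reporting, as an added audit script. This is example code written for this article, not a vendor's or the advisory's own tooling; it assumes a CSV export of installed software from whatever inventory or RMM platform you use, and it assumes ScreenConnect is the one approved tool. The tool names are those the article lists; the endpoints, publishers, dates and rows are constructed.

```python
# Added example (not from the article or any vendor): auditing a software
# inventory export for remote access tools. The export format, the approved
# tool and the sample rows are constructed assumptions.
import csv
import io

# Remote access tools named in the CISA advisory, matched case-insensitively
# against the installed-software display name.
REMOTE_TOOLS = ("anydesk", "screenconnect", "teamviewer", "atera", "splashtop")
APPROVED_TOOL = "screenconnect"   # assumption: the one tool this org standardised on

# Constructed inventory export: endpoint,display_name,publisher,install_date
INVENTORY_CSV = """\
endpoint,display_name,publisher,install_date
FIN-PC-07,ScreenConnect Client (a1b2c3),ConnectWise,2023-05-02
FIN-PC-07,AnyDesk,AnyDesk Software GmbH,2024-03-13
HR-LAPTOP-02,ScreenConnect Client (a1b2c3),ConnectWise,2023-05-02
OPS-PC-01,TeamViewer,TeamViewer Germany GmbH,2021-11-19
OPS-PC-01,Microsoft Edge,Microsoft Corporation,2024-02-01
"""

def classify(display_name):
    """Return the matching remote tool family, or None for ordinary software."""
    lowered = display_name.lower()
    return next((t for t in REMOTE_TOOLS if t in lowered), None)

def audit_inventory(csv_text):
    """Group remote tools by endpoint and report policy violations."""
    per_host = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        family = classify(row["display_name"])
        if family:
            per_host.setdefault(row["endpoint"], []).append(
                (family, row["publisher"], row["install_date"]))
    findings = []
    for host, tools in sorted(per_host.items()):
        families = {t[0] for t in tools}
        for family, publisher, installed in tools:
            if family != APPROVED_TOOL:
                findings.append((host, family, f"unapproved remote tool installed {installed}"))
        if len(families) > 1:   # the 'dual tool' persistence pattern
            findings.append((host, ",".join(sorted(families)),
                             "multiple remote tools on one endpoint"))
    return findings
```

On the sample rows the audit reports the AnyDesk install on FIN-PC-07 twice (once as unapproved, once as a second tool beside ScreenConnect) and the years-old TeamViewer on OPS-PC-01, which is exactly the leftover-vendor case the article says should be investigated before removal.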
Apply application control policies. Modern endpoint management platforms can be configured to block the installation of any unapproved software — including commercially signed legitimate remote access tools. This stops the “drop a second tool” stage of the attacker chain cold. Your IT team should be able to explain specifically how unauthorized remote access software is blocked on your endpoints today.
Monitor for anomalous remote access behavior. A behavioral detection layer should flag remote access connections that occur outside business hours, from unfamiliar geographic locations, or to endpoints where legitimate remote access tools have never previously connected. This is achievable even in small business environments with the right managed detection approach.
Enforce multi-factor authentication on every remote access tool. This won’t stop an attacker who has already installed their own tool, but it raises the bar substantially at the initial access stage. According to CISA’s guidance on threat actor tactics, multi-factor authentication on remote access services remains one of the highest-impact controls available to small and mid-sized organizations.
Patch legitimate remote access tools within 24 hours of a critical advisory. The ConnectWise ScreenConnect case makes this concrete. Critical vulnerabilities in widely deployed tools are now weaponized within hours of public disclosure. A 30-day patching cycle — common at small businesses — means you will be compromised before your IT team schedules the update.
Segment your network. If an attacker reaches one endpoint, network segmentation limits how far they can go. A flat network — where every device can reach every other device — hands an attacker who controls a single machine access to everything. Basic segmentation separating workstations, servers, and any operational systems meaningfully limits the blast radius. Our approach to cybersecurity for small and mid-sized businesses includes network architecture review as a standard component of onboarding, specifically because flat network configurations remain the norm among organizations that have never had a formal security review.
For organizations looking to understand the full scope of their IT and security posture, our managed IT services include proactive monitoring built to detect exactly this class of threat before damage occurs.
What to Ask Your IT Firm Right Now
The defense posture above requires a capable, attentive IT firm to implement and maintain. If you’re evaluating whether your current provider is equipped to protect you against attackers abusing legitimate remote access tools, these questions will surface gaps quickly. Any qualified firm should answer them without hesitation.
- Can you give me a real-time inventory of every legitimate remote access tool currently installed on our endpoints?
- What is our policy for approving new remote access software installations, and how is that policy technically enforced?
- If an attacker installed a new remote access tool on one of our endpoints at 2 AM last Tuesday, what would have detected it and how quickly would we have been notified?
- How quickly are we patching legitimate remote access tools when CISA issues a critical advisory? What is the documented process?
- Are our remote access tools protected with multi-factor authentication? All of them — including the one your technicians use to support us?
- Is our network segmented, and can you show me the current architecture?
- Have you reviewed our environment for legitimate remote access tools installed by previous IT vendors that are no longer in active use?
If your IT firm hesitates, redirects, or answers in generalities, that is important information. Living-off-the-land attacks using legitimate remote access tools have moved from nation-state tradecraft into everyday criminal use. The businesses that absorb serious losses over the next 24 months will be the ones whose IT partners are still treating this as a future threat.
The businesses that come through clean will be the ones whose IT partners already have behavioral detection in place, enforce strict policies around legitimate remote access tools, and treat an unrecognized tool appearing on an endpoint as an incident — not a curiosity. That discipline isn’t dramatic. It isn’t expensive relative to the cost of a breach. It’s what thorough, mature IT management looks like in 2025.
If you’re not confident your current environment can answer the questions above, Book a Free Cybersecurity Strategy Call with our team. It’s a 20-minute conversation — no obligation, no pressure — and you’ll leave knowing exactly where you stand.
Want a Walkthrough of Your Own Setup?
Twenty minutes on the phone with our team gets you specific recommendations you can use immediately — whether you hire us or not. No pitch, no pressure, just an honest read on where your business stands.