Signed And Trusted But Still Dangerous


Microsoft Defender Experts recently found a series of phishing campaigns abusing legitimate signatures to deceive targets. Identified in February 2026, the campaigns used phishing lures consisting of crafted meeting invitations and PDF attachments that led to fake pages claiming to provide needed updates but actually delivering malware disguised as workplace applications. Users and systems are more likely to trust digitally signed software, because a signature is designed to attest to the publisher's identity and the integrity of the code, and traditional threat protection measures have often relied on signature-based detection.

The Weaponization of Code-Signing Certificates

Code signing plays a significant role in modern software, helping to verify both the legitimacy of the software’s publisher and the fact that the code has remained unaltered since it was signed. Compromising such certificates enables attackers to deploy malware that appears to its targets to be verifiably legitimate. Many see these signatures as foolproof evidence that software is trustworthy, discounting the possibility of malicious activity.

Extended Validation (EV) certificates represent the highest level of vetting and background checks, and so provide strong assurance that the publisher has undergone extensive verification. The ability to abuse this type of authentication allows attackers to launch even more deceptive attacks by increasing the perceived trustworthiness of malicious files. These campaigns underscore the flaws in depending heavily on security tools that rely on certificate reputation to verify the legitimacy of software.

Living Off Legitimate Tools

Threat actors are always looking to evolve their tactics to increase the success rates and payouts of their attacks, implementing new methods and technologies. In service of this goal, attackers have in recent years increasingly turned to the abuse of legitimate tools rather than custom malware. This not only saves them the time and resources required to craft their own malware, but also increases the chances of attacks going undetected.

There is a wide range of native tools that attackers can use in these attacks for a variety of malicious ends. Remote monitoring and management (RMM) platforms are attractive to threat actors because they provide extensive capabilities within target systems. Attackers use RMM tools they have installed on a victim's system to obtain a persistent presence with remote control and administrative capabilities, at which point they can carry out further malicious activity.

The Attack Chain

The identified attack campaigns began with phishing-style emails mimicking meeting invites or carrying counterfeit PDF attachments, which led to a spoofed download page claiming to provide necessary software updates for Adobe, Teams, or Zoom. These download pages actually delivered fake installers disguised as trusted application updates, deploying malware signed with a legitimate certificate to bypass certificate checks.

The next step in the attack chain was the installation of legitimate RMM software as a backdoor to allow the attacker’s persistent presence within the targeted system. In some cases, they were seen installing additional RMM tools to bolster persistence by establishing redundancies. The attackers then leveraged this remote access for post-exploitation activity.

What Attackers Do After Gaining Access

There is a range of actions that attackers can take once they have established persistent access via a backdoor. Credential harvesting and privilege escalation are common, along with lateral movement across enterprise networks. This kind of activity enables threat actors to use their existing access to expand their capabilities by taking over legitimate accounts and moving through the target environment to more sensitive and protected areas.

Threat actors use their access to carry out surveillance and espionage, exfiltrate data, and deploy ransomware or other monetization tactics. By installing the ScreenConnect RMM software as a backdoor, the attackers in these campaigns enabled a wide array of malicious activity with the potential to cause extensive damage in enterprise environments.

The Bigger Security Trend

These campaigns spotted by Microsoft are only one example of a larger ongoing trend in cybersecurity, where attackers are shifting from exploiting vulnerabilities to abusing trusted tools. The misuse of identities, certificates, and legitimate software is on the rise as threat actors turn to tactics and technologies that enable them to establish persistent access and evade detection.

Traditional signature-based defenses struggle with these attacks, as bad actors use tactics designed to take advantage of the way that these tools operate. Compromising legitimate software and leveraging verified signatures deceives traditional threat detection and increases the persistence and success of these attacks.

Rethinking Enterprise Security

These campaigns highlight the importance of implementing behavioral monitoring and analysis rather than relying on trusting signed binaries. Understanding behavior enables the detection of anomalous use of legitimate administrative tools such as RMM platforms. Stronger certificate lifecycle management is also required to mitigate the dangers of compromised signatures. Organizations should apply zero-trust principles to software and remote access tools in order to defend against attacks like these.

Robust, resilient, and reliable security requires the evaluation of many signals and telemetry beyond simple binary signatures. “In that model, the signature remains valuable; however, it becomes evidence rather than verdict,” says Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM). “Trust emerges from the convergence of identity, behavior, and reputation, and this works well in zero trust models using blended defenses.”
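As an added illustration of "signature as evidence rather than verdict" for the behavioral monitoring called for above (example code, not from the article, Microsoft, or Sectigo): a small scoring routine over constructed process-creation telemetry. A valid signature only slightly lowers the risk score, while masquerading as an Adobe/Teams/Zoom update, launching from a browser or PDF reader, running from a downloads directory, and registering an RMM service (ScreenConnect, as in the campaign) drive the verdict. The publisher strings and the signer name "Example Signer Ltd" are assumptions made for the example.

```python
"""Signature-as-evidence scoring over process-creation telemetry (constructed
example, not from the article). A valid signature lowers risk slightly but never
clears it; masquerading, download origin and RMM installation dominate."""
from dataclasses import dataclass

# Products the campaign's lures impersonated (from the article).
IMPERSONATED = ("adobe", "teams", "zoom")
# Publisher strings are assumptions standing in for each vendor's real cert subject.
EXPECTED_PUBLISHER = {"adobe": "Adobe Inc.", "teams": "Microsoft Corporation",
                      "zoom": "Zoom Video Communications, Inc."}
RMM_SERVICES = {"screenconnect"}  # RMM named in the article; extend as needed
DOWNLOAD_PARENTS = {"chrome.exe", "msedge.exe", "outlook.exe", "acrord32.exe"}

@dataclass
class Event:
    image: str                  # file name of the new process
    signed: bool                # Authenticode signature chain validated
    publisher: str              # subject name on the signing certificate
    parent: str                 # parent process name
    path: str                   # full path of the image
    installs_service: str = ""  # service name it registers, if any

def score(ev: Event) -> tuple[int, list[str]]:
    """Return (risk, reasons). The signature is one signal, not the verdict."""
    risk, why = 0, []
    claimed = next((p for p in IMPERSONATED if p in ev.image.lower()), None)
    if claimed and ev.publisher != EXPECTED_PUBLISHER[claimed]:
        risk += 4; why.append(f"poses as {claimed} but signed by {ev.publisher!r}")
    if ev.parent.lower() in DOWNLOAD_PARENTS:
        risk += 2; why.append(f"spawned by {ev.parent} (downloaded-file origin)")
    if any(d in ev.path.lower() for d in ("\\downloads\\", "\\temp\\")):
        risk += 1; why.append("runs from a user-writable download/temp directory")
    if ev.installs_service.lower() in RMM_SERVICES:
        risk += 5; why.append(f"registers RMM service {ev.installs_service}")
    if ev.signed:
        risk -= 1; why.append("valid signature: evidence, not verdict")
    else:
        risk += 2; why.append("unsigned")
    return max(risk, 0), why

def verdict(ev: Event, threshold: int = 5) -> str:
    return "alert" if score(ev)[0] >= threshold else "allow"

# Constructed sample telemetry: a signed fake "Teams update" dropping ScreenConnect
# (the campaign pattern) beside a genuine vendor binary launched from the Start menu.
FAKE = Event("TeamsUpdate.exe", True, "Example Signer Ltd", "msedge.exe",
             r"C:\Users\u\Downloads\TeamsUpdate.exe", "ScreenConnect")
GENUINE = Event("Teams.exe", True, "Microsoft Corporation", "explorer.exe",
                r"C:\Program Files\Microsoft\Teams\Teams.exe")
```

Run `verdict(FAKE)` and `verdict(GENUINE)` to see the signed fake installer alerted and the genuine binary allowed despite both carrying valid signatures.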

The Takeaway for Security Leaders

The significance of these campaigns lies in the indication that trust signals alone are no longer sufficient indicators of legitimacy. In order to be adequately protected, organizations must assume that even “trusted” software can be abused, and secure their systems accordingly. Security strategies must evolve to detect misuse of legitimate infrastructure, as in the attacks identified by Microsoft.

Author

PJ Bradley, Contributing Writer, Security Buzz

PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.