Multi-RMM attack: Splashtop Streamer and Atera payloads delivered via Discord CDN link
Blog post from Sublime Security
Sublime's Attack Spotlight series highlights real-world email threats, focusing on adversary tactics, techniques, and detection methods. This installment covers a case involving Microsoft 365 and malware/ransomware attacks delivered via Remote Monitoring and Management (RMM) software. A compromised email account was used to distribute a malicious payload that impersonated OneDrive, tricking recipients into downloading a file that appeared to be a .docx but was actually a .msi installer for the RMM tools Atera and Splashtop, allowing the attackers to maintain remote access. Sublime's AI-powered detection engine detected and blocked the attack by identifying key signals such as file extension manipulation and the use of free file hosting via Discord CDN. The series emphasizes the importance of adaptive email security platforms that use AI and machine learning to identify subtle threats and keep malicious installers out of inboxes.
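As an added illustration of the two signals the post calls out (this is example code, not Sublime's or the original post's), the following Python check flags a link served from Discord's attachment CDN and a download whose claimed .docx extension disagrees with the container bytes it actually serves. The sample URL and bytes are constructed; the hostnames and magic-byte values are the real ones for those formats.

```python
from urllib.parse import urlparse
import posixpath

# Discord attachment CDN hosts, abused in this attack as free payload hosting.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# Leading bytes of the container formats involved in this lure.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # MSI installers (also legacy .doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML: .docx/.xlsx/.pptx are ZIP containers
PDF_MAGIC = b"%PDF"

# Container each document extension should actually begin with.
EXPECTED_CONTAINER = {
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".doc": "ole2", ".xls": "ole2", ".msi": "ole2", ".pdf": "pdf",
}

def container_of(data: bytes) -> str:
    """Identify the container format from leading bytes, ignoring the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"

def claimed_extension(url: str) -> str:
    """Extension the link advertises to the recipient, taken from the URL path only."""
    return posixpath.splitext(urlparse(url).path)[1].lower()

def analyze_link(url: str, first_bytes: bytes) -> list[str]:
    """Return the detection signals raised by a link and the bytes it serves."""
    signals = []
    host = (urlparse(url).hostname or "").lower()
    if host in DISCORD_CDN_HOSTS:
        signals.append("free_file_host:discord_cdn")
    ext = claimed_extension(url)
    actual = container_of(first_bytes)
    expected = EXPECTED_CONTAINER.get(ext)
    if expected and actual != "unknown" and actual != expected:
        signals.append(f"extension_mismatch:{ext}->{actual}")
        if actual == "ole2" and ext in {".docx", ".xlsx", ".pptx", ".pdf"}:
            # OLE2 bytes behind a modern-document name is how a .msi hides as a .docx.
            signals.append("possible_msi_disguised_as_document")
    return signals

# Constructed sample: a Discord CDN link advertising a .docx that serves OLE2 bytes.
SAMPLE_URL = "https://cdn.discordapp.com/attachments/000/000/Shared_Document.docx"
SAMPLE_BYTES = OLE2_MAGIC + b"\x00" * 24  # only the header matters for this check
```

Extension-to-magic mismatch alone is not proof of malice, so the signals are returned separately for the caller to weigh together with the hosting origin.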