UNC3753 Screen-Sharing and RMM Tools Attack on Legal Data

Social engineering and RMM abuse used to steal legal data in rapid extortion campaign

UNC3753 Screen-Sharing and RMM Tools Attack: What Happened?

UNC3753 uses screen-sharing sessions and RMM tools to exfiltrate sensitive legal data. This campaign, detailed by Google Cloud, has targeted law firms and professional services since early 2026. The group, also known as Luna Moth, Chatty Spider, or Silent Ransom Group, relies on social engineering instead of technical exploits. By manipulating staff into granting remote access, they can steal confidential information within hours, often before the breach is detected.

The attack typically starts with a legitimate-looking invoice email sent from a consumer address. These messages do not contain malicious links or attachments, making them hard for traditional security tools to detect. The actual compromise occurs when attackers, masquerading as IT helpdesk staff, phone the recipient and persuade them to join a screen-sharing session using tools like Zoom or Microsoft Teams. They then direct victims to install remote monitoring and management (RMM) software such as AnyDesk or Bomgar, giving them full access to the target system.

Why UNC3753’s Methods Matter to UK Organisations

The UNC3753 campaign is significant because it highlights a shift from technical exploitation to psychological manipulation. The methods used are highly portable and could be used against UK small and medium businesses, not just large US law firms. Attackers are leveraging everyday business tools like screen-sharing and RMM software, which are widely trusted and often necessary for legitimate IT support. As a result, detection is challenging and the risk of data loss is high.

In many cases, attackers can search corporate file systems for high-value data such as legal agreements, financial records, or personal identifiers. This data is then uploaded to attacker-controlled cloud accounts and used for extortion. Victims receive aggressive emails threatening to expose the breach to clients, staff, and the media unless a ransom is paid. Since the entire attack can unfold within a single business day, there is little time to respond before sensitive information leaves the organisation’s control.

  • Attacks use legitimate business tools, bypassing technical defences.
  • RMM tools give attackers persistent access and are difficult to distinguish from authorised IT activity.
  • Screen-sharing sessions are initiated under the guise of trusted helpdesk interactions.
  • Data exfiltration often takes place within hours, making rapid detection and response critical.

How Organisations Can Defend Against Screen-Sharing and RMM Attacks

To reduce risk from UNC3753 and similar social engineering campaigns, UK organisations should review and strengthen controls around remote access and helpdesk processes. Technical defences alone are insufficient; staff awareness and robust verification procedures are essential.

1. RMM Tool Controls and Monitoring

  • Restrict who can install and use remote monitoring and management tools. Maintain an approved list and block unapproved software at the endpoint level.
  • Monitor for new installations of RMM tools and alert on suspicious activity, especially outside normal IT operations.
  • Log and review remote access sessions. Investigate any unexpected or unauthorised use.
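
The monitoring rule above can be prototyped as a triage function over endpoint process-creation events. This is an added example, not code from the original bulletin; the event field names, the approved-user list, the support hours and the sample events are all assumptions.

```python
import re
from datetime import datetime

# Assumed catalogue: name fragments for the two RMM tools the bulletin names.
RMM = {"AnyDesk": re.compile("anydesk", re.I), "Bomgar": re.compile("bomgar", re.I)}
# Assumed policy: only Bomgar is approved, and only for these IT accounts.
APPROVED = {"Bomgar": {"it-admin1", "it-admin2"}}
USER_WRITABLE = re.compile(r"\\(downloads|appdata|temp)\\", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
IT_HOURS = range(8, 18)  # assumed support window, 08:00-17:59 local time

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return an alert for a suspicious RMM process start, else None."""
    tool = next((n for n, p in RMM.items() if p.search(basename(event["image"]))), None)
    if tool is None:
        return None
    unapproved = event["user"] not in APPROVED.get(tool, set())
    checks = [
        (unapproved, "tool not approved for this user"),
        (bool(USER_WRITABLE.search(event["image"])), "running from user-writable path"),
        (basename(event["parent"]) in BROWSERS, "launched by a browser"),
        (datetime.fromisoformat(event["time"]).hour not in IT_HOURS, "outside IT support hours"),
    ]
    reasons = [text for hit, text in checks if hit]
    if not reasons:
        return None
    return {"host": event["host"], "user": event["user"], "tool": tool,
            "severity": "high" if unapproved else "medium", "reasons": reasons}

def triage(events):
    return [alert for alert in map(evaluate, events) if alert]

# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    {"host": "LAW-PC-07", "user": "jsmith", "time": "2026-06-10T11:42:00",
     "image": r"C:\Users\jsmith\Downloads\AnyDesk.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "IT-WS-01", "user": "it-admin1", "time": "2026-06-10T14:05:00",
     "image": r"C:\Program Files\Bomgar\bomgar-rep.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "LAW-PC-12", "user": "it-admin2", "time": "2026-06-10T22:15:00",
     "image": r"C:\Users\it-admin2\AppData\Local\Temp\bomgar-scc.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "LAW-PC-03", "user": "apatel", "time": "2026-06-10T09:30:00",
     "image": r"C:\Program Files\Microsoft Office\winword.exe", "parent": r"C:\Windows\explorer.exe"},
]
```

Calling `triage(EVENTS)` returns a high-severity alert for the staff member running AnyDesk from a browser download and a medium one for the approved tool started from a temp folder after hours; the in-policy Bomgar session and the Word process are ignored.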

2. Helpdesk Verification and Staff Awareness

  • Train staff to recognise and report suspicious emails and unsolicited IT support calls, especially those referencing invoices or urgent actions.
  • Establish clear helpdesk verification procedures. Require staff to confirm the identity of anyone requesting remote access through a secondary channel, such as a direct call to the official IT number.
  • Communicate regularly about evolving social engineering tactics and encourage a sceptical mindset when asked to install software or share screens.

3. Data Exfiltration Detection and Response

  • Deploy monitoring to detect large or unusual file transfers, particularly to cloud storage providers not used by your business.
  • Limit user access rights to sensitive data based on job role, reducing the potential impact if an account is compromised.
  • Prepare an incident response plan that includes rapid investigation and containment of suspected data theft, as well as communication to affected stakeholders.
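
The first control in this list can be sketched as a sliding-window check over web proxy logs. This is an added example, not code from the original bulletin; the record fields (including a proxy-supplied `category`), the `.example` hostnames, the one-hour window and the 500 MB threshold are assumptions to tune locally.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MB = 1024 * 1024
SANCTIONED = {"files.sanctioned-storage.example"}  # assumed: the firm's own provider
WINDOW = timedelta(hours=1)                        # assumed tuning values
THRESHOLD_BYTES = 500 * MB

def detect_exfil(records):
    """Flag (user, destination) pairs whose uploads to unsanctioned cloud
    storage reach THRESHOLD_BYTES within WINDOW. Records must be time-ordered."""
    windows = defaultdict(deque)  # (user, dest) -> deque of (time, bytes_out)
    totals = defaultdict(int)
    alerts = {}
    for r in records:
        if r["category"] != "cloud-storage" or r["dest"] in SANCTIONED:
            continue
        key = (r["user"], r["dest"])
        now = datetime.fromisoformat(r["time"])
        windows[key].append((now, r["bytes_out"]))
        totals[key] += r["bytes_out"]
        # Drop uploads that have aged out of the sliding window.
        while windows[key][0][0] < now - WINDOW:
            totals[key] -= windows[key].popleft()[1]
        if totals[key] >= THRESHOLD_BYTES and key not in alerts:
            alerts[key] = {"user": key[0], "dest": key[1],
                           "window_start": windows[key][0][0].isoformat(),
                           "bytes_in_window": totals[key]}
    return list(alerts.values())

def rec(time, user, dest, category, megabytes):
    return {"time": f"2026-06-10T{time}:00", "user": user, "dest": dest,
            "category": category, "bytes_out": megabytes * MB}

# Constructed sample proxy records (not real telemetry).
BAD = "upload.unsanctioned-storage.example"
RECORDS = [
    rec("09:00", "bjones", BAD, "cloud-storage", 300),
    rec("10:00", "apatel", "files.sanctioned-storage.example", "cloud-storage", 900),
    rec("11:30", "bjones", BAD, "cloud-storage", 300),   # earlier upload has aged out
    rec("12:05", "jsmith", BAD, "cloud-storage", 200),
    rec("12:20", "jsmith", BAD, "cloud-storage", 200),
    rec("12:25", "jsmith", "news.example", "news", 1),
    rec("12:40", "jsmith", BAD, "cloud-storage", 200),   # 600 MB inside one hour
]
```

Only `jsmith` is flagged: the large upload to the sanctioned provider is ignored, and the two `bjones` uploads fall in different windows so neither reaches the threshold.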

Key Takeaways for UK Professional Services

The UNC3753 campaign demonstrates that even organisations with strong technical security can fall victim to well-crafted social engineering attacks. Legal and professional services firms are attractive targets due to the value of their data and the trust placed in their staff. UK businesses should assume these tactics will be used locally and take steps now to strengthen their defences.

  • Screen-sharing and RMM attacks rely on manipulating people, not exploiting software.
  • Regular staff training and helpdesk verification are critical controls.
  • Technical monitoring can limit the impact but must be complemented by robust processes and incident response readiness.

By understanding the tactics used by UNC3753 and implementing layered safeguards, organisations can reduce their risk and respond more effectively to emerging threats.

Originally reported by cybersecuritynews.com.

About the Author

Rob McBride

Partner

  • CISSP
  • ACA Chartered Accountant
  • MPhil
  • BSc
  • SOC 2
  • ISO 27001

Rob is a Founding Partner at CyPro and a highly experienced CISO. Beginning his career with a successful tenure at Deloitte, Rob has since amassed a wealth of experience, notably serving as a cyber security advisor to the UK government and spearheading cloud security transformations for several global banks.

At CyPro, Rob leads the managed service business line, working extensively across multiple sectors including telecommunications, technology, higher education, travel, and retail. He is passionate about equipping small and medium-sized businesses (SMBs) with robust cyber security strategies to fuel their growth.

Published
Jun 17 - 2026