The $100M Freight Heist That EDR Never Saw Coming

Organized crime is stealing millions in cargo using phishing and legitimate remote management tools, no malware required. These attacks abuse trusted IT software that most security stacks allow by default, leaving defenders blind.

December 5, 2025 · 3 min read
Illustration showing a freight route being redirected through a remote administration session marked as trusted and signed software, highlighting abuse of legitimate remote management tools.

In the last 90 days, organized crime has stolen millions in cargo using a method most defenders still overlook: a simple phishing email. A fake “load packet.” And a legitimate remote-management tool that installs without resistance.

Once the RMM runs, attackers use off-the-shelf credential-recovery utilities such as the NirSoft tools to harvest saved passwords, log into dispatch systems, and quietly reroute entire truckloads to their crews.

No malware. No exploits. Just signed IT tools that Windows and every security tool trusts.

These aren’t random utilities; they come straight out of the abused-RMM catalogues tracked by LOLRMM and other open-source intelligence projects: LogMeIn, SimpleHelp, ScreenConnect, AnyDesk, N-able, Basecamp, etc.

This is the new normal for supply-chain attacks. And traditional security stacks are defenseless against it.

Why Traditional Defenses Fail

Most defenders already recognize the pattern, but the root problem hasn’t changed:

1. EDR is tuned for malice, not legitimacy.

If a binary is signed, behaves exactly as intended, and comes from a tool admins commonly use, EDR sees nothing malicious. Because technically, nothing is.

2. Reputation engines automatically trust common RMMs.

Thousands of organizations rely on these tools daily, so reputation systems green-light them by design.

3. Blocking individual tools is a losing race.

Attackers simply rotate to the next abused remote-access client from the same small pool.

4. These attacks don’t generate anomalies.

They run exactly like IT software is supposed to run, because they are IT software.

This year, Proofpoint, DarkReading, Microsoft, and independent researchers all mapped the same reality: the abuse consistently stays inside a known, finite set of legitimate IT administration tools (remote-access clients, password extractors, diagnostic utilities, and vulnerable drivers).

This predictability is why intelligence-driven allowlisting works and why detection never will.

So the real question is: if your organization doesn’t rely on these tools, why are they allowed to run at all?

How MagicSword Turns Predictability into Prevention

MagicSword isn’t a “default deny everything” solution that would disrupt operations.

Instead, it enforces precision allowlisting built on curated threat intelligence.

We take the known universe of abused administrative tools, the exact categories attackers live inside, and:

  • Block them everywhere by default
  • Allow all legitimate business software to run normally
  • Auto-update policies whenever new abused tools appear

Concretely:

[LOLRMM Intelligence] Every abused RMM tool and its signing certificates: blocked out of the box.

[NirSoft / JoeWare Intelligence] Credential-dumping utilities: stopped before launch.

[SysInternals + Microsoft Block Rules] Dangerous or out-of-policy use of admin tools: denied at the kernel.

[LOLDrivers + Microsoft Vulnerable Driver Blocklist] Weaponized or insecure drivers: rejected at load time.

When the next RMM gets abused, the updated rule hits your policy automatically. No guesswork.

That’s the difference between chasing hashes and blocking the entire abused category.
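The toy policy below, an added illustration that is not MagicSword’s code or policy format, contrasts a per-hash blocklist with category-based denial driven by a constructed LOLRMM-style feed. Every vendor name, file name and hash in it is a placeholder, and the feed layout is an assumption made for the example.

```python
"""Toy model of intelligence-driven allowlisting for abused admin tools.

Added example, not MagicSword's code. Vendor names, file names, hashes and
the feed layout are constructed placeholders mimicking LOLRMM-style data.
"""
from dataclasses import dataclass

# Constructed feed: abused category -> code-signing subjects and file names.
ABUSED_FEED = {
    "rmm": {
        "publishers": {"Example Remote Vendor A", "Example Remote Vendor B"},
        "files": {"remote_agent.exe", "support_client.exe"},
    },
    "credential_dumper": {
        "publishers": {"Example Utilities Vendor"},
        "files": {"savedpass_view.exe"},
    },
}

# The "chasing hashes" approach: one entry per build already seen in the wild.
HASH_BLOCKLIST = {"sha256-constructed-v1"}


@dataclass(frozen=True)
class ProcessEvent:
    image: str       # file name as launched
    publisher: str   # Authenticode signer subject, "" if unsigned
    sha256: str      # constructed hash of the binary


def hash_policy(ev: ProcessEvent) -> str:
    """Block only builds whose exact hash is already known."""
    return "block" if ev.sha256 in HASH_BLOCKLIST else "allow"


def category_policy(ev: ProcessEvent, feed=ABUSED_FEED, approved=frozenset()):
    """Deny anything in an abused category unless the org explicitly relies on it."""
    if ev.publisher in approved:
        return "allow", "approved publisher"
    for category, ind in feed.items():
        if ev.publisher in ind["publishers"] or ev.image.lower() in ind["files"]:
            return "block", category      # signed or not, the category is denied
    return "allow", "not in an abused category"


def add_to_feed(feed, category, publisher=None, image=None):
    """Feed update: a newly abused tool lands in policy without waiting for a hash."""
    entry = feed.setdefault(category, {"publishers": set(), "files": set()})
    if publisher:
        entry["publishers"].add(publisher)
    if image:
        entry["files"].add(image.lower())
```

A rebuilt binary with a new hash slips past `hash_policy` but is still denied by `category_policy`, while a publisher the organization has approved is allowed through.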

This isn’t “block all.” This is block the right things.

And deployment takes hours, not months. Zero performance impact.

If you protect logistics, manufacturing, distribution, or any environment where dispatchers operate under pressure, you need to know what is allowed to run today.

Living-off-the-land attacks don’t have to win. This ends with us.


Want to keep up with how modern attacks actually work? Subscribe to the MagicSword newsletter for practical research, real-world attack tradecraft, and prevention-focused intelligence from the team tracking abused tools every day.

If you want to see how this intelligence turns into real blocking, stopping abused tools before they execute, you can book a demo here.

Written by Jose Hernandez, Threat Researcher

Jose Enrique Hernandez established Threat Research at Splunk and served as its Director. Jose is known for creating several security-related projects, including Splunk Attack Range, Splunk Security Content, Git-Wild-Hunt, Melting-Cobalt, lolrmm.io and loldrivers.io. He is also a maintainer of industry-critical security repositories such as Atomic Red Team and lolbas-project.github.io.

© 2026 MagicSword. All rights reserved.