secures $37M Series A to preempt Digital Impersonation & ATO scams   🎉

Research: why fraud prevention must start before login

REMOTE ACCESS FRAUD PROTECTION

Remote Desktop Takeover: How It Works & How to Detect It in Real Time

Enterprise guide to remote desktop takeover: how remote access scams abuse trusted tools, bypass MFA and device checks, and demand real-time detection.

Introduction

Remote desktop takeover attacks now account for some of the largest single-incident fraud losses banks report. The attacker does not always need to steal a password. They convince the victim to grant remote access to a trusted device or active session, then operate through an environment that upstream controls often read as legitimate.

That is the core problem: remote desktop takeover does not need to break your defenses. It exploits a trusted user, a trusted device, and a valid authentication context. MFA may pass because the real user completed it. Device checks may pass because the real device is involved. Transaction monitoring may only react once suspicious activity has already escalated.

This guide covers the full attack kill chain, explains why standard controls struggle at each stage, and details what real-time detection requires to identify remote desktop takeover before it turns into downstream fraud, credential theft, or account takeover.

The Scam That Looks 
Like a Service Call

The call comes from what appears to be a trusted number. The caller knows the customer’s name, last transaction, or account details. There is a security alert on the account: urgent, credible, and completely fabricated.

The customer follows the instructions. They download a legitimate remote access tool such as AnyDesk, TeamViewer, QuickSupport, or LogMeIn. They read out a session code. They watch a supposed support agent navigate their account to “secure it.” Within minutes, the attacker may be positioned to steal credentials, harvest personal data, or initiate unauthorized activity.

Nothing obvious looks wrong. Not to the victim. Not to standard authentication controls. The device is recognized. The credentials are valid. The IP may be residential. MFA may already have passed. Every surface-level signal can point to a legitimate user in a legitimate interaction.

This is remote desktop takeover, a fraud pattern often initiated through a remote access scam. It is one of the fastest-growing fraud vectors because it weaponizes trust rather than technical intrusion. The tool is legitimate. The device is real. The fraudulent element is who is actually controlling the interaction.

What Is Remote Desktop Takeover?

Remote desktop takeover is a scam-based attack where a fraudster manipulates a victim into granting remote access to their device or active session. The attacker often impersonates a trusted entity, such as a bank, technology provider, government agency, courier service, or company representative, then uses a legitimate remote access tool to take control.

In many remote desktop takeover attacks, the victim is an active participant at every step. They download the tool. They grant access. They remain on the phone. They may even complete MFA or approve actions because they believe they are cooperating with a legitimate support or security process.

Three characteristics make remote desktop takeover structurally different from many other attack types:

  • No malicious payload is required. Tools like AnyDesk, TeamViewer, QuickSupport, and LogMeIn are legitimate applications. They may not trigger antivirus, endpoint detection, or malware alerts.
  • The victim grants access. The attacker does not necessarily need to exploit a vulnerability. The victim is manipulated into creating the access path.
  • The attacker operates through a trusted environment. Once access is granted, the attacker may act through the victim’s device, authenticated context, or live interaction.
    The attack does not look like fraud because it is designed not to. That is not a flaw in the technique. That is the technique.

Latest podcast episodes

Podcast

The MemcycoFM Show: Ep 25 – How to Detect Brand Impersonation: Key Signals for Security Teams

Podcast

The MemcycoFM Show: Ep 24 – Real-Time Remote Desktop Takeover Detection and Mitigation

Podcast

The MemcycoFM Show: Ep 23 – Real-Time MitM Protection and ATO Prevention Strategy

Remote Desktop Takeover vs. Remote Access Scam vs. Remote Access Fraud

These terms often overlap, but the distinction is operationally important.

A remote access scam is the social-engineering setup: the impersonation, manufactured urgency, installation of the remote access tool, and handover of device control.

Remote desktop takeover is the control event: the attacker gaining remote control of the victim’s device or active session.

Remote access fraud is the financial crime that follows: unauthorized transfer, credential theft, card data harvesting, theft of PII, or account takeover.

The critical gap is that many organizations only have controls for the fraud outcome. Transaction monitoring, AML rules, and anomaly detection often fire downstream of the takeover event itself. By the time those systems trigger, the attacker may already have controlled the interaction.

Closing that gap means detecting remote desktop takeover risk while the attack is active, not only investigating its consequences.

The Tools Scammers Use: AnyDesk, TeamViewer, QuickSupport, and LogMeIn

Many attackers do not use custom malware because they do not need to. AnyDesk, TeamViewer, QuickSupport, LogMeIn, Zoho Assist, and similar tools provide a ready-made path to remote control.

Attackers favor these tools for three reasons.

Trust

These tools are used by legitimate IT and support teams. Victims may recognize the names, and enterprise security systems may treat them as normal software.

Accessibility

Many remote access tools are easy to download, simple to install, and designed to connect quickly through a session code or access request.

Low technical friction

The victim does much of the work. The attacker only needs to guide them through the process and keep them engaged.

The tool is not inherently the threat. The risk comes from how attackers abuse trusted remote access workflows.

How Remote Desktop Takeover Works: The 5-Stage Kill Chain

Every stage of a remote desktop takeover attack is engineered to look routine. No obvious malware drop. No unusual login from an unknown geography. No attacker device directly entering the account. The attack moves through five stages, and each one exploits a different blind spot.

Stage 1: Impersonation and the Fake Alert

The attack often begins with impersonation. The victim receives a call, message, browser pop-up, fake support prompt, or delivery notification that appears to come from a trusted entity.

The pretext varies:

  • A bank security alert
  • A fake tech support warning
  • A courier delivery issue
  • A government or tax notification
  • A company support call
  • A fraud prevention message

At this stage, no protected session may exist yet. The attacker is still building trust and urgency.

Stage 2: Social Engineering and Manufactured Urgency

Once the victim engages, the attacker applies pressure. They may claim that the account is compromised, the device is infected, a payment is pending, or urgent verification is required.

The instructions are deliberate:

  • Do not hang up
  • Do not call the bank back
  • Do not tell anyone
  • Follow the steps immediately
  • Download the tool from the official website
  • Read out the access code

The attacker’s goal is to isolate the victim and move them quickly from concern to compliance.

Stage 3: Legitimate Tool,
Illegitimate Purpose

The attacker directs the victim to install or open a legitimate remote access tool. The download may come from the official vendor website. There may be no spoofed domain, malicious attachment, or suspicious executable.

The victim grants access. The attacker joins the remote session. From many monitoring perspectives, nothing obviously malicious has happened. The software is legitimate. The device is recognized. The activity appears user-initiated.

This is where the trust trap closes.

Stage 4: Remote Control During
a Trusted Interaction

Once the attacker has remote access, they can guide or manipulate activity through the victim’s trusted device and authenticated environment. The device is recognized, the credentials may be valid, and the interaction can appear legitimate to standard controls.

The attacker may keep the victim occupied, direct them through steps, request approvals, or manipulate what the victim sees. Depending on the scenario, the attacker may attempt to steal credentials, harvest card data, capture personal information, initiate unauthorized actions, or prepare downstream account takeover.

Industry approaches to remote desktop takeover detection may evaluate behavioral, technical, and session-context indicators. The important point is timing: these signals are most valuable when correlated in real time, while the risk is active, rather than after downstream fraud has already occurred.

Stage 5: Account Takeover, Data
Theft, and Downstream Fraud

The remote session may end, but the impact can continue.

Attackers may use the access window to capture credentials, payment data, personal information, or authentication details. They may attempt to change account details, reset passwords, add beneficiaries, or prepare downstream replay attempts.

A single remote desktop takeover event can become part of a broader ATO pipeline. Credentials or data captured during the event may later be reused across accounts, institutions, or digital services.

That is why detection cannot focus only on the final transaction. The full pipeline matters.

SOLUTION BRIEF

Understand how Memcyco helps neutralize remote access fraud as it starts

Who Remote Desktop Takeover Targets, and Why

Remote desktop takeover is especially damaging in sectors where customer trust, high-value accounts, and urgent service interactions are common.

Banks and Financial Institutions

Banks are prime targets because customers are conditioned to respond quickly to security alerts. A convincing call from a supposed fraud agent can feel legitimate, especially when the attacker references real customer details.

The financial upside is also high. A single successful remote desktop takeover event may enable fund transfers, credential theft, card data exposure, or downstream ATO.

eCommerce and
Delivery

Retail and courier scams often begin with fake delivery notifications, refund issues, or failed payment messages. The attacker’s goal may be stored payment credentials, account access, gift card balances, or personal data.
The pretext changes. The structure does not. The attacker impersonates a trusted entity, manufactures urgency, obtains remote access, and exploits a trusted interaction.

Fintechs and Neobanks

Fintechs and neobanks face similar exposure, especially where instant payments, mobile-first journeys, or thin support models create pressure for fast action. Attackers may impersonate the platform itself, a fraud support team, or a payment security function.

Insurance

Insurance accounts may contain valuable personal data, policy details, and financial information. Attackers can use fake claims support, policy verification, or refund pretexts to move victims into a remote access session.

Telco

Telco accounts are attractive because they can support SIM swap, identity abuse, or downstream financial account takeover. The pretext may be fake tech support, billing support, or device troubleshooting.

The Role of Impersonation in Remote Desktop Takeover

Digital Impersonation is often the structural foundation of remote desktop takeover. Without a convincing trusted-entity pretext, the attacker has little reason to ask the victim to install a remote access tool or hand over control.

That impersonation may involve:

  • Spoofed caller ID
  • Fake support pages
  • Fraud alert messages
  • Fake courier notifications
  • Fake bank security calls
  • Fake technology support pop-ups
  • Lookalike domains or fake landing pages

For detection, this matters because impersonation can provide an earlier warning point. Organizations that can identify abuse of trusted brands, fake digital journeys, or customer-facing impersonation assets may be able to detect that the attack chain has started before the remote access step occurs.

Why Remote Desktop
Takeover Is So Hard to Detect

Here is the uncomfortable truth every fraud leader needs to sit with: remote desktop takeover often does not look like an attack.

It can look like a customer using their own device, on their own network, with valid credentials, in an authenticated interaction. Standard controls evaluate that interaction and may return the same verdict: trusted.

That is not always a tuning problem. It is a structural blind spot in controls built to catch anomalies the attacker has deliberately avoided.

The tool is not inherently the threat. The risk comes from how attackers abuse trusted remote access workflows.

Why MFA Does Not Stop Remote Desktop Takeover

MFA does not fail because attackers always break it. It fails because the victim may complete it.
By the time the attacker gains remote control, the user may have already authenticated. If a step-up challenge appears, the victim may approve it because they believe they are cooperating with a legitimate security process.
This creates a similar trust problem to adversary-in-the-middle attacks: authentication succeeds, but control of the session no longer reflects the legitimate user’s intent.
Stronger authentication is still important. But in remote desktop takeover, authentication alone does not prove that the legitimate user remains in control.

Why Standard Device Fingerprinting and IP Rules Fall Short

Device intelligence tools are built to catch impostors. The problem is that in remote desktop takeover, the attacker may operate through the real user’s device, IP, and authentication context.
The device may match the stored profile. The IP may be the victim’s residential connection. The session may appear familiar.
Many of the signals traditional device fingerprinting is designed to detect may be absent. The attacker is not necessarily trying to look like the victim from a new environment. They are abusing the victim’s actual environment.

Why Transaction Monitoring Often Catches It Too Late

Transaction monitoring is often the last line of defense. In remote desktop takeover, that can leave too little time to intervene.
These systems typically evaluate payment or account activity once it is initiated. That is valuable, but it may be late in the attack sequence. When faster payment rails are involved, response time is even more compressed.
The goal should not be to replace transaction monitoring. It should be to add earlier visibility into the remote takeover risk before downstream fraud escalates.

The Remote Desktop Takeover Exposure Window

The exposure window is the period between the moment attacker-controlled remote access becomes active and the moment the organization can identify and respond to the risk.

In that window, the attacker may attempt to:

  • Capture credentials
  • Harvest card data
  • Steal PII
  • Manipulate account activity
  • Prepare downstream ATO
  • Initiate unauthorized actions
  • Coach the victim through security prompts

Closing this window requires real-time detection that can identify remote desktop takeover risk during live interaction with the protected site, at the individual victim level where applicable.

Real-World Remote Desktop Takeover Examples

Patterns are easier to spot when you have seen them before. These examples represent common remote desktop takeover variants, each distinct in its pretext but similar in structure.

Example 1: The Fake Bank Security Alert

A customer receives a call from someone claiming to be from the bank’s fraud department. The caller says suspicious activity has been detected and the account must be secured immediately.
The customer is instructed to install AnyDesk, read out a session code, and log in to verify the account. The attacker now has remote access to the victim’s device and can guide or manipulate the interaction.
The detection gap: the session may originate from the customer’s recognized device, with valid credentials and a familiar network context.

Example 2: Tech Support Impersonation via TeamViewer

A browser pop-up claims the device is infected and instructs the victim to call a support number. A supposed technician tells the victim to install TeamViewer QuickSupport.
Once connected, the attacker uses familiar operating system screens or warnings to create fear and urgency. They may request payment, guide the victim into a banking session, or capture credentials and account information.
The detection gap: the remote tool is legitimate, the victim initiated the installation, and there may be no malware signature.

Example 3: The Courier and Parcel Delivery Variant

The victim receives a fake delivery message claiming a parcel failed or customs verification is required. They are directed to a fake site or call center, then instructed to install a remote support tool to complete verification.
Once connected, the attacker may guide the victim through a payment, identity check, or account login.
The detection gap: the social engineering happens outside the bank’s environment. By the time the protected site is involved, the victim may already be under attacker guidance.

Example 4: Remote Desktop Takeover-to-ATO Credential Replay Pipeline

A remote desktop takeover event rarely has to end with one account. During the interaction, the attacker may capture credentials, card data, PII, or other information that can be reused later.
Those details may feed credential replay, credential stuffing, or downstream ATO attempts across unrelated services.
Scoping detection only to the initial remote access event can miss the broader ATO and credential replay pipeline.

Dive deeper into Remote Desktop Takeover attacks

Blog

How Threat Intelligence Automation Helps Security Teams Prioritize External Threats

Blog

How Brand Impersonation Leads to Account Takeover (ATO)

Blog

What Is Agentic Threat Intelligence?

Remote Desktop Takeover Detection: What Good
Actually Looks Like

Most fraud teams think of detection as catching a bad transaction. With remote desktop takeover, that framing is incomplete.
By the time a suspicious transaction triggers a rule, the attacker may already have controlled the interaction. Effective remote desktop takeover detection is not only about the transaction. It is about identifying when control of a trusted interaction appears to shift from the legitimate user to a remote third party.

Real-Time Detection vs. Post-Transaction
Detection: Why Timing Is Everything

Post-transaction detection asks: what happened?
Real-time remote desktop takeover detection asks: is this trusted-looking interaction showing signs of attacker-controlled remote access right now?
That difference matters. Earlier detection creates more room for intervention. Later detection mainly supports investigation, reimbursement, and recovery.

Key Signals That Can Indicate Remote
Desktop Takeover in Progress

Remote desktop takeover can leave distinct technical, behavioral, and session-context signals. If they are correlated in real time, they can support earlier detection.

Examples may include:

  • Remote-control indicators
  • Device or session inconsistencies
  • Abnormal interaction patterns
  • Unusual timing or flow characteristics
  • Known fraud or impersonation context
  • Signals connected to prior exposure or suspicious access

No single signal is conclusive in isolation. The value comes from correlating high-confidence indicators in real time, while the risk is active, so fraud and security teams have more time to respond.

What Real-Time Victim-Level
Visibility Means

Victim-level visibility means connecting remote desktop takeover risk to the specific affected user or account in real time, while the risk is active, not only after downstream fraud has occurred.

That distinction matters operationally. Without victim-level visibility, teams may only have broad risk scores, transaction alerts, or post-event evidence. With victim-level visibility, fraud and security teams can take more precise, targeted action against the specific user or interaction showing signs of attacker-controlled access.

How Memcyco Detects and Disrupts Remote Desktop Takeover in Real Time

Most detection approaches ask the wrong question. They ask: “Did this transaction look suspicious?” Memcyco asks whether a trusted-looking interaction shows signs of remote attacker control in real time.

That shift creates an earlier intervention point before remote desktop takeover escalates into ATO, credential theft, card data exposure, or financial loss.

Detecting Remote Desktop Takeover During
Live Interaction

Most detection tools wait for a suspicious transaction or post-event investigation. Memcyco detects signs of remote desktop takeover during live interaction with the protected site.

Memcyco detects remote desktop takeover in real time when attacker-controlled access interacts with a protected site. It uses real-time session and device telemetry to surface suspicious remote-control indicators, alert fraud and security teams, and support targeted protective actions through existing workflows.

This is different from approaches that rely only on post-transaction rules or user-reported fraud. Memcyco correlates remote-control indicators with device, session, authentication, and fraud context to identify high-risk interactions in real time.

The result:
O rganizations can be alerted while the risk is active, giving fraud and security teams more time to investigate and trigger targeted protective actions before downstream fraud escalates.

Memcyco’s Detection Approach: Why the
Timing Is Different

Most detection controls watch the perimeter, authentication event, or transaction. Memcyco detects remote desktop takeover where it creates business risk: during live interaction with the protected site.

Memcyco uses real-time session and device telemetry to identify suspicious remote-control indicators, even when the device, credentials, and IP appear legitimate.

Memcyco deploys agentlessly and integrates into existing fraud and security workflows through dashboards and APIs.

This helps surface high-risk interactions that standard controls may treat as legitimate because the user, device, and authentication context appear trusted.

The result:
Is real-time remote desktop takeover detection without requiring the victim to change behavior or install anything on their device.

From Detection to Disruption: Acting Before
Risk Escalates

Detection alone is not enough. The value comes from enabling targeted protective action while the risk is active.

When Memcyco surfaces high-confidence remote desktop takeover risk, it alerts the organization and supports targeted protective actions through existing workflows. These actions may include targeted warnings, escalation to fraud teams, risk signal enrichment, or blocking sensitive actions through the organization’s existing systems.

Where credential exposure is detected or suspected, marked decoy credentials can help disrupt downstream replay attempts and create a forensic trail.

This supports two outcomes:

  • Workflow disruption: Targeted protective actions and decoy data can help interrupt the attacker’s execution path and create more time for intervention.
  • Forensic correlation: When marked decoy credentials appear in downstream replay attempts, they can help correlate later ATO activity back to the original exposure.

Protective actions should be risk-based and targeted, helping organizations respond to high-confidence remote desktop takeover signals while minimizing unnecessary friction for legitimate customers.

Real-Time Detection, Targeted Response: The
Measurable Outcome

Memcyco supports near-real-time detection for remote desktop takeover risk during live interaction with the protected site.

The downstream impact can include:

  • Reduced ATO exposure
  • Shorter investigation times
  • More precise victim-level response
  • Better fraud and SOC signal quality
  • Fewer support escalations
  • Stronger customer trust
  • Less reliance on post-event investigation alone

Remote desktop takeover risk is surfaced while the attack is active, not only after downstream fraud has occurred.

Remote Desktop Takeover Protection: What to Look for in a Solution

Most fraud stacks were not built to catch a threat where the user, device, and credentials can all appear legitimate. Before evaluating a remote desktop takeover protection solution, use these capabilities as a baseline.

Capability 1: Real-Time Detection, Not Only Post-Transaction Flagging

Ask any vendor: when does your solution generate a detection signal?
If the answer is only after a suspicious transaction is initiated, that is late-stage detection. It may support investigation, but it may not create enough time to intervene.
The baseline requirement is real-time detection while the risk is active, before downstream fraud, credential theft, or account takeover escalates.

Capability 2: Individual Victim Identification in Real Time

Aggregate risk scoring tells you that something may be suspicious. It does not always tell you who is being targeted right now.
Ask vendors directly: can your solution identify the specific user session showing signs of remote desktop takeover during the active event?
Individual victim identification enables more precise response, such as targeted warnings, account-specific investigation, or risk-based action.

Capability 3: Agentless Deployment

Customer-facing remote desktop takeover detection cannot depend on installing software on customer devices.
Organizations do not control customer endpoints. They cannot require every customer to install an agent, extension, or support component before a scam occurs.
Agentless deployment is a baseline requirement for scalable customer-facing protection.

Capability 4: Integration with Existing Fraud and Security Workflows

Detection that does not feed existing workflows creates another silo.
Ask vendors whether their signals can integrate with fraud platforms, authentication systems, SIEM tools, SOC workflows, dashboards, and APIs.
The goal is not just to generate another alert. It is to support faster, more targeted response using the systems teams already operate.

Capability 5: Targeted Disruption and Decoy Data

Detection without action is incomplete. Ask vendors whether their solution can support protective actions while the risk is active.
The capability that matters is targeted disruption. Marked decoy data can help disrupt downstream replay attempts, create forensic intelligence, and connect later ATO attempts to the original exposure.

Capability 6: Remote Desktop Takeover-to-ATO Pipeline Visibility

A solution that only catches one event may miss where the attack starts and where it ends.
Remote desktop takeover may begin with impersonation and end with credential replay, card data theft, PII exposure, account takeover, or unauthorized payment activity.
Full pipeline coverage helps teams connect the remote takeover event to downstream abuse and respond with better context.

Conclusion

Remote desktop takeover defeats standard controls by design. The device may be genuine. The credentials may be valid. MFA may have passed. The interaction may appear legitimate.

Stopping this attack requires detecting signs of remote attacker control in real time, not relying only on logs or transaction alerts after fraud escalates.

The control point is the live interaction where trusted-looking access becomes business risk.

See How Memcyco Detects and Disrupts Remote Desktop Takeover in Real Time

Remote desktop takeover is designed to look legitimate across the layers your current controls monitor. Memcyco detects suspicious remote-control indicators in real time when attacker-controlled access interacts with a protected site, helping fraud and security teams respond before downstream ATO, credential theft, or financial loss escalates.

Fight real-time phishing, with advanced 
Remote Desktop Access protection

Reduce ATOs 

by at least 

50%

Reduce mean time 

to detection to

Zero

Slash incident-related
expenses by

$Millions

Already solved MitM attacks? Solve more

Account takeover (ATO)

Keep customer accounts safer and auto-lock fraudsters out

Digital Impersonation

Detect impersonation scams in real-time from their inception
Credit card scams

Credit card scams

Keep customer card data safer and lock fraudsters out of accounts
SEO poisoning scams

SEO poisoning scams

Disarm SEO poisoning, reclaim your revenue
Credential Stuffing

Credential Stuffing

Detect credential stuffing earlier and more accurately versus server-based detection and expose threat actors
Fake courier scams

Fake courier scams

Get control of one of the most common fishing-related scams around

Remote desktop takeover

Fraudsters exploit remote access tools and legitimate-looking sessions to achieve ATO
Higher education IP theft

Higher education IP theft

Prevent theft of academic research and other intellectual property
Fake gift card scams

Fake e-shops, purchase 
scams, gift card scams

Prevent revenue loss, customer churn and brand reputation damages
Charity scams

Charity scams

Preserve trust in secure donations that go to the right people

TIME FOR A DEMO?

Discover the ‘nano defenders’ in Memcyco’s secret sauce

Find out how Memcyco’s real-time digital risk protection is saving global enterprises millions

Frequently asked questions

Can remote desktop takeover be detected without blocking legitimate tools like AnyDesk or TeamViewer?

Yes. Blocking remote access tools entirely would disrupt legitimate IT support operations and is not a viable enterprise strategy. Effective detection focuses on real-time indicators that suggest remote-control abuse during interaction with a protected site. This helps organizations identify attacker-controlled access without blocking legitimate remote support tools outright.

What is the difference between remote desktop takeover and phishing?

Phishing usually tricks the victim into entering credentials on a fake site, giving the attacker data they can reuse later. Remote desktop takeover gives the attacker live control of the victim’s device or active session. The attacker may not need the victim’s password because they can operate through a trusted, already-authenticated environment in real time.

How can I tell if a customer is experiencing remote desktop takeover right now?

Possible indicators include remote-control artifacts, suspicious interaction patterns, unusual session context, and signals that suggest a trusted-looking interaction may be under third-party control. Real-time detection platforms can correlate these indicators while the risk is active, helping organizations identify the affected user and respond faster.

Do remote desktop takeover attackers need the victim’s password?

Not always. In many remote desktop takeover attacks, the attacker operates through the victim’s already-authenticated environment, which is why MFA and password controls alone may not stop the attack

Why does remote desktop takeover bypass multi-factor authentication?

MFA verifies that the legitimate user is present at authentication, but it does not necessarily prove that the legitimate user remains in control throughout the interaction. In remote desktop takeover, the victim may complete MFA normally, then hand control of the trusted environment to the attacker.

What should enterprises look for in remote desktop takeover detection?

Enterprises should look for real-time detection, victim-level visibility, agentless deployment, integration with existing fraud and security workflows, targeted protective actions, and coverage across the remote desktop takeover-to-ATO pipeline.