Hackers are abusing ConnectWise ScreenConnect, again
The phishing campaign has targeted hundreds of organizations so far
A new spear phishing campaign has targeted more than 900 organizations with fake invitations from platforms like Zoom and Microsoft Teams.
Analysis from Abnormal.ai shows the campaign involves tricking victims into downloading legitimate remote monitoring and management (RMM) software such as ConnectWise ScreenConnect.
Thereafter, attackers are able to assume control of end-user devices and extract sensitive information.
"To manipulate targets into engaging and downloading ScreenConnect, the attackers employ advanced deception techniques built around impressive impersonations and familiar business contexts, effectively creating workflows that align with end-user expectations," researchers said.
"Specific tactics observed include the utilization of compromised legitimate email accounts, AI-generated phishing components, and strategic URL obfuscation methods, as well as the exploitation of trusted business tools such as file-sharing platforms for hosting malicious links."
Initial access comes via phishing emails from compromised accounts, disguised as meeting invitations via trusted entities like Zoom and Microsoft Teams.
Researchers noted the threat actors also incorporate various themes to make these invitations look legitimate, for example, "Meeting Invite - 2024 Tax Organizer".
Targets are then tricked into installing ScreenConnect through AI-generated landing pages, legitimate file-sharing platforms, direct session links, or executable email attachments.
Once installed, ScreenConnect gives the attackers remote access capabilities that enable comprehensive system control equivalent to direct access while avoiding detection due to minimal signal activity.
Attackers then leverage compromised systems for account takeover, including lateral phishing campaigns and credential harvesting. They often use the targetʼs email accounts to target colleagues and business partners with the same techniques.
"This campaign represents a significant evolution in cybercrime tactics," the researchers said.
"The weaponization of a legitimate IT administration tool — one designed to grant IT professionals deep system access for troubleshooting and maintenance — combined with social engineering and convincing business impersonation creates a multi-layered deception that provides attackers with the dual advantage of trust exploitation and security evasion."
How to stay safe
Researchers pointed out that the sophisticated and resilient infrastructure supporting these attacks implies a mature criminal ecosystem, with dark web vendors operating like legitimate software providers.
"The commoditization of advanced attack capabilities —driven by bad actors who profit from widespread tool adoption — has democratized complex cybercrime operations and poses an escalating threat to organizations across all sectors, particularly those with legacy security infrastructure or limited security awareness programs," they said.
The attackers don't appear to be targeting any particular sector, with a fairly even spread across industries. Most victims were based in the US, with Canadian, Australian and UK organizations also affected.
CISOs should deploy AI-powered email security solutions capable of detecting complex social engineering attacks that bypass traditional security controls, and establish comprehensive monitoring for legitimate remote access tools, focusing on unauthorized installations and suspicious usage patterns.
Similarly, researchers urged enterprises to update training programs to address evolving tactics and implement network segmentation and access controls to limit the potential impact of compromised systems with remote access capabilities.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Hackers are targeting Windows Quick Assist remote desktop features to deploy ransomware
- The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employees
- State-sponsored cyber groups are flocking to the 'ClickFix' social engineering technique
-
Terzo taps former Accenture leader to drive channel expansionNews The financial and analytics specialist has named Daniel Haitz as head of strategic partnerships and channel growth
-
Dell Pro 34 Plus P3425WE monitor reviewReviews A classy ultrawide monitor with a business focus – the good image quality, useful features, and solid build are marred only by the high price
-
Two US nationals sentenced for role in prolific fake worker laptop farmsNews The Americans were raising money for the North Korean regime by allowing fake IT workers to appear as legitimate US-based employees
-
Beware of emails threatening a code of conduct reviewNews A widespread phishing campaign has targeted tens of thousands of employees
-
‘The inbox is no longer the only frontline’: Phishing attacks are evolving as cyber criminals ramp up ‘multi-channel’ campaigns over email and Microsoft TeamsNews New research shows threat actors are ramping up “multi-channel” phishing attacks by combining lures via email and Microsoft Teams
-
Tycoon 2FA is down, but not out – researchers warn the phishing as a service operation is still a huge threat to businesses
News Millions of Tycoon 2FA attacks are still hitting businesses, according to research from Barracuda
-
Zephyr Energy hackers swiped £700,000 after redirecting a contractor paymentNews Payment to a Zephyr Energy contractor was siphoned off, but the incident has been contained and new security measures implemented
-
Microsoft and NCSC issue alerts over hacker campaigns targeting WhatsApp, Signal messaging appsNews Microsoft warns about a sophisticated attack that starts with WhatsApp messages, while the NCSC says such incidents are on the rise
-
'AI-generated phishing became the baseline' for hackers last year – Kaseya warns it's going to get worse in 2026News Forget looking for typos and bad grammar, phishing campaigns are using AI to boost their attack success
-
Interpol teams up with tech firms to seize 45,000 malicious IPs, servers in global cyber crime crackdownNews Operation Synergia III saw 94 arrests - and counting - with malicious IP addresses used in phishing and fraud schemes seized
