A new spear phishing campaign has targeted more than 900 organizations with fake invitations from platforms like Zoom and Microsoft Teams.
Analysis from Abnormal.ai shows the campaign involves tricking victims into downloading legitimate remote monitoring and management (RMM) software such as ConnectWise ScreenConnect.
Thereafter, attackers are able to assume control of end-user devices and extract sensitive information.
"To manipulate targets into engaging and downloading ScreenConnect, the attackers employ advanced deception techniques built around impressive impersonations and familiar business contexts, effectively creating workflows that align with end-user expectations," researchers said.
"Specific tactics observed include the utilization of compromised legitimate email accounts, AI-generated phishing components, and strategic URL obfuscation methods, as well as the exploitation of trusted business tools such as file-sharing platforms for hosting malicious links."
Initial access comes via phishing emails from compromised accounts, disguised as meeting invitations via trusted entities like Zoom and Microsoft Teams.
Researchers noted the threat actors also incorporate various themes to make these invitations look legitimate, for example, "Meeting Invite - 2024 Tax Organizer".
Targets are then tricked into installing ScreenConnect through AI-generated landing pages, legitimate file-sharing platforms, direct session links, or executable email attachments.
Once installed, ScreenConnect gives the attackers remote access capabilities that enable comprehensive system control equivalent to direct access while avoiding detection due to minimal signal activity.
Attackers then leverage compromised systems for account takeover, including lateral phishing campaigns and credential harvesting. They often use the targetʼs email accounts to target colleagues and business partners with the same techniques.
"This campaign represents a significant evolution in cybercrime tactics," the researchers said.
"The weaponization of a legitimate IT administration tool — one designed to grant IT professionals deep system access for troubleshooting and maintenance — combined with social engineering and convincing business impersonation creates a multi-layered deception that provides attackers with the dual advantage of trust exploitation and security evasion."
How to stay safe
Researchers pointed out that the sophisticated and resilient infrastructure supporting these attacks implies a mature criminal ecosystem, with dark web vendors operating like legitimate software providers.
"The commoditization of advanced attack capabilities —driven by bad actors who profit from widespread tool adoption — has democratized complex cybercrime operations and poses an escalating threat to organizations across all sectors, particularly those with legacy security infrastructure or limited security awareness programs," they said.
The attackers don't appear to be targeting any particular sector, with a fairly even spread across industries. Most victims were based in the US, with Canadian, Australian and UK organizations also affected.
CISOs should deploy AI-powered email security solutions capable of detecting complex social engineering attacks that bypass traditional security controls, and establish comprehensive monitoring for legitimate remote access tools, focusing on unauthorized installations and suspicious usage patterns.
Similarly, researchers urged enterprises to update training programs to address evolving tactics and implement network segmentation and access controls to limit the potential impact of compromised systems with remote access capabilities.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Hackers are targeting Windows Quick Assist remote desktop features to deploy ransomware
- The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employees
- State-sponsored cyber groups are flocking to the 'ClickFix' social engineering technique
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Nasuni targets fresh growth under revamped leadership teamNews The unified file data platform provider has announced a trio of executive hires as the firm looks to strengthen its standing in the enterprise AI era
-
A notorious hacker group is ramping up cloud-based ransomware attacks
News The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
AI means cyber teams are rethinking their approach to insider threatsNews Nearly two-thirds of European cybersecurity professionals see insider threats as their biggest security risk – and AI is making things worse.
-
74% of companies admit insecure code caused a security breachNews A large number of data breaches are linked to insecure code, prompting calls for better training
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
Cyber pros say the buck stops with the board when it comes to security failingsNews Fines, sanctions, and even prosecution are all on the table when it comes to cyber failings, practitioners believe
-
Microsoft quietly launched an AI agent that can detect and reverse engineer malwareNews Researchers say the tool is already achieving the “gold standard” in malware classification
-
Employee distraction is now your biggest cybersecurity riskNews Workplace distraction is the top reason organizations fall victim to cyber attacks, according to new research.
-
Apple just released an emergency patch for a zero-day exploited in the wild – here’s why you need to update nowNews Apple is warning millions of users of iPhones, iPads and Macs to update their software to protect against an out-of-bounds write vulnerability
