Hackers are abusing ConnectWise ScreenConnect, again
The phishing campaign has targeted hundreds of organizations so far
A new spear phishing campaign has targeted more than 900 organizations with fake invitations from platforms like Zoom and Microsoft Teams.
Analysis from Abnormal.ai shows the campaign involves tricking victims into downloading legitimate remote monitoring and management (RMM) software such as ConnectWise ScreenConnect.
Thereafter, attackers are able to assume control of end-user devices and extract sensitive information.
"To manipulate targets into engaging and downloading ScreenConnect, the attackers employ advanced deception techniques built around impressive impersonations and familiar business contexts, effectively creating workflows that align with end-user expectations," researchers said.
"Specific tactics observed include the utilization of compromised legitimate email accounts, AI-generated phishing components, and strategic URL obfuscation methods, as well as the exploitation of trusted business tools such as file-sharing platforms for hosting malicious links."
Initial access comes via phishing emails from compromised accounts, disguised as meeting invitations via trusted entities like Zoom and Microsoft Teams.
Researchers noted the threat actors also incorporate various themes to make these invitations look legitimate, for example, "Meeting Invite - 2024 Tax Organizer".
Targets are then tricked into installing ScreenConnect through AI-generated landing pages, legitimate file-sharing platforms, direct session links, or executable email attachments.
Once installed, ScreenConnect gives the attackers remote access capabilities that enable comprehensive system control equivalent to direct access, while attracting little attention from security tooling because the processes and traffic belong to a legitimate administration tool.
Attackers then leverage compromised systems for account takeover, including lateral phishing campaigns and credential harvesting. They often use the target's email accounts to target colleagues and business partners with the same techniques.
"This campaign represents a significant evolution in cybercrime tactics," the researchers said.
"The weaponization of a legitimate IT administration tool — one designed to grant IT professionals deep system access for troubleshooting and maintenance — combined with social engineering and convincing business impersonation creates a multi-layered deception that provides attackers with the dual advantage of trust exploitation and security evasion."
How to stay safe
Researchers pointed out that the sophisticated and resilient infrastructure supporting these attacks implies a mature criminal ecosystem, with dark web vendors operating like legitimate software providers.
"The commoditization of advanced attack capabilities — driven by bad actors who profit from widespread tool adoption — has democratized complex cybercrime operations and poses an escalating threat to organizations across all sectors, particularly those with legacy security infrastructure or limited security awareness programs," they said.
The attackers don't appear to be targeting any particular sector, with a fairly even spread across industries. Most victims were based in the US, with Canadian, Australian and UK organizations also affected.
CISOs should deploy AI-powered email security solutions capable of detecting complex social engineering attacks that bypass traditional security controls, and establish comprehensive monitoring for legitimate remote access tools, focusing on unauthorized installations and suspicious usage patterns.
Similarly, researchers urged enterprises to update training programs to address evolving tactics and implement network segmentation and access controls to limit the potential impact of compromised systems with remote access capabilities.
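The monitoring the researchers recommend, "focusing on unauthorized installations and suspicious usage patterns", can be approximated with a simple rule over endpoint process-creation telemetry. The following is an added example written for this article and is not code from Abnormal.ai or ConnectWise: it takes constructed process-creation records, recognises ScreenConnect client images, and flags installs that run on hosts outside an IT-approved list, launch from a user-writable folder such as Downloads or Temp, or are spawned by a mail client or browser (the pattern that a meeting-invite lure or direct session link produces). The image names, the approved-host list and the deployment-path policy are assumptions to be adjusted to your own inventory.

```python
"""Flag ScreenConnect installs that do not match the IT deployment policy.

Added example, not part of the original article. Process image names, the
approved host list and the path policy below are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Tuple

# Client image names commonly associated with the ScreenConnect client
# (assumption: confirm against your own software inventory).
RMM_IMAGE = re.compile(
    r"screenconnect\.(clientservice|windowsclient|client|clientsetup)\.exe$", re.I
)

# Hosts where IT deploys ScreenConnect on purpose (constructed allowlist).
APPROVED_HOSTS = {"it-helpdesk-01", "it-helpdesk-02"}

# IT-managed installs do not run from a user's Downloads or Temp folder
# (assumed deployment policy).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.I)

# A mail client or browser as parent means a user clicked something.
MAIL_OR_BROWSER = re.compile(r"^(outlook|chrome|msedge|firefox)\.exe$", re.I)


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str    # full path of the executable that started
    parent: str   # base name of the parent process image


def assess(ev: ProcEvent) -> List[str]:
    """Return the reasons an event looks like an unauthorized RMM install.

    An empty list means either the event is not an RMM client at all or it
    matches the deployment policy on every check.
    """
    if not RMM_IMAGE.search(ev.image):
        return []
    reasons = []
    if ev.host.lower() not in APPROVED_HOSTS:
        reasons.append("host not in approved RMM deployment list")
    if USER_WRITABLE.search(ev.image):
        reasons.append("launched from user-writable location")
    if MAIL_OR_BROWSER.match(ev.parent):
        reasons.append(f"spawned by mail/browser client ({ev.parent})")
    return reasons


def scan(events: List[ProcEvent]) -> List[Tuple[ProcEvent, List[str]]]:
    """Return every event that triggered at least one reason, with its reasons."""
    hits = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry: one sanctioned install, two user-initiated
# installs of the kind described in the campaign, and one unrelated process.
SAMPLE_EVENTS = [
    ProcEvent("it-helpdesk-01", "svc_rmm",
              r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
              "services.exe"),
    ProcEvent("ws-finance-17", "jdoe",
              r"C:\Users\jdoe\Downloads\ScreenConnect.Client.exe", "msedge.exe"),
    ProcEvent("ws-hr-03", "mlee", r"C:\Windows\System32\notepad.exe", "explorer.exe"),
    ProcEvent("ws-sales-08", "asmith",
              r"C:\Users\asmith\AppData\Local\Temp\ScreenConnect.WindowsClient.exe",
              "outlook.exe"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(f"{ev.host} ({ev.user}): {ev.image}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the constructed records, the helpdesk install produces no alert, while the two installs that started from Downloads or Temp under a browser or Outlook parent are each flagged on all three checks. In production the same three questions (is this host supposed to have the tool, where did the binary come from, what launched it) map onto whatever your EDR or Sysmon pipeline records, and the allowlist is what turns a noisy "RMM seen" rule into a usable "unauthorized RMM" one.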
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.