A new spear phishing campaign has targeted more than 900 organizations with fake invitations from platforms like Zoom and Microsoft Teams.
Analysis from Abnormal.ai shows the campaign involves tricking victims into downloading legitimate remote monitoring and management (RMM) software such as ConnectWise ScreenConnect.
Thereafter, attackers are able to assume control of end-user devices and extract sensitive information.
"To manipulate targets into engaging and downloading ScreenConnect, the attackers employ advanced deception techniques built around impressive impersonations and familiar business contexts, effectively creating workflows that align with end-user expectations," researchers said.
"Specific tactics observed include the utilization of compromised legitimate email accounts, AI-generated phishing components, and strategic URL obfuscation methods, as well as the exploitation of trusted business tools such as file-sharing platforms for hosting malicious links."
Initial access comes via phishing emails from compromised accounts, disguised as meeting invitations via trusted entities like Zoom and Microsoft Teams.
Researchers noted the threat actors also incorporate various themes to make these invitations look legitimate, for example, "Meeting Invite - 2024 Tax Organizer".
Targets are then tricked into installing ScreenConnect through AI-generated landing pages, legitimate file-sharing platforms, direct session links, or executable email attachments.
Once installed, ScreenConnect gives the attackers remote access capabilities that enable comprehensive system control equivalent to direct access while avoiding detection due to minimal signal activity.
Attackers then leverage compromised systems for account takeover, including lateral phishing campaigns and credential harvesting. They often use the targetʼs email accounts to target colleagues and business partners with the same techniques.
"This campaign represents a significant evolution in cybercrime tactics," the researchers said.
"The weaponization of a legitimate IT administration tool — one designed to grant IT professionals deep system access for troubleshooting and maintenance — combined with social engineering and convincing business impersonation creates a multi-layered deception that provides attackers with the dual advantage of trust exploitation and security evasion."
How to stay safe
Researchers pointed out that the sophisticated and resilient infrastructure supporting these attacks implies a mature criminal ecosystem, with dark web vendors operating like legitimate software providers.
"The commoditization of advanced attack capabilities —driven by bad actors who profit from widespread tool adoption — has democratized complex cybercrime operations and poses an escalating threat to organizations across all sectors, particularly those with legacy security infrastructure or limited security awareness programs," they said.
The attackers don't appear to be targeting any particular sector, with a fairly even spread across industries. Most victims were based in the US, with Canadian, Australian and UK organizations also affected.
CISOs should deploy AI-powered email security solutions capable of detecting complex social engineering attacks that bypass traditional security controls, and establish comprehensive monitoring for legitimate remote access tools, focusing on unauthorized installations and suspicious usage patterns.
Similarly, researchers urged enterprises to update training programs to address evolving tactics and implement network segmentation and access controls to limit the potential impact of compromised systems with remote access capabilities.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Hackers are targeting Windows Quick Assist remote desktop features to deploy ransomware
- The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employees
- State-sponsored cyber groups are flocking to the 'ClickFix' social engineering technique
-
Researchers sound alarm over AI hardware vulnerabilities that expose training dataNews Hackers can abuse flaws in AI accelerators to break AI privacy – and a reliable fix could be years away
-
Are AI PCs becoming the norm?ITPro Podcast As manufacturers increasingly embed NPUs in devices, what are the benefits to businesses?
-
A malicious MCP server is silently stealing user emailsNews Koi Security says it's discovered the first malicious MCP server in the wild, exposing a risk to the entire ecosystem
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
-
Cyber skills shortages are pushing firms into dangerous shortcuts – and it’s putting them at huge risk of security breachesNews Chronic cyber skills shortages mean many businesses are implementing quick fixes
-
Pentesters are now a CISOs best friend as critical vulnerabilities skyrocketNews Attack surfaces are expanding rapidly, but pentesters are here to save the day
-
Hackers are disguising malware as ChatGPT, Microsoft Office, and Google Drive to dupe workersNews Beware of downloading applications like ChatGPT, Microsoft Office applications, and Google Drive through search engines
-
Generative AI attacks are accelerating at an alarming rateNews Two new reports from Gartner highlight the new AI-related pressures companies face, and the tools they are using to counter them
-
A terrifying Microsoft flaw could’ve allowed hackers to compromise ‘every Entra ID tenant in the world’News The Entra ID vulnerability could have allowed full access to virtually all Azure customer accounts
-
‘Channel their curiosity into something meaningful’: Cyber expert warns an uptick of youth hackers should be a ‘wake-up call’ after teens charged over TfL attackNews Encouraging youths to engage in positive tech initiatives will guide them down the right path and away from nefarious activities
