Hackers are abusing ConnectWise ScreenConnect, again
The phishing campaign has targeted hundreds of organizations so far
A new spear phishing campaign has targeted more than 900 organizations with fake invitations from platforms like Zoom and Microsoft Teams.
Analysis from Abnormal.ai shows the campaign involves tricking victims into downloading legitimate remote monitoring and management (RMM) software such as ConnectWise ScreenConnect.
Thereafter, attackers are able to assume control of end-user devices and extract sensitive information.
"To manipulate targets into engaging and downloading ScreenConnect, the attackers employ advanced deception techniques built around impressive impersonations and familiar business contexts, effectively creating workflows that align with end-user expectations," researchers said.
"Specific tactics observed include the utilization of compromised legitimate email accounts, AI-generated phishing components, and strategic URL obfuscation methods, as well as the exploitation of trusted business tools such as file-sharing platforms for hosting malicious links."
Initial access comes via phishing emails from compromised accounts, disguised as meeting invitations via trusted entities like Zoom and Microsoft Teams.
Researchers noted the threat actors also incorporate various themes to make these invitations look legitimate, for example, "Meeting Invite - 2024 Tax Organizer".
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Targets are then tricked into installing ScreenConnect through AI-generated landing pages, legitimate file-sharing platforms, direct session links, or executable email attachments.
Once installed, ScreenConnect gives the attackers remote access capabilities that enable comprehensive system control equivalent to direct access while avoiding detection due to minimal signal activity.
Attackers then leverage compromised systems for account takeover, including lateral phishing campaigns and credential harvesting. They often use the targetʼs email accounts to target colleagues and business partners with the same techniques.
"This campaign represents a significant evolution in cybercrime tactics," the researchers said.
"The weaponization of a legitimate IT administration tool — one designed to grant IT professionals deep system access for troubleshooting and maintenance — combined with social engineering and convincing business impersonation creates a multi-layered deception that provides attackers with the dual advantage of trust exploitation and security evasion."
How to stay safe
Researchers pointed out that the sophisticated and resilient infrastructure supporting these attacks implies a mature criminal ecosystem, with dark web vendors operating like legitimate software providers.
"The commoditization of advanced attack capabilities —driven by bad actors who profit from widespread tool adoption — has democratized complex cybercrime operations and poses an escalating threat to organizations across all sectors, particularly those with legacy security infrastructure or limited security awareness programs," they said.
The attackers don't appear to be targeting any particular sector, with a fairly even spread across industries. Most victims were based in the US, with Canadian, Australian and UK organizations also affected.
CISOs should deploy AI-powered email security solutions capable of detecting complex social engineering attacks that bypass traditional security controls, and establish comprehensive monitoring for legitimate remote access tools, focusing on unauthorized installations and suspicious usage patterns.
Similarly, researchers urged enterprises to update training programs to address evolving tactics and implement network segmentation and access controls to limit the potential impact of compromised systems with remote access capabilities.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Hackers are targeting Windows Quick Assist remote desktop features to deploy ransomware
- The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employees
- State-sponsored cyber groups are flocking to the 'ClickFix' social engineering technique
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
The NCSC wants to build an AI-powered 'Cyber Shield' to protect the UK from hackersNews The aim is to create a national, sovereign defence capability to protect government agencies and critical infrastructure
-
IBM targets data center efficiency gains with new z17 and LinuxONE offeringsNews Cost, data center footprint, and performance improvements are coming for IBM Z and LinuxONE customers
-
Multi-channel phishing attacks: How to manage the riskIn-depth Attackers are evolving beyond email towards phishing across multiple channels. Why is this, and what can be done to manage the risk?
-
Hackers are posing as Interpol to target small businesses – here's what you need to knowNews Small businesses are warned to think twice before clicking on links
-
‘Every hour ransomware goes undetected drastically increases its potential blast radius’: Hackers are breaching networks and laying low for longer – and nearly half of firms don’t realize until data is stolenNews An ExtraHop survey found more intrusions are going undetected, leading to longer dwell times
-
‘Hacking groups have the transport network firmly in their sights’: Network Rail is battling a torrent of cyber threatsNews FoI requests have revealed that the rail operator is under increasing attack, as cyber criminals set their sights on the transport sector
-
‘They risk damaging confidence’: A Canadian health board outraged staff with phishing tests offering paid leave – experts say it shows why you need to be careful with cyber awareness campaignsNews Phishing tests require a delicate touch, emulating realism while not “exploiting goodwill”
-
Hackers are capitalizing on AI hype to ramp up social engineering attacks – and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victimsNews Microsoft says cyber criminals are impersonating popular AI platforms to deliver malware
-
Two US nationals sentenced for role in prolific fake worker laptop farmsNews The Americans were raising money for the North Korean regime by allowing fake IT workers to appear as legitimate US-based employees
-
Beware of emails threatening a code of conduct reviewNews A widespread phishing campaign has targeted tens of thousands of employees