A new report out today from human behavior security company Abnormal AI Inc. details how attackers are currently exploiting the trust users place in everyday workplace communications to deliver remote access malware.
The report describes an ongoing campaign that uses convincing impersonations of videoconferencing platforms such as Zoom and Microsoft Teams to trick users into installing ConnectWise ScreenConnect, a legitimate remote monitoring and management tool that, once connected to an attacker-controlled instance, gives adversaries full control over victim systems.
Phishing schemes are far from new, but what makes this operation interesting is the shift in tactics: targets are persuaded to install what they believe is standard business software. The emails are sent from compromised accounts, which lends them authenticity, and they include timely hooks such as tax season or meeting invitations.
Once the target clicks through on the phishing email, they are redirected to artificial intelligence-generated phishing pages or file-sharing platforms that deliver ScreenConnect. In some cases, links lead directly to live ScreenConnect sessions, bypassing installation entirely.
Social engineering isn’t the only method used by the attackers in the campaign. Obfuscation techniques such as SendGrid domain wrapping, open redirect abuse and hosting on Cloudflare Workers have been used to disguise malicious links. The report notes that these are difficult for even advanced detection systems to catch, because the traffic appears to originate from trusted providers and the visible domain is not the one that ultimately serves the payload.
Another technique involves segmenting links with base64 encoding, so that the final destination never appears in the clear and signature-based security tools are evaded as well.
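The wrapping techniques above can be peeled back statically, which is the check a mail-security engineer would want: compare the host a user (and a reputation filter) sees with the host that finally serves the page. The following is an added example, not code from the Abnormal AI report. The wrapping patterns it handles (a tracking or redirect host forwarding to a URL carried in a query parameter, in the clear or base64-encoded, and a link hidden as base64 split across several path segments) are assumptions based on the article's description, and every URL in it is constructed.

```python
"""Peel wrapped, redirected and base64-segmented links back to their landing URL.

Added example; not code from the Abnormal AI report. The wrapping patterns
handled here are assumptions based on the article's description, and all
sample URLs are constructed.
"""
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse

# A path/query segment that is plausibly base64 (standard or URL-safe alphabet).
B64LIKE = re.compile(r"^[A-Za-z0-9+/_-]{4,}={0,2}$")
# What a decoded payload must look like before it is accepted as a link.
URLISH = re.compile(r"^(https?://)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+(/\S*)?$")
MAX_HOPS = 10


def _try_b64(token: str) -> Optional[str]:
    """Decode token as base64; return the plaintext only if it looks like a URL or host."""
    s = token.replace("-", "+").replace("_", "/").rstrip("=")
    s += "=" * (-len(s) % 4)
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return text if URLISH.match(text) else None


def _with_scheme(u: str) -> str:
    return u if u.startswith(("http://", "https://")) else "https://" + u


def _next_hop(url: str) -> Optional[str]:
    """Return the URL this one forwards to, or None if it looks like a final landing page."""
    p = urlparse(url)
    # 1) Open-redirect / click-tracking style: the destination sits in a query parameter,
    #    either in the clear (?url=https://...) or base64-encoded (?next=aHR0cHM6...).
    for values in parse_qs(p.query).values():
        for v in values:
            if v.startswith(("http://", "https://")):
                return v
            hit = _try_b64(v)
            if hit:
                return _with_scheme(hit)
    # 2) A full URL embedded in the path (/redirect/https://...).
    m = re.search(r"https?://", p.path[1:])
    if m:
        return p.path[1 + m.start():]
    # 3) Base64 "segmenting": the encoded link is split over several path segments, so try
    #    the segments joined back together first, then each one on its own.
    segs = [s for s in p.path.split("/") if B64LIKE.match(s)]
    for cand in ["".join(segs)] + segs:
        hit = _try_b64(cand)
        if hit:
            return _with_scheme(hit)
    return None


def unwrap(url: str, max_hops: int = MAX_HOPS) -> list:
    """Follow the static unwrapping until no further destination can be recovered."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = _next_hop(chain[-1])
        if not nxt or nxt in chain:      # nothing more, or a redirect loop
            break
        chain.append(nxt)
    return chain


def assess(url: str) -> dict:
    """Compare the host that is visible in the email with the host that finally serves the page."""
    chain = unwrap(url)
    visible, final = urlparse(chain[0]).hostname, urlparse(chain[-1]).hostname
    return {"chain": chain, "visible_host": visible, "final_host": final,
            "hops": len(chain) - 1, "masked": visible != final}


# ---- constructed samples (not from the report) ---------------------------------------
def _b64url(s: str) -> str:
    return base64.urlsafe_b64encode(s.encode()).decode()

# Landing pages standing in for the phishing page / file share that delivers the installer.
FINAL = "https://meeting-invite.example/join"
FINAL2 = "https://files.example.com/d/ZoomUpdate-Setup.exe"

# Tracking host -> open redirect -> base64-encoded landing page.
SAMPLE_WRAPPED = "https://mail-relay.example.net/track?url=" + quote(
    "https://redirect.example.org/out?next=" + _b64url(FINAL), safe="")

# Worker-style host with the landing page base64-encoded and split into 8-char path segments.
_enc = _b64url(FINAL2)
SAMPLE_SEGMENTED = "https://relay.example.workers.dev/" + "/".join(
    _enc[i:i + 8] for i in range(0, len(_enc), 8))

if __name__ == "__main__":
    for u in (SAMPLE_WRAPPED, SAMPLE_SEGMENTED, FINAL):
        r = assess(u)
        print(f"{r['visible_host']} -> {r['final_host']}  hops={r['hops']} masked={r['masked']}")
```

A `masked` result on its own is not proof of malice (marketing click-tracking produces it too); the point is that a reputation check on the visible host says nothing about the final one, so the landing host is what should be scored and logged. Vendor click-tracking links whose destination is stored server-side rather than in the link itself cannot be resolved this way and have to be followed in a sandbox, which this offline example deliberately does not do.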
Once installed, ScreenConnect gives the attackers administrator-level access and allows them to move laterally, harvest credentials and launch secondary phishing campaigns from inside compromised environments. Abnormal AI’s researchers observed adversaries inserting malicious links into ongoing email threads, making the attacks appear as natural continuations of legitimate business discussions.
The methodology is also proving popular among hacking communities, with the report detailing how dark web vendors are selling prepackaged “ScreenConnect Revolution” kits that include hidden VNC (hVNC) capabilities, Windows Defender bypasses and session restoration features.
Some sellers were found to be offering turnkey deployments for as little as $6,000, complete with training and after-sales support, effectively offering remote access trojans-as-a-service. Other sellers were found to be offering access to already compromised networks with hundreds of connected hosts, priced between $500 and $2,000 per network.
The researchers estimate that there are more than 900 organizations that have been targeted across education, religious institutions, healthcare, financial services, insurance and technology. Though most victims are in the U.S., organizations in Canada, the U.K. and Australia were also affected.
“This campaign serves as a critical reminder that modern threats increasingly weaponize trusted systems rather than circumvent them,” the report concludes.
Abnormal’s researchers recommended enterprises adopt defenses including AI-powered email security, enhanced endpoint monitoring for unauthorized remote tools and zero-trust architectures, along with updating awareness training so staff know what to look for.
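The endpoint-monitoring recommendation above, and the post-install behaviour described earlier, both come down to one question: is this ScreenConnect client talking to the organisation's own instance, or to someone else's? The following is an added example, not code from the Abnormal AI report or from ConnectWise. It assumes a process-creation feed that carries the image path and command line (Sysmon Event ID 1 or comparable EDR telemetry), that the ScreenConnect client binaries are named ScreenConnect.ClientService.exe and ScreenConnect.WindowsClient.exe, and that the client command line names its relay host in an `h=` parameter; treat those names as assumptions to verify against your own deployment. The approved relay and all sample events are constructed.

```python
"""Flag ScreenConnect (and other remote-access) clients the organisation did not deploy.

Added example; not code from Abnormal AI or ConnectWise. Binary names, the h=
command-line parameter, the approved relay and the sample events are assumptions
/ constructed data for illustration.
"""
import re
from urllib.parse import parse_qs

# Relay host(s) of the organisation's own ScreenConnect instance (assumption).
APPROVED_RELAYS = {"relay.corp.example"}
# Client binaries that indicate a ScreenConnect session (assumed names, lower-cased).
SCREENCONNECT_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
# Other remote-access tools not approved in this (constructed) environment.
OTHER_RMM_IMAGES = {"anydesk.exe", "teamviewer.exe"}
# A client launched from a user-writable location (e.g. a "live session" client run
# straight from Downloads) rather than an installed service path.
USER_PATH = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata)\\|\\temp\\")


def relay_host(cmdline: str):
    """Pull the relay host out of the client's '?e=...&h=<host>&p=<port>...' argument."""
    m = re.search(r'\?([^"\s]+)', cmdline)
    if not m:
        return None
    return (parse_qs(m.group(1)).get("h") or [None])[0]


def evaluate(event: dict) -> list:
    """Return a list of findings (empty means nothing suspicious) for one process event."""
    image = event["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    findings = []
    if name in SCREENCONNECT_IMAGES:
        host = relay_host(event["cmdline"])
        if host is None:
            findings.append("screenconnect: relay host not found in command line")
        elif host.lower() not in APPROVED_RELAYS:
            findings.append(f"screenconnect: unapproved relay {host}")
        if USER_PATH.search(image):
            findings.append("screenconnect: client running from a user-writable path")
    elif name in OTHER_RMM_IMAGES:
        findings.append(f"unapproved remote tool {name}")
    return findings


def triage(events) -> list:
    """(host, user, finding) tuples for every event that needs a look."""
    return [(e["host"], e["user"], f) for e in events for f in evaluate(e)]


# ---- constructed process-creation events (not real telemetry) -------------------------
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",                       # IT's own deployment: fine
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe" '
                r'"?e=Access&y=Guest&h=relay.corp.example&p=8041&s=00000000-0000-0000-0000-000000000001"'},
    {"host": "WS02", "user": "CORP\\asmith",                     # installed, but foreign relay
     "image": r"C:\Program Files (x86)\ScreenConnect Client (9f3e77)\ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (9f3e77)\ScreenConnect.ClientService.exe" '
                r'"?e=Access&y=Guest&h=relay-9f3.example.net&p=8041&s=00000000-0000-0000-0000-000000000002"'},
    {"host": "WS03", "user": "CORP\\bwong",                      # "live session" client from Downloads
     "image": r"C:\Users\bwong\Downloads\ScreenConnect.WindowsClient.exe",
     "cmdline": r'"C:\Users\bwong\Downloads\ScreenConnect.WindowsClient.exe" '
                r'"?e=Support&y=Guest&h=meet.example-teams.net&p=443&s=00000000-0000-0000-0000-000000000003"'},
    {"host": "WS03", "user": "CORP\\bwong",                      # another remote tool dropped in Temp
     "image": r"C:\Users\bwong\AppData\Local\Temp\AnyDesk.exe",
     "cmdline": r'"C:\Users\bwong\AppData\Local\Temp\AnyDesk.exe"'},
    {"host": "WS04", "user": "CORP\\clee",                       # unrelated process: ignored
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"'},
]

if __name__ == "__main__":
    for host, user, finding in triage(SAMPLE_EVENTS):
        print(f"{host:5} {user:14} {finding}")
```

Matching on the relay host rather than on the binary alone is what keeps the rule usable: blocking or alerting on every ScreenConnect process would page on the organisation's own helpdesk. In an environment that has not deployed ScreenConnect at all, `APPROVED_RELAYS` is empty and any client is a finding.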