{"id":2510,"date":"2025-08-27T08:53:42","date_gmt":"2025-08-27T08:53:42","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/08\/27\/new-phishing-campaign-abuses-connectwise-screenconnect-to-take-over-devices\/"},"modified":"2025-08-27T08:53:42","modified_gmt":"2025-08-27T08:53:42","slug":"new-phishing-campaign-abuses-connectwise-screenconnect-to-take-over-devices","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/08\/27\/new-phishing-campaign-abuses-connectwise-screenconnect-to-take-over-devices\/","title":{"rendered":"New Phishing Campaign Abuses ConnectWise ScreenConnect to Take Over Devices"},"content":{"rendered":"<div id=\"layout-7b5e4f26-3d10-43a7-8fdc-103370983cf8\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A novel phishing campaign attempts to trick victims into downloading ConnectWise ScreenConnect remote monitoring and management (RMM) software, enabling attackers to take complete control over end-user devices.<\/p>\n<p>A report by Abnormal AI found that the legitimate RMM tool is abused by the threat actors to achieve remote system control and facilitate follow-on attacks, including account takeovers and lateral phishing.<\/p>\n<p>The researchers said the ongoing campaign represents a significant evolution in phishing tactics, which traditionally rely on victims giving up personal information such as credentials and financial details.<\/p>\n<p>\u201cThe weaponization of a legitimate IT administration tool \u2013 one designed to grant IT professionals deep system access for troubleshooting and maintenance \u2013 combined with social engineering and convincing business impersonation creates a multi-layered deception that provides attackers with the dual advantage of trust exploitation and security evasion,\u201d they wrote.<\/p>\n<p>The campaign has so far targeted more than 900 organizations, impacting a broad range of sectors and geographies.<\/p>\n<p>The use of ScreenConnect to support 
the campaign also demonstrates a more mature criminal ecosystem where dark web vendors operate like legitimate software providers, the researchers added.<\/p>\n<p>\u201cCybercriminals can acquire ScreenConnect in numerous forms across forums, encrypted messaging apps and anonymous web pages,\u201d they noted.<\/p>\n<p>As well as focusing on deployment, some of these offerings are focused on resale. For example, vendors have been observed offering domain-admin level ScreenConnect access to networks in Germany, the UK and China, typically including control over 90\u2013345 hosts.<\/p>\n<p><em>Read now: ConnectWise Confirms Hack, \u201cVery Small Number\u201d of Customers Affected<\/em><\/p>\n<h2><strong>A Multi-Stage Attack Chain<\/strong><\/h2>\n<p>The Abnormal AI report, published on August 26, observed that the multi-stage attack begins with a phishing email, which is designed to appear as routine business communications or friendly correspondence.<\/p>\n<p>One commonly used lure is fake Zoom meeting invitations, using timely subject lines such as &#8220;Meeting Invite &#8211; 2024 Tax Organizer SID:80526353241,\u201d tying in tax season relevance to make the message feel genuine.<\/p>\n<p>The emails feature familiar branding and originate from compromised legitimate accounts to increase their credibility and avoid detection.<\/p>\n<p>\u201cIn this particular instance, the attackers appear to have found a real Zoom notification email and modified only the call-to-action (CTA) to further enhance the illusion of authenticity,\u201d the researchers noted.<\/p>\n<p>In one case, the attackers hijacked an ongoing thread that already contained a genuine Zoom meeting invitation to insert a malicious link.<\/p>\n<p>Other phishing lures involve invites to fake MS Teams calls.<\/p>\n<p>Once a link is clicked, the target is redirected to a malicious site where the second stage of the attack is initiated.<\/p>\n<p>This site prompts the user to download what appears to be an 
updated version of the relevant video conferencing platform. Instead, the file is the ScreenConnect RMM software.<\/p>\n<p>Recipients whose organization already has ScreenConnect installed for legitimate purposes are immediately connected to a live ScreenConnect session controlled by the attackers. For targets without existing ScreenConnect installations, clicking these links triggers an automatic download prompt for the ScreenConnect client software.<\/p>\n<p>\u201cThis technique exploits the fact that many organizations already have ScreenConnect installed for legitimate remote support purposes, allowing threat actors to bypass the installation process entirely,\u201d the researchers said.<\/p>\n<h2><strong>Stealthy Post-Compromise Activity<\/strong><\/h2>\n<p>Once downloaded, the threat actors are able to weaponize ScreenConnect\u2019s intended functionality to achieve comprehensive system access equivalent to an IT administrator.<\/p>\n<p>This allows for a wide range of post-compromise activities, including bypassing security controls, navigating file systems, achieving persistent access and exfiltrating sensitive data.<\/p>\n<p>The attackers have also been observed pivoting to lateral phishing campaigns that leverage the compromised environment to compromise additional targets within the organization.<\/p>\n<p>\u201cThey analyze communication patterns, identify high-value targets and craft phishing messages that appear to originate from trusted internal sources,\u201d Abnormal AI wrote.<\/p>\n<p>Many of these phishing emails ultimately aim for additional ScreenConnect deployments across the organization.<\/p>\n<p>By sending phishing emails directly from the target\u2019s account, they can bypass security controls that might flag external phishing attempts.<\/p>\n<h2><strong>How to Defend Against ScreenConnect Abuse<\/strong><\/h2>\n<p>The Abnormal AI researchers urged organizations to take action to address growing abuse of legitimate RMM tools by threat 
actors.<\/p>\n<p>This includes establishing comprehensive monitoring of these tools on the network, focusing on unauthorized installations and suspicious usage patterns.<\/p>\n<p>Additionally, they advised organizations to update training programs to make staff aware of legitimate software abuse, including during phishing attacks.<\/p>\n<p>\u201cThis campaign serves as a critical reminder that modern threats increasingly weaponize trusted systems rather than circumvent them. As a result, defenders must fundamentally reconsider their approach to threat detection and response,\u201d the researchers noted.<\/p>\n<p>Abnormal AI told <em>Infosecurity<\/em> it has not had any communication with ConnectWise regarding the research.<\/p>\n<p><em>Infosecurity<\/em> has contacted ConnectWise for comment on the findings but has not received a response at the time of writing.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A novel phishing campaign attempts to trick victims into downloading ConnectWise ScreenConnect remote monitoring and management (RMM) software, enabling attackers to take complete control over end-user devices. 
A report by Abnormal AI found that the legitimate RMM tool is abused by the threat actors to achieve remote system control and facilitate follow-on attacks, including account<\/p>\n","protected":false},"author":2,"featured_media":2511,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2510","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2510-f610e821-239a-4779-8c83-376f4cbbc4bb.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2510-f610e821-239a-4779-8c83-376f4cbbc4bb-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2510-f610e821-239a-4779-8c83-376f4cbbc4bb.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2510-f610e821-239a-4779-8c83-376f4cbbc4bb.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2510-f610e821-239a-4779-8c83-376f4cbbc4bb.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2510-f610e821-239a-4779-8c83-376f4cbbc4bb.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2510-f610e821-239a-4779-8c83-376f4cbbc4bb.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2510-f610e821-239a-4779-8c83-376f4cbbc4bb.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2510-f610e821-239a-4779-8c83-376f4cbbc4bb.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2510-f610e821-239a-4779-8c83-376f4cbbc4bb.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2510-f610e821-239a-4779-8c83-376f4cbbc4bb-146x146.jpg",146,146,true]},"author_info":{"display
_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2510","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2510"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2510\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2511"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2510"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2510"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2510"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}