New phishing campaign uses legitimate software to take over devices

 


A new phishing campaign is tricking victims into installing ConnectWise ScreenConnect, a legitimate remote monitoring and management (RMM) tool, allowing attackers to take full control of computers.

According to a report from Abnormal AI, hackers are abusing ScreenConnect to launch follow-up attacks, such as stealing accounts and spreading phishing emails across organizations. Over 900 organizations worldwide have already been targeted.

Unlike traditional phishing attacks that steal passwords or financial data, this campaign uses legitimate software to take over systems. The attackers combine social engineering with trusted branding, often pretending to send Zoom or Microsoft Teams meeting invites.

The emails look real because they often come from compromised accounts and mimic legitimate business communication. Clicking the links leads to a fake download page that installs ScreenConnect disguised as a video conferencing app update.

If the victim’s company already uses ScreenConnect, the attackers can connect immediately without needing to install anything. If not, the link initiates a download of the tool, giving the hackers admin-level access to the system.

Once inside, the attackers can bypass security protections, steal data, monitor or control the system, and send more phishing emails from within the organization.
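The disguise described above leaves a mismatch a defender can look for: the file is named like a Zoom or Teams update while its embedded metadata says ScreenConnect. The following is an added example, not code from Abnormal AI or ConnectWise; it assumes process-creation telemetry with Sysmon-style `Image`, `Product` and `OriginalFileName` fields, and the allow-list, hosts, paths and metadata values are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Brands the article says the lures imitate.
LURE_WORDS = ("zoom", "teams")
# Hypothetical allow-list of hosts where IT has approved ScreenConnect.
SANCTIONED_RMM_HOSTS = {"it-admin-01"}

# Constructed process-creation records. Field names follow Sysmon Event ID 1;
# every host, path and metadata value here is made up for the example.
SC_SERVICE = {
    "Image": r"C:\Program Files (x86)\ScreenConnect Client (example)"
             r"\ScreenConnect.ClientService.exe",
    "Product": "ScreenConnect",
    "OriginalFileName": "ScreenConnect.ClientService.exe",
}
SAMPLE_EVENTS = [
    {"host": "wks-014", "Image": r"C:\Users\amy\Downloads\Teams_Update.exe",
     "Product": "ScreenConnect",
     "OriginalFileName": "ScreenConnect.ClientSetup.exe"},
    {"host": "wks-022", **SC_SERVICE},
    {"host": "it-admin-01", **SC_SERVICE},
    {"host": "wks-014", "Image": r"C:\Users\amy\AppData\Roaming\Zoom\bin\Zoom.exe",
     "Product": "Zoom", "OriginalFileName": "Zoom.exe"},
]

def is_screenconnect(event):
    """True when the binary's embedded metadata identifies it as ScreenConnect."""
    meta = " ".join(event.get(k, "") for k in ("Product", "OriginalFileName"))
    return "screenconnect" in meta.lower()

def classify(event):
    """Return a verdict string for suspicious ScreenConnect activity, else None."""
    if not is_screenconnect(event):
        return None
    # Compare only the file name, so a directory called "Teams" does not match.
    filename = PureWindowsPath(event["Image"]).name.lower()
    if any(word in filename for word in LURE_WORDS):
        return "disguised-installer"   # named like a meeting app, is really RMM
    if event["host"] not in SANCTIONED_RMM_HOSTS:
        return "unsanctioned-rmm"      # RMM tool on a host IT never approved
    return None

def triage(events):
    """Return (host, verdict) pairs for every event that needs review."""
    return [(e["host"], v) for e in events if (v := classify(e))]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS):
        print(host, verdict)
```

The allow-list rule does not cover hosts where ScreenConnect is already sanctioned, which is the case the article says lets attackers connect without installing anything.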

The Mimecast Threat Research Team has recently warned of a separate long-running spear-phishing campaign that is targeting ScreenConnect cloud administrators using fake security alert emails. Each wave targets up to 1,000 accounts, tricking victims into visiting phishing sites that steal login credentials and MFA codes. Once compromised, the accounts are used as initial access points for ransomware attacks.
