New Phishing Campaign Abuses ConnectWise ScreenConnect to Take Over Devices
A novel phishing campaign is attempting to trick victims into downloading ConnectWise ScreenConnect remote monitoring and management (RMM) software, enabling attackers to take complete control over end-user devices. A report by Abnormal AI found that the legitimate RMM tool is abused by the threat actors to achieve remote system control and facilitate follow-on attacks, including account takeovers and lateral phishing.
The ongoing campaign represents a significant evolution in phishing tactics, which traditionally rely on victims giving up personal information such as credentials and financial details. "The weaponization of a legitimate IT administration tool – one designed to grant IT professionals deep system access for troubleshooting and maintenance – combined with social engineering and convincing business impersonation creates a multi-layered deception that provides attackers with the dual advantage of trust exploitation and security evasion," said the researchers.
The campaign has so far targeted more than 900 organizations, impacting a broad range of sectors and geographies. The use of ScreenConnect to support the campaign also demonstrates a more mature criminal ecosystem where dark web vendors operate like legitimate software providers. "Cybercriminals can acquire ScreenConnect in numerous forms across forums, encrypted messaging apps and anonymous web pages," they noted.
The multi-stage attack begins with a phishing email, which is designed to appear as routine business communications or friendly correspondence. One commonly used lure is fake Zoom meeting invitations, using timely subject lines such as "Meeting Invite - 2024 Tax Organizer SID:80526353241," tying in tax season relevance to make the message feel genuine.
The emails feature familiar branding and originate from compromised legitimate accounts to increase their credibility and avoid detection. In one case, the attackers hijacked an ongoing thread that already contained a genuine Zoom meeting invitation to insert a malicious link. Other phishing lures involve invites to fake MS Teams calls.
Once a link is clicked, the target is redirected to a malicious site where the second stage of the attack is initiated. This site prompts the user to download what appears to be an updated version of the relevant video conferencing platform. Instead, the file is the ScreenConnect RMM software.
Recipients whose organization already has ScreenConnect installed for legitimate purposes are immediately connected to a live ScreenConnect session controlled by the attackers. For targets without existing ScreenConnect installations, clicking these links triggers an automatic download prompt for the ScreenConnect client software.
"This technique exploits the fact that many organizations already have ScreenConnect installed for legitimate remote support purposes, allowing threat actors to bypass the installation process entirely," the researchers said. Once the client is installed and connected, the threat actors are able to weaponize ScreenConnect's intended functionality to achieve comprehensive system access equivalent to that of an IT administrator.
The attackers have also been observed pivoting to lateral phishing campaigns that leverage the compromised environment to compromise additional targets within the organization. "They analyze communication patterns, identify high-value targets and craft phishing messages that appear to originate from trusted internal sources," Abnormal AI wrote.
The Abnormal AI researchers urged organizations to take action to address growing abuse of legitimate RMM tools by threat actors. This includes establishing comprehensive monitoring of these tools on the network, focusing on unauthorized installations and suspicious usage patterns.
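The monitoring the researchers recommend can be started from endpoint process-creation telemetry. The following script is an added example written for this page; it is not code from Abnormal AI, ConnectWise or the report. It assumes Sysmon-style JSON events with `Computer`, `User`, `Image` and `CommandLine` fields, assumes that ScreenConnect client binaries are named `ScreenConnect.*.exe` and that the client command line carries its relay server in an `h=` query parameter, and uses a constructed approved relay host, a constructed managed install directory prefix, and constructed sample log lines. It flags two of the patterns the article describes: a client running from a user-writable path (a freshly downloaded "update") and a client, wherever it lives, that connects to a relay the organization does not operate.

```python
"""Added example: triage process-creation events for unexpected ScreenConnect
client activity. Not the report's code; field names, binary naming, the h=
relay parameter, and all sample values are assumptions or constructed."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: relay hosts the organization actually runs (constructed value).
APPROVED_RELAYS = {"support.example-corp.internal"}
# Assumption: where a managed ScreenConnect deployment installs the client.
APPROVED_INSTALL_PREFIXES = (r"c:\program files (x86)\screenconnect client",)
# Assumption: the client's launch URL names its relay server as h=<host>.
RELAY_RE = re.compile(r"[?&]h=([^&\s\"']+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    image: str
    reason: str


def is_screenconnect_image(image: str) -> bool:
    """Assumption: client binaries are named ScreenConnect.<Component>.exe."""
    name = image.rsplit("\\", 1)[-1].lower()
    return name.startswith("screenconnect.") and name.endswith(".exe")


def relay_host(cmdline: str) -> Optional[str]:
    """Extract the relay host from the client command line, if present."""
    m = RELAY_RE.search(cmdline)
    return m.group(1).lower() if m else None


def triage_event(ev: dict) -> List[Finding]:
    """Return findings for one event; empty list means nothing to review."""
    image = ev.get("Image", "")
    if not is_screenconnect_image(image):
        return []
    host, user = ev.get("Computer", "?"), ev.get("User", "?")
    findings = []
    if not image.lower().startswith(APPROVED_INSTALL_PREFIXES):
        # A client outside the managed directory is what a user-downloaded
        # "video conferencing update" would look like.
        findings.append(Finding(host, user, image,
                                "client running outside the managed install directory"))
    relay = relay_host(ev.get("CommandLine", ""))
    if relay is None:
        findings.append(Finding(host, user, image,
                                "no relay host in command line; review manually"))
    elif relay not in APPROVED_RELAYS:
        # Even an existing, legitimately installed client is suspicious when
        # it talks to a relay the organization does not operate.
        findings.append(Finding(host, user, image,
                                f"connects to unapproved relay {relay}"))
    return findings


def triage_log(lines) -> List[Finding]:
    """Triage an iterable of JSON-encoded events (one per line)."""
    out: List[Finding] = []
    for line in lines:
        line = line.strip()
        if line:
            out.extend(triage_event(json.loads(line)))
    return out


# Constructed sample telemetry; relay and host names are placeholders.
SAMPLE_LOG = r"""
{"Computer":"WS01","User":"CORP\\alice","Image":"C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3d4)\\ScreenConnect.ClientService.exe","CommandLine":"?e=Access&y=Guest&h=support.example-corp.internal&p=443"}
{"Computer":"WS02","User":"CORP\\bob","Image":"C:\\Users\\bob\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.exe","CommandLine":"?e=Access&y=Guest&h=relay.attacker-placeholder.example&p=443"}
{"Computer":"WS03","User":"CORP\\carol","Image":"C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3d4)\\ScreenConnect.ClientService.exe","CommandLine":"?e=Access&y=Guest&h=relay.attacker-placeholder.example&p=443"}
{"Computer":"WS04","User":"CORP\\dave","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe"}
""".splitlines()


def sample_findings() -> List[Finding]:
    return triage_log(SAMPLE_LOG)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.host} {f.user}: {f.reason} ({f.image})")
```

On the constructed log the first event (managed path, approved relay) is silent, the second yields two findings (temp-directory client plus unapproved relay), and the third yields one (unapproved relay despite the managed install path). In practice the approved-relay set and install prefix come from the organization's own deployment records, and the same check can be fed from an EDR or SIEM query instead of a file.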
Additionally, they advised organizations to update their training programs to make staff aware of legitimate software abuse, including during phishing attacks. "This campaign serves as a critical reminder that modern threats increasingly weaponize trusted systems rather than circumvent them. As a result, defenders must fundamentally reconsider their approach to threat detection and response," the researchers noted.