Attackers are exploiting the trust users place in everyday workplace communications to deliver remote access malware, according to a new report from human behavior security company Abnormal AI Inc. The report details an ongoing campaign that leverages convincing impersonations of videoconferencing platforms such as Zoom Communications Inc. and Microsoft Teams to trick users into installing ConnectWise ScreenConnect, a legitimate remote monitoring and management tool.
The campaign uses phishing schemes to target potential victims, sending them emails from compromised accounts that appear to be from trusted sources. The emails often include timely hooks like tax season or meeting invitations to make the messages seem more authentic. Once the target clicks a link in the email, they are redirected to artificial intelligence-generated phishing pages or file-sharing platforms that deliver ScreenConnect.
In some cases, links lead directly to live ScreenConnect sessions, bypassing installation entirely. Social engineering isn't the only method used by attackers in this campaign. They also employ obfuscation techniques such as SendGrid domain wrapping, open redirect exploits, and Cloudflare Workers hosting to disguise malicious links. These techniques make the traffic difficult for even advanced detection systems to flag.
The obfuscation techniques are noted in the report as being particularly challenging because the traffic appears to originate from trusted providers. Another technique used involves segmenting links with base64 encoding, which evades signature-based security tools and makes the links harder to detect.
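A defender-side triage helper for the base64-segmented links described above, added here as an example and not part of Abnormal's report: it pulls base64-looking runs out of a URL's path and query values, reassembles and decodes them, and flags any that hide another URL. The wrapper-domain suffixes and the sample links are constructed assumptions, not indicators from the report.

```python
import base64
import re
from urllib.parse import unquote, urlparse

# Intermediary domains the report names as link wrappers (SendGrid click
# tracking, Cloudflare Workers). The suffixes are assumptions, for context only.
WRAPPER_SUFFIXES = ("sendgrid.net", "workers.dev")

# A run of base64 characters (standard or URL-safe alphabet, optional padding).
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{8,}={0,2}")
# Decoded text that looks like a URL or a domain followed by a path.
URL_HINT = re.compile(r"https?://|www\.|\.[a-z]{2,6}/", re.IGNORECASE)

def decode_segment(seg: str):
    """Base64-decode one run (URL-safe or standard); None if not printable text."""
    seg = seg.replace("-", "+").replace("_", "/").rstrip("=")
    seg += "=" * (-len(seg) % 4)  # restore padding the sender may have dropped
    try:
        text = base64.b64decode(seg, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def base64_runs(url: str) -> list:
    """Collect base64-looking runs from the path pieces and the query values."""
    parsed = urlparse(url)
    pieces = [unquote(p) for p in parsed.path.split("/") if p]
    # Split the query by hand: parse_qs would turn a base64 '+' into a space.
    pieces += [unquote(part.partition("=")[2]) for part in parsed.query.split("&")]
    return [m.group(0) for piece in pieces for m in B64_RUN.finditer(piece)]

def analyze_link(url: str) -> dict:
    """Report hidden destinations and whether the link sits on a known wrapper host."""
    host = urlparse(url).hostname or ""
    runs = base64_runs(url)
    # A destination split across several segments only reassembles when the
    # runs are joined in order, so try that first and fall back to each run.
    joined = decode_segment("".join(runs)) if len(runs) > 1 else None
    if joined and URL_HINT.search(joined):
        hidden = [joined]
    else:
        hidden = [t for t in map(decode_segment, runs) if t and URL_HINT.search(t)]
    return {"url": url, "wrapper_host": host.endswith(WRAPPER_SUFFIXES),
            "hidden_urls": hidden, "suspicious": bool(hidden)}

# Constructed sample links (not from the report): a plain meeting link, one
# base64 value behind a wrapper host, and a destination split across three pieces.
SAMPLE_LINKS = [
    "https://meetings.example.com/j/1234567890",
    "https://tracker.example.workers.dev/go?u=aHR0cHM6Ly9sdXJlLmV4YW1wbGUubmV0L2ludml0ZQ%3D%3D",
    "https://files.example.org/aHR0cHM6Ly9sdXJl/LmV4YW1wbGUubmV0/L2ludml0ZQ==",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(analyze_link(link))
```

The wrapper-host flag is context rather than a verdict on its own, since legitimate mail also passes through click-tracking domains; the decoded destination is what a mail-gateway or SOC playbook should act on.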
Once installed, ScreenConnect gives attackers administrator-level access and allows them to move laterally, harvest credentials, and launch secondary phishing campaigns from inside compromised environments. Abnormal AI's researchers observed adversaries inserting malicious links into ongoing email threads, making the attacks appear as natural continuations of legitimate business discussions.
The methodology is also popular among hacking communities, with dark web vendors selling prepackaged "ScreenConnect Revolution" kits that include hidden virtual network computing capabilities, Windows Defender bypasses, and session restoration features. Some sellers are offering turnkey deployments for as little as $6,000, complete with training and after-sales support.
Other sellers are offering access to already compromised networks with hundreds of connected hosts, priced between $500 and $2,000 per network. The researchers estimate that more than 900 organizations have been targeted across education, religious institutions, healthcare, financial services, insurance, and technology.
"This campaign serves as a critical reminder that modern threats increasingly weaponize trusted systems rather than circumvent them," the report concludes. Abnormal's researchers recommended enterprises adopt defenses including AI-powered email security, enhanced endpoint monitoring for unauthorized remote tools, and zero-trust architectures, along with updating awareness training so staff know what to look for.