Multiple phishing campaigns are deploying ConnectWise ScreenConnect, a remote access tool, by leveraging sophisticated and AI-enhanced social engineering tactics. These attacks, which are part of a larger crime-as-a-service model, have targeted over 900 organizations worldwide.
The campaigns begin by compromising a legitimate email account, often acquired from phishing or purchased from the cybercrime market. The attackers then use this trusted account to send deceptive phishing emails to colleagues, partners, and suppliers. These emails, which are often of high quality and created with the help of AI, are designed to look like legitimate invitations to meetings on platforms like Zoom or Microsoft Teams.
If a victim clicks a malicious link, they are redirected to a site that downloads the ScreenConnect software. The attackers use a variety of stealth techniques to avoid detection, such as using legitimate email services, exploiting trusted cloud platforms, and disguising malicious links.
Once ScreenConnect is deployed, attackers gain remote access to the victim's system, allowing them to spread laterally within the organization or to partner networks. This turns the initial phishing attempt into a supply chain attack that weaponizes trusted business relationships. The ultimate goal is often to sell this newly gained access on the cybercrime market, although the same methods could be used for more targeted ransomware or espionage operations.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
