Trusted Deception: Fake Microsoft Teams Invitation leading to ScreenConnect
Phishing campaign that delivers ScreenConnect and bypasses traditional SEGs.

What is the attack?
Phishing Lure: Campaign impersonates legitimate Microsoft Teams meeting invitations from colleagues or business contacts.
Cloudflare Workers Platform: The attacker deploys a malicious application on Cloudflare Workers' trusted cloud platform (wallacedoors-red-rsomy100.workers.dev).
ScreenConnect RAT Delivery: Multi-stage attack chain that leverages fake Teams app update prompts to deliver ScreenConnect.
Why did it get through?
Trusted Domain: The phishing site is hosted on Cloudflare Workers' legitimate cloud platform, which is typically not blocked by security gateways and email filters.
Familiar User Experience: The attack mimics the exact look and feel of legitimate Microsoft Teams meeting invitations and app update processes that users encounter regularly.
Legitimate Software Disguise: ScreenConnect is a legitimate remote access tool, making detection more challenging as it can appear as authorized business software.
What is required to solve for this attack?
Behavioral Analysis: Abnormal’s Behavioral AI flags never-before-seen senders, unusual email content, and URLs as anomalies that enable the detection of novel attacks.
Defense-in-depth: This pairs well with the Threat Intelligence layer of the Cloud Email Platform (M365) to provide defense in depth.
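
One way to approximate the signals named above (never-before-seen sender, unusual content, unusual URL) in a mail-triage script. This is an added example, not Abnormal's detection logic and not code from the original page; the Teams host list, shared-platform suffixes, lure phrases, function names and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this sketch, not taken from the page: hosts where genuine
# Teams join links live, and shared platforms whose subdomains anyone can claim.
TEAMS_HOSTS = ("teams.microsoft.com", "teams.live.com")
SHARED_SUFFIXES = (".workers.dev", ".pages.dev")
LURE = re.compile(r"microsoft teams|join (the|your) meeting|teams meeting", re.I)
URL = re.compile(r"https?://[^\s\"'<>()\[\]]+", re.I)


def link_hosts(body):
    """Return the lowercase hostname of every http(s) URL in the body."""
    hosts = (urlsplit(raw).hostname for raw in URL.findall(body))
    return [h.lower().rstrip(".") for h in hosts if h]


def is_teams_host(host):
    """Exact host or true subdomain only, so lookalike suffixes do not pass."""
    return any(host == h or host.endswith("." + h) for h in TEAMS_HOSTS)


def score_message(sender, body, known_senders):
    """Return (score, reasons); a higher score means more anomalous."""
    reasons = []
    hosts = link_hosts(body)
    claims_teams = bool(LURE.search(body))
    if sender.lower() not in known_senders:
        reasons.append("never-before-seen sender")
    if claims_teams and hosts and not any(is_teams_host(h) for h in hosts):
        reasons.append("Teams invitation without a Teams link")
    for h in hosts:
        if h.endswith(SHARED_SUFFIXES):
            reasons.append("link on shared hosting platform: " + h)
    return len(reasons), reasons


# Constructed sample messages (the workers.dev host is the one named above).
KNOWN = {"alice@example.com"}
LURE_MSG = ("You have been invited to a Microsoft Teams meeting.\n"
            "Join the meeting: https://wallacedoors-red-rsomy100.workers.dev/\n")
REAL_MSG = ("Microsoft Teams meeting\n"
            "Join: https://teams.microsoft.com/l/meetup-join/EXAMPLE\n")

if __name__ == "__main__":
    print(score_message("bob@unknown.example", LURE_MSG, KNOWN))
    print(score_message("alice@example.com", REAL_MSG, KNOWN))
```

No single reason here is conclusive, since shared platforms host plenty of legitimate content; the score is meant to rank messages for review alongside the platform's own threat intelligence verdicts.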