Phishing campaign targets Teams and Zoom with RMM tool

Cybercriminals are hijacking the legitimate remote monitoring tool ConnectWise ScreenConnect through sophisticated phishing emails impersonating Zoom and Microsoft Teams. Over 900 organizations across education, healthcare, and financial services have been targeted in this ongoing campaign, with dark web vendors now selling ready-made attack kits.

The campaign was brought to light by a report from Abnormal AI. This large-scale assault leverages AI-generated phishing pages and compromised email accounts to deliver ScreenConnect installations without user detection. Attackers impersonate trusted platforms like Zoom and Microsoft Teams, sending emails with lures around tax season preparations and meeting invitations.

Recipients clicking malicious links are redirected through sophisticated obfuscation chains. These include SendGrid domain wrapping, open redirect exploits, and Cloudflare Workers hosting with base64-segmented links. The technique makes detection challenging because traffic appears to originate from trusted cloud providers.
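To show how a mail gateway or analyst script can unwrap a chain like the one just described without ever fetching it, here is an added Python example; it is not code from the article or from the Abnormal AI report. Every host name in it is constructed, the three-hop layout (tracking wrapper, open-redirect parameter, worker URL carrying the destination as base64 path segments) is an assumption about how such links are assembled, and `BRAND_DOMAINS` is a stand-in for an organization's own allowlist.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlparse

URL_RE = re.compile(r"^https?://", re.IGNORECASE)

# Domains a lure impersonating each brand should legitimately resolve to.
# Constructed allowlist for this example; use your own in production.
BRAND_DOMAINS = {
    "zoom": ("zoom.us",),
    "teams": ("teams.microsoft.com", "microsoft.com"),
}


def _hop_from_query(url):
    """Return the first query-parameter value that is itself a URL, else None.
    Covers click-tracking wrappers and open-redirect parameters alike."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if URL_RE.match(value):
                return value
    return None


def _hop_from_b64_path(url):
    """Reassemble base64 path segments into a URL, else None.
    Assumption for this example: the destination is base64-encoded, split
    into several path segments, and the segments concatenate in order."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    for start in range(len(parts)):
        blob = "".join(parts[start:])
        blob += "=" * (-len(blob) % 4)  # restore stripped padding
        try:
            decoded = base64.urlsafe_b64decode(blob).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if URL_RE.match(decoded):
            return decoded
    return None


def unwrap_chain(url, max_hops=10):
    """Peel wrapper, redirect and base64 hops offline; return the URL list
    from the visible link to the final destination."""
    chain = [url]
    for _ in range(max_hops):
        nxt = _hop_from_query(chain[-1]) or _hop_from_b64_path(chain[-1])
        if nxt is None or nxt in chain:  # nothing left, or a loop
            break
        chain.append(nxt)
    return chain


def assess_link(url, claimed_brand):
    """Return (verdict, chain). A link is 'suspicious' when its final host is
    off-brand or it passes through more than one intermediate hop."""
    chain = unwrap_chain(url)
    final_host = (urlparse(chain[-1]).hostname or "").lower()
    allowed = BRAND_DOMAINS.get(claimed_brand.lower(), ())
    on_brand = any(final_host == d or final_host.endswith("." + d) for d in allowed)
    if not on_brand or len(chain) > 2:
        return "suspicious", chain
    return "ok", chain


def build_sample_chain(final_url):
    """Construct a three-hop link of the kind described above, for testing.
    All hosts are invented; the segment scheme is this example's assumption."""
    b64 = base64.urlsafe_b64encode(final_url.encode()).decode().rstrip("=")
    segments = [b64[i:i + 8] for i in range(0, len(b64), 8)]
    worker = "https://meet-invite.workers-example.dev/" + "/".join(segments)
    open_redirect = "https://trusted-site.example/login?next=" + quote(worker, safe="")
    return "https://click.mailer-example.net/ls/click?url=" + quote(open_redirect, safe="")


# Constructed destination standing in for a remote-access installer link.
SAMPLE_FINAL = "https://rmm-download.example/ScreenConnect.Client.exe"

if __name__ == "__main__":
    verdict, chain = assess_link(build_sample_chain(SAMPLE_FINAL), "zoom")
    print(verdict)
    for hop in chain:
        print("  ->", hop)
```

The script never issues a request, so it is safe to run on live mail samples; it reports the resolved destination and the hop count, which is the evidence a triage analyst needs to decide whether the "Zoom" or "Teams" invitation actually leads anywhere near those services.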

Administrator-level compromise

Once ScreenConnect becomes active on victim systems, attackers gain administrator-level access for extensive network reconnaissance. They move laterally through corporate environments, harvest credentials, and launch secondary phishing attacks from within compromised networks.

In some cases, links connect directly to live ScreenConnect sessions without requiring software installation. This approach bypasses traditional security measures that focus on blocking executable downloads.

A particularly insidious tactic involves inserting malicious links into existing email conversations. This technique exploits the trust employees place in ongoing business discussions, making the fraudulent messages appear legitimate.

Commercial exploitation on dark web

The attack method has become commercialized on dark web markets, where vendors sell “ScreenConnect Revolution” kits. These packages include hidden VNC functionality, Windows Defender bypasses, and session restoration features designed to maintain persistent access.

Turnkey deployment services are available for approximately $6,000, complete with training and technical support. More concerning are pre-compromised network access offerings, where criminals sell access to already infiltrated organizations with hundreds of connected hosts. These network access packages are priced between $500 and $2,000 depending on the target’s value.

The geographical distribution shows most victims are located in the United States, with additional targets in Canada, the United Kingdom, and Australia. Educational institutions, religious organizations, healthcare providers, financial services, insurance companies, and technology firms have all been affected.

Defense requires comprehensive approach

Recommended countermeasures extend beyond traditional email filtering. Organizations should deploy AI-powered email security solutions capable of detecting sophisticated impersonation attempts and analyzing suspicious link chains.

Enhanced endpoint monitoring specifically for unauthorized remote access tools is essential. Many legitimate remote access applications can become attack vectors when installed without proper oversight.

Previous phishing campaigns have demonstrated similar tactics, in some cases targeting mobile devices through malicious PDF files. The evolution toward legitimate tool abuse represents a concerning trend where attackers exploit software organizations actually need for business operations.

Zero-trust architectures provide additional protection by assuming no implicit trust, even for tools that appear legitimate. Updated security awareness training should specifically address the risks of unsolicited meeting invitations and tax-related communications, particularly during peak seasons when such messages seem plausible.