Attackers weaponize workplace communication to install remote access tools


An ongoing phishing campaign is targeting organizations across multiple industries, using sophisticated social engineering tactics to convincingly impersonate well-known videoconferencing platforms and deploy ConnectWise ScreenConnect for unauthorized remote access.
The research from Abnormal Intelligence reveals that, unlike traditional credential-harvesting attacks that steal login information, this campaign deceives targets into downloading legitimate remote monitoring and management (RMM) software, granting cybercriminals complete control over end-user devices.
The attackers are employing advanced deception techniques built around impersonations and familiar business contexts, effectively creating workflows that align with end-user expectations. Specific tactics observed include the utilization of compromised legitimate email accounts, AI-generated phishing components, and strategic URL obfuscation methods, as well as the exploitation of trusted business tools like file-sharing platforms for hosting malicious links.
The report’s authors note, “This campaign represents a significant evolution in cybercrime tactics. The weaponization of a legitimate IT administration tool -- one designed to grant IT professionals deep system access for troubleshooting and maintenance -- combined with social engineering and convincing business impersonation creates a multi-layered deception that provides attackers with the dual advantage of trust exploitation and security evasion.”
The attack starts with phishing emails impersonating trusted entities (like Zoom and Microsoft Teams) from compromised legitimate accounts, using timely themes and familiar branding to maximize credibility. Targets are then duped into installing ScreenConnect.
ScreenConnect is a commonly used RMM tool with extensive functionality, so malicious activity carried out through it blends seamlessly with sanctioned IT operations, making detection and response significantly more challenging. Once ScreenConnect is installed, threat actors can achieve system control while maintaining operational stealth.
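One way defenders can separate a sanctioned ScreenConnect install from an unexpected one is to compare the relay host each client is configured for against the organization's own instance. The sketch below is an added example, not taken from the Abnormal report. It assumes the client's command line carries its relay host in an `h=` query parameter; the allowlist, event layout and all hostnames are constructed.

```python
import re
from urllib.parse import parse_qs

# Assumption: relay host(s) of the organization's own ScreenConnect instance.
SANCTIONED_RELAYS = {"support.corp.example"}

# Matches the ScreenConnect client binaries in a process command line.
CLIENT_RE = re.compile(r"screenconnect\.(clientservice|windowsclient)\.exe", re.I)

# Constructed install path used by the sample events below.
SC = r'"C:\Program Files (x86)\ScreenConnect Client (0123456789abcdef)' \
     r'\ScreenConnect.ClientService.exe" '

# Constructed process-creation events, e.g. exported from EDR or Sysmon.
SAMPLE_EVENTS = [
    {"host": "WS-014",
     "cmdline": SC + '"?e=Access&y=Guest&h=support.corp.example&p=443&k=X"'},
    {"host": "WS-201",
     "cmdline": SC + '"?e=Access&y=Guest&h=relay.unknown-instance.example&p=8041&k=X"'},
    {"host": "WS-202",
     "cmdline": r'"C:\Users\kim\AppData\Local\Microsoft\Teams\Teams.exe"'},
    {"host": "WS-305",
     "cmdline": SC + '"?e=Access&y=Guest&h=SUPPORT.CORP.EXAMPLE&p=443&k=X"'},
]

def relay_host(cmdline):
    """Return the relay host of a ScreenConnect client command line.

    None means the process is not a ScreenConnect client; an empty string
    means it is one but no h= parameter could be read.
    """
    if not CLIENT_RE.search(cmdline):
        return None
    _, _, query = cmdline.partition("?")
    values = parse_qs(query.strip('" ')).get("h")
    return values[0].lower().rstrip(".") if values else ""

def unsanctioned_clients(events, allowlist=SANCTIONED_RELAYS):
    """List (endpoint, relay) pairs for clients not tied to a sanctioned relay."""
    findings = []
    for event in events:
        relay = relay_host(event["cmdline"])
        if relay is None or relay in allowlist:
            continue
        findings.append((event["host"], relay or "<no relay parameter>"))
    return findings

if __name__ == "__main__":
    for endpoint, relay in unsanctioned_clients(SAMPLE_EVENTS):
        print(f"{endpoint}: ScreenConnect client bound to unsanctioned relay {relay}")
```

A client that matches the binary name but has no readable relay parameter is reported rather than skipped, so an unfamiliar command-line layout surfaces for review.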
The report concludes:
This campaign serves as a critical reminder that modern threats increasingly weaponize trusted systems rather than circumvent them. As a result, defenders must fundamentally reconsider their approach to threat detection and response.
Security leaders must adopt a multi-layered defense strategy that encompasses advanced behavioral analytics, zero-trust network architecture, enhanced security awareness programs, and continuous threat intelligence research.
The full report, which has a detailed overview of the attack, is available from the Abnormal site.
Image credit: Rawpixel/depositphotos.com