Duncan Riley
2025-08-26 06:00:00
siliconangle.com
A new report out today from human behavior security company Abnormal AI Inc. details how attackers are currently exploiting the trust users place in everyday workplace communications to deliver remote access malware.
The report details an ongoing campaign that leverages convincing impersonations of videoconferencing platforms such as Zoom Communications Inc. and Microsoft Teams to trick users into installing ConnectWise ScreenConnect, a legitimate remote monitoring and management tool that, once abused, gives adversaries full control over victim systems.
Phishing schemes are far from new, but where this operation becomes interesting is that it shifts tactics by persuading targets to install what they believe is standard business software. Potential victims are targeted by emails sent from compromised accounts, which lends the messages authenticity, and the emails include timely hooks like tax season or meeting invitations.
Once the target clicks through on the phishing email, they are redirected to artificial intelligence-generated phishing pages or file-sharing platforms that deliver ScreenConnect. In some cases, links lead directly to live ScreenConnect sessions, bypassing installation entirely.
Social engineering isn’t the only method used by the attackers in the campaign. Obfuscation techniques such as SendGrid domain wrapping, open redirect exploits and Cloudflare Workers hosting have been used to disguise malicious links. The report notes that these obfuscation techniques are difficult for even advanced detection systems to catch because the traffic appears to originate from trusted providers.
Another technique used involves segmenting links with base64 encoding, evading signature-based security tools as well.
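As an added illustration (not code from the Abnormal AI report or from SiliconANGLE), the sketch below shows how a mail-triage step can look past a trusted sending or hosting domain: it flags provider-hosted links, URL-carrying redirect parameters, and links whose real destination only appears after base64 segments are decoded and rejoined. The domain suffixes, finding labels and sample URLs are assumptions constructed for the example.

```python
import base64, binascii, re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: suffixes picked for this example; the report names the providers only.
TRUSTED_INFRA_SUFFIXES = (".sendgrid.net", ".workers.dev")
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def b64_text(token):
    """Decode a token if it is plausible base64 of printable ASCII, else None."""
    if not B64_TOKEN.match(token):
        return None
    body = token.rstrip("=").replace("+", "-").replace("/", "_")
    try:
        text = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None

def triage_url(url):
    """Return findings for one URL extracted from an email body."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if host.endswith(TRUSTED_INFRA_SUFFIXES):
        findings.append(f"trusted-infra-host:{host}")
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for v in values:  # open-redirect shape: a parameter carrying a full URL
        target = (urlsplit(v).hostname or "").lower() if URL_RE.match(v) else ""
        if target and target != host:
            findings.append(f"redirect-param:{target}")
    # Decode every path segment and query value, then join the decoded pieces
    # in order so a link split across several base64 segments is reassembled.
    tokens = [unquote(s) for s in parts.path.split("/") if s] + values
    joined = "".join(t for t in map(b64_text, tokens) if t)
    hidden = URL_RE.search(joined)
    if hidden:
        findings.append(f"base64-hidden-url:{hidden.group(0)}")
    return findings

def seg(s):  # helper used only to build the constructed sample below
    return base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")

# Constructed sample URLs (example.* hosts, not taken from the report).
SAMPLES = [
    "https://u0000000.ct.sendgrid.net/ls/click?upn=abc",
    "https://portal.example.com/out?next=https%3A%2F%2Fmeeting.example.net%2Fjoin",
    f"https://files.example.org/d/{seg('https://meeting.')}/{seg('example.net/invite')}",
]
```

A finding here is a reason to resolve and inspect the final destination, not a verdict: legitimate mail also uses click tracking and redirect parameters.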
Once installed, ScreenConnect gives the attackers administrator-level access and allows them to move laterally, harvest credentials and launch secondary phishing campaigns from inside compromised environments. Abnormal AI’s researchers observed adversaries inserting malicious links into ongoing email threads, making the attacks appear as natural continuations of legitimate business discussions.
The methodology is also proving popular among hacking communities, with the report detailing how dark web vendors are selling prepackaged “ScreenConnect Revolution” kits that include hidden virtual network computing capabilities, Windows Defender bypasses and session restoration features.
Some sellers were found to be offering turnkey deployments for as little as $6,000, complete with training and after-sales support, effectively offering remote access trojans-as-a-service. Other sellers were found to be offering access to already compromised networks with hundreds of connected hosts, priced between $500 and $2,000 per network.
The researchers estimate that there are more than 900 organizations that have been targeted across education, religious institutions, healthcare, financial services, insurance and technology. Though most victims are in the U.S., organizations in Canada, the U.K. and Australia were also affected.
“This campaign serves as a critical reminder that modern threats increasingly weaponize trusted systems rather than circumvent them,” the report concludes.
Abnormal’s researchers recommended enterprises adopt defenses including AI-powered email security, enhanced endpoint monitoring for unauthorized remote tools and zero-trust architectures, along with updating awareness training so staff know what to look for.