Multiple phishing campaigns deploying ConnectWise ScreenConnect for remote control demonstrate the sophistication, extent, and danger of AI-supercharged social engineering.
An ongoing ScreenConnect campaign illustrates the main traits of modern cybercrime: AI-enhanced social engineering at scale; the use of trust and stealth to slip past security controls; and heavy reliance on the professionalized crime-as-a-service (CaaS) ecosystem.
Current ScreenConnect campaigns differ in their details, but all follow the same basic process: a phishing attack leads to the installation of ScreenConnect, giving the attacker remote access to, and potentially control of, the victim organization's systems. Researchers have counted more than 900 targeted enterprises around the world.
The preparatory stage of the attack is to obtain a legitimate email account. The attackers may compromise it themselves through separate phishing, or buy it from an increasingly sophisticated CaaS underworld, for example as credentials harvested from infostealer logs.
“Once attackers compromise or acquire a compromised email account, they typically expand outward by abusing the victim’s address book, distribution lists, and ongoing conversations,” explains Piotr Wojtyla (head of threat intelligence at Abnormal AI). “They’ll send phishing emails to colleagues, business partners, suppliers, and anyone the compromised user interacts with regularly, effectively weaponizing trusted relationships. By inserting malicious links or attachments into existing threads, the attacker increases credibility and makes the phishing far harder to spot.”
The campaign proper starts with phishing emails sent from the legitimate but compromised account. A common method is to disguise the emails as an invitation to a Zoom meeting. Because the mail genuinely originates from that account, sender authentication passes and there is nothing here likely to trigger in-house security tools. And the quality of the AI-assisted emails, including ‘professional’ forms likely built with Vercel’s v0 (an AI-powered tool that generates complete user interfaces from text prompts), shows no obvious red flags to the recipient.
A similar approach is used with Microsoft Teams. If the target is lured into joining a Teams meeting, he or she is prompted to download the latest version of Teams, which is, of course, not Teams at all but ScreenConnect, a legitimate remote monitoring and management (RMM) product. Because the installer is a genuine commercial tool rather than malware, file reputation and antivirus checks typically raise no alarm; the harm lies in the attacker-operated server the client is configured to connect to.
The psychology of trust is also spot-on. Recipients accustomed to Zoom will take the invitation in their stride, while others will find it encouraging to be invited; the invite may even have been inserted into an ongoing thread that was already discussing a Zoom meeting.
The purpose is to persuade the target to click a disguised malicious link, such as a button labeled ‘download the latest version of Zoom’. This redirects the user to an external location that delivers the ScreenConnect installer. Throughout the process, the attacker does everything possible to avoid raising security red flags.
Observed methods include using legitimate email service providers, such as SendGrid, to wrap malicious URLs inside reputable domains; abusing open redirects on trusted sites; splitting links into Base64-encoded segments; and hosting on trusted cloud platforms such as Cloudflare Workers. The last offers several advantages for attack infrastructure: it trades on Cloudflare’s good reputation, it delivers quickly regardless of the victim’s location, and it comes with encrypted connections by default along with the means to evade blocks such as geo-blocking.
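The layered-redirect tricks in the paragraph above can be unwound mechanically at the mail gateway or in a triage script. The following Python is an added example written for this article, not code from Abnormal AI or from the campaign: it peels an email-service click-tracking wrapper, an open-redirect parameter and a Base64-encoded target, then reports the properties a reviewer would care about (chain length, domain hopping, encoded targets, a serverless landing host). The host names, query parameter names and suffix lists are assumptions, and the sample lure is constructed, not an observed indicator.

```python
"""
Unwrap a URL that hides its real destination behind redirect layers:
ESP click-tracking wrapper -> open redirect on a trusted site ->
Base64-encoded target -> landing page on a serverless host.
Added example for this article; host and parameter names are assumed.
"""
import base64
import binascii
from urllib.parse import urlparse, parse_qs, quote

MAX_HOPS = 6

# Assumed suffix lists for this example: tune to your own environment.
REPUTATION_WRAPPERS = ("sendgrid.net",)   # ESP click-tracking hosts
SERVERLESS_SUFFIXES = ("workers.dev",)    # Cloudflare Workers default hosts


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def host_matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def decode_b64_url(value):
    """Return the http(s) URL hidden in a Base64 query value, or None."""
    raw = value.replace(" ", "+")        # parse_qs turned '+' into ' '
    raw += "=" * (-len(raw) % 4)         # restore padding attackers strip
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            text = decoder(raw).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if text.startswith(("http://", "https://")):
            return text
    return None


def next_hop(url):
    """First URL carried in the query string of `url`, either plain
    (open-redirect style ?next=https://...) or Base64-encoded.
    Returns (target, was_base64) or None when nothing is embedded."""
    query = urlparse(url).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            if value.startswith(("http://", "https://")):
                return value, False
            decoded = decode_b64_url(value)
            if decoded:
                return decoded, True
    return None


def unwrap(url):
    """Follow embedded targets until none remain or MAX_HOPS is reached.
    Returns (chain_of_urls, number_of_base64_hops)."""
    chain, b64_hops = [url], 0
    while len(chain) <= MAX_HOPS:
        hop = next_hop(chain[-1])
        if hop is None or hop[0] in chain:   # stop on loops as well
            break
        chain.append(hop[0])
        b64_hops += int(hop[1])
    return chain, b64_hops


def assess(url):
    """Summarize the redirect chain and raise the flags a triager wants."""
    chain, b64_hops = unwrap(url)
    hosts = [host_of(u) for u in chain]
    flags = []
    if host_matches(hosts[0], REPUTATION_WRAPPERS):
        flags.append("esp-tracking-wrapper")
    if len(chain) > 2:
        flags.append("multi-hop-redirect")
    if b64_hops:
        flags.append("base64-encoded-target")
    if host_matches(hosts[-1], SERVERLESS_SUFFIXES):
        flags.append("serverless-landing-host")
    if len(set(hosts)) > 1:
        flags.append("cross-domain-redirect")
    return {"chain": chain, "final_host": hosts[-1], "flags": flags}


# CONSTRUCTED sample lure, built the way the article describes. All host
# names and parameter names are invented for illustration.
LANDING = "https://zoomupdate.lure.workers.dev/Zoom_Update.exe"
OPEN_REDIRECT = (
    "https://portal.trusted-partner.example/redirect?target="
    + base64.urlsafe_b64encode(LANDING.encode()).decode().rstrip("=")
)
SAMPLE_LURE = "https://tracking.sendgrid.net/click?url=" + quote(OPEN_REDIRECT, safe="")

if __name__ == "__main__":
    print(assess(SAMPLE_LURE))
```

Run against the constructed lure, `assess` walks three hops and lands on the `workers.dev` host with all five flags set, whereas a plain meeting link yields a one-entry chain and no flags. The hop limit and loop check matter in practice: attacker redirect chains are sometimes built to keep a naive unwrapper busy.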
The attackers don’t stop at a single target – they expand through lateral phishing. “It allows them to spread ScreenConnect laterally within the victim organization or into partner networks, which could become a supply chain compromise,” says Wojtyla. “They abuse the victim’s address book, distribution lists, and ongoing conversations to target colleagues, business partners, suppliers, and anyone the compromised user interacts with regularly.”
By inserting malicious links into existing email threads with external partners, the attack effectively becomes a supply chain attack, weaponizing trusted business relationships.
The attacks described by Abnormal AI are focused on deploying ScreenConnect via phishing. The primary takeaway, however, is the sophistication of modern cybercrime: initial access bought from brokers, tools supplied by the CaaS market, AI-assisted phishing emails and business forms, careful stealth, and, of course, the pivoting reach of a compromised email account.
The immediate goal is to sell the ScreenConnect footholds back into the access broker market. But this could be just the beginning; both the method and the market around it concern Wojtyla. “The availability of turnkey ScreenConnect kits and ready-made access for sale creates the possibility for more targeted operations if the buyer’s motivation is different,” he warns. “A ransomware affiliate or espionage group could easily take the same tools and methods and apply them in a more surgical way, even as the majority of current activity remains broad and opportunistic.”