
"Recipients clicking malicious links are redirected through sophisticated obfuscation chains. These include SendGrid domain wrapping, open redirect exploits, and Cloudflare Workers hosting with base64-segmented links. The technique makes detection challenging because traffic appears to originate from trusted cloud providers.

Administrator-level compromise

Once ScreenConnect becomes active on victim systems, attackers gain administrator-level access for extensive network reconnaissance. They move laterally through corporate environments, harvest credentials, and launch secondary phishing attacks from within compromised networks."
"Cybercriminals are hijacking the legitimate remote monitoring tool ConnectWise ScreenConnect through sophisticated phishing emails impersonating Zoom and Microsoft Teams. Over 900 organizations across education, healthcare, and financial services have been targeted in this ongoing campaign, with dark web vendors now selling ready-made attack kits. This large-scale assault leverages AI-generated phishing pages and compromised email accounts to deliver ScreenConnect installations without user detection."
Cybercriminals hijack ConnectWise ScreenConnect through AI-generated phishing pages and compromised email accounts that impersonate Zoom and Microsoft Teams. The campaign has targeted over 900 organizations across education, healthcare, and financial services and relies on phishing lures tied to tax season and meeting invitations. Recipients clicking links are redirected through obfuscation chains using SendGrid domain wrapping, open redirect exploits, and Cloudflare Workers with base64-segmented links to evade detection. Some attacks connect directly to live ScreenConnect sessions without downloads. Successful deployments grant administrator-level access, enabling lateral movement, credential harvesting, and internal secondary phishing. Dark web vendors sell ready-made kits facilitating the attacks.
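The summary above names three layers of the obfuscation chain: wrapping by a mail-delivery service's click-tracking domain, open-redirect endpoints on otherwise trusted sites, and serverless worker hosts carrying the destination as base64-encoded path segments. The script below is an added defender-side triage example, not code from the Techzine article or this page. It flags each of those patterns in a set of email links and decodes the base64 segments to surface the real destination. The indicator lists (`WRAPPER_HOSTS`, `SERVERLESS_SUFFIXES`, `REDIRECT_PARAMS`), the sample links and every host in them are constructed assumptions; `sendgrid.net` and `workers.dev` stand in for the service classes the summary mentions, and a hit on them is a signal to inspect, not a verdict, since legitimate mail uses the same services.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hypothetical indicator lists (assumptions, not taken from the article):
# click-tracking wrapper domains, default serverless-worker hostname suffixes,
# and query parameters commonly found on open-redirect endpoints.
WRAPPER_HOSTS = {"sendgrid.net"}
SERVERLESS_SUFFIXES = (".workers.dev",)
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "goto", "u"}

# A path segment that could be base64 (standard or URL-safe alphabet, optional padding).
B64_SEGMENT = re.compile(r"^[A-Za-z0-9+_-]{8,}={0,2}$")


def decode_b64_segment(seg):
    """Try to base64-decode one path segment; return printable text or None."""
    padded = seg + "=" * (-len(seg) % 4)  # tolerate stripped padding
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except Exception:
            continue
        if text.isprintable():
            return text
    return None


def analyze_link(url):
    """Return a list of findings for one URL; an empty list means nothing matched."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    # Layer 1: link wrapped by a mail-delivery click-tracking domain.
    if any(host == h or host.endswith("." + h) for h in WRAPPER_HOSTS):
        findings.append("wrapped-by-tracking-service")

    # Layer 3 (host part): destination served from a serverless worker hostname.
    if host.endswith(SERVERLESS_SUFFIXES):
        findings.append("serverless-worker-host")

    # Layer 2: open-redirect pattern, a query parameter carrying a URL to another host.
    for key, values in parse_qs(parsed.query).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                target = urlparse(unquote(value))
                if (target.scheme in ("http", "https") and target.hostname
                        and target.hostname.lower() != host):
                    findings.append(f"redirect-to:{target.hostname.lower()}")

    # Layer 3 (path part): base64-segmented path that reassembles into a URL.
    decoded_parts = []
    for seg in parsed.path.split("/"):
        if B64_SEGMENT.match(seg):
            text = decode_b64_segment(seg)
            if text:
                decoded_parts.append(text)
    joined = "".join(decoded_parts)
    if "http://" in joined or "https://" in joined:
        embedded = urlparse(joined[joined.index("http"):])
        findings.append(f"b64-embedded-url:{(embedded.hostname or '').lower()}")
    return findings


def _b64(text):
    """URL-safe base64 of a text fragment, used only to build the constructed sample."""
    return base64.urlsafe_b64encode(text.encode()).decode()


# Constructed sample links: every host here is a placeholder, not a real indicator.
SAMPLE_LINKS = {
    "wrapped": "https://u123.ct.sendgrid.net/ls/click?upn=abc",
    "open_redirect": "https://trusted.example/redirect?url=https%3A%2F%2Flure.example%2Fdownload",
    "worker_b64": "https://meeting-invite.example-worker.workers.dev/"
                  + _b64("https://lure.") + "/" + _b64("example/download"),
    "benign": "https://www.example.org/meeting",
}


def triage(links):
    """Run analyze_link over a name -> URL mapping and return name -> findings."""
    return {name: analyze_link(url) for name, url in links.items()}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LINKS).items():
        print(f"{name:14} {findings or 'clean'}")
```

Run stand-alone, the script prints one line per sample link. Feed it the link set extracted from a quarantined message and the `b64-embedded-url` finding gives the host to pivot on in proxy and DNS logs, while `wrapped-by-tracking-service` alone should be read together with the sender's reputation rather than as a block signal.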
Read at Techzine Global