ScreenConnect abuse in phishing campaigns: what security teams should watch


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Attackers are embedding real ScreenConnect session links into phishing emails, using compromised accounts, threaded replies, and fake meeting invitations to bypass installation checks and gain remote control, with one campaign targeting more than 900 organizations, according to Abnormal AI. Trusted remote access tools become a governance problem when users cannot distinguish legitimate administration from attacker-controlled sessions.

NHIMG editorial — based on content published by Abnormal AI: ScreenConnect phishing campaign analysis and workplace communication abuse

By the numbers:

  • This phishing campaign has targeted over 900 organizations across a broad spectrum of industries and geographic regions.
  • Education and religious organizations represent 14.4% of targets, followed by healthcare and pharmaceuticals at 9.7%, and financial services at 9.4%.
  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.

Questions worth separating out

Q: How should security teams govern legitimate remote access tools used in phishing campaigns?

A: Treat remote access tools as privileged access paths, not just software.

Q: Why do compromised email accounts make remote access abuse harder to detect?

A: A compromised mailbox inherits trust from the organisation’s own communications patterns.

Q: What breaks when organisations rely on approved remote support software as a trust signal?

A: The control breaks because software approval does not equal session approval.

Practitioner guidance

  • Separate sanctioned support from untrusted remote sessions: Create explicit policy controls for ScreenConnect and similar tools so approved support sessions are logged, constrained, and distinguishable from inbound sessions initiated through email links.
  • Harden email trust around internal reply chains: Flag link insertion, sender-account anomalies, and unusual remote-access prompts inside ongoing conversations, especially when a compromised mailbox could be used to extend trust.
  • Audit endpoint exposure to remote administration tools: Inventory where ScreenConnect or equivalent RMM software exists, then verify which devices can accept inbound sessions and whether those paths are monitored at session level.

What's in the full article

Abnormal AI's full report covers the operational detail this post intentionally leaves for the source:

  • Example phishing lures and screen captures used to impersonate Zoom and Microsoft Teams.
  • Technical indicators and delivery patterns associated with real ScreenConnect session abuse.
  • Dark web tooling and persistence tactics tied to ScreenConnect REVOLUTION PACK V2.0.
  • Broader victimology data showing how the campaign spread across sectors and geographies.

👉 Read Abnormal AI's analysis of phishing campaigns abusing ScreenConnect →

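One way to implement the reply-chain guidance above (flagging link insertion, sender anomalies and remote-access prompts inside ongoing conversations), as an added example that is not part of the original post or Abnormal AI's report: it walks a message thread and flags messages that introduce a remote-access link into an existing reply chain, from a sender not sanctioned for remote support, or wrapped in meeting-invite wording. The URL patterns, sender addresses and sample thread are constructed assumptions, not indicators from the report.

```python
import re

# Assumed URL shapes for hosted ScreenConnect session links (an assumption, not an
# indicator from the post or the Abnormal AI report); adjust to your tenant's hosts.
REMOTE_ACCESS_PATTERNS = [
    re.compile(r"https?://[\w.-]*screenconnect\.com\S*", re.I),
    re.compile(r"https?://\S+/Bin/ScreenConnect\.Client\S*", re.I),
]
# Fake Zoom/Teams invitation wording, the lure the post describes.
MEETING_LURE = re.compile(r"\b(zoom|teams)\b.*\b(meeting|invite|join)\b", re.I)

def find_remote_links(body):
    return [m.group(0) for p in REMOTE_ACCESS_PATTERNS for m in p.finditer(body)]

def flag_thread(messages, sanctioned_senders):
    """Return (msg_id, reason) for each message that introduces a remote-access link
    the thread has not seen before under the conditions the post calls out.
    Each message is a dict with keys id, sender, in_reply_to (or None) and body."""
    by_id = {m["id"] for m in messages}
    seen_links = set()
    findings = []
    for m in messages:
        links = find_remote_links(m["body"])
        if any(link not in seen_links for link in links):
            reasons = []
            if m["in_reply_to"] in by_id:
                reasons.append("remote-access link inserted into an existing reply chain")
            if m["sender"] not in sanctioned_senders:
                reasons.append("sender %s is not sanctioned for remote support" % m["sender"])
            if MEETING_LURE.search(m["body"]):
                reasons.append("meeting-invite wording around a remote-access link")
            if reasons:
                findings.append((m["id"], "; ".join(reasons)))
        seen_links.update(links)
    return findings

# Constructed sample: a benign internal thread, a reply from the same (now compromised)
# mailbox injecting a session link dressed up as a Teams invite, and a sanctioned helpdesk message.
SAMPLE_THREAD = [
    {"id": "m1", "sender": "alice@example.com", "in_reply_to": None,
     "body": "Can we finalise the Q3 budget deck?"},
    {"id": "m2", "sender": "bob@example.com", "in_reply_to": "m1",
     "body": "Sure, I will send the draft tomorrow."},
    {"id": "m3", "sender": "alice@example.com", "in_reply_to": "m2",
     "body": "Join the Teams meeting to review: https://acme-support.screenconnect.com/Join?id=abc123"},
    {"id": "m4", "sender": "helpdesk@example.com", "in_reply_to": None,
     "body": "Ticket 4411: your technician connects via https://acme-support.screenconnect.com/Join?id=t4411"},
]
def demo():
    return flag_thread(SAMPLE_THREAD, sanctioned_senders={"helpdesk@example.com"})
```

Only the injected reply (m3) is reported; the helpdesk message carries the same kind of link but comes from a sanctioned sender in a new thread, which is the distinction the guidance asks teams to make.
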
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Trusted remote access has become an identity control problem, not just an endpoint tool problem. ScreenConnect is being abused because organisations often treat the tool as legitimate by default once installed. That assumption breaks when a real session link can be delivered through phishing and still grant control. Practitioners need to view remote administration as an access pathway that must be governed like any other privileged identity channel.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: How can teams reduce the risk of lateral phishing after endpoint compromise?

A: Limit the attacker’s ability to use one compromised mailbox to trigger more access. Use stronger mailbox monitoring, session auditing, and anomaly detection for new outbound invites, especially when those invites direct recipients to install or connect through remote administration software. The goal is to break the trust chain before it becomes a propagation path.

👉 Read our full editorial: ScreenConnect phishing turns trusted remote access into enterprise risk
