HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Zoom‑Themed Phishing Campaign Deploys ConnectWise ScreenConnect for Remote Access and Data Theft

Attackers are sending spoofed Zoom meeting invites that lead victims to install ConnectWise ScreenConnect, a legitimate RMM tool abused for persistent remote access, credential harvesting, and ransomware deployment. The campaign highlights the risk of trusted‑third‑party tools being weaponized, demanding tighter controls for any RMM solutions in your supply chain.

LiveThreat™ Intelligence · 📅 May 18, 2026· 📰 cofense.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
cofense.com

Zoom‑Themed Phishing Campaign Deploys ConnectWise ScreenConnect for Remote Access and Data Theft

What Happened — Threat actors are sending spoofed Zoom meeting invitations that link to a fake Zoom landing page. The page convinces victims to download ConnectWise ScreenConnect, a legitimate remote‑monitoring and management (RMM) tool that attackers abuse to gain persistent remote access, harvest credentials, and drop additional malware such as ransomware.

Why It Matters for TPRM

  • The abuse of a trusted RMM product creates a “trusted foothold” that can bypass many traditional security controls.
  • Vendors that provide remote‑access tools (e.g., ConnectWise) become indirect attack vectors for any organization that allows their use.
  • Phishing campaigns that masquerade as a critical business‑communication platform (Zoom) increase the likelihood of user click‑through, expanding the attack surface across all third‑party relationships.

Who Is Affected — SaaS communications platforms (Zoom), remote‑access/RMM vendors (ConnectWise ScreenConnect), and any downstream customers that permit RMM tools on their networks (technology, finance, healthcare, etc.).

Recommended Actions

  • Review contracts and security controls for any RMM solutions used by your organization or its vendors.
  • Enforce strict URL‑allowlisting and email‑filtering for Zoom‑related domains; educate users on the visual differences between legitimate and spoofed invites.
  • Deploy application‑control policies that block unauthorized installation of remote‑access binaries unless explicitly approved.
  • Verify that remote‑access sessions are logged, monitored, and terminated when not in use.

Technical Notes — The campaign uses a text‑only phishing email, a spoofed Zoom‑branded landing page that mimics the “Join Meeting” flow, and then delivers the ConnectWise ScreenConnect installer. Once installed, the RMM agent provides full system control, credential harvesting, and a conduit for secondary payloads (e.g., ransomware). No specific CVE is cited; the attack relies on social engineering rather than a software flaw. Source: Cofense Intelligence

📰 Original Source
https://cofense.com/blog/click-install-compromised-the-new-wave-of-zoom-themed-attacks

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →