Zoom‑Themed Phishing Campaign Deploys ConnectWise ScreenConnect for Remote Access and Data Theft
What Happened — Threat actors are sending spoofed Zoom meeting invitations that link to a fake Zoom landing page. The page convinces victims to download ConnectWise ScreenConnect, a legitimate remote‑monitoring and management (RMM) tool that attackers abuse to gain persistent remote access, harvest credentials, and drop additional malware such as ransomware.
Why It Matters for TPRM —
- The abuse of a trusted RMM product creates a “trusted foothold” that can bypass many traditional security controls.
- Vendors that provide remote‑access tools (e.g., ConnectWise) become indirect attack vectors for any organization that allows their use.
- Phishing campaigns that masquerade as a critical business‑communication platform (Zoom) increase the likelihood of user click‑through, expanding the attack surface across all third‑party relationships.
Who Is Affected — SaaS communications platforms (Zoom), remote‑access/RMM vendors (ConnectWise ScreenConnect), and any downstream customers that permit RMM tools on their networks (technology, finance, healthcare, etc.).
Recommended Actions
- Review contracts and security controls for any RMM solutions used by your organization or its vendors.
- Enforce strict URL‑allowlisting and email‑filtering for Zoom‑related domains; educate users on the visual differences between legitimate and spoofed invites.
- Deploy application‑control policies that block unauthorized installation of remote‑access binaries unless explicitly approved.
- Verify that remote‑access sessions are logged, monitored, and terminated when not in use.
Technical Notes — The campaign uses a text‑only phishing email, a spoofed Zoom‑branded landing page that mimics the “Join Meeting” flow, and then delivers the ConnectWise ScreenConnect installer. Once installed, the RMM agent provides full system control, credential harvesting, and a conduit for secondary payloads (e.g., ransomware). No specific CVE is cited; the attack relies on social engineering rather than a software flaw. Source: Cofense Intelligence