Hackers are using fake Zoom or Microsoft Teams invites to spy on all your workplace activity


  • Campaign targeted more than 900 companies with sophisticated phishing lures
  • The goal was to deploy a remote monitoring and management tool
  • Hackers are shifting goals and priorities and businesses must adapt

More than 900 organizations have been targeted by a highly convincing phishing attack which sought to deploy a legitimate remote monitoring and management (RMM) solution and gain access to target endpoints without raising any alarms.

A new report from security researchers at Abnormal claimed the criminals used compromised email accounts and conversation threads and AI-generated phishing pages, and abused legitimate file-sharing and video conferencing platforms, to spoof Zoom and Microsoft Teams with authentic-looking emails.

The goal was to get the victims to install ConnectWise ScreenConnect, a legitimate IT tool repurposed for full remote access. Instead of stealing passwords, attackers lure victims into giving them administrator-level control over corporate systems. Once inside, they launch account takeovers, lateral phishing campaigns, and data theft while blending in with normal IT activity.

Targeting education and religious groups

Among the 900 companies attacked so far, the researchers found the largest share were in education and religious groups (14.4%), healthcare and pharma (9.7%), and financial services (9.4%), with other industries such as insurance, legal, retail, manufacturing, and tech also being heavily targeted. Most victims are in the US, UK, Canada, and Australia.

The attacks are powered by a dark web marketplace that sells ScreenConnect “attack kits” for a few thousand dollars, along with network access resold for $500–$2,000.

Some vendors even offer $6,000 custom packages with training and support, effectively turning ScreenConnect abuse into a RAT-as-a-Service business model.

This campaign highlights a dangerous shift, Abnormal believes. Instead of breaking into systems, threat actors are now weaponizing trusted workplace tools to sidestep defenses.

That is why businesses should adopt AI-powered email security, endpoint monitoring, zero-trust, and better staff awareness training to counter these increasingly sophisticated threats.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
