
Apr 2025: ScreenConnect Login Alert

ScreenConnect Login Alert Fraud Indicators

Threat Alert: ScreenConnect Login Alert

  • Threat actors are impersonating ScreenConnect to phish credentials using Adversary-in-the-Middle (AiTM) techniques.
  • With valid credentials for a ScreenConnect instance, threat actors can sign in and gain remote access with that user's permissions, which can serve as an initial access path into the environment.
  • In addition to being deployed as a payload (a remote access tool installed on victim machines), the ScreenConnect brand is also abused as a lure in credential phishing.

How is it used in the wild?

  • Threat actors register look-alike domains (containing 'ScreenConnect' or 'ConnectWise') under a variety of Top-Level Domains (TLDs).
    • The TLD is the last segment of a domain name, the part after the final dot. In "example.com", ".com" is the TLD. Country-code TLDs often allow registrations one level down (e.g., "something.com.by" under Belarus's ".by"), so a look-alike such as "screenconnect.com.by" is a separately registered domain and not part of the real screenconnect.com.
  • The threat actors then use these domains to send spoofed ScreenConnect login alerts, claiming there was a login from a new IP address.
    • Example look-alike domains used include: ConnectWise[.]com[.]bo and ScreenConnect[.]com[.]by.
  • The messages contain links to a fake ScreenConnect authentication page. If the link is followed, the AiTM page relays the login to the real service and captures the password along with the session token issued once MFA succeeds, so the attacker can replay the authenticated session without possessing the MFA factor.
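The look-alike domain pattern described above can be checked mechanically. The following is an added example (not part of the original alert and not ConnectWise tooling) that flags sender and link hosts which carry the brand keyword but do not resolve to the brand's own registrable domain. It assumes screenconnect.com and connectwise.com are the legitimate domains, uses a deliberately short hand-picked list of multi-label public suffixes in place of the full Public Suffix List, and runs over a constructed sample message.

```python
import re
from urllib.parse import urlparse

# Assumption: the brand's legitimate registrable domains.
LEGITIMATE_DOMAINS = {"screenconnect.com", "connectwise.com"}
BRAND_KEYWORDS = ("screenconnect", "connectwise")

# Assumption: a small hand-picked set of multi-label public suffixes so that
# "screenconnect.com.by" reduces to the registrable domain "screenconnect.com.by"
# and not to "com.by". A production check should load the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"com.bo", "com.by", "co.uk", "com.au", "com.br"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def refang(text: str) -> str:
    """Turn analyst-style defanged text ('example[.]com') back into real dots."""
    return text.replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Return the registrable (owner-controlled) part of a host name."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_lookalike(host: str) -> bool:
    """True when the host mentions the brand but is not registered to the brand.

    Catches both a foreign registration (screenconnect.com.by) and the brand
    name buried in a subdomain of an unrelated domain (screenconnect.com.evil.test).
    """
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return False
    return any(keyword in host.lower() for keyword in BRAND_KEYWORDS)


def extract_hosts(text: str) -> list:
    """Pull the host name out of every http(s) URL in a message body."""
    hosts = []
    for url in URL_RE.findall(text):
        hostname = urlparse(url).hostname
        if hostname:
            hosts.append(hostname)
    return hosts


def scan_message(sender_address: str, body: str) -> list:
    """Return (where, host) pairs for every look-alike host in the sender or links."""
    findings = []
    sender_domain = refang(sender_address).rsplit("@", 1)[-1]
    if is_lookalike(sender_domain):
        findings.append(("sender", sender_domain.lower()))
    for host in extract_hosts(refang(body)):
        if is_lookalike(host):
            findings.append(("link", host))
    return findings


# Constructed sample of the spoofed "new login" alert; not a real message.
SAMPLE_SENDER = "alerts@screenconnect.com.by"
SAMPLE_BODY = """A new login to your ScreenConnect instance was detected from an unrecognised IP address.
If this was not you, verify your account now: https://screenconnect.com.by/login
"""

if __name__ == "__main__":
    for where, host in scan_message(SAMPLE_SENDER, SAMPLE_BODY):
        print(f"look-alike {where}: {host}")
```

The keyword test on the whole host, not just the registrable domain, is deliberate: it also catches the brand name used as a subdomain of an unrelated domain, which is the other common way a phishing link is dressed up to look familiar.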

Key Action: Stay Alert!

  • Keep in mind that cybercriminals regularly abuse legitimate services. Abusing legitimate services gives cybercriminals and their lures an additional air of legitimacy.
  • Stay alert for emails impersonating familiar brands and unexpected emails requesting to validate credentials.
  • Watch out for unexpected emails creating a sense of urgency for action (e.g., revealing credentials, following links embedded within emails).
  • Report ANY suspicious emails via Phish Alarm.