Case Study: Emerging Threat – Fake ScreenConnect Attachments

Overview

In mid-2025, Professional IT identified a rising cybersecurity threat targeting small to medium businesses across Australia: malicious attachments disguised as legitimate ScreenConnect installers. This case study explores how these attacks are executed, the real-world impact on one client, and how proactive security measures protected another.

Background

ScreenConnect (now ConnectWise Control) is a legitimate remote support tool widely used by IT providers. Recently, threat actors have begun leveraging its familiarity and trustworthiness to distribute malicious versions of the tool as part of sophisticated phishing campaigns.

Threat Summary

Attackers compromise trusted email accounts and insert malicious ScreenConnect installers as attachments—often disguised as PDFs. Once executed, these files grant full remote access to the attacker, who can:

– Extract saved passwords and browser sessions
– Access banking credentials and sensitive data
– Remain undetected for extended periods
– Launch secondary attacks or financial fraud
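The disguise described above relies on an executable arriving under a document-like name (a "PDF" that is really a Windows installer, or a double extension such as `Statement.pdf.exe`). A mail gateway or endpoint script can catch this class of mismatch before a user ever double-clicks. The following is an added example, not tooling from Professional IT or from the case study; the attachment names and byte strings are constructed for illustration, and the magic-byte table covers only the handful of formats relevant here.

```python
"""Triage e-mail attachments whose name says 'document' but whose bytes say 'executable'.

Added example: the sample attachments below are constructed, not real captures.
"""
from dataclasses import dataclass, field

# Leading-byte signatures for the formats this check cares about.
SIGNATURES = (
    (b"%PDF-", "pdf"),
    (b"MZ", "pe"),                                    # Windows executable (.exe, .scr, .dll)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # OLE compound file: .msi installers, legacy Office
    (b"PK\x03\x04", "zip"),                           # zip container (.zip, .docx, .xlsx)
)

# What each claimed extension should look like on the inside.
EXPECTED_KIND = {
    ".pdf": "pdf", ".exe": "pe", ".scr": "pe", ".msi": "ole",
    ".doc": "ole", ".xls": "ole", ".docx": "zip", ".xlsx": "zip", ".zip": "zip",
}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Extensions that should never arrive as an unsolicited e-mail attachment.
EXECUTABLE_EXTENSIONS = {".exe", ".msi", ".scr", ".com", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".hta"}


@dataclass
class Verdict:
    filename: str
    sniffed: str                      # format inferred from the bytes
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def sniff(data: bytes) -> str:
    """Infer the real format from leading bytes, ignoring the file name entirely."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions(filename: str) -> list:
    """All extensions in order, e.g. 'Statement.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    kind = sniff(data)
    verdict = Verdict(filename=filename, sniffed=kind)
    exts = extensions(filename)
    last = exts[-1] if exts else ""

    # 1. Plain executable types are blocked regardless of how they are named.
    if last in EXECUTABLE_EXTENSIONS:
        verdict.flags.append(f"executable extension {last}")
    # 2. Double extension: a document extension hiding in front of the real one.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last not in DOCUMENT_EXTENSIONS:
        verdict.flags.append(f"double extension {exts[-2]}{last}")
    # 3. Name/content mismatch: the bytes do not match what the extension promises.
    expected = EXPECTED_KIND.get(last)
    if expected and kind != "unknown" and kind != expected:
        verdict.flags.append(f"claims {last} but content is {kind}")
    # 4. A PE image with no executable extension at all is never a legitimate document.
    if kind == "pe" and last not in EXECUTABLE_EXTENSIONS:
        verdict.flags.append("PE executable without executable extension")
    return verdict


# Constructed sample attachments (headers only; nothing here is a real file).
SAMPLES = {
    "Invoice_July.pdf": b"%PDF-1.7\n% constructed sample\n",
    "Bank_Statement.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "Bank_Statement.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "Remote_Support_Installer.msi": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56,
}


def triage(samples: dict) -> dict:
    """Return {filename: Verdict} for a batch of attachments."""
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, v in triage(SAMPLES).items():
        status = "QUARANTINE" if v.suspicious else "allow"
        print(f"{status:10} {name:32} sniffed={v.sniffed:8} {'; '.join(v.flags)}")
```

The check deliberately never trusts the file name alone: the second sample is named like a PDF and would open in a PDF reader if it were one, but its bytes are a PE image, so it is quarantined. Running this at the mail gateway stops the lure before delivery; running it on the endpoint when a download lands gives the same signal that an EDR agent would raise once the installer executes, but earlier.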

Case A: Sophisticated Social Engineering Attack

Client Profile

Client A – A medical practice that frequently exchanges documents with external vendors via cloud file-sharing platforms (e.g., files.fm).

In one recent case, an attacker had compromised the email account of a vendor staff member (“Vendor A”). They observed email patterns and noticed regular file exchanges with our client, Client A, via files.fm.

After patiently watching the correspondence, the attacker struck. Knowing that Client A was expecting a document, they sent a malicious ScreenConnect installer disguised as a PDF—perfectly timed to match the expected delivery.

Once the file was opened, the attacker gained full access to the computer. They even sent the real PDF afterward to reduce suspicion—Client A assumed the first file had simply glitched.

The attackers waited for the next payroll session, silently captured the entire banking session, and later initiated over $50,000 in fraudulent transactions.

Case B: Threat Contained via MTDRS (EDR)

Client Profile

Another Professional IT client in the healthcare sector, enrolled in our Managed Threat Detection & Response Suite (MTDRS), commonly known as Endpoint Detection and Response (EDR).

In contrast, Client B was protected by our Managed Threat Detection & Response Suite (MTDRS). They received what appeared to be a bank statement—but in reality, it was a malicious ScreenConnect installer.

Thanks to MTDRS:

  • The agent detected the abnormal behavior immediately
  • The device was isolated from the network
  • Our team was alerted and able to act before any damage occurred

This incident was prevented—not remediated—because MTDRS acted faster than any user or IT administrator could.

Lessons Learned

– Trusted tools can be exploited – familiarity breeds complacency.
– Social engineering is evolving – attackers now mimic business processes, not just branding.
– Anti-virus is not enough – real-time threat detection and isolation are critical.

Author

Professional IT
