A sophisticated credential harvesting campaign has emerged targeting ScreenConnect cloud administrators with spear phishing attacks designed to steal super administrator credentials.
The ongoing operation, designated MCTO3030, has maintained consistent tactics since 2022 while operating largely undetected through low-volume distribution strategies that send up to 1,000 emails per campaign run.
The campaign specifically targets senior IT professionals including directors, managers, and security personnel who possess elevated privileges in ScreenConnect environments.
Attackers leverage Amazon Simple Email Service accounts to deliver convincing phishing emails that claim suspicious login activity from unusual IP addresses or geographic locations, creating urgency to prompt immediate action from victims.
Mimecast analysts identified this persistent threat as particularly concerning due to its apparent connection to ransomware operations, with research indicating similar targeting patterns by Qilin ransomware affiliates.
The harvested super admin credentials serve as initial access vectors for subsequent ransomware deployment, enabling attackers to push malicious ScreenConnect clients to multiple endpoints simultaneously.
The campaign employs country code top-level domains with ScreenConnect-themed naming conventions, including domains like connectwise.com.ar, connectwise.com.be, and connectwise.com.cm to create convincing impersonations of legitimate ConnectWise portals.
Once victims click the “Review Security” button in phishing emails, they are redirected to sophisticated fake login pages that closely mimic authentic ScreenConnect interfaces.
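The country-code lookalike domains described above (connectwise.com.ar, connectwise.com.be, connectwise.com.cm) share one structural tell: the legitimate name is used as a prefix with extra labels appended, so it is a different registrable domain. The following is an added detection example, not code from the article or from Mimecast; the gateway URL list is constructed, and the check generalizes to any host that embeds the legitimate name with trailing labels (e.g. login.connectwise.com.evil.example), not only the three domains named in the report.

```python
from urllib.parse import urlparse

# Legitimate portal domain the campaign impersonates (named in the article).
LEGIT_DOMAIN = "connectwise.com"

# Constructed sample: URLs as a mail gateway might extract them from message bodies.
SAMPLE_URLS = [
    "https://connectwise.com/login",
    "https://portal.connectwise.com/Administration",
    "https://connectwise.com.ar/Login?action=review-security",
    "https://connectwise.com.be/",
    "http://connectwise.com.cm/Administration",
    "https://example.org/newsletter",
]


def is_lookalike(host: str, legit: str = LEGIT_DOMAIN) -> bool:
    """Flag hosts where `legit` appears as consecutive labels followed by at
    least one more label (connectwise.com.ar), which makes the registrable
    domain something other than `legit`. Genuine subdomains of `legit`
    (portal.connectwise.com) are not flagged."""
    labels = host.lower().rstrip(".").split(".")
    legit_labels = legit.lower().split(".")
    n = len(legit_labels)
    if labels[-n:] == legit_labels:
        return False  # exact domain or a real subdomain of it
    # Any earlier window matching the legitimate name means labels were appended.
    return any(labels[i:i + n] == legit_labels for i in range(len(labels) - n))


def flag_urls(urls: list[str], legit: str = LEGIT_DOMAIN) -> list[str]:
    """Return the hostnames from `urls` that impersonate `legit` by suffixing."""
    flagged = []
    for url in urls:
        host = urlparse(url).hostname or ""
        if host and is_lookalike(host, legit):
            flagged.append(host.lower())
    return flagged


if __name__ == "__main__":
    for host in flag_urls(SAMPLE_URLS):
        print(f"lookalike of {LEGIT_DOMAIN}: {host}")
```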
Advanced Adversary-in-the-Middle Techniques
The technical sophistication of this campaign centers on its implementation of adversary-in-the-middle phishing using the EvilGinx framework, an open-source tool specifically designed for intercepting both credentials and multi-factor authentication codes in real-time.
This capability allows attackers to bypass modern authentication protections that many organizations rely upon for security.
The EvilGinx framework operates by positioning itself between the victim and the legitimate authentication service, capturing login credentials while simultaneously forwarding authentication requests to the real ScreenConnect portal.
This technique enables the harvesting of time-sensitive MFA tokens, allowing attackers to maintain persistent access to compromised accounts even when multi-factor authentication is enabled.
The consistent use of Amazon SES infrastructure provides high deliverability rates while bypassing traditional email security controls through trusted cloud services, demonstrating the campaign’s operational sophistication and long-term strategic planning.