
Credential Harvesting Campaign Targets ScreenConnect


A sophisticated phishing campaign has surfaced targeting ScreenConnect (now part of ConnectWise Control) cloud administrators. Threat actors have mimicked legitimate ScreenConnect login alerts to harvest credentials, successfully bypassing multi-factor authentication (MFA) and enabling widespread compromise across managed service provider (MSP) networks.

Here are the top takeaways:

The Phishing Campaign: an Overview

In early 2025, MSP administrators began receiving phishing emails that looked alarmingly legitimate, claiming to be authentication alerts from ScreenConnect’s RMM platform. These emails contained links prompting recipients to “login and review the security alert.” Clicking the link directed them to a cleverly spoofed domain like cloud.screenconnect[.]com.ms, designed to appear identical to the real ScreenConnect login page.

Behind the scenes, the phishing site operated as a reverse proxy—forwarding credentials and time-based one-time passwords (TOTPs) to the legitimate ScreenConnect portal while capturing them via an adversary-in-the-middle (AiTM) framework known as Evilginx. This technique allowed attackers to bypass MFA protections and log in as super administrators, gaining full control over MSP environments.
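The lure in this campaign only works because cloud.screenconnect[.]com.ms reads, at a glance, like a host under screenconnect.com. The following is an added example (not code from the original post) of the kind of link triage an MSP's mail gateway or SOC tooling can run before a user clicks: it extracts the hostname, works out which domain is actually registrant-controlled, and flags any host that embeds a trusted brand label without being under the trusted domain. The allow-list, the small multi-part suffix table, and the sample links are assumptions constructed for the example.

```python
"""Flag lookalike login-alert links before a user clicks them.

Added illustration, not code from the original post. The allow-list,
suffix table and sample URLs are constructed assumptions.
"""
from urllib.parse import urlparse

# Domains an MSP would expect genuine ScreenConnect / ConnectWise links
# to resolve to (assumed allow-list for this example).
LEGIT_DOMAINS = {"screenconnect.com", "connectwise.com"}

# Public suffixes under which a further registrant label is sold. A small
# hand-picked set (assumed) so the example runs without the tldextract
# package; a production check would use the full public suffix list.
MULTI_PART_SUFFIXES = {"com.ms", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registrant-controlled part of a hostname.

    cloud.screenconnect.com     -> screenconnect.com
    cloud.screenconnect.com.ms  -> screenconnect.com.ms  (a different registrant)
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Classify a link as 'legitimate', 'lookalike' or 'unrelated'.

    A lookalike is a host that is NOT under an allow-listed domain but still
    carries an allow-listed brand label somewhere in its name, which is
    exactly the shape of cloud.screenconnect[.]com.ms.
    """
    url = url.replace("[.]", ".")          # accept defanged IoCs from reports
    host = urlparse(url).hostname or ""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"
    brand_labels = {d.split(".")[0] for d in LEGIT_DOMAINS}
    labels = host.lower().split(".")
    if any(brand in label for brand in brand_labels for label in labels):
        return "lookalike"
    return "unrelated"


def triage(urls):
    """Return (url, verdict) pairs for every link that is not clearly legitimate."""
    return [(u, classify_link(u)) for u in urls if classify_link(u) != "legitimate"]


if __name__ == "__main__":
    # Constructed sample links modelled on the campaign described above.
    samples = [
        "https://cloud.screenconnect.com/Login",
        "https://cloud.screenconnect[.]com.ms/Login?alert=1",
        "https://screenconnect-alerts.example/login",
        "https://www.example.org/newsletter",
    ]
    for url, verdict in triage(samples):
        print(f"{verdict:10s} {url}")
```

The important design point is that the check is made on the registrable domain, not on whether the trusted name appears anywhere in the host: substring matching alone would have accepted the campaign's domain, because "screenconnect.com" is literally present in it.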

Deployment of Malicious ScreenConnect Instances and Lateral Movement

Once inside the environment, attackers deployed a malicious ScreenConnect instance (ru.msi) across multiple customer systems, effectively giving them a stealthy foothold.

They then performed network reconnaissance, reset user credentials, and deployed widely used tools for lateral movement such as PsExec, WinRM, and NetExec.

Exploiting Backup Vulnerabilities & Enabling Extortion

In parallel, threat actors exploited CVE-2023-27532, a vulnerability within Veeam Cloud Backup, to extract unencrypted credentials and disable backup functions, greatly hampering recovery efforts.

Before deploying ransomware, the attackers compressed files using WinRAR and exfiltrated sensitive data to EasyUpload.io via Incognito mode in Chrome to evade detection. They then modified boot settings to launch systems in Safe Mode with networking, bypassing many endpoint protections.

Ransomware and Double Extortion Tactics

With persistence established, the attackers launched the Qilin Ransomware, a notorious Ransomware-as-a-Service (RaaS) group formerly known as "Agenda."

Each victim received a unique version, complete with customized passwords and ransom notes. Their double extortion approach included both encryption and data leakage via platforms like “WikiLeaksV2.”

Broader MSP Ecosystem Vulnerability

MSPs serve as high-value targets because they hold privileged access to multiple downstream clients. A single compromised account can cascade into a multi-organization security breach.

CISA has also highlighted the broader risks associated with unpatched features and authentication layers within ScreenConnect deployments, which can enable both credential harvesting and unauthorized remote control when abused.

Defense Strategies to Protect Against Future Attacks

To defend against such sophisticated threats, organizations—particularly MSPs—should consider implementing the following protections:

  • Deploy phishing-resistant authentication, such as FIDO2 or hardware security keys.

  • Enforce conditional access policies, limiting logins to known and managed devices.

  • Strengthen email security, using domain authentication (e.g., DMARC) and filters to flag spoofed links.

  • Enhance MFA defenses with anti-AiTM techniques and user education on impersonation tactics.

  • Promptly patch vulnerabilities, including those in remote access and backup systems like Veeam.
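The email-security item above has two halves: domain authentication (DMARC) stops mail that forges a sender domain you own, while link filtering catches lookalike hosts such as the one used here. As an added example (not from the original post) for the first half, the following checks a DMARC record for the settings that leave spoofed mail deliverable, showing a monitoring-only record beside its enforcing replacement. The records are constructed; in practice the string is the TXT record fetched from `_dmarc.<your-domain>` (the reporting address is a placeholder).

```python
"""Check a DMARC record for settings that still let spoofed mail through.

Added illustration, not code from the original post. Records are
constructed; the rua= address is a placeholder.
"""


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=mailto:x' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """Return human-readable weaknesses; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record: forged sender domains are not checked at all"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: forged mail is only reported, never rejected")
    elif policy == "quarantine":
        findings.append("p=quarantine: forged mail still reaches spam folders; p=reject is stronger")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports of forgery attempts")
    # sp= defaults to the organisational policy when absent
    if tags.get("sp", policy) == "none" and policy != "none":
        findings.append("sp=none: subdomains of the organisation can still be forged")
    return findings


# Constructed records: a monitoring-only record beside an enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
HARDENED_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; "
    "rua=mailto:dmarc-reports@example.com"   # placeholder reporting mailbox
)

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(f"{name}: {rec}")
        for finding in dmarc_findings(rec) or ["no findings"]:
            print("  -", finding)
```

A record that passes this check protects your own domain from being forged in the From: header; it does nothing about a lookalike registered by someone else, which is why the link-level filtering in the same bullet is still needed.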

Conclusion

This sophisticated credential harvesting campaign targeting ScreenConnect cloud administrators illustrates how modern adversaries can bypass MFA and weaponize trusted administrative tools. Enabled by clever phishing tactics, proxy-based credential capture, and exploitation of backup systems, these attacks can disrupt entire MSP ecosystems and their customers.

Proactive measures—including strengthened authentication, conditional access controls, robust phishing defenses, and rapid patching—are essential for mitigating these risks. For MSPs and organizations alike, this is a compelling reminder that securing privileged access is not an option; it’s a necessity.
