{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/social_engineering/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Zoom","ConnectWise ScreenConnect","Windows Script Host"],"_cs_severities":["high"],"_cs_tags":["phishing","remote_access","social_engineering","screenconnect","zoom"],"_cs_type":"advisory","_cs_vendors":["Zoom","ConnectWise","Microsoft"],"content_html":"\u003cp\u003eThis phishing campaign uses the Zoom platform as a lure to trick users into installing ConnectWise ScreenConnect, a legitimate remote monitoring and management (RMM) tool, on their own machines. Attackers send emails impersonating Zoom meeting invitations that link to fake Zoom-branded landing pages; these pages use audio playback and a fraudulent software update prompt to persuade victims to download and run a VBScript downloader disguised as a Zoom installer. The script silently fetches and launches the ScreenConnect installer, granting attackers persistent remote access to compromised systems. 
The attackers abuse a trusted platform and a legitimate administrative tool to blend malicious activity into normal enterprise behavior, enabling credential theft, reconnaissance, lateral movement, and potential ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim receives a phishing email impersonating a Zoom meeting invitation, containing a hyperlink to a spoofed Zoom-branded landing page.\u003c/li\u003e\n\u003cli\u003eUpon clicking the link, the victim is redirected to a fake Zoom meeting page designed to mimic the legitimate Zoom web interface.\u003c/li\u003e\n\u003cli\u003eThe fake meeting page plays a distorted audio track to simulate a meeting in progress and requests microphone access.\u003c/li\u003e\n\u003cli\u003eAfter a few seconds, a popup falsely notifies the user that a Zoom update is available and has been downloaded automatically.\u003c/li\u003e\n\u003cli\u003eThe victim is redirected to a separate page with instructions to run the downloaded \u0026ldquo;update\u0026rdquo;, a VBS file named \u0026ldquo;_zoommeeting_Zoom_installer_64_bit.exe.vbs\u0026rdquo;; the double extension makes the file appear to be an .exe when Explorer hides known file extensions.\u003c/li\u003e\n\u003cli\u003eWhen executed via Windows Script Host (wscript.exe), the VBS file downloads the ScreenConnect installer (ScreenConnect.ClientSetup.msi) from a hardcoded URL hosted at 212[.]11[.]64[.]45 into the user\u0026rsquo;s %TEMP% directory.\u003c/li\u003e\n\u003cli\u003eThe ScreenConnect installer is launched from %TEMP% in a hidden window, installing the remote access client on the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eAttackers use the ScreenConnect session for credential theft, internal reconnaissance, lateral movement, and potential deployment of secondary payloads, such as ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful social engineering, not a software vulnerability, leads to the installation of ConnectWise ScreenConnect, granting attackers persistent remote access to the 
victim\u0026rsquo;s system. This access allows attackers to perform credential theft, internal reconnaissance, lateral movement within the network, and the potential deployment of secondary payloads, such as ransomware. Because ScreenConnect is a legitimate RMM tool, its processes and network traffic blend in with expected enterprise administration behavior, making detection more difficult.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the malicious domain and IP addresses associated with the phishing campaign at the network level to prevent initial access (IOC table: \u003ccode\u003enasbv[.]site\u003c/code\u003e, \u003ccode\u003e104[.]21[.]56[.]35\u003c/code\u003e, \u003ccode\u003e172[.]67[.]176[.]105\u003c/code\u003e, \u003ccode\u003e212[.]11[.]64[.]45\u003c/code\u003e). Note that 104[.]21[.]56[.]35 and 172[.]67[.]176[.]105 fall within Cloudflare\u0026rsquo;s shared proxy ranges and also front unrelated sites, so block the domain and treat those two addresses as low-confidence indicators; 212[.]11[.]64[.]45, which hosts the ScreenConnect payload, can be blocked outright.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection rules that flag Windows Script Host processes (wscript.exe, cscript.exe) which download files or spawn msiexec.exe to install an MSI from an unusual location such as the user\u0026rsquo;s %TEMP% directory (see Sigma rule: \u0026ldquo;Detect Suspicious VBScript Downloading MSI\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor for the installation and execution of ConnectWise ScreenConnect (ScreenConnect.ClientSetup.msi) from unexpected sources, specifically when the installer\u0026rsquo;s parent process is a script host; in organizations that do not use ScreenConnect as their RMM, any installation should be treated as an incident (see Sigma rule: \u0026ldquo;Detect ScreenConnect Installation via VBScript\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement application control policies that block VBScript execution from user-writable locations such as Downloads and %TEMP%, and disable Windows Script Host where users do not need it (set the \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings\\Enabled\u003c/code\u003e DWORD to 0), so the malicious downloader cannot run at all.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of social engineering attacks and the importance of verifying software update prompts, especially those delivered through web pages: the Zoom desktop client updates itself, and a meeting page never pushes an update.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T12:47:04Z","date_published":"2026-05-18T12:47:04Z","id":"https://feed.craftedsignal.io/briefs/2026-05-zoom-screenconnect/","summary":"A 
phishing campaign impersonates Zoom to trick users into downloading and installing ConnectWise ScreenConnect, a legitimate remote monitoring and management tool, allowing attackers to gain persistent remote access, harvest credentials, and deploy secondary malware such as ransomware.","title":"Zoom-themed Phishing Campaign Delivering ConnectWise ScreenConnect","url":"https://feed.craftedsignal.io/briefs/2026-05-zoom-screenconnect/"}],"language":"en","title":"CraftedSignal Threat Feed — Social_engineering","version":"https://jsonfeed.org/version/1.1"}
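The two endpoint detections recommended in the brief above, as an added example that is not part of the feed and not CraftedSignal's Sigma rules. It runs over constructed process-creation events whose field names are modelled on Sysmon Event ID 1 (Image, CommandLine, ParentImage); the sample events, user name and paths are made up. Rule 1 flags a script host running a .vbs that carries a misleading second extension such as `.exe.vbs`; rule 2 flags msiexec.exe spawned by a script host installing a package from a temp directory, escalating to high when the package is ScreenConnect.ClientSetup.msi. The regexes generalise beyond the single filename in the brief to other disguising extensions and to both per-user and system temp paths.

```python
"""Detect the VBScript-to-ScreenConnect delivery chain in process-creation telemetry.

Added example, not CraftedSignal's code. Events are dicts with Sysmon Event ID 1
style fields (Image, CommandLine, ParentImage). The sample events below are
constructed for illustration; nothing here is real telemetry.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A misleading extension sitting immediately before the real .vbs extension,
# e.g. "_zoommeeting_Zoom_installer_64_bit.exe.vbs".
DOUBLE_EXT_VBS = re.compile(r"\.(exe|pdf|docx?|xlsx?|zip|msi)\.vbs\b", re.IGNORECASE)
# Per-user %TEMP%, the system temp dir, or an unexpanded %TEMP% token.
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\|%temp%", re.IGNORECASE)
SCREENCONNECT_MSI = re.compile(r"screenconnect\.clientsetup\.msi", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    event_id: int


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_vbs_double_extension(ev):
    """Rule 1: Windows Script Host launching a .vbs with a disguising double extension."""
    if basename(ev["Image"]) not in SCRIPT_HOSTS:
        return None
    if DOUBLE_EXT_VBS.search(ev["CommandLine"]):
        return Alert("Suspicious VBScript with double extension", "medium", ev["id"])
    return None


def detect_msi_from_script_host(ev):
    """Rule 2: msiexec.exe whose parent is a script host, installing from a temp dir.
    High severity when the package is the ScreenConnect client installer."""
    if basename(ev["Image"]) != "msiexec.exe":
        return None
    if basename(ev["ParentImage"]) not in SCRIPT_HOSTS:
        return None
    if not TEMP_DIR.search(ev["CommandLine"]):
        return None
    if SCREENCONNECT_MSI.search(ev["CommandLine"]):
        return Alert("ScreenConnect installation via VBScript", "high", ev["id"])
    return Alert("MSI launched from temp directory by script host", "medium", ev["id"])


RULES = (detect_vbs_double_extension, detect_msi_from_script_host)


def scan(events):
    """Apply every rule to every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (user, paths and ids are made up).
SAMPLE_EVENTS = [
    # Chain step 6: the disguised downloader run by wscript.exe from Downloads.
    {"id": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\_zoommeeting_Zoom_installer_64_bit.exe.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Chain step 7: the ScreenConnect MSI launched from %TEMP% by the script.
    {"id": 2, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientSetup.msi"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    # Benign: a logon script run by cscript.exe, single extension.
    {"id": 3, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe //nologo "\\corp\netlogon\mapdrives.vbs"',
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    # Benign: an MSI from temp, but the parent is Explorer, not a script host.
    {"id": 4, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\7zip.msi" /qn',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] event {a.event_id}: {a.rule}")
```

Rule 2 deliberately keys on the parent process rather than on the MSI name alone, because a ScreenConnect install pushed by the organisation's own RMM would have a different parent; in an environment that does not use ScreenConnect at all, drop the parent check and alert on the package name alone.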