ScreenConnect Super Admin Credential Harvesting
25 August 2025
By Samantha Clarke and the Mimecast Threat Research Team
- Low-volume spear phishing operation sending up to 1,000 emails per campaign run
- Initial access for potential ransomware deployment
- Senior IT professionals and administrators with super admin privileges
- Adversary-in-the-middle (AITM) phishing using EvilGinx framework
Campaign Overview
Samantha Clarke and the Mimecast Threat Research team have identified an ongoing credential harvesting campaign (designated MCTO3030) that specifically targets ScreenConnect cloud administrators. This sophisticated operation has maintained consistent tactics, techniques, and procedures since 2022, demonstrating remarkable operational security through low-volume distribution that has allowed it to operate largely undetected.
The campaign employs spear phishing emails delivered through Amazon Simple Email Service (SES) accounts, targeting senior IT professionals including directors, managers, and security personnel with elevated privileges in ScreenConnect environments. The attackers specifically seek super administrator credentials, which provide comprehensive control over remote access infrastructure across entire organizations.
Once the user clicks the Review Security button, they are directed to one of two types of phishing page:
[Screenshot: phishing page example 1]
[Screenshot: phishing page example 2]
What makes this campaign particularly concerning is its apparent connection to ransomware operations. Research from Sophos indicates similar ScreenConnect targeting by Qilin ransomware affiliates, suggesting these credential harvesting activities serve as initial access vectors for subsequent ransomware deployment.
The harvested super admin credentials enable attackers to push malicious ScreenConnect clients or instances to multiple endpoints simultaneously, facilitating rapid lateral movement and ransomware distribution.
The persistent nature of this campaign and its connection to ransomware operations make it a significant threat to organizations relying on ScreenConnect for remote access management. The combination of sophisticated AITM techniques and a targeted approach toward high-privilege users requires a multi-layered defensive strategy combining technical controls, user education, and proactive monitoring.
Technical Infrastructure and Tactics
The threat actors leverage Amazon SES for email distribution due to its high deliverability rates, low cost, and ease of setup. These accounts are often created using compromised credentials or sold through underground markets, allowing attackers to bypass traditional email security controls through trusted infrastructure.
The phishing pages employ sophisticated adversary-in-the-middle (AITM) techniques using the EvilGinx framework, an open-source tool designed for intercepting both credentials and multi-factor authentication (MFA) codes. This capability allows the attackers to bypass modern authentication protections and maintain persistent access to compromised accounts.
Domain infrastructure utilizes country code top-level domains (ccTLDs) with ScreenConnect-themed naming conventions, creating convincing impersonations of legitimate ConnectWise/ScreenConnect portals. The consistent use of these naming patterns across multiple years demonstrates a successful operational model that the threat actors continue to exploit.
Campaign Flow
- Initial Contact: Spear phishing emails sent via compromised Amazon SES accounts to targeted IT professionals
- Social Engineering: Messages claim suspicious login activity on ScreenConnect accounts from unusual IP addresses or locations
- Credential Capture: Victims directed to fake ScreenConnect login portals hosted on country code TLD domains
- AITM Exploitation: EvilGinx framework captures both usernames/passwords and MFA tokens in real-time
- Account Compromise: Attackers gain full access to ScreenConnect super admin accounts
- Lateral Movement: Compromised credentials used to deploy additional access tools or malware across managed endpoints
Mimecast Protection
Mimecast has implemented detection capabilities specifically targeting this campaign’s characteristics, including Amazon SES abuse patterns, ScreenConnect impersonation indicators, and AITM phishing techniques. Our threat research team continues monitoring for tactical evolution and infrastructure changes to ensure comprehensive protection.
Targets
Senior IT professionals, IT directors, system administrators, and security personnel with ScreenConnect super administrator privileges across all regions and industries.
Indicators of Compromise (IOCs)
Domains
- connectwise.com.ar
- connectwise.com.be
- connectwise.com.cm
- connectwise.com.do
- connectwise.com.ec
- Various other ScreenConnect-themed domains using country code TLDs
Infrastructure Characteristics
- Amazon SES sending infrastructure
- EvilGinx-based phishing kits
- Country code TLD domain patterns
- ConnectWise/ScreenConnect branding impersonation
Recommendations
User Awareness Training
- Conduct targeted training for IT staff on ScreenConnect-themed phishing campaigns
- Educate users about AITM phishing techniques that can bypass traditional MFA
- Implement regular phishing simulations incorporating ScreenConnect login scenarios
Technical Security Controls
- Deploy conditional access policies restricting ScreenConnect admin access to organization-managed devices
- Implement phishing-resistant MFA methods such as FIDO2/WebAuthn for ScreenConnect accounts
- Enable comprehensive logging for ScreenConnect authentication events and admin activities
- Monitor for unusual admin activities, including new client deployments or configuration changes
Proactive Threat Hunting
- Search email logs for domains matching the IOC list or mentioning ScreenConnect or ConnectWise
- Monitor for authentication attempts to ScreenConnect instances from unexpected IP ranges or geographic locations
- Hunt for domains following the country code TLD patterns associated with this campaign
- Review ScreenConnect admin audit logs for unauthorized changes or suspicious client deployments
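The first three hunting steps above can be combined into one pass over email gateway logs. The following is an added example, not code from Mimecast or the post: it takes the five IOC domains listed above, generalizes them into a "ScreenConnect/ConnectWise branding under a two-letter ccTLD" pattern, and also flags messages that arrive via Amazon SES with a suspicious-login lure in the subject. The log line format, field names, sender addresses and the .xy TLD are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Domains taken from the post's IOC list for campaign MCTO3030.
IOC_DOMAINS = {
    "connectwise.com.ar", "connectwise.com.be", "connectwise.com.cm",
    "connectwise.com.do", "connectwise.com.ec",
}
THEMED_LABELS = ("connectwise", "screenconnect")

def themed_cctld(host):
    """True when a hostname has ConnectWise/ScreenConnect branding in any label
    and ends in a two-letter ccTLD; the vendor's real .com domains do not match."""
    labels = host.lower().split(".")
    tld = labels[-1]
    if len(labels) < 2 or len(tld) != 2 or not tld.isalpha():
        return False
    return any(lbl.startswith(THEMED_LABELS) for lbl in labels[:-1])

def score_message(line):
    """Score one constructed gateway log line shaped like
    'from=<addr> subject=<text> urls=<u1,u2>'; returns a finding dict or None."""
    fields = dict(re.findall(r"(\w+)=<([^>]*)>", line))
    hits = []
    for url in filter(None, fields.get("urls", "").split(",")):
        host = (urlparse(url.strip()).hostname or "").lower()
        if host in IOC_DOMAINS:
            hits.append(("ioc_domain", host))    # exact match, high confidence
        elif themed_cctld(host):
            hits.append(("themed_cctld", host))  # pattern match, needs review
    sender = fields.get("from", "").lower()
    via_ses = sender.endswith("amazonses.com")
    subject = fields.get("subject", "").lower()
    lure = "screenconnect" in subject and any(
        k in subject for k in ("login", "suspicious", "security"))
    # Flag any domain hit, or the SES-plus-"suspicious ScreenConnect login" lure.
    if not hits and not (via_ses and lure):
        return None
    return {"from": sender, "hits": hits, "via_ses": via_ses, "lure_subject": lure}

def hunt(log_text):
    """Run score_message over every non-empty line and return the findings."""
    return [f for f in map(score_message, log_text.splitlines()) if f]
# Constructed sample log; the .xy TLD, sender and subject values are made up.
SAMPLE_LOG = """\
from=<bounce@us-east-1.amazonses.com> subject=<Suspicious login to your ScreenConnect account> urls=<https://connectwise.com.ar/Login>
from=<noreply@connectwise.com> subject=<Your monthly invoice> urls=<https://www.connectwise.com/billing>
from=<bounce@us-east-1.amazonses.com> subject=<ScreenConnect security alert: unusual IP> urls=<https://screenconnect-portal.com.xy/review>
from=<it@example.org> subject=<Lunch on Friday> urls=<>
"""
```

Running `hunt(SAMPLE_LOG)` returns two findings (the IOC hit and the pattern hit) and ignores the genuine connectwise.com message; the pattern rule is a hunting lead, not a block decision, so review its hits before acting.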
Email Security Enhancement
- Identify Amazon SES usage within the organization and across the supply chain to determine whether such messages should be accepted at the gateway
- Implement advanced URL protection to identify and block AITM phishing infrastructure
- Consider additional scrutiny for emails claiming security incidents or login anomalies