Mimecast has identified an ongoing credential harvesting campaign (designated MCTO3030) that specifically targets ScreenConnect cloud administrators.

The sophisticated operation has maintained consistent tactics, techniques, and procedures since 2022, demonstrating remarkable operational security through low-volume distribution that has allowed it to operate largely undetected.

The campaign employs spear phishing emails delivered through Amazon Simple Email Service (SES) accounts, targeting senior IT professionals including directors, managers, and security personnel with elevated privileges in ScreenConnect environments.

The attackers specifically seek super administrator credentials, which provide comprehensive control over remote access infrastructure across entire organisations.

According to Mimecast, the campaign is particularly concerning because of its apparent connection to ransomware operations.

Research from Sophos indicates similar ScreenConnect targeting by Qilin ransomware affiliates, suggesting these credential harvesting activities serve as initial access vectors for subsequent ransomware deployment.

The harvested super admin credentials enable attackers to push malicious ScreenConnect clients or instances to multiple endpoints simultaneously, facilitating rapid lateral movement and ransomware distribution.

The persistent nature of the campaign and its connection to ransomware operations make it a significant threat to organizations relying on ScreenConnect for remote access management. The combination of sophisticated adversary-in-the-middle (AITM) techniques and a targeted approach toward high-privilege users requires a multi-layered defensive strategy combining technical controls, user education and proactive monitoring.
Technical infrastructure and tactics

The threat actors leverage Amazon SES for email distribution due to its high deliverability rates, low cost, and ease of setup. These accounts are often created using compromised credentials or sold through underground markets, allowing attackers to bypass traditional email security controls through trusted infrastructure.

The phishing pages employ sophisticated adversary-in-the-middle (AITM) techniques using the EvilGinx framework, an open-source tool designed for intercepting both credentials and multi-factor authentication (MFA) codes. This capability allows the attackers to bypass modern authentication protections and maintain persistent access to compromised accounts.

Domain infrastructure utilizes country code top-level domains (ccTLDs) with ScreenConnect-themed naming conventions, creating convincing impersonations of legitimate ConnectWise/ScreenConnect portals.

The consistent use of these naming patterns across multiple years demonstrates a successful operational model that the threat actors continue to exploit.

The spear phishing campaign flows as follows:

  • Initial contact: Spear phishing emails sent via compromised Amazon SES accounts to targeted IT professionals
  • Social engineering: Messages claim suspicious login activity on ScreenConnect accounts from unusual IP addresses or locations
  • Credential capture: Victims directed to fake ScreenConnect login portals hosted on country code TLD domains
  • AITM exploitation: EvilGinx framework captures both usernames/passwords and MFA tokens in real-time
  • Account compromise: Attackers gain full access to ScreenConnect super admin accounts
  • Lateral movement: Compromised credentials used to deploy additional access tools or malware across managed endpoints

Mimecast has implemented detection capabilities specifically targeting this campaign’s characteristics, including Amazon SES abuse patterns, ScreenConnect impersonation indicators, and AITM phishing techniques.
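A defender-side triage check that combines the three indicator classes named above (SES relay headers, the "suspicious login" lure wording, and ScreenConnect-branded hostnames outside the vendor's domains, with ccTLDs weighted separately). This is an added example, not Mimecast's detection logic; the legitimate-domain allowlist, the lure keyword list and the sample message are assumptions constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse
# Assumed allowlist of domains that legitimately host ScreenConnect/ConnectWise logins.
LEGIT_SUFFIXES = ("screenconnect.com", "connectwise.com")
BRAND_TOKENS = ("screenconnect", "connectwise")
# Lure wording described for the campaign: suspicious login from an unusual IP or location.
LURE_RE = re.compile(r"suspicious (?:login|sign-?in)|unusual (?:ip|location)", re.I)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)

def is_cctld(host):
    # Two-letter alphabetic TLDs are country code TLDs.
    tld = host.rsplit(".", 1)[-1]
    return len(tld) == 2 and tld.isalpha()

def lookalike_hosts(text):
    # Hostnames carrying a brand token that are not under an allowlisted domain.
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if any(t in host for t in BRAND_TOKENS) and not any(
                host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES):
            hits.append(host)
    return hits

def score_message(raw):
    # Returns the campaign indicators found in one RFC 5322 message, in a fixed order.
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    findings = []
    # An SES relay is legitimate for many senders, so it only contributes to the score.
    hops = " ".join(str(h) for h in msg.get_all("Received", [])) + msg.get("Return-Path", "")
    if "amazonses.com" in hops.lower():
        findings.append("sent-via-amazon-ses")
    if LURE_RE.search(text):
        findings.append("suspicious-login-lure")
    for host in lookalike_hosts(text):
        findings.append(("brand-lookalike-cctld:" if is_cctld(host) else "brand-lookalike:") + host)
    return findings

# Constructed sample message (not a real capture); every address and domain is a placeholder.
SAMPLE = """\
Received: from a1-2.smtp-out.amazonses.com (203.0.113.10) by mx.example.org
Subject: Suspicious login activity on your ScreenConnect account

We detected suspicious login activity from an unusual IP address. Verify now: https://screenconnect-verify.example.co/portal
"""
```

In production the three findings would feed a score or a quarantine rule rather than each blocking on its own, since SES traffic and "unusual login" wording are both common in legitimate mail.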