A newly identified credential harvesting campaign, tracked as MCTO3030 by Mimecast’s Threat Research team, is targeting administrators of ConnectWise ScreenConnect cloud services in a highly orchestrated operation.
Active since 2022, the campaign showcases advanced adversary tradecraft, leveraging low-volume, precision spear phishing to maintain stealth while focusing on senior IT personnel with super administrator privileges.
Targeting High-Value Credentials
The phishing attacks are launched through Amazon Simple Email Service (SES), giving the adversaries strong deliverability rates while exploiting reputable infrastructure to bypass standard filtering mechanisms.
The emails designed to mimic corporate security alerts claim suspicious unauthorized access, prompting recipients to click a “Review Security” button.
Victims are then redirected to spoofed ScreenConnect login pages hosted on country-code top-level domains (ccTLDs) such as connectwise.com.ar connectwise.com.ec.
The lookalike portals deploy EvilGinx adversary-in-the-middle (AITM) frameworks to capture both login credentials and multi-factor authentication (MFA) codes in real time. This allows the attackers to gain full privilege even when MFA is enforced.
Once obtained, super admin credentials enable lateral access across enterprise environments. Threat actors can silently deploy remote clients across multiple endpoints, potentially using ScreenConnect itself as a distribution vector for malicious payloads, including ransomware.
Links to Ransomware Operations
Research from Sophos earlier this year highlighted ScreenConnect intrusions tied to Qilin ransomware affiliates, suggesting MCTO3030 may play a role in ransomware operators’ initial access strategies.
By harvesting administrator accounts, cybercriminals gain footholds in managed IT environments, drastically reducing time-to-impact when pushing out destructive payloads at scale.
Mimecast notes that the operational consistency of the campaign infrastructure setup with ccTLD domains, exploitation of SES, and reliance on EvilGinx indicates a mature adversary team.
The ability to maintain activity over three years without significant disruption underscores their disciplined operational security.
Defensive Measures and Recommendations
Mimecast has rolled out enhanced detection rules targeting telltale signs of this campaign, including Amazon SES abuse patterns, AITM indicators, and ScreenConnect impersonation domains. Organizations relying on ScreenConnect are urged to:
- Enforce phishing-resistant MFA such as FIDO2/WebAuthn instead of TOTP-based methods.
- Restrict super admin access through conditional access policies tied to managed devices and known IP ranges.
- Conduct targeted awareness training for IT teams around AITM phishing and ScreenConnect impersonation tactics.
- Increase monitoring of ScreenConnect audit logs for anomalous deployments or privilege escalations.
With ransomware operators increasingly exploiting remote access software as a launchpad, campaigns like MCTO3030 highlight the urgent need for layered defenses, spanning technical controls and informed user vigilance.
Indicators of Compromise (IOCs)
Domains
- connectwise.com.ar
- connectwise.com.be
- connectwise.com.cm
- connectwise.com.do
- connectwise.com.ec
- Various other ScreenConnect-themed domains using country code TLDs
Infrastructure Characteristics
- Amazon SES sending infrastructure
- EvilGinx-based phishing kits
- Country code TLD domain patterns
- ConnectWise/ScreenConnect branding impersonation
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
.jpg?resize=1068,580&ssl=1&description=ScreenConnect Credential Theft - A newly identified credential harvesting campaign, tracked as MCTO3030 by Mimecast’s Threat Research team.){kind=link}