Key Points
- Low-volume spear phishing operation sending up to 1,000 emails per campaign run
- Aims at initial access, potentially for ransomware deployment
- Targets senior IT professionals and administrators with super admin privileges
- Uses adversary-in-the-middle (AITM) phishing built on the EvilGinx framework
Campaign Overview
Samantha Clarke and the Mimecast Threat Research team have identified an ongoing credential harvesting campaign (designated MCTO3030) that specifically targets ScreenConnect cloud administrators. This sophisticated operation has maintained consistent tactics, techniques, and procedures since 2022, demonstrating remarkable operational security through low-volume distribution that has allowed it to operate largely undetected.
The campaign employs spear phishing emails delivered through Amazon Simple Email Service (SES) accounts, targeting senior IT professionals including directors, managers, and security personnel with elevated privileges in ScreenConnect environments. The attackers specifically seek super administrator credentials, which provide comprehensive control over remote access infrastructure across entire organizations.
Dimakatso Makinta