A sophisticated phishing campaign has emerged, targeting enterprise users by disguising malicious software as popular workplace applications such as Microsoft Teams, Zoom, and Adobe Acrobat Reader. This new threat is notable for using legitimate-looking digital signatures to evade detection by users and security systems.
Details of the Phishing Campaign
First identified in February 2026, the campaign involves multiple waves of phishing emails sent to organizations. These messages often mimic meeting invitations, financial documents, or routine business notices, enticing recipients to download what appears to be a software update or application installer. The malicious files have names mimicking real applications, including msteams.exe and zoomworkspace.clientsetup.exe.
The threat actor behind this campaign has abused Extended Validation (EV) certificates issued to TrustConnect Software PTY LTD, so the signed files appear legitimate to users and to signature-based checks. Microsoft’s Defender Experts, who detected the campaign through telemetry, describe it as a calculated, multi-faceted attack.
How the Malware Works
Once downloaded, the malware installs remote monitoring and management (RMM) tools such as ScreenConnect, Tactical RMM, and Mesh Agent, giving the attacker remote control over the compromised device. Because these are legitimate administration tools, they allow lateral movement across the network, data harvesting, and deployment of additional payloads without triggering the alerts that custom malware typically would.
The malware establishes persistence by creating secondary copies under system directories, registering them as Windows services, and modifying registry keys to ensure automatic execution on startup. The malware also communicates with a command and control (C2) domain, executing PowerShell commands to install RMM clients silently.
Mitigation and Security Recommendations
Organizations should take proactive measures to block unauthorized RMM tools using Windows Defender Application Control or AppLocker. Enforcing multifactor authentication on all approved RMM systems is crucial. Implementing Safe Links, Safe Attachments, and Zero-hour Auto Purge can help intercept malicious emails before they reach users.
Maintaining cloud-delivered protection on endpoint antivirus is essential for quickly identifying new malware variants. Deploying attack surface reduction rules targeting untrusted executables and processes created via PsExec or WMI can further enhance security across all endpoints.
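As an added example that is not part of this report, the following PowerShell script hunts for the persistence described above (service registrations and Run-key autostart entries) whose binaries are signed with the abused TrustConnect publisher name or carry one of the RMM or lookalike file names mentioned in the article. The publisher string and tool names are taken from the text; the script itself, including the name-matching list, is an assumption about how a defender might check an endpoint, not Microsoft's guidance.

```powershell
# Added hunting example (not from the report): list services and Run-key entries
# whose executable is signed by the abused publisher or carries an RMM-like name.
# Assumption: the strings below come from the article; extend them as needed.
$SuspectPublisher = 'TrustConnect Software PTY LTD'
$RmmNames = 'ScreenConnect', 'TacticalRMM', 'MeshAgent', 'msteams', 'zoomworkspace'
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-ExePath([string]$CommandLine) {
    # Strip arguments and quotes so the binary itself can be inspected.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

$candidates = @()
# Services: the malware registers its secondary copies as Windows services.
Get-CimInstance Win32_Service | ForEach-Object {
    $candidates += [pscustomobject]@{ Source = "Service:$($_.Name)"; Path = Get-ExePath $_.PathName }
}
# Run keys: autostart entries that survive a reboot.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
        $candidates += [pscustomobject]@{ Source = "Run:$($p.Name)"; Path = Get-ExePath $p.Value }
    }
}

foreach ($c in $candidates) {
    if (-not $c.Path) { continue }
    $path = [Environment]::ExpandEnvironmentVariables($c.Path)
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $nameHit = $RmmNames | Where-Object { $path -like "*$_*" }
    # Report a hit on the abused publisher name or on an RMM/lookalike file name.
    if ($signer -like "*$SuspectPublisher*" -or $nameHit) {
        [pscustomobject]@{ Source = $c.Source; Path = $path; Signer = $signer; Status = $sig.Status }
    }
}
```

Run it elevated so HKLM and service binaries under system directories are readable; a valid signature from an unexpected publisher is exactly the case this campaign relies on, so review every hit rather than trusting Status alone.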
