Hackers Turn Zoom Invites into Remote Takeovers, Abnormal AI Warns

  • Aug 26, 2025
  • 3 min read

A new threat report from Abnormal AI details a sprawling phishing campaign that transforms everyday workplace communications—Zoom invites, Teams messages, even shared documents—into Trojan horses for full device compromise. Instead of stealing passwords, attackers are tricking victims into installing ConnectWise ScreenConnect, a legitimate remote monitoring tool that effectively hands over system control to cybercriminals.


Phishing 2.0: When Trust Becomes the Weapon


Unlike the garden-variety phishing schemes that dump you on a fake login page, this operation hijacks the rituals of modern office life. Imagine a routine Zoom calendar invite, branded with real logos, arriving from a colleague’s compromised account. One click on “Join Meeting” leads not to a video call, but to a live ScreenConnect session controlled by attackers.


The ruse works because it doesn’t feel like a ruse. The emails appear in existing conversation threads. The links are wrapped in trusted services like SendGrid. Some even exploit Cloudflare Workers or open redirect flaws in legitimate websites to camouflage their true destination.


“This is about abusing what people already trust,” said one Abnormal AI executive in the report. “By turning common business workflows into delivery mechanisms, attackers make security controls—and human suspicion—far less effective.”


AI in the Attack Chain


The deception doesn’t stop with logos and timing. According to the report, some phishing sites are generated using AI-powered development platforms such as Vercel’s v0, which can spin up polished, functional landing pages in minutes. The sites detect whether Zoom is installed, then push what looks like an update package but is actually ScreenConnect masquerading as Zoom.ClientSetup.exe.


This weaponization of legitimate IT tools is particularly dangerous because malicious use blends in with sanctioned remote support activity. Once inside, adversaries can move laterally, harvest credentials, or insert fresh phishing lures into genuine email threads—all without triggering obvious red flags.


Cybercrime’s SaaS Economy


The report also highlights the thriving dark-web market behind these attacks. Pre-packaged “ScreenConnect Revolution Packs” bundle in hidden VNC access, Windows Defender bypasses, and even a “blank-screen fix” that lets attackers operate invisibly during remote sessions. Vendors offer $6,000 branded kits with training and after-sales support, mimicking the customer service polish of mainstream SaaS providers. Others sell direct access to already-compromised ScreenConnect deployments for as little as $500.


The infrastructure is just as professionalized. Criminal forums tout “bulletproof” hosting on VPS providers that ignore abuse complaints, with Cloudflare front-ends to mask origins and session restoration features that survive takedowns. It’s a full-fledged supply chain where persistence, stealth, and scalability are sold as features.


A Broad and Growing Target List


Abnormal’s researchers say more than 900 organizations across sectors from healthcare to financial services have been targeted. No single industry dominates—religious groups, universities, insurers, retailers, manufacturers, and tech companies all appear on the victim list. Most activity clusters in the U.S., but Canada, the U.K., and Australia are also heavily represented.


The breadth suggests attackers aren’t cherry-picking industries for espionage. They’re harvesting access at scale, stockpiling footholds for resale or future monetization.


The Defensive Playbook


Security leaders, the report warns, must rethink assumptions. This isn’t malware that sneaks in through zero-days—it’s legitimate software invited through the front door by tricked employees.


Recommended countermeasures include AI-driven email detection, continuous monitoring of remote access tool installations, refreshed awareness training focused on “legitimate software abuse,” and a shift toward zero-trust architectures that limit the blast radius of compromised endpoints.
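One way to act on the "continuous monitoring of remote access tool installations" recommendation, applied to the Zoom.ClientSetup.exe lure described earlier: triage process-creation events for a ScreenConnect binary whose file name or launch location does not match a sanctioned install. This is example code added here, not Abnormal AI's or ConnectWise's; the event fields, the version-resource strings and every sample event are assumptions constructed for the illustration.

```python
"""Triage process-creation events for the lure described above: a ConnectWise
ScreenConnect client delivered under a Zoom installer name. All events below
are constructed for this example; field names and metadata strings are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

ZOOM_LIKE = re.compile(r"zoom.*\.exe$", re.IGNORECASE)  # e.g. Zoom.ClientSetup.exe
RMM_MARKERS = ("screenconnect", "connectwise")          # assumed version-resource strings
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData)|Temp)\\", re.IGNORECASE)

@dataclass
class ProcessEvent:
    user: str
    image: str     # full path of the executable that started
    product: str   # ProductName from the PE version resource, as an EDR would log it
    company: str   # CompanyName from the same resource

def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a reason string if the event merits analyst review, else None."""
    name = ev.image.rsplit("\\", 1)[-1]
    meta = f"{ev.product} {ev.company}".lower()
    is_rmm = any(m in meta for m in RMM_MARKERS)
    if not is_rmm:
        return None
    if ZOOM_LIKE.search(name):
        return "rmm-masquerading-as-zoom"      # file name and binary metadata disagree
    if USER_WRITABLE.search(ev.image):
        return "rmm-from-user-writable-path"   # not an admin-deployed install location
    return None                                # sanctioned remote-support client

def triage(events):
    """Return (user, image, reason) for every event that classify() flags."""
    return [(e.user, e.image, r) for e in events if (r := classify(e))]

SAMPLE_EVENTS = [  # constructed sample telemetry
    ProcessEvent("jdoe", r"C:\Users\jdoe\Downloads\Zoom.ClientSetup.exe",
                 "ScreenConnect Client", "ConnectWise"),
    ProcessEvent("asmith", r"C:\Users\asmith\AppData\Roaming\Zoom\bin\Zoom.exe",
                 "Zoom", "Zoom Video Communications, Inc."),
    ProcessEvent("itadmin", r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe",
                 "ScreenConnect", "ScreenConnect Software"),
    ProcessEvent("mlee", r"C:\Users\mlee\AppData\Local\Temp\update.exe",
                 "ScreenConnect", "ScreenConnect Software"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit)
```

The second heuristic catches the same client arriving under a different file name, while the genuine Zoom client and the admin-deployed ScreenConnect install are left alone.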


The bottom line: The future of phishing isn’t fake. It’s real software, real platforms, and real trust—twisted into tools of compromise.