These attacks are abusing trusted remote access tools to bypass detection, exposing a growing security gap for enterprises. A fake Word Online phishing page has exposed a growing enterprise blind spot: attackers using trusted tools to gain remote access without raising immediate alarms.
The attack chain observed by ANY.RUN moved from an Outlook email to an MSI installer, silent execution, ScreenConnect remote access, and HideUL-based concealment. For CISOs, this is a warning that phishing investigations must focus on full behavior, not just malicious files.[1]
[1] https://hackread.com/fake-word-phishing-enterprise-blind-spot-trusted-remote-access-tools/
Link to full report: IR-26-140-001_FakeWordPhishing.pdf
Comments