Forcepoint X-Labs Uncovers SmartScreen Evasion Campaign Abusing ScreenConnect for Persistent Remote Access
Authored by Mayur Sewani, Senior Security Researcher, Forcepoint X-Labs. Researchers observed:
A campaign in which a spoofed email impersonating the U.S. Social Security Administration delivers a malicious attachment designed for silent execution and privilege escalation.
The attached script disables Windows SmartScreen, removes the Mark-of-the-Web, and installs a legitimate ScreenConnect client that is then abused as a Remote Access Trojan (RAT) to maintain command-and-control access.
Notably, the ScreenConnect client analyzed was signed with a certificate that had been explicitly revoked, underscoring how attackers are leveraging trusted tooling to evade detection.
The compromised host ultimately establishes encrypted communications with a remote server linked to Iranian network infrastructure, enabling data exfiltration activity.
Why This Matters
This research highlights a growing defensive challenge: attackers increasingly bypass traditional security controls by switching off the protections built into the operating system and repurposing legitimate IT management software. The findings reinforce the need for organizations to block execution of binaries whose signing certificate has been revoked, enforce strict allowlists of sanctioned RMM tools and instances, and monitor for tampering with security controls such as SmartScreen and the Mark-of-the-Web.
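As an added example, not Forcepoint's code and not part of the original post, the following PowerShell audit checks a Windows host for the three artifacts the research describes: SmartScreen switched off through the Explorer setting or machine policy, ScreenConnect client services whose binaries no longer pass the Windows trust check (a revoked signing certificate surfaces in the cmdlet's StatusMessage when revocation data is reachable), and recent downloads that have lost their Mark-of-the-Web. The service-name pattern, the Downloads folder and the seven-day window are assumptions; the approved-instance list is a placeholder to fill with the service names of your own sanctioned ScreenConnect deployments.

```powershell
# Added host audit (not Forcepoint's code). Assumptions are marked inline.
# Run in an elevated PowerShell session on the Windows host under review.

# ASSUMPTION/placeholder: service names of the ScreenConnect instances your
# organization sanctions. Any client not listed here is flagged for review.
$ApprovedScreenConnectServices = @()

function Get-SmartScreenState {
    # Explorer setting ("Warn", "Block", "RequireAdmin" or "Off") and the machine
    # policy value (EnableSmartScreen = 0 disables SmartScreen by policy).
    $shell  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name SmartScreenEnabled -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name EnableSmartScreen -ErrorAction SilentlyContinue
    $shellValue  = if ($shell)  { $shell.SmartScreenEnabled } else { '(not set)' }
    $policyValue = if ($policy) { $policy.EnableSmartScreen } else { '(not set)' }
    $disabled = ($shellValue -eq 'Off') -or ($policy -and $policy.EnableSmartScreen -eq 0)
    [pscustomobject]@{ ShellSetting = $shellValue; PolicySetting = $policyValue; LooksDisabled = $disabled }
}

function Get-ScreenConnectClient {
    # ASSUMPTION: the client registers a service named "ScreenConnect Client (<instance id>)".
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.Name -like 'ScreenConnect Client*' } | ForEach-Object {
        # PathName is the service command line: a quoted executable path followed by arguments.
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' ')[0] }
        $status = 'FileMissing'; $message = 'Service binary not found on disk'; $signer = $null
        if (Test-Path -LiteralPath $exe) {
            # Windows trust check. With revocation information reachable (CRL/OCSP), a revoked
            # signing certificate gives a Status other than Valid plus an explanatory message.
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $status = $sig.Status; $message = $sig.StatusMessage
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Service         = $_.Name
            State           = $_.State
            Executable      = $exe
            SignatureStatus = $status
            StatusMessage   = $message
            Signer          = $signer
            Allowlisted     = $ApprovedScreenConnectServices -contains $_.Name
        }
    }
}

function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Downloaded files carry a Zone.Identifier alternate data stream (ZoneId=3 for the
    # Internet zone); removing the Mark-of-the-Web means deleting that stream.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return [pscustomobject]@{ Path = $Path; HasMotW = $false; ZoneId = $null } }
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier | ForEach-Object { if ($_ -match '^ZoneId=(\d+)') { $Matches[1] } }
    [pscustomobject]@{ Path = $Path; HasMotW = $true; ZoneId = ($zone | Select-Object -First 1) }
}

# --- Audit run ---
$ss = Get-SmartScreenState
"SmartScreen: explorer=$($ss.ShellSetting) policy=$($ss.PolicySetting) looksDisabled=$($ss.LooksDisabled)"

$clients = @(Get-ScreenConnectClient)
if ($clients.Count -eq 0) { 'No ScreenConnect client service found.' }
foreach ($c in $clients) {
    $flags = @()
    if ($c.SignatureStatus -ne 'Valid') { $flags += 'signature:' + $c.SignatureStatus }
    if (-not $c.Allowlisted)            { $flags += 'not-allowlisted' }
    $tag = if ($flags.Count) { 'REVIEW ' + ($flags -join ',') } else { 'ok' }
    "[$tag] $($c.Service) [$($c.State)] $($c.Executable) signer=$($c.Signer) - $($c.StatusMessage)"
}

# ASSUMPTION: scan the current user's Downloads folder over the last seven days;
# point this at wherever a mail attachment would land in your environment.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object { Test-MarkOfTheWeb -Path $_.FullName } |
    Where-Object { -not $_.HasMotW } |
    ForEach-Object { "[REVIEW] no Mark-of-the-Web on recent download: $($_.Path)" }
```

Two caveats when reading the output. A signature reported as Valid is necessary, not sufficient: the revocation verdict depends on the host being able to fetch the issuer's CRL or OCSP response, so an isolated machine can report a revoked certificate as trusted, and the signer should be cross-checked against the publisher you expect. Likewise, the presence of a ScreenConnect service is not itself malicious; the allowlist comparison is what turns "RMM present" into "unsanctioned RMM present".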
You can read the research here: ScreenConnect Attack: SmartScreen Bypass and RMM Abuse
This entry was posted on February 11, 2026 at 9:08 am and is filed under Commentary with tags Forcepoint X-Labs.