Hackers are using fake Zoom or Microsoft Teams invites to spy on all your workplace activity

A new report from security researchers at Abnormal claimed criminals would use compromised email accounts and conversation threads, AI-generated phishing pages, and would abuse legitimate file-sharing video conferencing platforms to spoof Zoom and Microsoft Teams with authentic-looking emails.

The goal was to get the victims to install ConnectWise ScreenConnect, a legitimate IT tool repurposed for full remote access. Instead of stealing passwords, attackers lure victims into giving them administrator-level control over corporate systems. Once inside, they launch account takeovers, lateral phishing campaigns, and data theft while blending in with normal IT activity.

Targeting education and religious groups

Among the 900 companies attacked so far, the researchers found the majority were in education and religious groups (14.4%), healthcare and pharma (9.7%), and financial services (9.4%), with other industries like insurance, legal, retail, manufacturing, and tech, also being heavily targeted. Most victims are in the US, UK, Canada, and Australia.

The attacks are powered by a dark web marketplace that sells ScreenConnect “attack kits” for a few thousand dollars, along with network access resold for $500–$2,000.

Some vendors even offer $6,000 custom packages with training and support, effectively turning ScreenConnect abuse into a RAT-as-a-Service business model.

This campaign highlights a dangerous shift, Abnormal believes. Instead of breaking into systems, threat actors are now weaponizing trusted workplace tools to sidestep defenses.

That is why businesses should adopt AI-powered email security, endpoint monitoring, zero-trust, and better staff awareness training, to counter these increasingly sophisticated threats.

You might also like

• Everything you need to know about phishing
• Take a look at our guide to the best authenticator app
• We've rounded up the best password managers