Fake Word Online phishing deploys ScreenConnect via silent MSI and Ninite, gaining remote access while HideUL conceals activity from enterprise SOCs.

Continue reading
A phishing campaign recently documented by threat analysis platform ANY.RUN has exposed a technically refined and operationally dangerous attack sequence that bypasses conventional enterprise defenses by avoiding malware entirely.
The chain — moving from a spoofed Microsoft Word Online page through a silent MSI installer, Ninite package deployment, ScreenConnect remote access establishment, and HideUL-based user concealment — reaches full interactive remote access inside a target organization using exclusively legitimate, trusted tools at every stage.
The observed attack chain progresses from an Outlook email to an MSI installer, silent execution, ScreenConnect remote access, and HideUL-based concealment — a warning that phishing investigations must focus on comprehensive behaviour, not just malicious files.
The broader significance of this campaign extends well beyond the specific tools deployed. It represents the operational maturation of a threat category — phishing-to-RMM — that is now documented across multiple independent research organizations and is actively being refined by threat actors who understand precisely where enterprise detection architectures fail.
This attack does not emerge in isolation. Phishing returned as the leading method attackers used to break into organizations in the first quarter of 2026, accounting for over a third of engagements where initial access could be determined, according to Cisco Talos — the first quarter phishing has led the category since Q2 2025.
The concurrent shift toward trusted-tool abuse compounds the problem significantly. In February 2026, Microsoft Defender Experts identified multiple phishing campaigns that used workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware — with files digitally signed using Extended Validation certificates issued to TrustConnect Software PTY LTD — demonstrating how familiar branding and trusted digital signatures are being systematically abused to bypass user suspicion.
In parallel, researchers at Huntress documented threat actors daisy-chaining distinct RMM tools to fragment telemetry, distribute persistence, and complicate attribution and containment efforts — with lower-skilled actors leveraging rogue RMM MSI installers to establish initial access and execute follow-on payloads including LLM-generated infostealer scripts.
The fake Word Online attack chain is therefore not an anomaly. It is the current leading edge of a structurally consistent threat model.
The campaign initiates with a message delivered through Microsoft Outlook — a deliberate choice that exploits the implicit trust users extend to email arriving in their primary corporate inbox. The message directs the recipient to what appears to be a Word Online document preview or OneDrive file sharing page, replicating the visual interface of Microsoft 365 with sufficient fidelity to pass casual inspection.
This lure design is operationally precise for several reasons. It impersonates a workflow that enterprise users encounter dozens of times daily — opening a shared document, previewing a file before downloading, continuing work from a colleague's link. No alarm is triggered by the act of clicking. There is no suspicious attachment, no macro prompt, no executable offered directly by the email itself. The phishing page is the vector, not a file within it.
Hackers and cyber criminals no longer rely on zero-day exploits or complex technical breakthroughs. Instead, they increasingly succeed by doing something far more subtle: exploiting trust — impersonating the trusted workflows, platforms, and colleagues that enterprise users interact with every day.
The attacker's investment in interface fidelity at this stage pays dividends across every subsequent stage. A user who believes they are opening a legitimate Word document will not apply heightened scrutiny to the installer that follows.
Once the user interacts with the fake Word Online page, the attack pivots from social engineering to technical execution. The page delivers a Windows Installer package — an MSI file — that presents itself as a routine software component required to access the document.
The choice of MSI as the delivery vehicle is tactically deliberate and operationally elegant. MSI files are natively trusted by the Windows operating system.
They are the standard format for enterprise software deployment, invoked through `msiexec.exe` — a built-in Windows binary — and are routinely whitelisted across endpoint security configurations.
A signature-based antivirus scanning an MSI file containing only legitimate installer components will report no threat, because there are no malicious components to detect at this stage.
PowerShell invokes msiexec to extract and install ScreenConnect components including executable, DLLs and config files, after which the installer invokes ScreenConnect.ClientService.exe with specific parameters defined in a System.config file — a configuration that tells the client which attacker-controlled server to connect to.
A signed ScreenConnect client with a certificate that has been explicitly revoked by the vendor is being silently deployed after disabling SmartScreen and stripping the Mark-of-the-Web tag, allowing execution without reputation-based blocking — bypassing the primary Windows mechanism for warning users about files downloaded from the internet.
The Mark-of-the-Web (MotW) strip is particularly significant. Windows appends this metadata tag to all files downloaded from external sources, which triggers SmartScreen reputation checks and UAC elevation prompts. Removing it prior to execution eliminates the user-facing warning layer entirely — the MSI runs with no interactive prompt, no security dialog, no visible indicator that anything is occurring.
The campaign's next layer introduces Ninite — a widely used, commercially legitimate software deployment utility — as the execution mechanism for the remote access payload. This selection reflects a deep operational understanding of enterprise security tooling and its gaps.
Ninite is a software installation and package management tool designed to simplify the process of installing or updating multiple applications. It installs or updates selected programs automatically in the background, bypassing unnecessary prompts, toolbars, or adware — designed to install applications with default settings with no user-facing interaction.
For a threat actor, these design characteristics are not limitations to work around — they are features to exploit. Ninite Pro integrates with remote management tools to silently install or update popular third-party applications, with agents deployable via MSI, a simple executable with a `/silent` switch, or a network-wide installer.
In the context of this attack chain, Ninite is used precisely as designed — to install software silently, in the background, without user prompts. The difference is that the software being installed is ScreenConnect, and the operator is not an IT department but an adversary seeking persistent remote access.
From a SOC telemetry perspective, a Ninite installation event is nearly indistinguishable from legitimate IT operations. Ninite is actively used by IT administrators in enterprise environments for software rollout and patching.
An alert fired on Ninite execution would generate significant false positive volume in organisations that legitimately use it — and in organizations that do not, the binary may simply not be part of any watchlist at all.
With Ninite executing silently, ScreenConnect — ConnectWise's commercial remote access platform — is installed and activated. This represents the operational fulcrum of the entire chain: the moment at which the attacker transitions from preparation to persistent, interactive control of the compromised endpoint.
Rather than using custom malware, attackers deploy modified versions of legitimate remote access software such as ScreenConnect. Because ScreenConnect is widely used by IT teams for legitimate remote support, its installation may not immediately trigger suspicion unless behavioral monitoring or application allow-listing is in place — reflecting a broader trend of RMM tool abuse where attackers blend in with normal IT operations.
The network behaviour of ScreenConnect further complicates detection. Unlike traditional backdoors that open inbound ports, ScreenConnect establishes outbound connections to external relay servers controlled by the attacker — a design characteristic that renders standard perimeter firewall rules largely ineffective. Inbound connection blocking is a primary defensive control; an outbound TLS connection to an external HTTPS endpoint is standard enterprise network traffic.
Following installation, the ScreenConnect client persists as a Windows service and beacons to the adversary-controlled ScreenConnect server over TCP port 8041, establishing a persistent, encrypted channel to the attacker's infrastructure.
The client establishes a network session with the remote command-and-control domain, after which the host begins exhibiting Remote Access Trojan-style behaviours and data exfiltration activity, encrypting data with a session key while uploading in chunks to the C2 server.
Once the ScreenConnect session is live, the attacker possesses full interactive desktop access — mouse, keyboard, screen, file system, clipboard, process manager.
Every subsequent action taken through this channel uses a legitimately installed, vendor-signed application generating network traffic that, to most enterprise security tooling, is indistinguishable from an IT administrator conducting legitimate remote support.
The final documented stage of this attack chain is HideUL — a Windows utility that modifies registry entries to conceal specific user accounts from the Windows login screen and, in some configurations, from standard user enumeration commands.
At this stage the attacker has already achieved their primary objective of persistent remote access. HideUL represents the post-exploitation tradecraft layer: ensuring that the access persists undetected, that no secondary user account created during the session is visible to administrators, and that routine user enumeration by IT staff or a Tier 1 SOC analyst does not surface anomalous account activity.
This technique maps directly to MITRE ATT&CK's T1564 — Hide Artifacts and T1078 — Valid Accounts categories.
The registry modifications made by HideUL are not inherently malicious in isolation — they are standard Windows functionality. Detecting their adversarial application requires behavioral context: who made the change, when, under what parent process, and in what sequence relative to other observed activity.
That context is precisely what conventional tiered SOC architectures struggle to assemble in real time.
The attack sequence documented here is not sophisticated in the conventional sense — it exploits no memory corruption vulnerability, deploys no polymorphic shellcode, and bypasses no cryptographic control. Its sophistication lies in something more dangerous: a precise operational understanding of where enterprise security architectures generate visibility and where they do not.
The biggest risk in this type of phishing attack is the delay between the first suspicious action and a confident response.
When attackers use legitimate installers, remote access tools, and concealment utilities, the SOC may see separate pieces of activity without enough context to understand the full business risk — creating problems including trusted tools becoming part of the intrusion path, Tier 1 teams needing more time to validate the threat, escalations reaching Tier 2 or IR without enough context, leadership lacking a clear view of severity, and remote access being established before the incident is prioritized.
Each stage of this chain was designed to occupy a different blind spot:
The phishing page bypasses email attachment scanning because no malicious file is attached.
The MSI installer bypasses antivirus because it contains no malicious code — only legitimate installer components.
The Ninite execution bypasses behavioural detection because it operates exactly as designed — silently, in the background, without anomalous process behaviour.
The ScreenConnect installation bypasses network controls because it generates outbound TLS traffic on standard ports to a known commercial platform.
The HideUL execution bypasses identity monitoring because it uses native Windows registry modification functions.
No single stage is sufficient to trigger a high-confidence alert in most enterprise security stacks. The malicious intent of the sequence is only visible when all five stages are correlated into a single behavioral timeline — a correlation that requires both the telemetry sources and the analytical capacity to connect them in real time.
Daisy-chaining distinct RMM tools fragments telemetry, distributes persistence, and complicates both attribution and containment efforts — with each tool generating logs in a different system, making the aggregate attack pattern invisible to analysts examining individual data sources.

U.S. Army recruiting pages hijacked to display fake 404 errors reading ‘Kurdistan’, exploiting a third-party tool and exposing .mil web security gaps.