Fake Interactive Zoom Call Leads to Malicious ScreenConnect Download

SC Media
Mar 20, 2026

Why It Matters

The attack converts a trusted collaboration platform into a remote‑access gateway, exposing enterprises to data theft, ransomware, and operational disruption. It underscores the escalating sophistication of social engineering tactics targeting remote‑work tools.

Key Takeaways

  • Fake Zoom call uses AI‑generated JavaScript for realism
  • Victims redirected to malicious MSI masquerading as Zoom update
  • Download installs legitimate ScreenConnect RMM, giving attackers control
  • Email originates from free Gmail, not official Zoom domain
  • Zoom ranks among top impersonated brands in phishing attacks

Pulse Analysis

Zoom’s ubiquity in remote work has made it a prime target for phishing, but the latest campaign pushes the envelope by delivering an interactive, AI‑driven experience. Unlike static screenshots or video clips, the malicious page lets users click buttons, hear choppy audio, and even see participant names change in real time. This level of interactivity leverages JavaScript that simulates Zoom’s UI, creating a convincing illusion that lowers user skepticism and increases the likelihood of clicking the fabricated "update" prompt.

The technical chain is straightforward yet effective. After a phishing email lands in the inbox, the victim follows a link to a spoofed domain that performs a rudimentary OS check before presenting a fake waiting room. A pop‑up then advertises a Zoom Workspace update, redirecting to a counterfeit Microsoft Store page where a ZoomUpdateInstaller.msi is offered. Once executed, the installer drops ScreenConnect, a legitimate remote‑monitoring and management (RMM) platform, which the attackers configure for covert access. Because ScreenConnect is trusted software, it can bypass many endpoint defenses, allowing persistent control, data exfiltration, or lateral movement within the network.

For organizations, the incident signals a shift toward more immersive phishing attacks that blend AI‑generated content with legitimate tools. Defensive measures must extend beyond traditional URL and attachment scanning to include behavioral analytics that detect anomalous UI interactions and unexpected RMM installations. User education should emphasize verifying email senders and domain authenticity, and should stress that Zoom would not require a Windows‑only update. By hardening email gateways, enforcing least‑privilege application controls, and monitoring for unauthorized ScreenConnect activity, enterprises can mitigate the risk posed by these Zoom impersonation schemes.
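As an added example (not code from the article or from SC Media), the following Python turns two of the controls above into detection logic run over constructed process-creation events: a Zoom-branded MSI launched by msiexec from a user's Downloads folder, and a ScreenConnect client whose relay host is not in the organization's approved set. The relay host is read from the `h=` launch parameter (assumed from the ScreenConnect client's launch-string format); the approved relay, hostnames, paths and event shape are all constructed.

```python
import re

# Relay host(s) of the organization's sanctioned ScreenConnect instance (assumed value).
APPROVED_RELAYS = {"support-rmm.example.internal"}

# Constructed process-creation events in a simplified Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\a.user\Downloads\ZoomUpdateInstaller.msi" /qn'},
    {"image": r"C:\Program Files (x86)\ScreenConnect Client (1a2b3c)\ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (1a2b3c)\ScreenConnect.ClientService.exe" '
                r'"?e=Access&y=Guest&h=zoom-updates.example.invalid&p=8041"'},
    {"image": r"C:\Program Files (x86)\ScreenConnect Client (9f8e7d)\ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (9f8e7d)\ScreenConnect.ClientService.exe" '
                r'"?e=Access&y=Guest&h=support-rmm.example.internal&p=8041"'},
]

MSI_NAME = re.compile(r'([^\\"\s]+\.msi)', re.I)      # file name of the MSI being installed
RELAY_HOST = re.compile(r'[?&]h=([^&"\s]+)', re.I)    # h= parameter in the client launch string

def zoom_branded_msi(event):
    """msiexec installing a Zoom-named MSI out of a Downloads folder: the article's lure
    (a fake 'Zoom Workspace update' served from a counterfeit Microsoft Store page)."""
    if not event["image"].lower().endswith("msiexec.exe"):
        return None
    m = MSI_NAME.search(event["cmdline"])
    if m and "zoom" in m.group(1).lower() and "\\downloads\\" in event["cmdline"].lower():
        return f"Zoom-branded MSI run from Downloads via msiexec: {m.group(1)}"
    return None

def unapproved_screenconnect(event, approved=APPROVED_RELAYS):
    """ScreenConnect client bound to a relay host that is not the sanctioned instance."""
    if "screenconnect" not in event["image"].lower():
        return None
    m = RELAY_HOST.search(event["cmdline"])
    relay = m.group(1).lower() if m else "<no relay host found>"
    if relay not in approved:
        return f"ScreenConnect client bound to unapproved relay: {relay}"
    return None

def detect(events, approved=APPROVED_RELAYS):
    """Run both rules over the events and return the list of finding strings."""
    findings = []
    for ev in events:
        for hit in (zoom_branded_msi(ev), unapproved_screenconnect(ev, approved)):
            if hit:
                findings.append(hit)
    return findings
```

Run against the constructed events, `detect(SAMPLE_EVENTS)` flags the first two (the lure MSI and the client pointed at the unapproved relay) and is silent on the sanctioned client.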
