From Phishing Emails to Industrial Control Systems: How Modern Threat Campaigns Expand Their Reach

Explore how cybercriminals combine phishing, remote monitoring tools, and industrial control system targeting to gain access, maintain persistence, and disrupt operations across organizations and critical infrastructure.

Stop Phishing From Becoming Ransomware
  • June 19, 2026

Modern campaigns combine social engineering, abuse of legitimate management software, and targeting of industrial infrastructure to maximize damage.

Phishing remains a popular method of infiltrating a network; however, recent attacks reveal a trend toward abusing remote administration tools and attacking operational technology infrastructure. Companies therefore have to deal with far more than stolen credentials.

Why Modern Phishing Campaigns Are Becoming More Sophisticated

Phishing attacks no longer depend on malicious attachments or imitation login pages; they have evolved into well-thought-out lures that trick users.

The latest campaign uses invitation-style emails that at first glance seem harmless. Unlike lures that pressure recipients into acting immediately, these emails tell recipients to open the attachment on a desktop device. This detail is critical: the attackers need a desktop so they can install a program that gives them deeper access to the system.

The phishing email is therefore just one part of a longer attack chain whose ultimate aim is to make users install software that grants remote access to their systems.

This strategy works because the whole process appears legitimate.

Cyber Attack Analysis: A Special Invitation to Install RMM Tools (Greetings Island → ScreenConnect)

A newly reported campaign opens with a friendly Greetings Island e-card invitation. The catch is in the subject line itself: “preview on a desktop.” Do that, and a website silently downloads a renamed ScreenConnect remote-access tool — handing attackers full control to delete backups and deploy ransomware.

STEP 1: THE INVITATION LURE

A cheerful e-card impersonating Greetings Island — a real invitation service — lands in the inbox. The trick is baked into the subject line: “DESKTOP PREVIEW ONLY.” Often the sending account is a previously compromised contact, so it looks familiar.

ionaprep3.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest
The page references “screenconnect” in its domain — not Greetings Island — and the .exe downloads automatically, with no user interaction.
STEP 2: SILENT RMM DOWNLOAD

Opening the invite on a desktop redirects to a ScreenConnect-themed site that auto-drops ScreenConnect.ClientSetup.exe. Forcing “desktop only” sidesteps mobile protections. Legitimate ConnectWise binaries are named ScreenConnect.WindowsClient.exe / .ClientService.exe — the renamed setup file is the red flag.

Endpoint Telemetry — Post-Execution Behavior

  • Persistence and privilege escalation: full remote control gained
  • File drops: System32, Program Files, Windows
  • Recon: system, browser, BIOS, storage

Background process log (the user sees nothing):

  • Unattended remote session established (Access & Guest)
  • Registry modified; scheduled task and Run key written for persistence
  • powershell.exe scripts executed; arbitrary commands run
  • Files dropped/overwritten in System32, Program Files, Windows

ScreenConnect is a legitimate, signed RMM tool, so signature-based antivirus often stays silent while all of this runs in the background.
STEP 3: STEALTH FOOTHOLD

Running the file gives the attacker initial access and full remote capabilities. In the background they maintain persistence, escalate privileges, drop files into system directories, harvest system/browser/BIOS/storage data, edit the registry, and run PowerShell — all invisible to the user.

Threat Intel — RMM Phishing Attack Chain

Attack Chain Visualized

  1. Greetings Island “invitation” email
  2. Subject demands “preview on desktop”
  3. Link → ScreenConnect-domain site
  4. .exe auto-downloads, user runs it
  5. Full remote access + persistence
  6. Privilege escalation & recon
  7. VSS shadow-copy backups deleted
  8. Ransomware deployed, files encrypted
Reported in June 2026 threat intelligence — one click on a friendly e-card can lead to unattended remote access and ransomware.
FULL ATTACK SEQUENCE

Every stage is designed to look legitimate — a trusted e-card brand and a signed RMM tool. From “invitation” to encrypted files, the whole chain can unfold without the victim noticing a thing.

PRE-RANSOMWARE — Backup Sabotage

  • Targeting the Volume Shadow Copy Service (VSS): VSS creates shadow copies for backups while applications keep running
  • Command observed: vssadmin delete shadows /all /quiet
  • Backup snapshots deleted; rollback/restore now impossible
  • Ransomware staged: encryption armed across reachable hosts, awaiting operator trigger

Deleting the Safety Net

Before encrypting anything, the threat actors destroy recovery options. VSS shadow copies are how Windows quietly keeps point-in-time backups — so deleting them ensures victims can’t simply roll back, maximizing pressure to pay.

  • Trusted brand lure (Greetings Island)
  • “Desktop only” to dodge mobile defenses
  • Signed ScreenConnect RMM for stealth access
  • VSS shadow-copy deletion blocks recovery
  • Persistence & privesc before ransomware
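A triage rule set for this chain, added here as an example and not part of the original bulletin: it flags the renamed installer called out in Step 2, the Access/Guest download URL, the Run-key write, and the vssadmin shadow deletion from the backup-sabotage stage, then correlates them per host. The event fields, function names and sample events are assumptions constructed for the example.

```python
# Added triage rules for the e-card -> renamed ScreenConnect -> VSS-wipe chain; helper names are hypothetical.
import re
from dataclasses import dataclass

# Renamed installer is the red flag; legitimate client binaries are
# ScreenConnect.WindowsClient.exe / ScreenConnect.ClientService.exe.
RENAMED_INSTALLER = "screenconnect.clientsetup.exe"
GUEST_URL = re.compile(r"screenconnect\.com/Bin/ScreenConnect\.ClientSetup\.exe\?"
                       r".*\be=Access\b.*\by=Guest\b", re.I)
VSS_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)

@dataclass
class ProcEvent:
    image: str    # full path of the new process
    cmdline: str  # its command line
    parent: str   # parent image name, kept for analyst context

def triage(ev: ProcEvent) -> list:
    """Names of the rules this single event trips (empty list = nothing suspicious)."""
    name = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    hits = []
    if name == RENAMED_INSTALLER:
        hits.append("renamed-screenconnect-installer")
    if GUEST_URL.search(ev.cmdline):
        hits.append("screenconnect-guest-access-url")
    if VSS_DELETE.search(ev.cmdline):
        hits.append("vss-shadow-deletion")
    if RUN_KEY.search(ev.cmdline):
        hits.append("run-key-persistence")
    return hits

def host_verdict(events) -> tuple:
    """Correlate one host: RMM foothold plus backup sabotage is the pre-ransomware stage."""
    hits = sorted({h for ev in events for h in triage(ev)})
    if "vss-shadow-deletion" in hits and "renamed-screenconnect-installer" in hits:
        return "critical", hits
    return ("high" if hits else "clean"), hits

SAMPLE = [  # constructed sample telemetry for one host, not a real incident log
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "chrome.exe https://ionaprep3.screenconnect.com/Bin/"
              "ScreenConnect.ClientSetup.exe?e=Access&y=Guest", "outlook.exe"),
    ProcEvent(r"C:\Users\alice\Downloads\ScreenConnect.ClientSetup.exe",
              "ScreenConnect.ClientSetup.exe", "chrome.exe"),
    ProcEvent(r"C:\Windows\System32\reg.exe", r"reg add HKCU\Software\Microsoft"
              r"\Windows\CurrentVersion\Run /v Updater /d C:\u.exe", "powershell.exe"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",
              "vssadmin delete shadows /all /quiet", "powershell.exe"),
]
```

Running host_verdict(SAMPLE) returns the "critical" verdict because the renamed installer and the shadow-copy deletion appear on the same host; a legitimately named ScreenConnect.WindowsClient.exe alone trips nothing.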
Threat Intel Report — RMM Phishing Impact Matrix

IMPACT & RISK FACTORS

Trusted-Brand + Compromised Senders

A real e-card brand and emails sent from already-compromised accounts give the lure instant credibility, slipping past both human suspicion and many email filters.

Signed RMM Evades Signature AV

ScreenConnect is legitimate and signed, so it frequently bypasses signature-based antivirus. “Desktop preview only” steers victims off protected mobile devices onto Windows.

No Path Back (Backups Wiped)

Persistence and privilege escalation set the stage; deleting VSS shadow copies removes the safety net — so once ransomware fires, recovery without offline backups is near impossible.

THREAT LEVEL: CRITICAL  |  SOURCE: THREAT INTEL · JUN 2026  |  VECTOR: E-CARD → RMM → RANSOMWARE

RECOMMENDED ACTIONS
Defending Against RMM Tool Phishing

Avoid clicking links or opening attachments in unsolicited emails, confirm senders through verified official channels, treat unexpected RMM installers as malware, and lean on behavior-based (not signature-based) endpoint detection with offline backups.

How Legitimate Remote Management Tools Can Be Abused

Modern phishing involves elaborate methods of influence that go beyond malicious attachments or fake login pages.

The invitations in such emails appear harmless but instruct recipients to open their content in desktop mode. Attackers prefer desktop mode since it allows them to deploy software that will have a higher degree of system-level access.

Therefore, the email is merely the initial stage of an attack process whose end-game is getting the user to install software allowing remote access. The success rate is improved due to the legitimacy of such interactions and lack of common phishing signs.

Remote Monitoring and Management (RMM) software plays an important part in managing networks and troubleshooting issues. Nevertheless, attackers increasingly abuse the functionality and credentials of RMM applications to obtain remote access.

Recent attacks deploy files that mimic legitimate remote access applications; once executed, they open a connection from the compromised device back to the attacker.

Some of the purposes of such malicious actions include:

  • Remote access
  • Persistence
  • Remote command execution
  • Information gathering
  • Additional payload deployment
  • Preparation of ransomware

Thus, organizations need to assess not only whether a file is malicious but also whether its use on that system is legitimate.

The Hidden Activities That Occur After Initial Access

Users often assume that once a file has been downloaded the threat is over, but the real threat usually begins after installation is complete. Malicious actors carry out various operations in the background, such as:

  • Privilege escalation
  • Registry modifications
  • File substitutions
  • System reconnaissance
  • Gathering browser information
  • Hardware information gathering
  • Command execution

In addition, they collect information about the storage devices, operating system configuration, and networking resources to identify critical targets for their activities.

Because all of this happens in the background, the breach is difficult to notice.

Why Industrial Control Systems Are Facing Increased Attention

Threat actors are focusing on OT systems in addition to enterprise networks. ICS and PLCs are essential for energy, water, manufacturing, and government sectors.

Recent reports indicate continued attacker interest in industrial devices exposed to the internet, whether because of inadequate authentication or because management interfaces allow direct connection to the device.

Where such devices are reachable, the threat actor can gain access to:

  • Configuration settings
  • Project files
  • HMIs
  • SCADA systems
  • Operational settings

Why Execution Governance Matters Against RMM Abuse

The remote-access operation described in this bulletin illustrates an emerging trend: legitimate software poses significant risk when it is run by unauthorized actors.

An Execution Governance strategy helps in such situations because, rather than relying solely on signatures and malware indicators, it focuses on what the software is capable of doing at execution time and the conditions under which it is allowed to run.

This is particularly valuable against operations that abuse legitimate administration tools, where the core problem is the unauthorized execution of otherwise trusted programs.

Conclusion: When an Invitation Becomes Ransomware

This campaign shows how modern ransomware attacks no longer need to begin with an obvious malicious attachment. A friendly e-card invitation, a trusted brand name, and a “desktop preview only” message are enough to move the victim from curiosity to execution. Once the renamed ScreenConnect installer runs, the attacker gains remote access, establishes persistence, deletes backups, and prepares the environment for encryption.

The attack succeeds because everything looks familiar until control is already lost.

Why This Threat Works So Well

This is a phishing-led ransomware chain built around trust, timing, and legitimate tooling.

  • A real e-card brand makes the lure feel harmless
  • A compromised sender account makes the email feel familiar
  • “Desktop preview only” pushes the victim toward a Windows endpoint
  • A ScreenConnect-themed site makes the download look like support software
  • A signed RMM tool helps the attack blend into normal IT activity
  • PowerShell, registry edits, reconnaissance, and backup deletion prepare the ransomware stage

By the time files are encrypted, the breach has already moved through multiple trusted steps.

Where Xcitium Changes the Outcome

This attack must be stopped at two points: before the user trusts the lure, and before the payload can cause damage.

Xcitium Cyber Awareness Education and Phishing Simulation helps employees recognize fake invitations, desktop-only tricks, suspicious downloads, and impersonated support flows before they run the file.

Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, applies Execution Governance when the file executes.

Unknown code does not receive unrestricted execution rights.
Code can run without being able to cause damage.
RMM abuse, PowerShell activity, persistence, backup deletion, and ransomware execution are stopped before impact.

This is Execution Governance in practice.
Control before trust. Enforcement before encryption.

Xcitium = No Ransomware

This campaign proves that ransomware can arrive disguised as something ordinary: an invitation, a preview, a trusted tool, or a familiar sender. Security cannot depend only on users recognizing the trick. It must also prevent execution from becoming damage.

Train users before they trust the lure.
Govern execution when the file runs.
Stop ransomware before encryption begins.

Choose Xcitium Cyber Awareness Education and Phishing Simulation to strengthen the human layer.
Choose Xcitium Advanced EDR to enforce Execution Governance and stop ransomware at execution.
