Barracuda security researchers have identified an increase in the use of trusted tools such as ScreenConnect for unauthorised remote access, accompanied by a surge in Microsoft 365 login attempts from unfamiliar locations.
Attackers are increasingly able to evade detection by exploiting tools and valid credentials commonly used by organisations, gaining illicit access to business networks and sensitive resources.
ScreenConnect risks
ScreenConnect, a widely used device management platform across enterprise environments, has been at the centre of recent security concerns. Attackers have begun targeting older, unpatched versions of ScreenConnect, exploiting vulnerabilities that emerged earlier in 2025. These weaknesses enable the remote installation of malicious software, delivery of ransomware, data theft, and movement across networked systems.
Security teams have observed attackers connecting their own endpoints to targets’ ScreenConnect instances, or deploying the software themselves to gain access. The trusted status of ScreenConnect within many networks allows such activity to be concealed amongst legitimate operations.
ScreenConnect released an update patching the vulnerability in April 2025, but risks remain for organisations failing to update. Companies are particularly at risk if they run outdated versions, use unmanaged remote access tools, lack multifactor authentication (MFA) on admin accounts, or have not applied the software patch.
“The detection of ScreenConnect does not immediately arouse suspicion,” said Mike Flouton, Vice President of Product Management, Barracuda.
Compromised credentials
The use of stolen or purchased usernames and passwords remains a primary tactic for attackers seeking to breach systems. Once legitimate credentials are successfully used, attackers can blend in with normal user activity, making detection more difficult.
The Barracuda report notes a trend of attackers leveraging these credentials to launch ransomware attacks, steal data, or set up persistent access channels. In these cases, observed behaviour includes multiple repeat or simultaneous login attempts and the unusual use of administrative tools such as PsExec or PowerShell.
Companies without robust password policies, regular credential rotation, or comprehensive authentication controls are at increased risk. Lack of monitoring for anomalous behaviour or failure to alert on suspicious remote activity can further expose organisations to sustained compromise.
Microsoft 365 threats
Unusual login activity targeting Microsoft 365 accounts has also spiked, with attempts arising from countries outside the standard operating regions of the affected organisations. These may involve the use of password databases purchased on criminal forums, permitting attackers to access corporate communications and confidential files, and to impersonate staff in internal phishing attempts.
Companies that do not implement geo-blocking, enforce MFA, or maintain vigilant monitoring of account login origins are especially vulnerable to this threat. Sophisticated attackers can move quickly beyond the initial breach, escalating their privileges or carrying out further attacks on the corporate environment.
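Sample detection logic for the two sign-in patterns described above: bursts of repeated or simultaneous login attempts, and sign-ins from countries outside an organisation's normal operating regions. This is an added illustration, not code from Barracuda or its report; the sign-in events, the example.com accounts and the set of expected countries are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Microsoft 365 sign-in events (not real telemetry).
# Fields: UTC timestamp, user principal name, source country, result.
SAMPLE_EVENTS = [
    ("2025-06-02T08:01:10Z", "alice@example.com", "GB", "Success"),
    ("2025-06-02T08:03:40Z", "alice@example.com", "GB", "Success"),
    ("2025-06-02T08:04:02Z", "bob@example.com",   "NG", "Failure"),
    ("2025-06-02T08:04:05Z", "bob@example.com",   "NG", "Failure"),
    ("2025-06-02T08:04:09Z", "bob@example.com",   "NG", "Failure"),
    ("2025-06-02T08:04:15Z", "bob@example.com",   "NG", "Success"),
    ("2025-06-02T08:30:00Z", "carol@example.com", "GB", "Success"),
    ("2025-06-02T08:31:00Z", "carol@example.com", "BR", "Success"),
]

# Assumed "standard operating regions" for this hypothetical tenant.
EXPECTED_COUNTRIES = {"GB", "IE"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def flag_unusual_origin(events, expected=EXPECTED_COUNTRIES):
    """Return sorted (user, country) pairs for sign-ins from outside the expected regions."""
    return sorted({(user, country) for _, user, country, _ in events
                   if country not in expected})


def flag_login_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return users with at least `threshold` attempts inside any sliding `window`.

    Counts both failed and successful attempts, so a credential-stuffing run
    that ends in a successful login is still surfaced.
    """
    by_user = defaultdict(list)
    for ts, user, _, _ in events:
        by_user[user].append(parse_ts(ts))
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)
```

In a real deployment the event tuples would come from the tenant's sign-in logs and the expected-country set from the organisation's own geo-blocking policy.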
Defensive strategies
The research underscores the importance of multi-layered security. Regular software updates, strict password policies, mandatory MFA (especially for administrators and remote access accounts), and continuous monitoring for unusual behaviour are recommended to reduce exposure to these ongoing threats.
Employee training to spot phishing attempts and report anomalies forms part of a comprehensive approach to defence. Automated systems, such as managed endpoint security and advanced detection and response platforms, can help alert security teams to malicious activity conducted through trusted tools or legitimate credentials.
According to Barracuda’s findings, organisations that have not scaled their defences in line with evolving attack methods are likely to remain at heightened risk.
“Cybercriminals are stealing or buying usernames and passwords (credentials) and using them to break into systems. Once inside, they launch ransomware attacks or steal sensitive data,” said Flouton.