Severity: HIGH
CVSS: 7.5
Priority: 0.301
Executive Summary
A coordinated IRS-themed phishing campaign documented by Microsoft Threat Intelligence on February 10, 2026, targeted more than 29,000 users across 10,000 organizations during tax season. Attackers harvested Microsoft 365 credentials and then installed legitimate remote monitoring and management tools, ConnectWise ScreenConnect, Datto RMM, and SimpleHelp, to maintain persistent backdoor access without deploying traditional malware. The business risk is significant: compromised RMM tools grant attackers ongoing remote control of affected endpoints, bypassing most endpoint and email security controls, and the signed nature of these tools means they are whitelisted in many environments.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH (High severity — prioritize for investigation)
TTP Sophistication: HIGH (17 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (Multiple evasion techniques observed)
Target Scope: Microsoft 365, ConnectWise ScreenConnect, Datto RMM, SimpleHelp, Amazon SES (abused for delivery), SmartVault (impersonated), Cloudflare (abused for evasion)
Technical Analysis
Campaign origin: Microsoft Threat Intelligence, first documented February 10, 2026.
Attack chain uses two PhaaS platforms, Energy365 and SneakyLog/Kratos, for credential harvesting against Microsoft 365 accounts.
Initial delivery abuses Amazon SES for high-reputation email sending; lures impersonate IRS communications and SmartVault branding.
Credential-harvesting pages exploit Cloudflare anti-bot features (CWE-1021: UI Redressing; CWE-345: Insufficient Verification of Data Authenticity) to obstruct automated analysis and evade URL reputation scanning.
After credential theft, attackers deploy signed RMM binaries (ConnectWise ScreenConnect, Datto RMM, SimpleHelp) via user-executed links or attachments (T1204.001, T1204.002), establishing persistent remote access (T1219) through tools already whitelisted in most enterprise environments. Valid account abuse (T1078, CWE-290) allows lateral movement without triggering authentication anomaly alerts. Web protocols are used for C2 (T1071.001).
Additional observed techniques: spearphishing attachment (T1566.001), spearphishing link (T1566.002), external remote services (T1133), web credential forging (T1598.002), keylogging/input capture (T1056.003), PowerShell execution (T1059.001), masquerading via signed binaries (T1036.005), session cookie theft (T1539), obfuscation (T1027), adversary-in-the-middle (T1557), and establishment of email accounts and infrastructure (T1585.002, T1583.001).
No CVE assigned. Relevant CWEs: CWE-1021, CWE-287, CWE-345, CWE-290. Huntress reports a 277% year-over-year increase in RMM tool abuse, which gives context for the broader trend. No patch is applicable; this is a tool-abuse and social engineering campaign.
Action Checklist (IR enriched)
Triage Priority: IMMEDIATE
Escalate to C-suite and external incident response firm if credential harvest affects >500 users, if RMM persistence is detected on domain controllers or sensitive file servers, or if forensic analysis reveals lateral movement to restricted data repositories.
Step 1, Immediate: Audit authorized RMM tools across your environment. Identify any ConnectWise ScreenConnect, Datto RMM, or SimpleHelp instances not provisioned by your IT or security team. Terminate unauthorized sessions and isolate affected endpoints.
IR Detail: Containment (NIST 800-61r3 §3.2.3; NIST IR-4(1); CIS 2.4; NIST 800-53 SI-7)
Compensating Control: Without EDR: query the Windows Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall for ScreenConnect, Datto, or SimpleHelp GUIDs and cross-reference against the IT-maintained approved software spreadsheet. Use 'tasklist /v' and 'wmic process list full' to capture running processes; isolate endpoints by unplugging the network cable or disabling the NIC via BIOS if no network control is available. Manually terminate the process via Task Manager or 'taskkill /PID [pid] /F'.
Preserve Evidence: Capture before isolation: (1) Registry export of HKLM\Software\Microsoft ('reg export' command); (2) Active process list with parent process ID and command line via 'wmic process list full > process_snapshot.txt'; (3) File metadata for RMM binaries (creation time, modification time, digital signature via 'sigcheck -nobanner [binary_path]'); (4) Network connections via 'netstat -anob' or 'Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess'; (5) RMM application logs if present (typically C:\ProgramData\[RMM_vendor]\logs\).
Step 2, Detection: Query email gateway and Microsoft 365 logs for messages delivered via Amazon SES containing IRS, SmartVault, or tax-related lures. Search endpoint logs for execution of ScreenConnect, Datto RMM, or SimpleHelp binaries not launched from approved management infrastructure. Review sign-in logs for Microsoft 365 accounts showing successful authentication followed by RMM tool installation within the same session window.
IR Detail: Detection & Analysis (NIST 800-61r3 §3.2.1; NIST 800-53 AU-12; NIST 800-53 CA-7; CIS 8.2; CIS 8.8)
Compensating Control: M365 alternative (no SIEM): export Azure AD sign-in logs via Azure Portal > Azure AD > Sign-in logs > filter by date range, apply the filters 'ResourceDisplayName equals Office 365 Exchange Online' and 'Status equals Success', and export to CSV. Cross-reference timestamps with Windows Event Log 4688 (process creation) on target endpoints for RMM binary execution within 15 minutes. Email gateway alternative (no SIEM): enable mail flow logs in the Exchange admin center, search message trace for 'from:*amazonaws.com' OR 'from:amazon.com' combined with the keywords 'IRS', 'tax' or 'refund', and export results to CSV. For on-premises mail: query Exchange message tracking logs via 'Get-MessageTrackingLog -Start [date] -End [date] -Sender *@*.amazonaws.com -ResultSize unlimited'.
Preserve Evidence: Capture before analysis: (1) M365 Azure AD sign-in logs for the 14 days prior to detection (export via Azure Portal or Graph API); (2) Windows Security event log (4624 logons, 4688 process creation) filtered for RMM binary names. The Event Log XPath subset does not support contains(), so pull the 4688 events and filter the message text in PowerShell: 'Get-WinEvent -FilterHashtable @{LogName="Security"; Id=4688} | Where-Object { $_.Message -match "ScreenConnect|Datto|SimpleHelp" } | Export-Csv rmm_4688.csv -NoTypeInformation'; (3) Email gateway message trace logs (14-day retention minimum); (4) DNS query logs for resolution of ScreenConnect, Datto, or SimpleHelp relay/command-and-control domains (the local resolver cache via 'Get-DnsClientCache', or firewall/DNS server logs); (5) File download history from user profiles (%USERPROFILE%\Downloads\, %USERPROFILE%\AppData\Local\, Application Data folders).
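Added example for the email-side search in step 2 (not code from the advisory): Python that scores a raw message on the three lure traits this page names, SES delivery, IRS/tax wording and Cloudflare Workers/Pages links, using two constructed messages whose addresses and hosts are all placeholders.

```python
"""Triage a raw message for the lure traits in step 2 and the detection
guidance: delivery through Amazon SES, IRS/tax wording, and links on
Cloudflare Workers/Pages hosts. Added example, not from the advisory; both
messages below are constructed and every address and host is a placeholder."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

TAX_LURE_RE = re.compile(r"\b(irs|tax refund|smartvault|form w-2|tax document|refund)\b", re.I)
CLOUDFLARE_SUFFIXES = (".workers.dev", ".pages.dev")
SES_MARKERS = ("amazonses.com", ".amazonaws.com")
# Headers that reflect the sending infrastructure; From: is attacker-chosen.
INFRA_HEADERS = {"return-path", "received", "x-ses-outgoing", "dkim-signature"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def message_text(msg):
    """Subject plus the decoded text body (HTML preferred, then plain)."""
    body = msg.get_body(preferencelist=("html", "plain"))
    return (msg["subject"] or "") + "\n" + (body.get_content() if body else "")


def via_ses(msg):
    infra = " ".join(str(v) for k, v in msg.items() if k.lower() in INFRA_HEADERS).lower()
    return any(marker in infra for marker in SES_MARKERS)


def cloudflare_hosted(urls):
    return [u for u in urls if (urlparse(u).hostname or "").lower().endswith(CLOUDFLARE_SUFFIXES)]


def triage(raw):
    """Return the matched traits and a verdict: all three -> quarantine, two -> review."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    text = message_text(msg)
    result = {
        "ses_delivery": via_ses(msg),
        "tax_lure": sorted({m.lower() for m in TAX_LURE_RE.findall(text)}),
        "cloudflare_urls": cloudflare_hosted(URL_RE.findall(text)),
    }
    score = sum(1 for v in result.values() if v)
    result["verdict"] = {3: "quarantine", 2: "review"}.get(score, "deliver")
    return result


PHISH_EML = b"""\
Return-Path: <0102018d0example-bounces@amazonses.com>
Received: from a8-44.smtp-out.amazonses.com (a8-44.smtp-out.amazonses.com [192.0.2.44])
 by mx.example.com with ESMTPS; Tue, 10 Feb 2026 08:02:11 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=amazonses.com; s=example; h=From:To:Subject; b=ZmFrZQ==
From: "SmartVault Tax Portal" <noreply@smartvault-docs.example>
To: alice@example.com
Subject: Action required: your IRS tax document is ready
Content-Type: text/plain; charset="utf-8"

Your 2025 tax document from the IRS has been uploaded to SmartVault.
Sign in to view it: https://tax-docs-2026.example-tenant.workers.dev/login
"""

PAYROLL_EML = b"""\
Return-Path: <payroll@example.com>
Received: from mail.example.com (mail.example.com [203.0.113.10]) by mx.example.com
From: Payroll <payroll@example.com>
To: alice@example.com
Subject: Your Form W-2 is available in the HR portal
Content-Type: text/plain; charset="utf-8"

Sign in at https://hr.example.com/w2 to download it.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EML), ("payroll", PAYROLL_EML)):
        print(name, triage(raw))
```

Tax wording alone does not trip the verdict, which matters during tax season when legitimate W-2 mail is common; the combination with SES delivery and a Workers/Pages link does.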
Step 3, Assessment: Inventory all RMM software present on endpoints using EDR telemetry or asset management tooling. Confirm each instance is authorized, managed, and connected only to your organization's approved tenant or relay. Cross-reference against your approved software list and flag any gaps.
IR Detail: Detection & Analysis (NIST 800-61r3 §3.2.2; NIST 800-53 CM-8; NIST 800-53 CA-7; CIS 1.1; CIS 2.1)
Compensating Control: Without EDR/CMDB: deploy a PowerShell inventory script across endpoints via GPO or manual execution: 'Get-WmiObject Win32_Product | Where-Object {$_.Name -match "ScreenConnect|Datto|SimpleHelp"} | Select-Object Name, Version, InstallDate, Vendor | Export-Csv software_inventory.csv -NoTypeInformation'. For each identified instance, query the registry key HKLM\Software\[Vendor] for the tenant URL or relay address and compare against the IT-maintained approved tenant list. For Linux/Mac: execute 'sudo find / -iname "*screenconnect*" -o -iname "*datto*" -o -iname "*simplehelp*" 2>/dev/null' and 'sudo ps aux | grep -iE "screenconnect|datto|simplehelp"', and cross-reference process connections via 'lsof -p [PID]' or 'netstat -tunap | grep [PID]'.
Preserve Evidence: Capture before inventory: (1) Complete software inventory export from the asset management tool (Excel format with Name, Version, InstallDate, Publisher, RegistryPath columns); (2) Registry exports for all identified RMM vendors: 'reg export HKLM\Software\[Vendor] [vendor_reg_export.reg]'; (3) RMM application configuration files, typically stored in C:\ProgramData\[Vendor]\config.xml or C:\Windows\System32\config\[vendor_service].ini (export entire directories); (4) Network connection telemetry for RMM processes (source IP, destination IP, destination port, protocol, certificate CN if TLS) via 'netstat -anob' or the EDR API; (5) File metadata (hash, signature, path, creation/modification time) for all RMM binaries via 'Get-FileHash' and 'Get-ItemProperty'.
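For the registry checks in steps 1 and 3, an added example (not part of the advisory) that parses a 'reg export' dump, lists RMM products under the Uninstall key and flags relay URLs whose host is not an approved tenant. The .reg text is constructed, and the ExampleRmmVendor key with its RelayUrl value is a hypothetical stand-in for wherever a given product keeps its tenant address.

```python
"""Parse a 'reg export' (.reg) dump: list RMM products under the Uninstall key
(step 1) and flag relay/tenant URLs whose host is not approved (step 3).
Added example, not from the advisory. The .reg text is constructed, and the
ExampleRmmVendor key with its "RelayUrl" value is a hypothetical stand-in."""
import re
from urllib.parse import urlparse

UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
RMM_PATTERN = re.compile(r"screenconnect|connectwise|datto|centrastage|simplehelp", re.I)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "Name"=<data>


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for REG_SZ and REG_DWORD entries."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # hex: continuation lines and other value types are skipped
        name, data = m.groups()
        if data.startswith('"') and data.endswith('"'):
            # .reg doubles backslashes and escapes quotes inside string data
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def find_rmm_installs(keys):
    """Uninstall entries whose DisplayName or Publisher names an RMM product."""
    found = []
    for path, values in keys.items():
        label = f'{values.get("DisplayName", "")} {values.get("Publisher", "")}'
        if path.upper().startswith(UNINSTALL_KEY.upper()) and RMM_PATTERN.search(label):
            found.append({"subkey": path.rsplit("\\", 1)[-1], "name": values.get("DisplayName", ""),
                          "installed": values.get("InstallDate", ""),
                          "uninstall": values.get("UninstallString", "")})
    return found


def find_unapproved_relays(keys, approved_hosts, value_names=("RelayUrl",)):
    """URL-valued settings whose host is not an approved tenant or relay."""
    bad = []
    for path, values in keys.items():
        for name in value_names:
            url = values.get(name)
            if isinstance(url, str) and url.lower().startswith("http"):
                host = (urlparse(url).hostname or "").lower()
                if host not in approved_hosts:
                    bad.append({"key": path, "value": name, "host": host})
    return bad


APPROVED_RELAYS = {"control.example.com"}  # your own tenant(s); constructed
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A1B2C3D4-0000-1111-2222-333344445555}]
"DisplayName"="ScreenConnect Client (f00dcafe12345678)"
"Publisher"="ScreenConnect Software"
"InstallDate"="20260210"
"UninstallString"="MsiExec.exe /X{A1B2C3D4-0000-1111-2222-333344445555}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayName"="Google Chrome"
"Publisher"="Google LLC"
"InstallLocation"="C:\\Program Files\\Google\\Chrome\\Application"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleRmmVendor]
"RelayUrl"="https://relay.unknown-tenant.example:8041"
"Enabled"=dword:00000001
"""

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    print("RMM installs:", find_rmm_installs(reg))
    print("Unapproved relays:", find_unapproved_relays(reg, APPROVED_RELAYS))
```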
Step 4, Communication: Notify affected users whose credentials may have been harvested. Issue a targeted security awareness alert to all staff about IRS-themed phishing during tax season. Escalate to legal and compliance if credential compromise is confirmed, given potential data access implications.
IR Detail: Recovery (NIST 800-61r3 §3.3; NIST 800-53 IR-4(4); NIST 800-53 AU-6(1); CIS 17.1; CIS 19.7)
Compensating Control: No compensating control — this is a procedural requirement. Use email distribution lists filtered from M365 sign-in log analysis to notify affected users directly. Template: 'Your Microsoft 365 account credentials were harvested in a phishing attack on [date]. Mandatory actions: (1) Reset password immediately via account.microsoft.com; (2) Review recent sign-in activity at https://account.microsoft.com/security; (3) Contact IT at [email] if you see unfamiliar activity.' Send an org-wide phishing alert via email and the security awareness portal highlighting IRS/tax-themed lures, with screenshot examples from the campaign. Log all notifications with timestamps for the compliance audit trail.
Preserve Evidence: Capture before communication: (1) Complete list of affected users from M365 sign-in log analysis (usernames, email addresses, sign-in timestamp, RMM installation event timestamp if correlated); (2) Email message samples from the phishing campaign (raw EML files, including headers with X-Originating-IP, DKIM, SPF alignment data); (3) RMM installation logs showing affected endpoints and timestamps; (4) Confirmation email delivery receipts for user notifications (archived in legal hold); (5) Legal/compliance sign-off document authorizing the disclosure and communication approach.
Step 5, Long-term: Implement application allowlisting or software restriction policies to block unauthorized RMM binary execution. Enforce phishing-resistant MFA (FIDO2/hardware token) on all Microsoft 365 accounts. Establish a formal RMM governance policy defining approved tools, approved tenants, and mandatory enrollment procedures. Review Cloudflare-proxied URL handling in your secure email gateway configuration.
IR Detail: Post-Incident (NIST 800-61r3 §3.4.1; NIST 800-53 CM-6; NIST 800-53 IA-2(1); NIST 800-53 SI-7(1); CIS 2.3; CIS 5.4; CIS 6.1)
Compensating Control: Without enterprise endpoint control: (1) Deploy Windows AppLocker via GPO with executable rules that allow ScreenConnect, Datto, and SimpleHelp binaries only from C:\Program Files\[approved_path]\; once executable rules are enforced, AppLocker blocks any executable not covered by an allow rule. To generate publisher rules from the approved directory and merge them into the local policy: 'Get-AppLockerFileInformation -Directory "C:\Program Files\[approved_path]\" -Recurse | New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize | Set-AppLockerPolicy -Merge'. (2) FIDO2 alternative without hardware tokens: enforce passwordless sign-in via Windows Hello for Business or the Microsoft Authenticator app (requires Windows 10+ or a mobile device). (3) RMM governance policy document: define approved vendors (ConnectWise official tenant URL, Datto official domain, SimpleHelp official relay), require IT approval for any new RMM deployment, mandate encryption in transit (TLS 1.2+), and a quarterly audit of all RMM instances. (4) Email gateway: review the allow-list for Cloudflare IP ranges (1.1.1.0/24, etc.) and add an additional scrutiny rule: 'Flag for review if message Header contains Cloudflare and Body contains IRS/tax/refund keywords'.
Preserve Evidence: Capture post-incident: (1) Baseline AppLocker or software restriction policy configuration (XML/GPO export); (2) FIDO2 enrollment baseline report (number of users enrolled, device types, backup authentication method data); (3) RMM governance policy document (signed, version-controlled, dated); (4) Email gateway configuration export showing Cloudflare-specific rules and keyword filters; (5) Pre- and post-implementation detection rule testing results (e.g., test execution of a ScreenConnect binary from a non-approved path to confirm the block).
Recovery Guidance
Post-containment: (1) Force password reset for all affected M365 accounts via Azure AD Bulk Operations and require MFA re-enrollment. (2) Revoke all active Microsoft 365 sessions for compromised accounts via 'Revoke-AzureADUserAllRefreshToken' PowerShell cmdlet to terminate any residual attacker access. (3) Audit M365 delegated admin access and app consent grants for the 14-day window around compromise; remove any suspicious OAuth app registrations via 'Remove-AzureADApplication'. (4) Conduct forensic analysis of isolated endpoints to confirm RMM removal and absence of additional persistence mechanisms (scheduled tasks, WMI event subscriptions, registry run keys); rebuild from known-good backup if evidence of lateral movement is found.
Key Forensic Artifacts
Windows Event Log Security (Event ID 4624 logons, 4688 process creation, 4720 user creation) — extract via 'wevtutil qe Security /f:text > security_log.txt'
Windows Event Log System (Event ID 7034 service unexpected termination, 7045 new service installation) — document legitimate vs. suspicious RMM service installations
Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall and HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall — identify RMM GUIDs, install dates, uninstall strings
M365 Azure AD sign-in logs and audit logs (Azure Portal > Azure AD > Audit logs) — correlate successful logons with RMM binary execution timestamps
RMM application logs in C:\ProgramData\[Vendor]\logs\ or %APPDATA%\[Vendor]\logs\ — document connection timestamps, user names used to connect, relay server addresses, session duration
Email gateway message trace logs and mail flow records — identify phishing source IP, SES-spoofed sender addresses, recipient count, keyword matches
Network traffic capture (PCAP) from RMM processes — document C&C domain names, IP addresses, TLS certificate details, HTTP User-Agent strings for attribution
File system timeline (MFT analysis) — establish file creation/modification times for RMM binaries and supporting files to correlate with phishing delivery date
Browser history and download artifacts (%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\, %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History) — document phishing link clicks and RMM installer download sources
Detection Guidance
Microsoft 365 / Entra ID: Query sign-in logs for successful authentications originating from unusual ASNs or geolocations followed within 30 minutes by new device registrations or OAuth application consent grants. Look for service principal activity from unfamiliar RMM application IDs.
Endpoint telemetry (EDR): Alert on execution of ScreenConnect.Client.exe, DattoRMM agent binaries, or SimpleHelp binaries (server.exe, remote.exe) where the parent process is a browser, email client, or user-launched installer, not your approved management platform. Flag outbound connections from these binaries to relay domains not registered in your RMM tenant.
Email gateway: Search for messages sent through Amazon SES infrastructure (mail from: amazonses.com) containing the keywords IRS, tax refund, SmartVault, Form W-2, tax document. Flag URLs proxied through Cloudflare Workers or Pages domains (workers.dev, pages.dev) that redirect to Microsoft 365 login clones.
Network: Monitor for RMM relay traffic (ConnectWise relay: relay.screenconnect.com; Datto: concord.centrastage.net) originating from endpoints where your team did not deploy an agent. Flag any SimpleHelp relay connections to non-corporate SimpleHelp server IPs.
Behavioral indicators: A user account logs into Microsoft 365 from a known IP, then within the same session a new device or app is registered; shortly after, an RMM binary executes on that same endpoint. This sequence (credential use, new registration, RMM launch) is the core behavioral chain to detect.
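The behavioral chain described above, and the 15-minute sign-in-to-4688 correlation from step 2, as an added example rather than code from the advisory: Python that walks constructed Entra sign-in, Entra audit and Windows 4688 records and emits one alert per sign-in followed by a user-launched RMM binary. The record layout, the parent-process list and the audit activity names are simplifications chosen here.

```python
"""Detect the sign-in -> new registration -> RMM launch chain described above.
Added example, not from the advisory; records are constructed simplifications
of Entra sign-in logs, Entra audit logs and Windows Security 4688 events."""
import re
from datetime import datetime, timedelta

REGISTRATION_WINDOW = timedelta(minutes=30)  # sign-in -> registration/consent
EXECUTION_WINDOW = timedelta(minutes=15)     # sign-in or registration -> 4688
RMM_PATTERN = re.compile(r"screenconnect|datto|centrastage|simplehelp", re.I)
# Parents meaning a user launched the binary rather than your management platform.
USER_LAUNCH_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                       "outlook.exe", "msiexec.exe"}
REGISTRATION_ACTIVITIES = {"Register device", "Add registered owner to device",
                           "Consent to application"}


def _ts(record):
    return datetime.fromisoformat(record["time"])


def _same_user(upn, account):
    """4688 carries a SAM-style account name; match it to the UPN local part."""
    return upn.split("@", 1)[0].lower() == account.lower()


def _user_launched_rmm(proc):
    return bool(RMM_PATTERN.search(proc["new_process"])
                and proc["parent"].lower() in USER_LAUNCH_PARENTS)


def find_chains(signins, audits, processes):
    """One alert per successful sign-in followed by a user-launched RMM binary on
    that user's endpoint; 'high' if a registration/consent sat in between."""
    alerts = []
    for s in signins:
        if s["result"] != 0:  # 0 = success in Entra sign-in logs
            continue
        t0 = _ts(s)
        regs = [a for a in audits if a["user"] == s["user"]
                and a["activity"] in REGISTRATION_ACTIVITIES
                and t0 <= _ts(a) <= t0 + REGISTRATION_WINDOW]
        anchors = [t0] + [_ts(a) for a in regs]  # launch may follow either event
        for p in processes:
            if not (_same_user(s["user"], p["account"]) and _user_launched_rmm(p)):
                continue
            tp = _ts(p)
            if not any(t <= tp <= t + EXECUTION_WINDOW for t in anchors):
                continue
            preceding = [a["activity"] for a in regs if _ts(a) <= tp]
            alerts.append({"user": s["user"], "host": p["host"], "signin_ip": s["ip"],
                           "signin_time": s["time"], "exec_time": p["time"],
                           "binary": p["new_process"], "parent": p["parent"],
                           "registrations": preceding,
                           "severity": "high" if preceding else "medium"})
    return alerts


# Constructed telemetry (RFC 5737 addresses, example.com users).
SIGNINS = [
    {"time": "2026-02-10T09:00:00", "user": "alice@example.com", "ip": "198.51.100.23", "result": 0},
    {"time": "2026-02-10T10:00:00", "user": "bob@example.com", "ip": "203.0.113.7", "result": 0},
    {"time": "2026-02-10T11:00:00", "user": "carol@example.com", "ip": "198.51.100.23", "result": 50126},
    {"time": "2026-02-10T12:00:00", "user": "dave@example.com", "ip": "198.51.100.23", "result": 0},
]
AUDITS = [
    {"time": "2026-02-10T09:12:00", "user": "alice@example.com", "activity": "Register device"},
    {"time": "2026-02-10T10:01:00", "user": "bob@example.com", "activity": "Update user"},
]
PROCESSES = [  # 4688: alice = browser-launched installer; bob = your managed service;
    # carol = launch after a failed sign-in; dave = browser-launched agent, no registration
    {"time": "2026-02-10T09:20:00", "host": "WS-ALICE", "account": "alice", "parent": "chrome.exe",
     "new_process": r"C:\Users\alice\Downloads\ScreenConnect.ClientSetup.exe"},
    {"time": "2026-02-10T10:05:00", "host": "WS-BOB", "account": "bob", "parent": "services.exe",
     "new_process": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"time": "2026-02-10T11:03:00", "host": "WS-CAROL", "account": "carol", "parent": "explorer.exe",
     "new_process": r"C:\Users\carol\Downloads\SimpleHelp\Remote Access.exe"},
    {"time": "2026-02-10T12:05:00", "host": "WS-DAVE", "account": "dave", "parent": "msedge.exe",
     "new_process": r"C:\Users\dave\AppData\Local\Temp\AgentSetup_DattoRMM.exe"},
]

if __name__ == "__main__":
    for a in find_chains(SIGNINS, AUDITS, PROCESSES):
        print(a["severity"].upper(), a["user"], a["host"], a["binary"], a["registrations"])
```

The service started by services.exe on WS-BOB is deliberately not alerted: the page's criterion is a user-launched parent, which is what separates your own deployment from one a user was talked into installing.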
Indicators of Compromise (6: 4 domains, 2 URLs)
Type | Value | Context | Confidence
DOMAIN | relay.screenconnect.com | ConnectWise ScreenConnect relay domain — flag unexpected outbound connections from endpoints not enrolled in your approved ScreenConnect tenant | MEDIUM
DOMAIN | concord.centrastage.net | Datto RMM relay domain — flag connections from endpoints not provisioned by your RMM team | MEDIUM
DOMAIN | workers.dev | Cloudflare Workers subdomain pattern abused to host credential-harvesting pages; flag in email URL analysis and proxy logs | MEDIUM
DOMAIN | pages.dev | Cloudflare Pages subdomain pattern used for phishing page hosting; flag alongside workers.dev in gateway rules | MEDIUM
URL | https://www.microsoft.com/en-us/security/blog/2026/03/19/when-tax-season-becomes-cyberattack-season-phishing-and-malware-campaigns-using-tax-related-lures/ | Primary source — Microsoft Threat Intelligence campaign analysis (T1 source, search-retrieved, recommend human validation) | HIGH
URL | https://www.microsoft.com/en-us/security/blog/2026/03/03/signed-malware-impersonating-workplace-apps-deploys-rmm-backdoors/ | Primary source — Microsoft analysis of signed RMM backdoor deployment (T1 source, search-retrieved, recommend human validation) | HIGH
Platform Playbooks
Platforms covered: Microsoft Sentinel / Defender, CrowdStrike Falcon, AWS Security.
Microsoft 365 E3 (3 log sources): Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires a separate P1/P2 license.
Microsoft 365 E5 (18 log sources): Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel (27 log sources): All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
Query legend: hard indicator (direct match); contextual (behavioral query); shared platform (review required).
IOC Detection Queries (2)
4 domain indicator(s). Detects DNS lookups and connections.
// Threat: Tax Season RMM Abuse: Threat Actors Pivot to Persistent Access as 29,000 Users H
let malicious_domains = dynamic(["relay.screenconnect.com", "concord.centrastage.net", "workers.dev", "pages.dev"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_domains)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Malicious URLs hosted on legitimate platforms. The domain is safe — the specific URL path is the indicator.
// Threat: Tax Season RMM Abuse: Threat Actors Pivot to Persistent Access as 29,000 Users H
// Specific malicious URLs on shared platforms
let suspicious_urls = dynamic(["https://www.microsoft.com/en-us/security/blog/2026/03/19/when-tax-season-becomes-cyberattack-season-phishing-and-malware-campaigns-using-tax-related-lures/", "https://www.microsoft.com/en-us/security/blog/2026/03/03/signed-malware-impersonating-workplace-apps-deploys-rmm-backdoors/"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (suspicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (7)
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Suspicious file execution from downloads
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\")
| where FileName endswith_any (".exe", ".scr", ".bat", ".ps1", ".vbs", ".js", ".hta", ".msi")
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Process name masquerading
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe")
| where not (FolderPath startswith "C:\\Windows\\System32" or FolderPath startswith "C:\\Windows\\SysWOW64" or FolderPath startswith "C:\\Windows\\WinSxS")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Encoded command execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
or ProcessCommandLine has_any ("-enc ", "-encodedcommand", "frombase64string", "certutil -decode")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
Falcon API IOC Import Payload (4 indicators)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
[
  {
    "type": "domain",
    "value": "relay.screenconnect.com",
    "source": "SCC Threat Intel",
    "description": "ConnectWise ScreenConnect relay domain \u2014 flag unexpected outbound connections from endpoints not enrolled in your approved ScreenConnect tenant",
    "severity": "medium",
    "action": "detect",
    "platforms": ["windows", "mac", "linux"],
    "applied_globally": true,
    "expiration": "2026-07-17T00:00:00Z"
  },
  {
    "type": "domain",
    "value": "concord.centrastage.net",
    "source": "SCC Threat Intel",
    "description": "Datto RMM relay domain \u2014 flag connections from endpoints not provisioned by your RMM team",
    "severity": "medium",
    "action": "detect",
    "platforms": ["windows", "mac", "linux"],
    "applied_globally": true,
    "expiration": "2026-07-17T00:00:00Z"
  },
  {
    "type": "domain",
    "value": "workers.dev",
    "source": "SCC Threat Intel",
    "description": "Cloudflare Workers subdomain pattern abused to host credential-harvesting pages; flag in email URL analysis and proxy logs",
    "severity": "medium",
    "action": "detect",
    "platforms": ["windows", "mac", "linux"],
    "applied_globally": true,
    "expiration": "2026-07-17T00:00:00Z"
  },
  {
    "type": "domain",
    "value": "pages.dev",
    "source": "SCC Threat Intel",
    "description": "Cloudflare Pages subdomain pattern used for phishing page hosting; flag alongside workers.dev in gateway rules",
    "severity": "medium",
    "action": "detect",
    "platforms": ["windows", "mac", "linux"],
    "applied_globally": true,
    "expiration": "2026-07-17T00:00:00Z"
  }
]
Route 53 DNS — Malicious Domain Resolution
fields @timestamp, qname, srcaddr, rcode
| filter qname in ["relay.screenconnect.com", "concord.centrastage.net", "workers.dev", "pages.dev"]
| sort @timestamp desc
| limit 200
Compliance Framework Mappings
MITRE ATT&CK: T1071.001, T1078, T1583.001, T1566.001, T1204.001, T1133 (+11)
NIST 800-53: AC-2, AC-6, IA-2, IA-5, AT-2, SC-7 (+8)
HIPAA Security Rule: 164.312(d), 164.308(a)(5)(i)
MITRE ATT&CK Mapping
T1078 Valid Accounts (defense-evasion)
T1566.001 Spearphishing Attachment (initial-access)
T1133 External Remote Services (persistence)
T1598.002 Spearphishing Attachment (reconnaissance)
T1036.005 Match Legitimate Resource Name or Location (defense-evasion)
T1585.002 Email Accounts (resource-development)
T1539 Steal Web Session Cookie (credential-access)
T1027 Obfuscated Files or Information (defense-evasion)
T1557 Adversary-in-the-Middle (credential-access)
T1219 Remote Access Tools (command-and-control)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence
item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53,
CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided
as supplemental intelligence guidance only and does not constitute professional incident response
services. Organizations should adapt all recommendations to their specific environment, risk
tolerance, and regulatory requirements. This material is not a substitute for your organization's
official incident response plan, legal counsel, or qualified security practitioners.