A new English-language phishing campaign impersonates Microsoft Outlook and lures victims to download a malicious MSI that installs PDQConnect, a legitimate RMM tool abused for unauthorized access. CERT-AGID attributes the activity to Initial Access Brokers targeting primarily Italian public administrations and has shared IoCs with accredited organizations. #PDQConnect #InitialAccessBroker
Key points
- Attackers send English phishing emails containing a link to a fake Microsoft Outlook login page requesting the victim’s email address.
- The fake login page checks the entered address against an external domain to confirm it matches the targeted recipient before offering a download.
- The offered download is an MSI installer that installs PDQConnect, a legitimate remote management tool abused for malicious remote access.
- Actors behind the campaign are likely Initial Access Brokers (IAB) who collect credentials or access to sell to other threat actors.
- Victims observed by CERT-AGID are mainly Italian public administration entities.
- Criminals register for RMM services with free or already-compromised personal email accounts and exploit the short trial periods, which are sufficient for them to maintain access.
- CERT-AGID has shared the campaign’s Indicators of Compromise with organizations accredited to its IoC feed.
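One defender-side check that follows from the MSI-delivered RMM install described above, added here as an example and not part of the CERT-AGID advisory: a small Python scanner that reads forwarded Windows MsiInstaller event 1033 lines and flags a successful PDQ Connect or Action1 agent installation on any host outside an approved inventory. The log line layout, the installer product names and the approved host list are assumptions, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# RMM products named in the advisory (PDQ Connect, Action1). The exact "Product Name"
# strings their installers write are assumed here; matching is case-insensitive.
RMM_KEYWORDS = ("pdq connect", "pdqconnect", "action1")
# Hosts where an RMM agent is expected (assumed inventory, upper-case hostnames).
APPROVED_RMM_HOSTS = {"IT-ADMIN-01"}

# MsiInstaller event 1033 ("Windows Installer installed the product ...") forwarded as
# one log line per event. Field layout follows the usual 1033 message text (assumed).
EVENT_1033 = re.compile(
    r"host=(?P<host>\S+).*?Product Name: (?P<product>.+?)\. Product Version: (?P<version>\S+?)\. "
    r"Product Language: \d+\. Manufacturer: (?P<vendor>.+?)\. "
    r"Installation success or error status: (?P<status>\d+)"
)

# Constructed sample lines, not real telemetry.
SAMPLE_EVENTS = [
    'host=WS-042 EventID=1033 Source=MsiInstaller Message="Windows Installer installed the product. '
    'Product Name: PDQ Connect Agent. Product Version: 1.2.3. Product Language: 1033. '
    'Manufacturer: PDQ.com. Installation success or error status: 0."',
    'host=IT-ADMIN-01 EventID=1033 Source=MsiInstaller Message="Windows Installer installed the product. '
    'Product Name: PDQ Connect Agent. Product Version: 1.2.3. Product Language: 1033. '
    'Manufacturer: PDQ.com. Installation success or error status: 0."',
    'host=WS-017 EventID=1033 Source=MsiInstaller Message="Windows Installer installed the product. '
    'Product Name: 7-Zip 23.01 (x64 edition). Product Version: 23.01.00.0. Product Language: 1033. '
    'Manufacturer: Igor Pavlov. Installation success or error status: 0."',
    'host=WS-099 EventID=1033 Source=MsiInstaller Message="Windows Installer installed the product. '
    'Product Name: Action1 Agent. Product Version: 5.0.0. Product Language: 1033. '
    'Manufacturer: Action1 Corporation. Installation success or error status: 1603."',
]

@dataclass
class Finding:
    host: str
    product: str
    vendor: str
    version: str

def scan_msi_events(lines):
    """Return one Finding per successful RMM-agent MSI install on a non-approved host."""
    findings = []
    for line in lines:
        m = EVENT_1033.search(line)
        if m is None or m.group("status") != "0":
            continue  # not a completed install (status 0 = success)
        product = m.group("product").strip()
        if not any(k in product.lower() for k in RMM_KEYWORDS):
            continue  # some other MSI package, ignore
        if m.group("host").upper() in APPROVED_RMM_HOSTS:
            continue  # an RMM agent is expected on this host
        findings.append(Finding(m.group("host"), product, m.group("vendor"), m.group("version")))
    return findings

if __name__ == "__main__":
    for f in scan_msi_events(SAMPLE_EVENTS):
        print(f"ALERT unapproved RMM install: {f.host} {f.product} {f.version} ({f.vendor})")
```

Only the install on WS-042 is reported: the approved admin host, the unrelated package and the failed Action1 install (status 1603) are filtered out.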
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attackers use a fake Microsoft Outlook login page to harvest email addresses and validate recipients before delivering malware. Quote: ‘the email contains a link to a fake Microsoft Outlook page requesting the email address.’
- [T1566.001] Phishing: Spearphishing Link – Malicious emails with a link to the fake login page are used to trick recipients into providing credentials or downloading the MSI. Quote: ‘The e-mail presents a link that leads to a fake Microsoft Outlook page in which the user is asked to enter their email address.’
- [T1204.002] User Execution: Malicious File – Victims are prompted to download and run an MSI installer that installs PDQConnect to achieve remote access. Quote: ‘…a download of an MSI file is offered… to install PDQConnect…’
- [T1588.002] Obtain Capabilities: Acquire Services – Threat actors register RMM service accounts (PDQ Connect/Action1) using free or compromised emails and trial periods to obtain remote management capabilities. Quote: ‘to register to RMM services… criminals use free email addresses or already compromised personal mailboxes, taking advantage of trial periods.’
- [T1078] Valid Accounts – Actors leverage legitimate RMM accounts created during trial periods (or compromised accounts) to access target systems. Quote: ‘they use free or already-compromised personal email accounts… the trial periods are sufficient for their purposes.’
Indicators of Compromise
- [Download links/URLs] Fake Microsoft Outlook page and MSI download – examples withheld; IoCs have been shared with accredited organizations via CERT-AGID.
- [File names] MSI installer context – PDQConnect installer MSI (example: PDQConnectInstaller.msi) and similar RMM installers.
- [Email addresses] Account registration context – use of free email services or compromised personal email addresses (examples not listed in article).