ScreenConnect as malware via Canva abuse and Docusign impersonation
Blog post from Sublime Security
Sublime's Attack Spotlight series highlights a recent increase in email threats leveraging Canva to distribute malware and conduct credential phishing. These attacks exploit Canva's trusted reputation and ease of use, allowing perpetrators to create seemingly legitimate pages for malicious purposes. The series reports that some campaigns use fake CAPTCHA pages with encrypted JavaScript to evade detection tools, then redirect users to phishing sites impersonating services like Google and Xfinity. Other attacks impersonate brands through Canva-hosted pages that direct victims to download ScreenConnect remote administration software. Though ScreenConnect is a legitimate tool, attackers manipulate its configuration to connect to malicious servers. Sublime's AI detection engine identifies such threats by recognizing brand impersonation and mass distribution tactics, helping organizations preemptively block these sophisticated email-based attacks.