Attackers Leverage ScreenConnect and Microsoft 365 for Security Breaches

Barracuda’s latest cybersecurity report highlights a concerning rise in the unauthorized use of trusted tools, notably ScreenConnect, for remote access, coupled with a notable increase in Microsoft 365 login attempts from unfamiliar locations. The findings suggest that attackers are leveraging popular legitimate software and stolen credentials to infiltrate business networks and sensitive resources, effectively evading detection.

ScreenConnect, a prevalent device management platform within enterprise environments, has emerged as a focal point in recent security vulnerabilities. Attackers are increasingly targeting outdated and unpatched versions of this software, exploiting vulnerabilities that came to light earlier in 2025. Such exploits allow for the remote installation of malicious software, the delivery of ransomware, and unauthorized data access, enabling attackers to navigate across networked systems.

Security experts have reported instances where attackers either connect their endpoints to existing ScreenConnect instances or install the software independently to gain access. The platform’s trusted status often masks these malicious activities, blending them with routine operations and fostering a deceptive environment where detection becomes challenging.

In response to these vulnerabilities, ScreenConnect released a crucial update in April 2025. However, organizations that delay implementing this patch or continue to utilize outdated versions are particularly vulnerable. This risk amplifies for those using unmanaged remote access tools, lacking multifactor authentication (MFA) for administrative accounts, or failing to safeguard against potential exploits.

As emphasized by Mike Flouton, Vice President of Product Management at Barracuda, “The detection of ScreenConnect does not immediately arouse suspicion,” making it imperative for businesses to enhance their scrutiny of legitimate software usage.

The use of compromised credentials remains a fundamental tactic employed by cybercriminals. Once they hold valid usernames and passwords, attackers can masquerade as genuine users, making abnormal behavior much harder to notice. The report indicates a rising trend of attackers leveraging these credentials to execute ransomware attacks, steal data, or establish persistent access channels. Commonly observed tactics include repeated login attempts and the unauthorized use of administrative tools.

Organizations lacking stringent password policies, regular credential rotations, and robust authentication controls find themselves at heightened risk. Failure to monitor for unusual behavioral patterns further exacerbates their vulnerability, leaving them open to ongoing compromises.

Furthermore, unusual login patterns targeting Microsoft 365 accounts have also seen a significant increase. Attempts are often traced back to countries not typically associated with the organizations under attack. In many instances, attackers utilize password databases obtained from illicit forums to access corporate communications and sensitive files, potentially allowing them to impersonate staff members for internal phishing schemes.
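The two signals the report describes, repeated login attempts against an account and successful sign-ins from countries an organisation does not normally operate from, are straightforward to surface from exported sign-in records. The following Python script is an added example written for this article, not code from Barracuda or from the report; the record layout, the baseline country set, the failure threshold and the time window are all assumptions chosen for illustration, and the sign-in records are constructed sample data rather than a real Microsoft 365 export.

```python
"""Flag suspicious Microsoft 365-style sign-in activity from exported records.

Added example, not from the Barracuda report. The (timestamp, user, country,
result) layout, the baseline countries and the thresholds are assumptions
chosen for illustration; real sign-in logs carry more fields and a different schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: ISO timestamp, user, source country (ISO code), result.
# "XX" and "YY" stand in for countries outside the organisation's normal footprint.
SAMPLE_SIGNINS = [
    ("2025-06-02T08:01:00", "alice@example.com", "US", "success"),
    ("2025-06-02T08:05:00", "bob@example.com",   "US", "success"),
    ("2025-06-02T09:12:00", "alice@example.com", "GB", "success"),  # expected location
    ("2025-06-02T09:30:00", "bob@example.com",   "XX", "failure"),
    ("2025-06-02T09:31:00", "bob@example.com",   "XX", "failure"),
    ("2025-06-02T09:32:00", "bob@example.com",   "XX", "failure"),
    ("2025-06-02T09:33:00", "bob@example.com",   "XX", "failure"),
    ("2025-06-02T09:34:00", "bob@example.com",   "XX", "failure"),
    ("2025-06-02T09:36:00", "bob@example.com",   "XX", "success"),  # success after burst
    ("2025-06-02T10:00:00", "carol@example.com", "YY", "success"),  # unfamiliar country
]

# Assumed baseline: countries the organisation normally signs in from.
BASELINE_COUNTRIES = {"US", "GB"}
FAILURE_THRESHOLD = 5            # failures per user inside WINDOW that count as a burst
WINDOW = timedelta(minutes=10)


def parse(records):
    """Convert raw tuples into (datetime, user, country, result), sorted by time."""
    parsed = [(datetime.fromisoformat(ts), user, country, result)
              for ts, user, country, result in records]
    return sorted(parsed)


def unfamiliar_country_logins(records, baseline=BASELINE_COUNTRIES):
    """Successful sign-ins originating outside the baseline country set."""
    hits = {(user, country) for _, user, country, result in parse(records)
            if result == "success" and country not in baseline}
    return sorted(hits)


def repeated_failures(records, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Users with at least `threshold` failures inside any sliding window."""
    failures_by_user = defaultdict(list)
    for ts, user, _, result in parse(records):
        if result == "failure":
            failures_by_user[user].append(ts)
    flagged = set()
    for user, times in failures_by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)


def success_after_failures(records, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Highest-priority signal: a success that closely follows a burst of failures
    for the same account, which is what a guessed or sprayed password looks like."""
    recs = parse(records)
    hits = []
    for i, (ts, user, country, result) in enumerate(recs):
        if result != "success":
            continue
        recent_failures = [r for r in recs[:i]
                           if r[1] == user and r[3] == "failure" and ts - r[0] <= window]
        if len(recent_failures) >= threshold:
            hits.append((user, country, ts.isoformat()))
    return hits


if __name__ == "__main__":
    print("Sign-ins from unfamiliar countries:", unfamiliar_country_logins(SAMPLE_SIGNINS))
    print("Accounts with failure bursts:      ", repeated_failures(SAMPLE_SIGNINS))
    print("Success following a failure burst: ", success_after_failures(SAMPLE_SIGNINS))
```

The third check is the one worth paging someone for: a lone unfamiliar-country login may be travel, and a failure burst alone may be a forgotten password, but a success that lands minutes after a burst from the same source is the pattern the report attributes to stolen or purchased credentials. In practice the baseline set should be derived from the organisation's own sign-in history rather than hard-coded, and the thresholds tuned to its normal failure rate.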

The findings reinforce the need for businesses to adopt multi-layered security strategies. Regular updates, stringent password protocols, mandatory MFA, especially for administrators and remote access accounts, and continuous monitoring for anomalies are crucial to mitigate these threats effectively. Coupled with employee training to identify phishing attempts, a holistic defense approach is necessary. Automated systems, including managed endpoint security and advanced threat detection platforms, are essential in alerting security teams to malicious activity conducted through trusted tools or legitimate credentials.

Barracuda’s research underscores that organizations failing to evolve their defenses alongside emerging attack methodologies remain at considerable risk. As Flouton noted, “Cybercriminals are stealing or buying usernames and passwords, using them to infiltrate systems. Once inside, they can perpetrate ransomware attacks or facilitate data theft,” highlighting the urgent need for businesses to bolster their cybersecurity frameworks.