← feed

anyrun.2026.fake-wordonline-onedrive-multistage-screenconnect

Outlook lure to fake Word Online / OneDrive page leading through multi-stage software install to ScreenConnect remote access

IIM chain for a May 2026 attack summarised in ANY.RUN's monthly roundup. An Outlook email redirects the user to a fake Word Online / OneDrive-style page. Instead of an obvious malware download, the chain proceeds through software-installation stages and ultimately establishes remote access through ScreenConnect, with additional activity used to conceal the installed tools. The roundup emphasises campaign-level detection because the operation relies on reusable templates and rotating infrastructure rather than a single blockable domain.

likely IIM v1.1 unknown needs review
Raw JSON
entities4
relations3
techniques1
published2026-05-30 21:28:41

Infrastructure map

Role-based chain map

click nodes or numbered relations to inspect the infrastructure path
entryredirectorstagingpayloadc2

Chain storyline

ordered IIM positions
1
entry

url

<Outlook phishing email link>

2
redirector

url

<fake Word Online / OneDrive page>

IIM-T006
3
staging

file

<multi-stage software installer>

4
c2

domain

<ScreenConnect relay endpoint>

Relations

directed infrastructure edges
e1redirecte2 likely
e2downloade3 likely
e3connecte4 likely

Entities & evidence

observable inventory
IDTypeValueSource / evidence
e1 url <Outlook phishing email link>
Roundup states the attack started with an Outlook email that redirected users to a fake Word Online / OneDrive-style page.
e2 url <fake Word Online / OneDrive page>
Roundup states users were redirected to a fake Word Online / OneDrive-style page rather than an obvious malware download.
e3 file <multi-stage software installer>
Roundup states the chain moved through software-installation stages before reaching remote access.
e4 domain <ScreenConnect relay endpoint>
Roundup states the chain eventually led to remote access through ScreenConnect, with additional activity used to hide the installed tools.

ATT&CK annotations

optional complementary mapping
T1566.002Phishing: Spearphishing Link

Outlook email link.

T1204.002User Execution: Malicious File

User proceeds through software-install stages.

T1219Remote Access Software

ScreenConnect remote access.

T1564Hide Artifacts

Additional activity hides the installed tooling.

Raw IIM JSON canonical body from MANTIS expand
{
  "iim_version": "1.1",
  "chain_id": "anyrun.2026.fake-wordonline-onedrive-multistage-screenconnect",
  "title": "Outlook lure to fake Word Online / OneDrive page leading through multi-stage software install to ScreenConnect remote access",
  "description": "IIM chain for a May 2026 attack summarised in ANY.RUN's monthly roundup. An Outlook email redirects the user to a fake Word Online / OneDrive-style page. Instead of an obvious malware download, the chain proceeds through software-installation stages and ultimately establishes remote access through ScreenConnect, with additional activity used to conceal the installed tools. The roundup emphasises campaign-level detection because the operation relies on reusable templates and rotating infrastructure rather than a single blockable domain.",
  "actor_id": "unknown",
  "observed_at": "2026-05-01T00:00:00Z",
  "confidence": "likely",
  "needs_review": true,
  "x_source": {
    "title": "Major Cyber Attacks in May 2026 (monthly roundup)",
    "publisher": "ANY.RUN",
    "url": "https://any.run/cybersecurity-blog/major-cyber-attacks-may-2026/",
    "published_at": "2026-05",
    "accessed_at": "2026-05-30T00:00:00Z",
    "source_type": "vendor monthly roundup (summary-level)"
  },
  "x_source_title": "Outlook lure to fake Word Online / OneDrive page leading through multi-stage software install to ScreenConnect remote access",
  "x_source_url": "https://any.run/cybersecurity-blog/major-cyber-attacks-may-2026/",
  "x_iocs": {
    "lure_brand": "fake Word Online / OneDrive page",
    "delivery_vector": "Outlook email redirect",
    "remote_access_tool": "ScreenConnect",
    "operational_note": "reusable templates + rotating infrastructure (campaign-level, not single-domain)"
  },
  "x_limitations": [
    "This is a summary-level roundup entry: no domains, URLs, hashes, or file names were published. e1-e4 are placeholders.",
    "Whether the fake Word Online / OneDrive page is hosted on an actual trusted platform (T006) or on a lookalike disposable domain (T010) is not stated; T006 is asserted with 'likely' confidence and T010 noted as the alternative.",
    "Tool-concealment activity is endpoint defense-evasion (ATT&CK), not infrastructure.",
    "Confidence is set to 'likely' at chain level to reflect the summary-only sourcing."
  ],
  "entities": [
    {
      "id": "e1",
      "type": "url",
      "value": "<Outlook phishing email link>",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "ANY.RUN May 2026 roundup",
      "evidence": [
        "Roundup states the attack started with an Outlook email that redirected users to a fake Word Online / OneDrive-style page."
      ],
      "x_placeholder": true,
      "x_chain_stage": "email_lure_entry"
    },
    {
      "id": "e2",
      "type": "url",
      "value": "<fake Word Online / OneDrive page>",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "ANY.RUN May 2026 roundup",
      "evidence": [
        "Roundup states users were redirected to a fake Word Online / OneDrive-style page rather than an obvious malware download."
      ],
      "x_placeholder": true,
      "x_chain_stage": "trusted_brand_lookalike_redirector"
    },
    {
      "id": "e3",
      "type": "file",
      "value": "<multi-stage software installer>",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "ANY.RUN May 2026 roundup",
      "evidence": [
        "Roundup states the chain moved through software-installation stages before reaching remote access."
      ],
      "x_placeholder": true,
      "x_chain_stage": "multistage_installer_staging"
    },
    {
      "id": "e4",
      "type": "domain",
      "value": "<ScreenConnect relay endpoint>",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "ANY.RUN May 2026 roundup",
      "evidence": [
        "Roundup states the chain eventually led to remote access through ScreenConnect, with additional activity used to hide the installed tools."
      ],
      "x_placeholder": true,
      "x_chain_stage": "rmm_remote_access_c2"
    }
  ],
  "chain": [
    {
      "entity_id": "e1",
      "role": "entry",
      "techniques": [],
      "role_confidence": "likely",
      "technique_confidence": "n/a",
      "review_notes": "Outlook email lure; sender infrastructure not published."
    },
    {
      "entity_id": "e2",
      "role": "redirector",
      "techniques": [
        "IIM-T006"
      ],
      "role_confidence": "likely",
      "technique_confidence": "likely",
      "review_notes": "Fake Word Online / OneDrive leverages trusted-brand styling. If lookalike-domain-hosted rather than on a trusted platform, reclassify to IIM-T010."
    },
    {
      "entity_id": "e3",
      "role": "staging",
      "techniques": [],
      "role_confidence": "likely",
      "technique_confidence": "n/a",
      "review_notes": "Multi-stage installer; specific staging host not published."
    },
    {
      "entity_id": "e4",
      "role": "c2",
      "techniques": [],
      "role_confidence": "likely",
      "technique_confidence": "n/a",
      "review_notes": "ScreenConnect RMM as C2 (same RMM-as-C2 gap as the VENOMOUS#HELPER chain)."
    }
  ],
  "relations": [
    {
      "from": "e1",
      "to": "e2",
      "type": "redirect",
      "sequence_order": 1,
      "observed_at": "2026-05-01T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Outlook email redirects to the fake Word Online / OneDrive page."
      ]
    },
    {
      "from": "e2",
      "to": "e3",
      "type": "download",
      "sequence_order": 2,
      "observed_at": "2026-05-01T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "The fake page leads into software-installation stages."
      ]
    },
    {
      "from": "e3",
      "to": "e4",
      "type": "connect",
      "sequence_order": 3,
      "observed_at": "2026-05-01T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Installation stages culminate in ScreenConnect remote access."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1566.002",
      "name": "Phishing: Spearphishing Link",
      "tactic": "Initial Access",
      "comment": "Outlook email link."
    },
    {
      "technique_id": "T1204.002",
      "name": "User Execution: Malicious File",
      "tactic": "Execution",
      "comment": "User proceeds through software-install stages."
    },
    {
      "technique_id": "T1219",
      "name": "Remote Access Software",
      "tactic": "Command and Control",
      "comment": "ScreenConnect remote access."
    },
    {
      "technique_id": "T1564",
      "name": "Hide Artifacts",
      "tactic": "Defense Evasion",
      "comment": "Additional activity hides the installed tooling."
    }
  ]
}