anyrun.2026.fake-wordonline-onedrive-multistage-screenconnect
Outlook lure to fake Word Online / OneDrive page leading through multi-stage software install to ScreenConnect remote access
IIM chain for a May 2026 attack summarised in ANY.RUN's monthly roundup. An Outlook email redirects the user to a fake Word Online / OneDrive-style page. Instead of an obvious malware download, the chain proceeds through software-installation stages and ultimately establishes remote access through ScreenConnect, with additional activity used to conceal the installed tools. The roundup emphasises campaign-level detection because the operation relies on reusable templates and rotating infrastructure rather than a single blockable domain.
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positionsurl
<Outlook phishing email link>
url
<fake Word Online / OneDrive page>
file
<multi-stage software installer>
domain
<ScreenConnect relay endpoint>
Relations
directed infrastructure edgese1redirecte2
likely
e2downloade3
likely
e3connecte4
likely
Entities & evidence
observable inventory| ID | Type | Value | Source / evidence |
|---|---|---|---|
e1 |
url | <Outlook phishing email link> |
Roundup states the attack started with an Outlook email that redirected users to a fake Word Online / OneDrive-style page. |
e2 |
url | <fake Word Online / OneDrive page> |
Roundup states users were redirected to a fake Word Online / OneDrive-style page rather than an obvious malware download. |
e3 |
file | <multi-stage software installer> |
Roundup states the chain moved through software-installation stages before reaching remote access. |
e4 |
domain | <ScreenConnect relay endpoint> |
Roundup states the chain eventually led to remote access through ScreenConnect, with additional activity used to hide the installed tools. |
ATT&CK annotations
optional complementary mappingOutlook email link.
User proceeds through software-install stages.
ScreenConnect remote access.
Additional activity hides the installed tooling.
Raw IIM JSON canonical body from MANTIS expand
{
"iim_version": "1.1",
"chain_id": "anyrun.2026.fake-wordonline-onedrive-multistage-screenconnect",
"title": "Outlook lure to fake Word Online / OneDrive page leading through multi-stage software install to ScreenConnect remote access",
"description": "IIM chain for a May 2026 attack summarised in ANY.RUN's monthly roundup. An Outlook email redirects the user to a fake Word Online / OneDrive-style page. Instead of an obvious malware download, the chain proceeds through software-installation stages and ultimately establishes remote access through ScreenConnect, with additional activity used to conceal the installed tools. The roundup emphasises campaign-level detection because the operation relies on reusable templates and rotating infrastructure rather than a single blockable domain.",
"actor_id": "unknown",
"observed_at": "2026-05-01T00:00:00Z",
"confidence": "likely",
"needs_review": true,
"x_source": {
"title": "Major Cyber Attacks in May 2026 (monthly roundup)",
"publisher": "ANY.RUN",
"url": "https://any.run/cybersecurity-blog/major-cyber-attacks-may-2026/",
"published_at": "2026-05",
"accessed_at": "2026-05-30T00:00:00Z",
"source_type": "vendor monthly roundup (summary-level)"
},
"x_source_title": "Outlook lure to fake Word Online / OneDrive page leading through multi-stage software install to ScreenConnect remote access",
"x_source_url": "https://any.run/cybersecurity-blog/major-cyber-attacks-may-2026/",
"x_iocs": {
"lure_brand": "fake Word Online / OneDrive page",
"delivery_vector": "Outlook email redirect",
"remote_access_tool": "ScreenConnect",
"operational_note": "reusable templates + rotating infrastructure (campaign-level, not single-domain)"
},
"x_limitations": [
"This is a summary-level roundup entry: no domains, URLs, hashes, or file names were published. e1-e4 are placeholders.",
"Whether the fake Word Online / OneDrive page is hosted on an actual trusted platform (T006) or on a lookalike disposable domain (T010) is not stated; T006 is asserted with 'likely' confidence and T010 noted as the alternative.",
"Tool-concealment activity is endpoint defense-evasion (ATT&CK), not infrastructure.",
"Confidence is set to 'likely' at chain level to reflect the summary-only sourcing."
],
"entities": [
{
"id": "e1",
"type": "url",
"value": "<Outlook phishing email link>",
"observed_at": "2026-05-01T00:00:00Z",
"source": "ANY.RUN May 2026 roundup",
"evidence": [
"Roundup states the attack started with an Outlook email that redirected users to a fake Word Online / OneDrive-style page."
],
"x_placeholder": true,
"x_chain_stage": "email_lure_entry"
},
{
"id": "e2",
"type": "url",
"value": "<fake Word Online / OneDrive page>",
"observed_at": "2026-05-01T00:00:00Z",
"source": "ANY.RUN May 2026 roundup",
"evidence": [
"Roundup states users were redirected to a fake Word Online / OneDrive-style page rather than an obvious malware download."
],
"x_placeholder": true,
"x_chain_stage": "trusted_brand_lookalike_redirector"
},
{
"id": "e3",
"type": "file",
"value": "<multi-stage software installer>",
"observed_at": "2026-05-01T00:00:00Z",
"source": "ANY.RUN May 2026 roundup",
"evidence": [
"Roundup states the chain moved through software-installation stages before reaching remote access."
],
"x_placeholder": true,
"x_chain_stage": "multistage_installer_staging"
},
{
"id": "e4",
"type": "domain",
"value": "<ScreenConnect relay endpoint>",
"observed_at": "2026-05-01T00:00:00Z",
"source": "ANY.RUN May 2026 roundup",
"evidence": [
"Roundup states the chain eventually led to remote access through ScreenConnect, with additional activity used to hide the installed tools."
],
"x_placeholder": true,
"x_chain_stage": "rmm_remote_access_c2"
}
],
"chain": [
{
"entity_id": "e1",
"role": "entry",
"techniques": [],
"role_confidence": "likely",
"technique_confidence": "n/a",
"review_notes": "Outlook email lure; sender infrastructure not published."
},
{
"entity_id": "e2",
"role": "redirector",
"techniques": [
"IIM-T006"
],
"role_confidence": "likely",
"technique_confidence": "likely",
"review_notes": "Fake Word Online / OneDrive leverages trusted-brand styling. If lookalike-domain-hosted rather than on a trusted platform, reclassify to IIM-T010."
},
{
"entity_id": "e3",
"role": "staging",
"techniques": [],
"role_confidence": "likely",
"technique_confidence": "n/a",
"review_notes": "Multi-stage installer; specific staging host not published."
},
{
"entity_id": "e4",
"role": "c2",
"techniques": [],
"role_confidence": "likely",
"technique_confidence": "n/a",
"review_notes": "ScreenConnect RMM as C2 (same RMM-as-C2 gap as the VENOMOUS#HELPER chain)."
}
],
"relations": [
{
"from": "e1",
"to": "e2",
"type": "redirect",
"sequence_order": 1,
"observed_at": "2026-05-01T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"Outlook email redirects to the fake Word Online / OneDrive page."
]
},
{
"from": "e2",
"to": "e3",
"type": "download",
"sequence_order": 2,
"observed_at": "2026-05-01T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"The fake page leads into software-installation stages."
]
},
{
"from": "e3",
"to": "e4",
"type": "connect",
"sequence_order": 3,
"observed_at": "2026-05-01T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"Installation stages culminate in ScreenConnect remote access."
]
}
],
"attack_annotations": [
{
"technique_id": "T1566.002",
"name": "Phishing: Spearphishing Link",
"tactic": "Initial Access",
"comment": "Outlook email link."
},
{
"technique_id": "T1204.002",
"name": "User Execution: Malicious File",
"tactic": "Execution",
"comment": "User proceeds through software-install stages."
},
{
"technique_id": "T1219",
"name": "Remote Access Software",
"tactic": "Command and Control",
"comment": "ScreenConnect remote access."
},
{
"technique_id": "T1564",
"name": "Hide Artifacts",
"tactic": "Defense Evasion",
"comment": "Additional activity hides the installed tooling."
}
]
}