Threat actors are employing Windows screensaver files (.scr) as a new spear phishing technique to breach defenses and compromise companies. Today, ReliaQuest Threat Research released a study describing how attackers tricked several users into launching a Windows screensaver file that installs a remote monitoring and management (RMM) tool, providing the attacker with interactive remote control over the target's operating system.
Exploiting unusual file types is not new; for example, APTs and similar actors have long exploited Windows shortcut files to run malicious code. An innovative take on this type of attack is the screensaver attack.
Many people don't consider this type of file in their daily lives, but as Andrew Adams of ReliaQuest notes in the research blog post, "they're executables that don't always receive executable-level controls." "A discrepancy between perception and reality is the reason the risk endures."
ReliaQuest suggests a three-pronged action plan for organizations to counter this. First and foremost, treat .scr files as executables: application control solutions (such as Windows Defender) can restrict execution to trusted, signed, and/or authorized sources. Second, keep an approved RMM allowlist up to date and keep an eye out for installations of unauthorized RMM agents. Third, block "non-business file-hosting services at the DNS or web proxy layer" to lower the risk associated with third-party file hosting websites.
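The first two recommendations can be turned into a detection over process-creation telemetry. The following is an added example, not code from ReliaQuest or the original article. It assumes events carry Sysmon-style `Image` and `ParentImage` fields, that legitimate screensavers live only in the Windows system directories, and that the RMM watchlist and allowlist shown are illustrative (the article names no RMM product); all sample events are constructed.

```python
from pathlib import PureWindowsPath

# Assumption: legitimate screensavers ship only in the Windows system directories.
TRUSTED_SCR_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: illustrative inventory of RMM binaries, and the one this org approves.
KNOWN_RMM = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
APPROVED_RMM = {"teamviewer.exe"}

def is_scr(path):
    """True for any path ending in .scr, including double extensions like x.pdf.scr."""
    return PureWindowsPath(path).suffix.lower() == ".scr"

def scr_outside_system(path):
    """True when a .scr image runs from anywhere other than the trusted directories."""
    parent_dir = str(PureWindowsPath(path.lower()).parent)
    return is_scr(path) and parent_dir not in TRUSTED_SCR_DIRS

def triage(events):
    """Return (host, rule, image) findings for .scr execution and unapproved RMM agents."""
    findings = []
    for ev in events:
        image, parent = ev["Image"], ev.get("ParentImage", "")
        name = PureWindowsPath(image).name.lower()
        if scr_outside_system(image):
            findings.append((ev["Host"], "scr-exec-untrusted-path", image))
        if name in KNOWN_RMM and name not in APPROVED_RMM:
            # An RMM agent spawned directly by a screensaver is the chain the article describes.
            rule = "unapproved-rmm-from-scr" if is_scr(parent) else "unapproved-rmm"
            findings.append((ev["Host"], rule, image))
    return findings

# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"Host": "HOST-A", "Image": r"C:\Windows\System32\Bubbles.scr",
     "ParentImage": r"C:\Windows\System32\winlogon.exe"},
    {"Host": "HOST-B", "Image": r"C:\Users\jdoe\Downloads\Q3_Report.pdf.scr",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Host": "HOST-B", "Image": r"C:\ProgramData\AnyDesk\AnyDesk.exe",
     "ParentImage": r"C:\Users\jdoe\Downloads\Q3_Report.pdf.scr"},
    {"Host": "HOST-C", "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Host": "HOST-D", "Image": r"C:\Temp\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for host, rule, image in triage(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{image}")
```
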











