DATEV-Themed Phishing Abuses PDQ Connect for Remote Access Control
October 31, 2025
revel8’s recent analysis uncovered a phishing campaign impersonating DATEV eG that weaponizes PDQ Connect, a legitimate remote-management platform, to establish unauthorized administrative control over victim devices. DATEV is a major German software and IT services provider, widely used in the German business ecosystem.
Although the email was delivered through SendGrid and technically passed SPF/DKIM for sendgrid.net, the campaign relied on brand impersonation, website crawling, and staged delivery to deploy PDQ Connect as a remote-access foothold.
Executive summary
Recon: Attackers crawled the victim’s website to harvest contact details, identify targeted departments, and copy language. They built a convincing DATEV-themed HTML lure referencing accounting statements, financial reports, and invoices.
Delivery: Emails were relayed via SendGrid, passing SPF/DKIM for SendGrid’s domain.
The main button was rewritten to ct.sendgrid.net click-tracking URLs, which logged the victim’s fingerprint (email, timestamp, IP/geolocation, user agent, device type, repeat status) before redirecting to the destination - in this case, downloading PDQ Connect.
Anti-analysis: When accessed from outside the victim’s IP/geolocation, the same URL redirected to a benign page, indicating geo/IP-aware redirect logic designed to evade automated analysis.
Payload: Successful clicks were routed to an attacker-controlled site that provided a PDQ Connect MSI. Once installed, PDQ Connect could be abused as an RMM-style foothold for potential remote access and RAT-like activity.
The attack chain
The message was sent through SendGrid infrastructure (outbound-mail.sendgrid.net) with SPF/DKIM pass. However, the sender display name posed as “DATEV-Serviceinformationen”, while the actual From field was a Gmail address, causing DMARC to fail.
The email was routed through multiple servers and contained extremely long tracking and unsubscribe links. The redirector (SendGrid) implemented logic that returned different content depending on IP, geolocation, user-agent, or referrer. Testing from outside the victim’s region consistently returned a benign Facebook homepage - demonstrating geo/IP filtering, where malicious content is shown only to intended targets while benign content is served to others to evade detection.
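As an added example (not part of revel8's analysis), the Python below triages a constructed message carrying the three traits just described: a brand in the display name with an unrelated From domain, SPF/DKIM passing only for the relay (so nothing aligns with From, which is why DMARC fails), and a button routed through a ct.sendgrid.net click-tracking redirect. The sample headers, addresses and hosts are constructed, and the organizational-domain reduction is a simplification of DMARC relaxed alignment.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the traits described in the post; not the real message.
SAMPLE = """\
From: "DATEV-Serviceinformationen" <someone@gmail.com>
To: buchhaltung@victim.example
Subject: Ihre DATEV Finanzberichte
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=bounces@sendgrid.net; dkim=pass header.d=sendgrid.net; dmarc=fail header.from=gmail.com
Content-Type: text/html

<html><body><a href="https://ct.sendgrid.net/ls/click?upn=abc">Finanzberichte ansehen</a></body></html>
"""

BRANDS = ("datev",)              # brands expected only from their own sending domain
TRACKERS = ("ct.sendgrid.net",)  # click-tracking hosts that hide the final destination

def org_domain(d):
    """Crude organizational-domain reduction (last two labels); a public-suffix list does better."""
    return ".".join(d.lower().strip().split(".")[-2:])

def analyze(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower()
    auth = msg.get("Authentication-Results", "")
    findings = []
    # 1. Display name carries a brand, but the From domain is not that brand's.
    for brand in BRANDS:
        if brand in display.lower() and brand not in org_domain(from_dom):
            findings.append(f"display-name brand '{brand}' vs From domain {from_dom}")
    # 2. SPF/DKIM may pass for the relay; DMARC additionally needs alignment with From.
    spf_dom = re.search(r"smtp\.mailfrom=\S*@([\w.-]+)", auth)
    dkim_dom = re.search(r"header\.d=([\w.-]+)", auth)
    aligned = any(m and org_domain(m.group(1)) == org_domain(from_dom) for m in (spf_dom, dkim_dom))
    if not aligned:
        findings.append("no SPF/DKIM identifier aligns with From domain (DMARC fails)")
    # 3. Links routed through a tracking redirector: the visible URL is not the destination.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    for host in TRACKERS:
        if any(host in u for u in re.findall(r'href="([^"]+)"', body)):
            findings.append(f"link routed via tracking redirector {host}")
    return findings
```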
After SendGrid logs the click, it redirects the user to the attacker’s final landing page, which in this case provides an MSI that installs PDQ Connect. PDQ Connect is legitimate RMM/agent software, but when installed under attacker control it functions essentially as a RAT, enabling remote administrative control.
PDQ Connect installs as a service/agent and can be configured to persist across reboots. With that foothold, attackers can execute commands remotely, harvest credentials and tokens, trigger ransomware and install malware.
Conclusion
This DATEV-themed phishing campaign used SendGrid delivery, website-scraped branding, and long tracked redirects to guide users to PDQ Connect, a legitimate remote-management tool. Because the activity was identified early, no endpoints were compromised. In controlled testing, the full delivery chain could not be observed, as the click-tracking system prevented access to the intended payload. All IOCs identified in the message headers, URLs, and delivery chain were flagged and reported to the appropriate service providers.
This threat model matches NJCCIC reporting describing PDQ Connect-based campaigns distributing MSI installers through phishing themes such as tax forms and voicemail notices.
Lana Kuzmina is a Cyber Threat Analyst at revel8, specializing in OSINT, threat actor tracking, and intelligence reporting. With experience across early threat detection and malware research, she brings a sharp eye for uncovering emerging attack techniques and translating them into actionable insights for defenders.