Adobe Acrobat Secure Document Email Virus

Daniel Zimmermann
Daniel Zimmermann
10 Min Read
Fake Adobe Acrobat Sign request leading to a ScreenConnect installer warning
A fake Acrobat Sign request can hide a remote-access installer behind a document review button.

An email titled Adobe Acrobat – Secure Document is being used as a malware lure, not as a normal Acrobat Sign request. The message says a secure document is waiting for review, pushes a 48-hour expiry, and uses a Review and sign Document button. In the reported campaign, that button leads to a fake Adobe-style page that downloads ScreenConnect.ClientSetup.msi, a remote-access installer that should never be treated as an Adobe Reader or Acrobat Sign update.

If you only opened the email, delete it and report it. If you clicked the link but did not run the MSI, remove the download and clear the browser download history. If you ran ScreenConnect.ClientSetup.msi, disconnect the computer from the network, remove the unexpected ScreenConnect client, scan for persistence, and change passwords from a clean device.

What This Fake Acrobat Sign Email Looks Like

The lure borrows the trust of document-signing workflows. It may use an Adobe Acrobat Sign display name, a secure-document subject, and wording about a contract project or business collaboration. The risky part is not the idea of an e-signature request by itself; it is the chain from the button to a software installer.

Desktop email mockup showing a fake Adobe Acrobat Secure Document message and ScreenConnect MSI warning
Example desktop view of the fake secure-document email. The sender domain is not Adobe, and the follow-up file is an MSI installer.

Example Of The Fake Email Wording

The exact sender and subject can change, but the campaign pattern is recognizable:

  • Subject: Adobe Acrobat – Secure Document
  • Sender display: Adobe Acrobat Sign
  • Sender address example: secure-document [at] notice-documents [dot] example
  • Opening line: You have received a secure document for contract-project collaboration.
  • Pressure line: This request expires in 48 hours.
  • Button: Review and sign Document
  • Suspicious follow-up: ScreenConnect.ClientSetup.msi or another Windows installer presented as a required update.
Mobile email mockup showing the fake Acrobat Sign request and ScreenConnect ClientSetup MSI warning
Mobile version of the lure. A real signing request should not require you to install a remote-access MSI from an unknown site.

Why A ScreenConnect MSI Is Dangerous Here

ScreenConnect, now ConnectWise ScreenConnect, is legitimate remote support software when an organization installs and manages it on purpose. Attackers abuse that trust by delivering a configured client through phishing, fake document pages, and fake software-update prompts. Once the attacker-controlled client runs, it can give someone remote visibility and control over the computer.

That is why the file name matters. ScreenConnect.ClientSetup.msi is not an Adobe document, not an Acrobat Reader update, and not a normal requirement for signing a PDF. It is a Windows installer. Treat it as a remote-access incident if it came from an unexpected email, unknown domain, or fake update page.

How To Check If The Adobe Request Is Real

Before clicking a signing link, use checks that do not depend on the button inside the message:

  1. Expand the sender details and check the real address, not only the display name.
  2. Hover over the button or long-press it on mobile to inspect the destination. A signing request should not send you to an unrelated domain or direct MSI download.
  3. Ask the supposed sender through a separate channel if they actually sent a document.
  4. Open Acrobat Sign from a known bookmark or your organization’s normal Adobe workflow instead of trusting the email button.
  5. If the message claims to be Adobe abuse or a false Adobe request, report it to Adobe through the official phishing or Acrobat Sign abuse channels.

Adobe provides reporting paths for suspicious messages that claim to represent Adobe and for abusive Acrobat Sign agreements. Those reports are useful when a fake request uses Adobe branding or tries to abuse the signing workflow.

What To Do If You Clicked The Button

Your next step depends on how far the chain went:

  • You only opened the email: delete it, report it, and do not reply.
  • You clicked the button but no file ran: close the page, delete any downloaded MSI, and avoid returning to the site.
  • You downloaded the MSI but did not run it: remove it from Downloads, empty the Recycle Bin, and scan the file only through a trusted scanner if you need confirmation.
  • You ran the MSI: disconnect from Wi-Fi or Ethernet, remove the unexpected ScreenConnect client, scan the system, and rotate passwords from a different trusted device.

Remove Unexpected ScreenConnect Access

After an unexpected ScreenConnect install, focus on stopping access first, then cleanup:

  1. Disconnect the computer from the network if you suspect the client is active.
  2. Open Settings > Apps or Control Panel > Programs and Features and look for ScreenConnect Client or ConnectWise Control.
  3. Check Services for ScreenConnect-related services if the app entry is unclear.
  4. Reboot, then confirm the client did not return.
  5. Review browser sessions, email rules, startup entries, scheduled tasks, and recently created administrator accounts if the installer ran with elevated permissions.
  6. Change email, banking, work, and password-manager credentials from a clean device if the remote session may have been active.

If the installer ran, the visible ScreenConnect entry may be only part of the problem. A phishing download can also leave a loader, scheduled task, browser change, startup entry, or second payload behind. Run a full Gridinsoft Anti-Malware scan after removing the visible client, remove detections, reboot, and scan again if alerts or remote-access symptoms return.

Scan files downloaded from this scam.

If the page or email made you download an invoice, coupon, tracking app, browser extension, or support tool, scan the PC before opening it again or logging into sensitive accounts.

Scan after running the fake document installer

How This Differs From Other ScreenConnect Scams

This page is about the Adobe Acrobat – Secure Document lure. If your email mentioned Social Security documents, use our Social Security Statement ScreenConnect scam guide instead. If you found ScreenConnect installed but do not know which email or fake page caused it, start with our broader ScreenConnect Client scam cleanup guide. For background on why remote access tools are dangerous when installed by an attacker, see our remote access trojan explainer.

How To Avoid This Lure Next Time

  • Do not install software because a document-signing email says a viewer or reader is outdated.
  • Verify unexpected contract, invoice, legal, HR, or procurement requests through a separate channel.
  • Block or investigate direct MSI downloads from email links.
  • Use browser and email security controls that show the real sender and target URL.
  • Monitor for unexpected remote-access tools such as ScreenConnect, AnyDesk, TeamViewer, or similar clients.

FAQ

Is the Adobe Acrobat – Secure Document email real?

Treat it as fake if it came unexpectedly, uses a non-Adobe sender domain, pushes a 48-hour deadline, or leads to a software download. A normal signing request should not require ScreenConnect.ClientSetup.msi.

Is ScreenConnect always malware?

No. ScreenConnect is legitimate remote support software. It becomes dangerous in this situation because an attacker is trying to make you install a remote-access client from a fake document page.

Am I infected if I only read the email?

No. Reading the message is not enough to install the remote-access client. The risk starts when you click through, download the MSI, and run it.

What if I ran ScreenConnect.ClientSetup.msi?

Disconnect the computer, remove the unexpected client, scan for persistence and other malware, then change important passwords from a clean device. If this happened on a work computer, notify IT immediately.

Should I report the email to Adobe?

Yes, especially if it uses Adobe branding or appears to abuse Acrobat Sign. Reporting helps Adobe review phishing and service-abuse patterns.

References

  1. Adobe. “Notifying Adobe of Security Issues.” Adobe Help Center, accessed June 18, 2026. https://helpx.adobe.com/security/alertus.html
  2. Adobe. “Report Abuse Links.” Adobe Acrobat Sign Help, updated August 2025, accessed June 18, 2026. https://helpx.adobe.com/sign/admin/report-abuse-links.html
  3. Microsoft Threat Intelligence. “Signed Malware Impersonating Workplace Apps Deploys RMM Backdoors.” Microsoft Security Blog, March 3, 2026, accessed June 18, 2026. https://www.microsoft.com/en-us/security/blog/2026/03/03/signed-malware-impersonating-workplace-apps-deploys-rmm-backdoors/
What Is a Bootkit? Symptoms, Removal, and Protection
PyPI Malware Storm Forces to Suspend New Uploads
Itchupd.pages.dev Virus: Automatic Updater_v3.3.zip Download Cleanup
Norton Scam Email: Fake Invoice and Renewal Warning
Can You Get a Virus From Porn Sites? Risks & What to Do
TAGGED:
Share This Article
ByDaniel Zimmermann
Follow:
With a strong background in consumer safety and fraud prevention, Daniel specializes in providing actionable tips and advice to users. His focus is on helping individuals understand the risks of interacting with fraudulent sites and services
Previous Article ScreenConnect scam warning showing unexpected remote access on a Windows PC ScreenConnect Client Scam: Remove Unexpected Remote Access
Next Article Fake LinkedIn purchase inquiry email shown as a business quote request used for credential theft. LinkedIn Purchase Inquiry Email Scam
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?