For instances of unrecognized Screenconnect we've seen overwhelmingly malicious instances have the join with a code feature turned off on the web interface, additionally in WHOIS the date of registration is usually less than 3-6 months. If we can get that detail on the screenconnect hosts page itself and/or if Huntress can improve the alerts for this particular threat that'd be great.