Sophisticated Phishing Campaign Weaponizes Event Invitations to Bypass MFA and Deploy RMM Tools
A highly organized, large-scale phishing campaign is currently targeting U.S.-based organizations, utilizing a multi-stage attack vector that cleverly mimics legitimate corporate workflows.
This isn’t a simple “spray and pray” operation; instead, it is a sophisticated orchestration that combines credential harvesting, Multi-Factor Authentication (MFA) interception, and the deployment of legitimate Remote Monitoring and Management (RMM) software to establish persistent access.
What makes this campaign particularly dangerous is its ability to blend into the “noise” of daily business operations. By leveraging familiar user behaviors and reputable-looking infrastructure, attackers are successfully delaying detection by Security Operations Centers (SOCs) until the compromise is already deep within the network.
The attack lifecycle begins with a social engineering lure: an email appearing to be a formal corporate or social event invitation. Upon clicking the embedded link, victims aren’t immediately met with a suspicious login prompt. Instead, they encounter a CAPTCHA page—frequently mimicking a Cloudflare challenge. This serves a dual purpose: it filters out automated security scanners that might flag the site, and it builds a false sense of security by making the environment feel “protected” and routine.
Once the CAPTCHA is cleared, the user is directed to a highly polished, event-themed landing page. This page informs the victim that they must sign in or download specific event details to proceed. Research from ANY.RUN indicates that the attackers utilize a highly repeatable phishing framework, allowing them to mass-produce these convincing, themed lure pages across various domains.
At this junction, the attack path diverges into two distinct technical objectives: Credential/OTP Theft or RMM Deployment.
The Mechanics of Credential and OTP Interception
In the credential theft branch, the site prompts the user to select their identity provider (e.g., Microsoft 365, Google, or Yahoo). For non-Google services, the attackers use a deceptive UI pattern: after the user enters their credentials once, the page displays a fake “Incorrect Password” error. This is a tactical move designed to trick the user into re-entering their password, ensuring the attackers capture two attempts to mitigate any potential typos.
The technical exfiltration occurs via standard HTTP POST requests. The initial credentials are sent to attacker-controlled endpoints (such as /processmail.php). Immediately following this, a second form is presented, requesting a One-Time Password (OTP). The OTP is then exfiltrated through a separate POST request (e.g., to /process.php). This allows the adversary to perform a real-time adversary-in-the-middle (AiTM) style attack, bypassing MFA and gaining full session control over the victim’s account.
In cases involving Google users, the workflow shifts toward a deceptive authorization flow, where the victim is redirected to a fraudulent page designed to mimic a Google OAuth authorization prompt.

The RMM Delivery Path: Establishing Persistence
Alternatively, the campaign may opt for direct endpoint compromise via RMM software. The fake invitation page triggers a download—either automatically upon page load or via a “Download invitation” button—that installs legitimate remote management tools such as ScreenConnect, ITarian, Datto RMM, ConnectWise, or LogMeIn Rescue.

This is a highly effective “Living off the Land” (LotL) tactic. Because these tools are standard in modern IT environments, their execution on an endpoint often fails to trigger traditional Endpoint Detection and Response (EDR) alerts. Once installed, the attackers gain a persistent, legitimate-looking backdoor for lateral movement and data exfiltration.
Threat Hunting and Defensive Strategies
The campaign’s underlying infrastructure exhibits a highly consistent signature. Analysts should look for the following technical indicators in network logs:
- Consistent Request Chains: A characteristic sequence of
GET /, followed byGET /favicon.ico,GET /blocked.html, and requests to//Image/*.png. - Predictable Resource Paths: The use of specific service icons (e.g.,
office360.png,yahoo.png,google.png) hosted in fixed directories. - Domain Patterns: URLs often use domain names related to parties, greetings, or invitations, following a predictable structural pattern.

Recommendations for Security Teams:
- Tuning Detection: Implement alerts for the specific URL patterns and resource request chains identified by threat intelligence.
- RMM Monitoring: Monitor for the installation of RMM tools by non-IT administrative accounts or via web-based downloads.
- User Awareness: Educate staff to treat unsolicited event invitations, especially those requiring external logins or software downloads, as high-risk.
- Proactive Analysis: Utilize interactive sandboxes like ANY.RUN to safely detonate suspicious files and observe the exfiltration endpoints before they reach the production environment.