Fake invites open new phishing route

Fake event invitations are being used in a large phishing operation aimed at organisations in the United States, with attackers combining credential theft, one-time password interception and remote access software installation in the same campaign.

The operation marks a sharper turn in workplace phishing because it exploits a routine business habit: accepting calendar or event invitations. Rather than relying on crude attachments or obviously suspicious messages, the attackers send users to invitation-themed pages that appear to fit normal office workflows. The deception is strengthened by CAPTCHA checks, familiar sign-in prompts and downloads dressed up as event material.

Security analysis of the campaign found nearly 160 suspicious links and about 80 phishing domains tied to the activity by late April. Many domains used Germany’s .de top-level domain and appear to have been registered from December 2025 onwards, giving the infrastructure a more legitimate appearance while spreading the attack surface across multiple sites.

The attack typically begins when a user clicks a link in what appears to be a corporate or social invitation. The victim is first sent through a CAPTCHA page, often resembling a Cloudflare verification screen. That step helps block automated scanning tools while making the journey feel ordinary to the user. The next page tells the recipient that an invitation is waiting and asks them either to sign in or download details.

The campaign then follows one of two paths. Some pages harvest email credentials and prompt for one-time passwords, giving attackers a way around multi-factor authentication. Other pages push legitimate remote monitoring and management tools, including products such as ScreenConnect, ITarian, Datto RMM, ConnectWise and LogMeIn Rescue, which can give intruders remote control without the obvious signatures of custom malware.

The credential theft path is designed to reduce the chance of error. Users selecting non-Google services are shown a generic login form asking for an email address and password. After the first submission, the page displays an “incorrect password” message, prompting a second entry. That gives the attacker two sets of credentials and increases the likelihood that a mistyped password will be corrected.

Once the password is submitted, the page asks for a one-time code. If the victim enters it quickly enough, the attacker can use the code to gain access before it expires. That turns a standard phishing page into a near real-time account takeover tool, especially where organisations rely on text-message or app-generated codes without stronger phishing-resistant authentication.

The remote access route creates a different risk. A fake invitation page may start a download automatically or offer a button labelled as an invitation download. The installed tool may be legitimate software, but in the attacker’s hands it can provide screen sharing, file transfer, remote shell access and persistence inside a corporate network. Because such tools are commonly used by IT teams, they may not immediately trigger the same alarms as unknown malware.

Education, banking, government, technology and healthcare organisations appear especially exposed because they depend heavily on email identity, shared calendars and remote administration. A compromised mailbox can be used for internal phishing, invoice fraud, data theft or password resets across other business systems. A compromised endpoint with remote access software can give attackers a stronger foothold for lateral movement.

The campaign fits a wider pattern in which attackers are moving beyond the inbox and abusing trusted collaboration channels. Fake Zoom, Microsoft Teams and Google Meet lures have already been used to push signed remote management tools. Those operations relied on the urgency of joining a scheduled call, telling victims that a software update was required before they could enter a meeting.

The use of legitimate software is central to the threat. Remote monitoring tools are not inherently malicious, and many companies depend on them for support and administration. That makes blanket blocking difficult. Security teams must distinguish approved use from suspicious deployment, especially where a tool appears on an endpoint shortly after a user clicks an invitation link.
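One way a security team can act on that distinction is to correlate web-proxy clicks on invitation-themed pages with endpoint software-install events on the same host inside a short window. The script below is an added example written for this article, not code from the article or from any RMM vendor; the log layouts, hostnames, user names, URLs, keyword lists and the fifteen-minute window are constructed assumptions, and real proxy and endpoint schemas will differ. The RMM product names are the ones the article cites.

```python
"""Flag remote-management (RMM) tool installs that follow an invitation-link click.

Added example, not code from the article or from any vendor. The proxy and
endpoint log layouts, hostnames, user names, URLs and thresholds below are
constructed assumptions; production log schemas will differ.
"""
from datetime import datetime, timedelta

# RMM product names cited in the article, matched case-insensitively.
RMM_KEYWORDS = ("screenconnect", "itarian", "datto", "connectwise", "logmein")
# Assumed URL fragments typical of invitation-themed lure pages.
INVITE_MARKERS = ("invit", "captcha", "event")
# Assumed correlation window: an install this soon after a click is worth a look.
WINDOW = timedelta(minutes=15)

# Constructed proxy log: "<ISO timestamp> <user> <host> <url>"
PROXY_LOG = [
    "2026-04-20T09:01:12Z alice WS-101 https://invite-example.de/invitation?id=42",
    "2026-04-20T09:01:20Z alice WS-101 https://invite-example.de/captcha",
    "2026-04-20T09:30:00Z bob WS-202 https://intranet.example.internal/calendar",
]
# Constructed endpoint install log: "<ISO timestamp> <host> <product> <installer file>"
INSTALL_LOG = [
    "2026-04-20T09:04:55Z WS-101 ScreenConnect invitation_details.exe",
    "2026-04-20T14:10:00Z WS-202 ConnectWise ITSupport-Agent.msi",  # routine IT rollout
]


def parse_ts(text):
    """Parse the constructed ISO-8601 UTC timestamp format."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_proxy(lines):
    """Split constructed proxy lines into records."""
    records = []
    for line in lines:
        ts, user, host, url = line.split(" ", 3)
        records.append({"ts": parse_ts(ts), "user": user, "host": host, "url": url})
    return records


def parse_installs(lines):
    """Split constructed endpoint install lines into records."""
    records = []
    for line in lines:
        ts, host, product, installer = line.split(" ", 3)
        records.append({"ts": parse_ts(ts), "host": host, "product": product, "installer": installer})
    return records


def is_invite_url(url):
    """True when the URL carries one of the assumed invitation-lure markers."""
    low = url.lower()
    return any(marker in low for marker in INVITE_MARKERS)


def is_rmm(product, installer):
    """True when the product or installer name matches a known RMM product."""
    text = (product + " " + installer).lower()
    return any(key in text for key in RMM_KEYWORDS)


def correlate(proxy_lines, install_lines, window=WINDOW):
    """Return one alert per RMM install preceded, within `window`, by an
    invitation-style click on the same host. The alert points at the latest
    such click so an analyst can pivot straight to the lure URL."""
    clicks = [c for c in parse_proxy(proxy_lines) if is_invite_url(c["url"])]
    alerts = []
    for inst in parse_installs(install_lines):
        if not is_rmm(inst["product"], inst["installer"]):
            continue
        prior = [c for c in clicks
                 if c["host"] == inst["host"]
                 and timedelta(0) <= inst["ts"] - c["ts"] <= window]
        if not prior:
            continue  # RMM install with no nearby lure click: likely approved use
        last = max(prior, key=lambda c: c["ts"])
        reasons = ["rmm_install_after_invite_click"]
        # Installers dressed up as event material are a second signal from the article.
        if any(marker in inst["installer"].lower() for marker in INVITE_MARKERS):
            reasons.append("installer_named_like_event_material")
        alerts.append({
            "host": inst["host"], "user": last["user"], "url": last["url"],
            "product": inst["product"], "installer": inst["installer"],
            "seconds_after_click": int((inst["ts"] - last["ts"]).total_seconds()),
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROXY_LOG, INSTALL_LOG):
        print(alert)
```

Run against the constructed logs, the script raises a single alert for WS-101 (ScreenConnect arriving 215 seconds after a click on the captcha page) and stays silent on WS-202, where the ConnectWise agent landed hours after an ordinary intranet request. The same shape works with an EDR's process-creation or software-inventory feed in place of the install log; the value is in the host-level join and the short window, not in the keyword lists, which a team should replace with its own lure indicators and approved-tool inventory.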

The broader cybercrime environment has made credential theft more damaging. Reported cyber-enabled losses in the United States exceeded $20 billion in 2025, with business email compromise, account takeover and social engineering continuing to drive major losses. The fake-invitation campaign shows how attackers are adapting to stronger email filtering by hiding malicious steps behind normal workplace behaviour.