Event invitations used to steal credentials and deploy remote access

A campaign targeting healthcare, banking, government, and technology organizations uses party invitation lures to walk victims through a credential theft or remote access tool installation without triggering obvious suspicion.

What happened

Security researchers have identified an active phishing campaign using fake event and party invitations to steal login credentials and install remote monitoring and management (RMM) tools on victim systems. According to The Hacker News, the campaign uses bogus email invitations to direct recipients to CAPTCHA-gated phishing pages, after which one of two attack paths follows, depending on the variant encountered. In the credential theft variant, the page prompts the victim to sign in with their email provider, capturing their username, password, and one-time passcode in real time before deliberately displaying an incorrect password message to solicit a second entry. In the RMM variant, the page initiates a download of a legitimate remote access tool such as ScreenConnect, ITarian, Datto RMM, ConnectWise, or LogMeIn Rescue, in some cases without requiring any additional click. Healthcare is among the top sectors affected, alongside education, banking, government, and technology. Researchers identified approximately 80 phishing domains associated with the campaign, most registered under the .de top-level domain from December 2025 onward, with nearly 160 suspicious links submitted to analysis sandboxes in the days following initial detection.

Going deeper

The invitation lure is effective because it carries none of the warning signals that phishing awareness training targets. There is no request for urgent financial action, no impersonation of an executive, and no suspicious attachment. A recipient receives what appears to be a social invitation, clicks through a Cloudflare CAPTCHA that adds a veneer of legitimacy, and arrives at a page that either asks them to log in or initiates what appears to be a routine software download. Researchers noted the campaign shows signs of being built for scale, with a reusable phishing toolkit that allows new event-themed lure sites to be spun up quickly, and page elements suggesting AI-assisted content generation. For victims of the credential theft variant, both the first and second password attempts are captured, along with any OTP code entered, giving the attacker a fully authenticated session. For victims of the RMM variant, the attacker gains persistent unattended remote access to the victim's machine through software that security tools may not flag because it is legitimately signed and widely used in corporate environments.

What was said

Researchers described the attack in The Hacker News as turning legitimate RMM software into a persistent backdoor, stating that "instead of deploying custom viruses, attackers are bypassing security perimeters by weaponizing the necessary IT tools that administrators trust. By stealing a 'skeleton key' to the system, they turn legitimate Remote Monitoring and Management software into a persistent backdoor." Researchers noted the attack unfolds in two distinct waves, with credential theft in the first stage and RMM deployment in the second, using the stolen credentials to authenticate the installation.

In the know

Event and invitation-themed lures have become a consistent phishing vector across multiple campaigns in 2025 and 2026. According to BleepingComputer, a separate campaign using fake Calendly meeting invitations impersonating more than 75 major brands, including LVMH, Mastercard, and Uber, ran through late 2025, using the same CAPTCHA-then-AiTM-page structure to steal Google Workspace credentials. KnowBe4's April 2026 phishing trends report documented a 49% increase in calendar invite phishing attacks in the six months to April 2026, confirming that invitation-format lures are growing as a deliberate category of attack rather than an isolated tactic.

The big picture

Healthcare's inclusion among the top targeted sectors in this campaign reflects the same targeting logic documented across 2025 and into 2026: organizations that rely heavily on email access and remote administration tools for daily operations present a higher-value target when those accounts are compromised. Microsoft's April 2026 large-scale credential theft campaign analysis found healthcare and life sciences were the most targeted sector, accounting for 19 percent of victims across 35,000 users and 13,000 organizations in 26 countries. A stolen email credential in a clinical environment provides access to patient records, referral communications, prescription authorizations, and insurance correspondence simultaneously. A silently installed RMM tool in the same environment gives an attacker persistent access to all of that without any further phishing attempt required.

FAQs

Why does an invitation lure work better than a standard phishing email?

Invitation emails carry no financial urgency, no executive impersonation, and no obvious request for sensitive information. Recipients are conditioned to scrutinize emails that ask for passwords or payments, but are less guarded about social notifications. The lure reaches recipients in a lower-alert state and moves them through a seemingly routine interaction before the malicious step occurs.

What is the risk of the RMM installation variant compared to credential theft?

Credential theft gives an attacker access to accounts that can be locked out with a password reset. An installed RMM tool gives persistent remote access to the physical machine, surviving password changes and, in some cases, account resets, because the tool runs as a service on the endpoint rather than through the compromised account.

Why does showing an incorrect password message after the first entry increase damage?

Victims who see an error message assume they mistyped and re-enter their credentials, giving the attacker two captured password attempts. Even when the organization forces a password reset after a suspected compromise, holding both attempts increases the probability that one of them matches credentials reused on other systems.

How does Cloudflare's CAPTCHA make the phishing page appear legitimate?

Cloudflare's Turnstile and similar CAPTCHA services are used by legitimate organizations to protect against automated traffic. Their presence on a page signals to recipients that the site is managed infrastructure rather than a hastily assembled fake, and also serves a secondary purpose of blocking automated security scanners from reaching and analyzing the phishing content behind it.

What should healthcare organizations do to reduce exposure to this campaign?

Monitoring endpoints for unauthorized RMM installations is the most direct control against the second attack variant. For the credential theft variant, enforcing phishing-resistant MFA removes the value of stolen passwords and OTP codes. Staff training should specifically address invitation-format lures as a category, not just the more commonly covered urgent executive or payment request patterns.
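As an added example (not code from the original article or from any vendor named in it), the following Python script shows the kind of allowlist check the first recommendation implies: it parses a constructed software-inventory export, matches product names against the RMM families the campaign abused, and flags any install whose family is not the organization's sanctioned one. The inventory format, the name patterns and the approved set are assumptions to adapt to your own tooling.

```python
import re
from typing import List, Optional, Set, Tuple

# RMM products named in the campaign reporting. The patterns are assumptions about
# how each product labels itself in a software inventory; tune them to your data.
RMM_SIGNATURES = {
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "ConnectWise": re.compile(r"connectwise", re.I),
    "ITarian": re.compile(r"itarian", re.I),
    "Datto RMM": re.compile(r"datto", re.I),
    "LogMeIn Rescue": re.compile(r"logmein|lmi\s*rescue", re.I),
}

def classify(product_name: str) -> Optional[str]:
    """Map an inventory product string to an RMM family, or None if it is not RMM."""
    for family, pattern in RMM_SIGNATURES.items():
        if pattern.search(product_name):
            return family
    return None

def find_unauthorized_rmm(inventory_lines: List[str],
                          approved: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Parse 'host | product | install_date' lines and return
    (host, family, product, install_date) for RMM installs not on the approved list."""
    findings = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and comment rows
            continue
        host, product, installed = (f.strip() for f in line.split("|", 2))
        family = classify(product)
        if family is not None and family not in approved:
            findings.append((host, family, product, installed))
    return findings

# Constructed sample inventory (not real data): one sanctioned RMM agent, one
# unexpected ScreenConnect client, one LogMeIn Rescue applet, and benign software.
SAMPLE_INVENTORY = """
# host | product | install_date
WS-CLINIC-01 | ConnectWise Automate Agent | 2025-03-10
WS-CLINIC-02 | ScreenConnect Client (a1b2c3d4e5f6) | 2026-01-14
WS-CLINIC-02 | Microsoft Office 365 | 2024-11-02
WS-BILLING-07 | LogMeIn Rescue Applet | 2026-01-15
WS-BILLING-07 | Adobe Acrobat Reader | 2024-06-20
""".splitlines()
APPROVED = {"ConnectWise"}  # assumption: the organization's one sanctioned RMM vendor

if __name__ == "__main__":
    for host, family, product, installed in find_unauthorized_rmm(SAMPLE_INVENTORY, APPROVED):
        print(f"ALERT {host}: unexpected {family} ({product}) installed {installed}")
```

Feeding a real export from your endpoint management platform in the same three-column form produces one alert per unsanctioned RMM install, which is the signal to investigate before the second-wave access is used.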
