CyberSecurityNews

New Phishing Attack Weaponizing Event Invitations to Steal Login Credentials


A large-scale phishing campaign has been quietly targeting organizations across the United States, using fake event invitations as bait. Rather than sending a suspicious attachment or an obvious scam link, attackers lure victims with what appears to be a legitimate party or gathering invitation.

Once clicked, those links lead to pages designed to steal login credentials, intercept one-time passcodes, or install remote management software.

What makes this campaign stand out is how ordinary the early steps look. A victim receives an invitation, clicks the link, passes through a CAPTCHA check, and sees a polished event page.

Nothing about that sequence triggers obvious concern, and that is precisely the point. By the time any real harm occurs, whether a stolen password or a remote access tool quietly running in the background, the attack is already well underway.

Researchers at ANY.RUN were among the first to document the full scope of this operation. On April 22, 2026, analysts identified a phishing campaign targeting email service credentials, with some cases also delivering remote management software. By April 27, nearly 160 suspicious links had been submitted to ANY.RUN’s sandbox, with roughly 80 phishing domains identified, most registered under the .de top-level domain starting from December 2025.

Full attack chain of the phishing campaign (Source – Any.Run)

The industries most affected include Education, Banking, Government, Technology, and Healthcare. These sectors rely heavily on email access and remote administration tools, making them attractive targets for attackers looking to blend in. A single stolen login in any of these environments can open doors far beyond one inbox.

Fake invitation used as a lure (Source - Any.Run)

The campaign also shows signs of being built for scale. Threat actors appear to use a reusable phishing toolkit to spin up new event-themed lure sites quickly. Some page elements hint at AI-assisted content generation, meaning the attack surface can expand fast while the underlying structure stays consistent enough to detect.

Phishing Attack Weaponizing Event Invitations

The attack begins with a simple invitation link. After clicking, the victim is taken through a CAPTCHA check, most often served through Cloudflare, which gives the page an air of legitimacy. From there, one of two things happens depending on which version of the lure the victim encounters.

Example message asking the user to sign in to the event (Source - Any.Run)

In the credential theft version, the page presents a sign-in prompt and asks the user to log in with their email service of choice. When someone selects Google, they are redirected to a convincing fake Google authorization form. Credentials are sent via POST requests to server endpoints including /pass.php and /mlog.php.

Google authorization form used for the phishing attack (Source - Any.Run)

For all other services, the page collects the email and password, then deliberately shows an “Incorrect Password” message to push the user into entering their details a second time, capturing both attempts. Once the user submits an OTP code, that too is silently forwarded to the attacker.

In the remote management delivery version, the fake invitation page initiates a download of a legitimate remote tool such as ScreenConnect, ITarian, Datto RMM, ConnectWise, or LogMeIn Rescue. Some pages include a download button, while others begin the download automatically with no further action needed. Because these are real, widely used tools, security software may not treat the installation as a threat.

How Security Teams Can Reduce the Risk

Security teams can use shared infrastructure patterns to hunt for related domains before an incident takes shape. All phishing pages in this campaign follow a predictable request chain: a GET request to the root, followed by requests to /favicon.ico, /blocked.html, and an image path matching /Image/*.png. Analysts can run the query url:"/blocked.html" AND url:"/favicon.ico" and url:"/Image/*.png" in threat intelligence platforms to surface connected domains.
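The same request-chain fingerprint can be hunted in an organization's own proxy logs; the following is an added example (not the article's or ANY.RUN's code) that assumes a simplified log format of timestamp, client, method, host and path, flags sessions showing GET /, /favicon.ico, /blocked.html and an /Image/*.png fetch, and escalates when a POST to one of the credential or OTP endpoints the article names follows. The hostnames in the sample log are constructed placeholders.

```python
import re
from collections import defaultdict

# Request chain the article gives for every campaign page, plus its credential/OTP endpoints.
CHAIN_MARKERS = ("/", "/favicon.ico", "/blocked.html")
IMAGE_PATH = re.compile(r"^/Image/[^/]+\.png$")
CREDENTIAL_ENDPOINTS = {"/pass.php", "/mlog.php", "/processmail.php", "/process.php"}
# Simplified proxy log format assumed for this example: "<ts> <client> <method> <host> <path>".
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")

def parse_log(text):
    """Group requests per (client, host), preserving the order they were seen."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            _ts, client, method, host, path = m.groups()
            sessions[(client, host)].append((method, path))
    return sessions

def classify_session(requests):
    """'lure_page' if the full chain is present, 'credential_submission' if a credential POST followed."""
    paths = {p for _m, p in requests}
    chain_seen = all(marker in paths for marker in CHAIN_MARKERS)
    if not (chain_seen and any(IMAGE_PATH.match(p) for p in paths)):
        return None
    posted = any(m == "POST" and p in CREDENTIAL_ENDPOINTS for m, p in requests)
    return "credential_submission" if posted else "lure_page"

def hunt(text):
    """Return {(client, host): verdict} for every session matching the fingerprint."""
    verdicts = {k: classify_session(v) for k, v in parse_log(text).items()}
    return {k: v for k, v in verdicts.items() if v}

# Constructed sample log; hostnames are placeholders, not indicators from the article.
SAMPLE_LOG = """\
2026-04-23T09:12:01Z 10.0.0.5 GET party-invite.example /
2026-04-23T09:12:02Z 10.0.0.5 GET party-invite.example /favicon.ico
2026-04-23T09:12:02Z 10.0.0.5 GET party-invite.example /blocked.html
2026-04-23T09:12:03Z 10.0.0.5 GET party-invite.example /Image/google.png
2026-04-23T09:12:40Z 10.0.0.5 POST party-invite.example /pass.php
2026-04-23T09:13:10Z 10.0.0.7 GET intranet.example /
2026-04-23T09:13:11Z 10.0.0.7 GET intranet.example /favicon.ico
2026-04-23T09:13:12Z 10.0.0.7 GET intranet.example /Image/logo.png
2026-04-23T09:20:00Z 10.0.0.9 GET birthday-rsvp.example /
2026-04-23T09:20:01Z 10.0.0.9 GET birthday-rsvp.example /favicon.ico
2026-04-23T09:20:01Z 10.0.0.9 GET birthday-rsvp.example /blocked.html
2026-04-23T09:20:02Z 10.0.0.9 GET birthday-rsvp.example /Image/office360.png
"""
```

Calling hunt() on the sample flags the 10.0.0.5 session as a credential submission and the 10.0.0.9 session as a lure page visit, while the intranet session (no /blocked.html) is ignored.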

Beyond hunting, organizations benefit most from getting visibility earlier in the chain, before credentials are used or a remote tool gains a foothold. Safely analyzing suspicious links in a sandboxed environment lets teams confirm whether a page is a fake invitation, a credential form, or an RMM delivery page before any user data is at risk.

When teams can observe the full behavior of a link during investigation, they can contain the threat much faster and avoid the costly uncertainty that comes with reacting too late.

Indicators of Compromise:

| Type | Indicator | Description |
|---|---|---|
| URL Pattern | hxxps:////Image/office360.png | Phishing page icon path for Office 365 branding |
| URL Pattern | hxxps:////Image/office.png | Phishing page icon path for Office branding |
| URL Pattern | hxxps:////Image/yahoo.png | Phishing page icon path for Yahoo branding |
| URL Pattern | hxxps:////Image/google.png | Phishing page icon path for Google branding |
| URL Pattern | hxxps:////Image/aol.png | Phishing page icon path for AOL branding |
| URL Pattern | hxxps:////Image/email.png | Phishing page icon path for generic email branding |
| URL Pattern | hxxps:///blocked.html | Shared blocked page across all campaign domains |
| URL Pattern | hxxps:////processmail.php | Credential submission endpoint (non-Google flow) |
| URL Pattern | hxxps:////process.php | OTP submission endpoint |
| URL Pattern | hxxps:////pass.php | Google credential login endpoint |
| URL Pattern | hxxps:////mlog.php | Google credential password endpoint |
| URL Pattern | hxxps:////check_telegram_updates.php | Visitor ID exfiltration endpoint (Google flow) |
| File Hash (SHA-256) | 887bc414bdb32b83dcfccdd3c688e90d9a87a0033e3756a840f9bdd2d65… | office360.png icon used in phishing pages |
| File Hash (SHA-256) | 6eaa0a448f1306bcf4159783eeafe5d37243bd8ca2728db7d90de192924… | office.png icon used in phishing pages |
| File Hash (SHA-256) | 4c373bc25cb71dbb75e73b61dff25aa184be8d327053a97202a6b1a5919… | yahoo.png icon used in phishing pages |
| File Hash (SHA-256) | a838f99537d35e48e479a34086297f76db5d3363b0456f23d10d308f0d3… | google.png icon used in phishing pages |
| File Hash (SHA-256) | 8e94c18bbcad0644c4b04de4356fe37da9996fdf1c99bc984ba819862a9… | aol.png icon used in phishing pages |
| File Hash (SHA-256) | 9a53e032a6e3e79861d28568c3b6ffc97f4f3c1d3af65a703ec129664205… | email.png icon used in phishing pages |
| Domain | festiveparty[.]us | Event-themed phishing domain observed in campaign |
| Domain | getceptionparty[.]de | Event-themed phishing domain observed in campaign |
| Domain | celebratieinvitiee[.]de | Event-themed phishing domain observed in campaign |
| TI Hunting Query | url:"/blocked.html" AND url:"/favicon.ico" and url:"/Image/*.png" | Query to find related phishing domains in ANY.RUN TI Lookup |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
