New Phishing Campaign Targets US with Credential Theft: What CISOs Need to Know

A large-scale phishing campaign is targeting U.S. organizations across multiple sectors using fake event invitations. The campaign employs a repeatable infrastructure to bypass initial defenses via CAPTCHA, subsequently leading to either credential and OTP interception or the deployment of legitimate Remote Monitoring and Management (RMM) tools for persistent access.

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-05-05 · Google

Authors: ANY.RUN

Actors: Fake Invitation Phishing Campaign

Source:ANY.RUN

IOCs · 9

Detection / Hunter: Google

What Happened

A new cyberattack is targeting U.S. organizations by sending fake event invitations. Employees at U.S. companies, particularly in education, banking, government, technology, and healthcare, are the primary targets. The attack steals email passwords and security codes, or installs remote access software, allowing attackers to break into company accounts or take control of computers. Employees should be cautious of unexpected event invitations and verify them before clicking links, while security teams should block the known malicious web addresses and monitor for unauthorized remote access tools.

Key Takeaways

  • A large-scale phishing campaign is targeting U.S. organizations with fake event invitations.
  • The attack leads to either credential and OTP theft or the installation of legitimate RMM tools.
  • The campaign uses a CAPTCHA check to evade automated analysis before presenting the lure.
  • Repeatable infrastructure patterns include specific URL paths like /Image/*.png, /favicon.ico, and /blocked.html.

Affected Systems

  • Windows
  • Email Accounts
  • Google Accounts

Attack Chain

The attack begins with a phishing link disguised as an event invitation, which first directs the victim through a CAPTCHA check to evade automated analysis. Upon passing the CAPTCHA, the victim lands on a fake invitation page that branches into two potential attack paths. In the first path, the page prompts the user to log in to view the invitation, stealing their email credentials and subsequently intercepting their OTP codes via POST requests to attacker-controlled PHP endpoints. In the second path, the page automatically or manually triggers the download of a legitimate RMM tool (such as ScreenConnect or ConnectWise), granting the attacker persistent remote access to the victim's machine.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: ANY.RUN Threat Intelligence Lookup

The article provides a specific ANY.RUN Threat Intelligence query to identify related phishing infrastructure based on sequential URL request patterns.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDR can detect the installation and execution of legitimate RMM tools, but the credential theft portion occurs entirely in the browser and network layer, which EDR may not fully inspect without network integration.
  • Network Visibility: High — The campaign relies on highly predictable, sequential HTTP GET requests (/favicon.ico, /blocked.html, /Image/*.png) and specific POST endpoints (/processmail.php, /process.php), making network-based detection highly effective.
  • Detection Difficulty: Moderate — While the network patterns are distinct, the use of legitimate RMM tools and CAPTCHA challenges can blend in with normal traffic and evade automated sandbox analysis.

Required Log Sources

  • Proxy/Web Gateway Logs
  • DNS Logs
  • EDR Process Creation Logs

Hunting Hypotheses

  • Hypothesis: Look for sequential HTTP GET requests to /favicon.ico followed immediately by /blocked.html from the same source IP within a short timeframe.
    • Telemetry: Proxy/Web Gateway Logs
    • ATT&CK Stage: Delivery
    • FP Risk: Low
  • Hypothesis: Monitor for unexpected downloads or executions of RMM tools (ScreenConnect, ITarian, Datto RMM, ConnectWise, LogMeIn Rescue) originating from web browsers.
    • Telemetry: EDR Process Creation Logs
    • ATT&CK Stage: Execution
    • FP Risk: Medium
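The first hunting hypothesis, together with the POST endpoints and icon paths listed under Key Behavioral Indicators, can be expressed as a small script over proxy logs. The following is an added example written for this page, not ANY.RUN's Threat Intelligence query: the log line format, the hostnames, the 10-second window and the sample lines are constructed assumptions, so parse_line() needs to be adapted to the real schema of your proxy or web gateway.

```python
"""Proxy-log hunt for the fake-invitation phishing chain described above.

Added example, not ANY.RUN's Threat Intelligence query. The log format,
field names, hostnames and sample lines below are constructed for
illustration; adapt parse_line() to your proxy/web gateway's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Behavioral indicators taken from the report (basenames only, because the
# directory prefix differs per phishing site).
SEQUENCE = ("favicon.ico", "blocked.html")      # two GETs, same client, same host
EXFIL_ENDPOINTS = {"processmail.php", "process.php", "pass.php", "mlog.php"}
ICON_NAMES = {"office360.png", "office.png", "yahoo.png", "google.png",
              "aol.png", "email.png"}
WINDOW = timedelta(seconds=10)   # assumption: the hunt's "short timeframe"


def parse_line(line):
    """Parse one constructed line: '<iso-timestamp> <src_ip> <method> <url>'."""
    ts, src, method, url = line.split()
    parts = urlsplit(url)
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": parts.netloc, "path": parts.path,
            "name": parts.path.rsplit("/", 1)[-1]}


def hunt(lines):
    """Return {src_ip: [indicator, ...]} for clients matching the report's patterns."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    findings = defaultdict(list)
    last_favicon = {}   # (src, host) -> time of the most recent GET favicon.ico
    for e in events:
        key = (e["src"], e["host"])
        if e["method"] == "GET" and e["name"] == SEQUENCE[0]:
            last_favicon[key] = e["ts"]
        elif e["method"] == "GET" and e["name"] == SEQUENCE[1]:
            # Only a blocked.html that follows favicon.ico on the same host
            # within the window counts; stale favicon fetches are ignored.
            t0 = last_favicon.get(key)
            if t0 is not None and e["ts"] - t0 <= WINDOW:
                findings[e["src"]].append(f"favicon.ico->blocked.html on {e['host']}")
        elif e["method"] == "GET" and "/Image/" in e["path"] and e["name"] in ICON_NAMES:
            findings[e["src"]].append(f"phishing-kit icon {e['name']} on {e['host']}")
        elif e["method"] == "POST" and e["name"] in EXFIL_ENDPOINTS:
            findings[e["src"]].append(f"credential/OTP POST to {e['name']} on {e['host']}")
    return dict(findings)


# Constructed sample: one client walks the full chain; a second client only
# fetches a favicon and, fifteen minutes later, an unrelated blocked.html.
SAMPLE_LOG = [
    "2026-05-05T09:00:01 10.0.0.5 GET https://invite.example.test/evt/favicon.ico",
    "2026-05-05T09:00:02 10.0.0.5 GET https://invite.example.test/evt/blocked.html",
    "2026-05-05T09:00:04 10.0.0.5 GET https://invite.example.test/evt/Image/office360.png",
    "2026-05-05T09:00:30 10.0.0.5 POST https://invite.example.test/evt/processmail.php",
    "2026-05-05T09:05:00 10.0.0.7 GET https://intranet.example.test/favicon.ico",
    "2026-05-05T09:20:00 10.0.0.7 GET https://intranet.example.test/blocked.html",
]

if __name__ == "__main__":
    for src, hits in hunt(SAMPLE_LOG).items():
        print(src, "->", "; ".join(hits))
```

The sequence check is keyed on (client, host) rather than client alone, which keeps a favicon fetch from one site from pairing with a blocked.html on another and is the main lever for keeping the FP rate low; widen WINDOW only if your gateway batches or delays log writes.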

Control Gaps

  • Automated Sandbox Analysis (evaded by CAPTCHA)
  • MFA (bypassed via real-time OTP interception)

Key Behavioral Indicators

  • Sequential requests to /favicon.ico and /blocked.html
  • POST requests to /processmail.php and /process.php
  • Loading of specific PNG hashes for login icons

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block known phishing domains and URL patterns associated with the campaign.
  • Hunt for unauthorized installations of RMM tools like ScreenConnect, ITarian, and ConnectWise.
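The RMM hunt above, and the second hunting hypothesis it corresponds to, can be run over EDR process-creation telemetry. This is an added example, not code from the report: the event fields follow the usual Sysmon/EDR shape (Image, ParentImage, User, Computer) but every record is constructed, the RMM keyword list is derived only from the product names the report mentions (so tune it to the binary names your EDR actually sees), and the approved-parent list is an assumption standing in for your sanctioned software-deployment agent.

```python
"""Hunt EDR process-creation events for RMM tools launched from a browser.

Added example, not part of the report. Event records are constructed; the
RMM keyword list comes from the product names in the report and the list
of approved deployment parents is an assumption for illustration.
"""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "iexplore.exe"}
# Substrings of the RMM product names named in the report; tune to real binaries.
RMM_KEYWORDS = ("screenconnect", "connectwise", "itarian", "datto", "logmein")
# Execution from a user download or temp directory is the "manual download" path.
DOWNLOAD_DIRS = re.compile(r"\\(downloads|temp)\\", re.I)
# Assumption: RMM clients pushed by the endpoint-management agent are sanctioned.
APPROVED_PARENTS = {"ccmexec.exe", "intunemanagementextension.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a reason string when the event matches the RMM attack path, else None."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    if not any(k in image for k in RMM_KEYWORDS):
        return None
    if parent in APPROVED_PARENTS:
        return None                       # sanctioned deployment, not a finding
    if parent in BROWSERS:
        return f"RMM binary {image} spawned directly by browser {parent}"
    if DOWNLOAD_DIRS.search(event["Image"]):
        return f"RMM binary {image} executed from a download/temp directory"
    return None


def hunt(events):
    """Return (computer, user, reason) for each event that classify() flags."""
    findings = []
    for e in events:
        reason = classify(e)
        if reason:
            findings.append((e["Computer"], e["User"], reason))
    return findings


# Constructed sample records (file names are illustrative, not observed IOCs).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": r"CORP\alice",
     "Image": r"C:\Users\alice\Downloads\ScreenConnect.ClientSetup.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Computer": "WS02", "User": r"CORP\bob",
     "Image": r"C:\Users\bob\AppData\Local\Temp\ConnectWiseControl.Client.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "WS03", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe"},
    {"Computer": "WS04", "User": r"CORP\carol",
     "Image": r"C:\Users\carol\AppData\Local\Temp\setup.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

if __name__ == "__main__":
    for computer, user, reason in hunt(SAMPLE_EVENTS):
        print(f"{computer} {user}: {reason}")
```

WS03 is deliberately left out of the results: an RMM client installed by the management agent is exactly the legitimate use that makes this hypothesis Medium FP risk, so the allow-list of parents (or, better, a list of approved installer hashes) is what separates a hunt result from noise.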

Infrastructure Hardening

  • Implement FIDO2/WebAuthn hardware security keys to prevent real-time OTP interception.
  • Restrict the execution of unapproved RMM tools via AppLocker or WDAC.

User Protection

  • Deploy browser-based phishing protection to block newly registered malicious domains.
  • Enforce strict conditional access policies for remote logins.

Security Awareness

  • Train employees to recognize fake event invitations and the risks of entering OTPs on non-standard login pages.
  • Educate users on the dangers of downloading unexpected files from event invites.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1111 - Multi-Factor Authentication Interception
  • T1219 - Remote Access Software
  • T1056.002 - Input Capture: GUI Input Capture

Additional IOCs

  • Urls:
    • hxxps://<phish_site>/<url-pattern>/pass.php - Endpoint used to exfiltrate Google account usernames
    • hxxps://<phish_site>/<url-pattern>/mlog.php - Endpoint used to exfiltrate Google account passwords
    • hxxps://<phish_site>/<url-pattern>/Image/office360.png - Predictable URL path for loading the Office365 icon on the phishing page
    • hxxps://<phish_site>/<url-pattern>/Image/office.png - Predictable URL path for loading the Office icon on the phishing page
    • hxxps://<phish_site>/<url-pattern>/Image/yahoo.png - Predictable URL path for loading the Yahoo icon on the phishing page
    • hxxps://<phish_site>/<url-pattern>/Image/google.png - Predictable URL path for loading the Google icon on the phishing page
    • hxxps://<phish_site>/<url-pattern>/Image/aol.png - Predictable URL path for loading the AOL icon on the phishing page
    • hxxps://<phish_site>/<url-pattern>/Image/email.png - Predictable URL path for loading the generic email icon on the phishing page
  • File Hashes:
    • 887bc414bdb32b83dcfccdd3c688e90d9a87a0033e3756a840f9bdd2d65c5c74 (SHA256) - Hash of office360.png used in the phishing kit
    • 6eaa0a448f1306bcf4159783eeafe5d37243bd8ca2728db7d90de1929241dd29 (SHA256) - Hash of office.png used in the phishing kit
    • 4c373bc25cb71dbb75e73b61dff25aa184be8d327053a97202a6b1a5919cab0d (SHA256) - Hash of yahoo.png used in the phishing kit
    • a838f99537d35e48e479a34086297f76db5d3363b0456f23d10d308f0d30ed82 (SHA256) - Hash of google.png used in the phishing kit
    • 8e94c18bbcad0644c4b04de4356fe37da9996fdf1c99bc984ba819862a9b1889 (SHA256) - Hash of aol.png used in the phishing kit
    • 9a53e032a6e3e79861d28568c3b6ffc97f4f3c1d3af65a703ec12966420503d9 (SHA256) - Hash of email.png used in the phishing kit