Fake Invitation Phishing Campaign Targets U.S. Organizations With Credential Theft

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A large-scale phishing campaign is actively targeting U.S. organizations, using fake event invitations as bait to steal login credentials, intercept one-time passwords, or install remote access tools.

The operation has been running since at least December 2025, with researchers tracking a growing pool of malicious domains built around the same repeatable framework.

What makes this campaign stand out is not just its scale, but how carefully it is designed to look normal at every step.

The attackers use event-themed lure pages that blend in with legitimate platforms. Victims are walked through a CAPTCHA check, often powered by Cloudflare, and then shown what appears to be an event invitation asking them to sign in.

By the time the page asks for a password or downloads a file, many users have already lowered their guard.

Researchers at ANY.RUN said in a report shared with Cyber Security News (CSN) that the campaign uses a single phishing framework to mass-deploy event-themed lure sites at scale.

As of April 27, 2026, nearly 160 suspicious links tied to this campaign had been submitted to ANY.RUN’s sandbox, alongside around 80 identified phishing domains.

Most of those domains were registered under the .de top-level domain and carry names related to parties, celebrations, and invitations.

The sectors most affected include Education, Banking, Government, Technology, and Healthcare. These are industries where email access and remote administration tools are part of daily operations, making them especially attractive targets.

One phishing link, if clicked by the wrong person, can lead to a stolen inbox, intercepted verification codes, or a remote tool running silently inside the organization’s network.

The scale of the operation also hints at automation. Some page elements in the campaign suggest possible AI-assisted content generation, meaning new lure sites can be spun up quickly and cheaply.

Even so, the shared infrastructure leaves patterns that security teams can use to connect related activity and act faster.

Fake Invitation Phishing Campaign

On April 22, 2026, ANY.RUN researchers identified the campaign actively targeting email service credentials. The attack chain follows the same structure across all observed sessions: a CAPTCHA check comes first, followed by a fake invitation page, and then either a credential theft form or a remote tool download.

This consistency is deliberate, as it gives the operation a predictable and scalable flow while still appearing genuine to victims.

Full attack chain of the phishing campaign (Source – Any.Run)

When the goal is credential theft, the lure page prompts users to sign in using services like Google, Yahoo, AOL, or Microsoft. After entering a password, the victim sees a fake “Incorrect Password” message, which is a trick designed to collect a second attempt in case the first had a typo.

The page then sends captured credentials via POST requests to server-side endpoints like /processmail.php, followed by an OTP interception form that submits verification codes to /process.php.

Fake invitation used as a lure (Source – Any.Run)

For Gmail users, a spoofed Google authorization form routes login data through /pass.php and /mlog.php, and checks for a Telegram-linked user ID via /check_telegram_updates.php.

Repeatable Infrastructure and Detection Signals

The campaign’s infrastructure is built for reuse, not just one-time deployment. Credential theft pages share a consistent layout, changing only the logo at the top while keeping the same form structure underneath.

Fake entry form used in all phishing sites (Source – Any.Run)

Service icons such as office360.png, yahoo.png, google.png, and aol.png are stored under the same /Image/ path across all phishing domains, meaning that once a defender spots one domain, the same fingerprint can be used to find others.

Security teams can use the TI Lookup query url:"/blocked.html" AND url:"/favicon.ico" and url:"/Image/*.png" to surface related domains in threat intelligence platforms. Monitoring for sequential GET requests hitting /favicon.ico, /blocked.html, and an /Image/*.png path is another reliable signal that a phishing session is underway.
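As an added example (not code from the ANY.RUN report or from CSN), the detector below applies the two signals described on this page, the ordered GET fingerprint of /favicon.ico, /blocked.html and an /Image/*.png icon, and POSTs to the credential and OTP endpoints named earlier (/processmail.php, /process.php, /pass.php, /mlog.php), to constructed proxy log lines. The log line format, the client IPs and the benign internal host are assumptions; the phishing host is the page's own defanged domain.

```python
import re
from collections import defaultdict

# Proxy log lines constructed for this example (not data from the report); 10.0.0.22 is benign traffic that must not alert.
SAMPLE_LOG = """\
2026-04-22T10:01:05Z 10.0.0.15 GET https://festiveparty[.]us/favicon.ico 200
2026-04-22T10:01:06Z 10.0.0.15 GET https://festiveparty[.]us/blocked.html 200
2026-04-22T10:01:07Z 10.0.0.15 GET https://festiveparty[.]us/inv/Image/office360.png 200
2026-04-22T10:01:40Z 10.0.0.15 POST https://festiveparty[.]us/inv/processmail.php 200
2026-04-22T10:02:01Z 10.0.0.15 POST https://festiveparty[.]us/inv/process.php 200
2026-04-22T10:05:00Z 10.0.0.22 GET https://intranet.example/favicon.ico 200
2026-04-22T10:05:01Z 10.0.0.22 GET https://intranet.example/Image/logo.png 200
"""
# Ordered GET fingerprint from the report: favicon, then blocked.html, then an /Image/ icon.
GET_SEQUENCE = [r"^/favicon\.ico$", r"^/blocked\.html$", r"^(/.*)?/Image/[^/]+\.png$"]
# Server-side endpoints the report names as receiving stolen credentials and OTP codes.
POST_ENDPOINTS = {"processmail.php", "process.php", "pass.php", "mlog.php"}
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def parse_line(line):
    """Return (src_ip, method, host, path), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, method, url, _status = m.groups()
    host, _, path = url.split("://", 1)[1].partition("/")
    return src, method, host, "/" + path

def detect(log_text):
    """Map (src_ip, host) -> reasons, for pairs showing the GET fingerprint or credential POSTs."""
    stage = defaultdict(int)   # how far each client/host pair has advanced through GET_SEQUENCE
    posts = defaultdict(set)   # credential endpoints each pair has POSTed to
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        src, method, host, path = parsed
        key, leaf = (src, host), path.rsplit("/", 1)[-1]
        if method == "GET" and stage[key] < len(GET_SEQUENCE) and re.match(GET_SEQUENCE[stage[key]], path):
            stage[key] += 1    # advance only when the next expected request arrives in order
        elif method == "POST" and leaf in POST_ENDPOINTS:
            posts[key].add(leaf)
    findings = {}
    for key in set(stage) | set(posts):
        reasons = ["get_fingerprint"] if stage[key] == len(GET_SEQUENCE) else []
        if posts[key]:
            reasons.append("credential_post:" + ",".join(sorted(posts[key])))
        if reasons:
            findings[key] = reasons
    return findings
```

Calling detect(SAMPLE_LOG) flags only the 10.0.0.15 / festiveparty[.]us pair, with both the GET fingerprint and the two credential endpoints as reasons, while the internal client that fetched a favicon and a PNG out of order stays silent.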

For remote access delivery, the campaign pushes tools including ScreenConnect, ITarian, Datto RMM, ConnectWise, and LogMeIn Rescue, sometimes triggering the download automatically without any button click.

Security teams should flag unexpected RMM installations as a potential indicator and investigate surrounding network activity immediately.

Indicators of Compromise (IoCs):

Type Indicator Description
URL Pattern hxxps://<phish_site>/<url-pattern>/Image/office360.png Phishing site icon path for Microsoft Office 360 login option
URL Pattern hxxps://<phish_site>/<url-pattern>/Image/office.png Phishing site icon path for Microsoft Office login option
URL Pattern hxxps://<phish_site>/<url-pattern>/Image/yahoo.png Phishing site icon path for Yahoo login option
URL Pattern hxxps://<phish_site>/<url-pattern>/Image/google.png Phishing site icon path for Google login option
URL Pattern hxxps://<phish_site>/<url-pattern>/Image/aol.png Phishing site icon path for AOL login option
URL Pattern hxxps://<phish_site>/<url-pattern>/Image/email.png Phishing site icon path for generic email login option
URL Pattern hxxps://<phish_site>/blocked.html Consistent resource path loaded across all phishing domains
URL Pattern hxxps://<phish_site>/<url-pattern>/processmail.php Endpoint receiving POST with stolen email and password (non-Google)
URL Pattern hxxps://<phish_site>/<url-pattern>/process.php Endpoint receiving POST with stolen OTP code
URL Pattern hxxps://<phish_site>/<url-pattern>/pass.php Endpoint receiving Gmail login credential
URL Pattern hxxps://<phish_site>/<url-pattern>/mlog.php Endpoint receiving Gmail password credential
URL Pattern hxxps://<phish_site>/<url-pattern>/check_telegram_updates.php Endpoint checking Telegram-linked visitor ID during Google phishing flow
File Hash (SHA-256) 887bc414bdb32b83dcfccdd3c688e90d9a87a0033e3756a840f9bdd2d65... office360.png icon used on phishing login pages
File Hash (SHA-256) 6eaa0a448f1306bcf4159783eeafe5d37243bd8ca2728db7d90de1929241... office.png icon used on phishing login pages
File Hash (SHA-256) 4c373bc25cb71dbb75e73b61dff25aa184be8d327053a97202a6b1a5919... yahoo.png icon used on phishing login pages
File Hash (SHA-256) a838f99537d35e48e479a34086297f76db5d3363b0456f23d10d308f0d3... google.png icon used on phishing login pages
File Hash (SHA-256) 8e94c18bbcad0644c4b04de4356fe37da9996fdf1c99bc984ba819862a9b... aol.png icon used on phishing login pages
File Hash (SHA-256) 9a53e032a6e3e79861d28568c3b6ffc97f4f3c1d3af65a703ec129664205... email.png icon used on phishing login pages
Domain festiveparty[.]us Observed phishing domain using event-themed naming convention
Domain getceptionparty[.]de Observed phishing domain under .de TLD
Domain celebratieinvitiee[.]de Observed phishing domain under .de TLD
TI Query url:"/blocked.html" AND url:"/favicon.ico" and url:"/Image/*.png" ANY.RUN TI Lookup query to find related phishing infrastructure

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
