
Fake Invitation Phishing Campaign Targets U.S. Organizations With Credential Theft


May 27, 2026 · 4 min read

A large-scale phishing campaign is actively targeting U.S. organizations, using fake event invitations as bait to steal login credentials, intercept one-time passwords, or install remote access tools.

The operation has been running since at least December 2025, with researchers tracking a growing pool of malicious domains built around the same repeatable framework.

What makes this campaign stand out is not just its scale, but how carefully it is designed to look normal at every step.

The attackers use event-themed lure pages that blend in with legitimate platforms. Victims are first walked through a CAPTCHA check (often a Cloudflare challenge) and then shown what appears to be an event invitation asking them to sign in.

By the time the page asks for a password or downloads a file, many users have already lowered their guard.

Most of the domains tracked so far were registered under the .de top-level domain and carry names related to parties, celebrations, and invitations.

The sectors most affected include education, banking, government, technology, and healthcare. These are industries where email access and remote administration tools are part of daily operations, making them especially attractive targets.

One phishing link, if clicked by the wrong person, can lead to a stolen inbox, intercepted verification codes, or a remote tool running silently inside the organization’s network.

The scale of the operation also hints at automation. Some page elements in the campaign suggest possible AI-assisted content generation, meaning new lure sites can be spun up quickly and cheaply.

Even so, the shared infrastructure leaves patterns that security teams can use to connect related activity and act faster.

Fake Invitation Phishing Campaign

The flow is the same on every domain: a CAPTCHA check, an invitation page, and then a sign-in prompt or a file download. This consistency is deliberate, as it gives the operation a predictable and scalable flow while still appearing genuine to victims.

When the goal is credential theft, the lure page prompts users to sign in using services like Google, Yahoo, AOL, or Microsoft. After the victim enters a password, the page shows a fake "Incorrect Password" message, a trick designed to harvest a second attempt in case the first one contained a typo.

The page then sends captured credentials via POST requests to server-side endpoints like /processmail.php, followed by an OTP interception form that submits verification codes to /process.php.

For Gmail users, a spoofed Google authorization form routes login data through /pass.php and /mlog.php, and checks for a Telegram-linked user ID via /check_telegram_updates.php.

Repeatable Infrastructure and Detection Signals

The campaign’s infrastructure is built for reuse, not just one-time deployment. Credential theft pages share a consistent layout, changing only the logo at the top while keeping the same form structure underneath.

Service icons such as office360.png, yahoo.png, google.png, and aol.png are stored under the same /Image/ path across all phishing domains, meaning that once a defender spots one domain, the same fingerprint can be used to find others.

Security teams can use the TI Lookup query url:"/blocked.html" AND url:"/favicon.ico" AND url:"/Image/*.png" to surface related domains in threat intelligence platforms. Monitoring for sequential GET requests hitting /favicon.ico, /blocked.html, and an /Image/*.png path on the same host is another reliable signal that a phishing session is underway. None of these paths is suspicious on its own (every browser requests /favicon.ico), so the three must be seen together against the same host, followed by a POST to one of the harvesting endpoints, before the session is treated as credential theft rather than a visit to a lure page.
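The following is an added example, not code from the original article or from the researchers it cites, that runs the two signals described above (the favicon/blocked.html/Image fingerprint, and POSTs to the harvesting endpoints) over constructed proxy log lines. The log format, host names, and client addresses are assumptions made up for the example; the request paths are the ones the article reports.

```python
import re
from collections import defaultdict

# Constructed proxy log lines for illustration (not real traffic).
# Format assumed here: "<timestamp> <client> <host> <method> <path> <status>".
SAMPLE_LOG = """\
2026-05-20T09:14:02Z 10.0.0.5 party-einladung.example GET /favicon.ico 200
2026-05-20T09:14:02Z 10.0.0.5 party-einladung.example GET /blocked.html 200
2026-05-20T09:14:03Z 10.0.0.5 party-einladung.example GET /Image/google.png 200
2026-05-20T09:14:40Z 10.0.0.5 party-einladung.example POST /processmail.php 200
2026-05-20T09:15:10Z 10.0.0.5 party-einladung.example POST /process.php 200
2026-05-20T09:20:00Z 10.0.0.7 intranet.example GET /favicon.ico 200
2026-05-20T09:20:01Z 10.0.0.7 intranet.example GET /Image/logo.png 200
2026-05-20T09:21:00Z 10.0.0.9 events.example GET /favicon.ico 200
2026-05-20T09:21:01Z 10.0.0.9 events.example GET /blocked.html 404
2026-05-20T09:21:02Z 10.0.0.9 events.example GET /Image/yahoo.png 200
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<method>GET|POST)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

# Request shape reported for the kit: two static paths plus any /Image/<name>.png.
LURE_STATIC = {"/favicon.ico", "/blocked.html"}
LURE_IMAGE = re.compile(r"^/Image/[^/]+\.png$")
# Server-side endpoints the kit posts passwords and OTP codes to.
CRED_ENDPOINTS = {"/processmail.php", "/process.php", "/pass.php", "/mlog.php",
                  "/check_telegram_updates.php"}


def parse_log(lines):
    """Yield parsed request dicts, skipping lines that do not match the format."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def lure_fingerprint_seen(get_paths):
    """True when /favicon.ico, /blocked.html and an /Image/*.png path were all fetched."""
    static_hits = LURE_STATIC & set(get_paths)
    image_hit = any(LURE_IMAGE.match(p) for p in get_paths)
    return static_hits == LURE_STATIC and image_hit


def detect(lines):
    """Group requests per (client, host) and raise one alert per session matching the kit."""
    sessions = defaultdict(lambda: {"gets": [], "posts": []})
    for req in parse_log(lines):
        # Only successful responses count: a 404 for /blocked.html means the host
        # does not serve the kit's page, so it must not satisfy the fingerprint.
        if not req["status"].startswith("2"):
            continue
        key = (req["client"], req["host"])
        bucket = "gets" if req["method"] == "GET" else "posts"
        sessions[key][bucket].append(req["path"])

    alerts = []
    for (client, host), s in sessions.items():
        if not lure_fingerprint_seen(s["gets"]):
            continue
        cred_posts = sorted(p for p in s["posts"] if p in CRED_ENDPOINTS)
        alerts.append({
            "client": client,
            "host": host,
            # A lure page alone is medium; a POST to a harvesting endpoint means
            # the user most likely submitted a password or an OTP.
            "severity": "high" if cred_posts else "medium",
            "credential_posts": cred_posts,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only the first session is flagged: the intranet host never serves /blocked.html, and the third host returns 404 for it, so neither completes the fingerprint. Keying sessions on (client, host) rather than on client alone keeps a single user's browsing of several sites from being merged into one false match.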

For remote access delivery, the campaign pushes tools including ScreenConnect, ITarian, Datto RMM, ConnectWise, and LogMeIn Rescue, sometimes triggering the download automatically without any button click.

Security teams should flag any RMM installation that is not on the organization's approved list as a potential indicator, and investigate the surrounding activity immediately: the phishing domain the user visited beforehand, any POSTs to the harvesting endpoints, and the new agent's outbound connections.
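One way to implement that check, as an added example that is not part of the original article: compare a software inventory against a per-host-group allowlist and report every RMM agent that the host is not supposed to run. The inventory records, host groups, and the approval policy are constructed for the example, and the product-name patterns are assumed substrings for the tools the article names, not verified vendor strings.

```python
import re

# Assumed name patterns for the RMM tools the campaign delivers. "ConnectWise Control"
# is the later product name of ScreenConnect, so it is checked before the generic
# ConnectWise pattern. Order matters: the first matching family wins.
RMM_PATTERNS = {
    "ScreenConnect": re.compile(r"screenconnect|connectwise\s*control", re.I),
    "ConnectWise": re.compile(r"connectwise", re.I),
    "ITarian": re.compile(r"itarian", re.I),
    "Datto RMM": re.compile(r"datto", re.I),
    "LogMeIn Rescue": re.compile(r"logmein\s*rescue", re.I),
}

# Constructed policy: which RMM family each host group is allowed to run.
APPROVED_RMM = {
    "workstations": {"Datto RMM"},
    "servers": {"Datto RMM"},
    "kiosks": set(),
}

# Constructed host-to-group mapping (an unmapped host gets group "unknown").
HOST_GROUPS = {
    "FIN-LT-042": "workstations",
    "HR-LT-007": "workstations",
    "WEB-01": "servers",
    "LOBBY-KIOSK": "kiosks",
}

# Constructed inventory records. In practice these come from the endpoint agent,
# an MSI install event, or the Uninstall registry keys.
INVENTORY = [
    {"host": "FIN-LT-042", "product": "ScreenConnect Client (a9f3)", "installed": "2026-05-20"},
    {"host": "HR-LT-007", "product": "Datto RMM Agent", "installed": "2025-11-02"},
    {"host": "HR-LT-007", "product": "Microsoft Edge", "installed": "2026-05-18"},
    {"host": "WEB-01", "product": "ConnectWise Control", "installed": "2026-05-21"},
    {"host": "LOBBY-KIOSK", "product": "LogMeIn Rescue", "installed": "2026-05-19"},
    {"host": "TEMP-PC-9", "product": "ITarian Remote Control", "installed": "2026-05-22"},
]


def classify_rmm(product_name):
    """Return the RMM family a product name belongs to, or None if it is not an RMM tool."""
    for family, pattern in RMM_PATTERNS.items():
        if pattern.search(product_name):
            return family
    return None


def unexpected_rmm(inventory, host_groups, approved):
    """Return every RMM install that the host's group has not approved, oldest first."""
    findings = []
    for rec in inventory:
        family = classify_rmm(rec["product"])
        if family is None:
            continue
        group = host_groups.get(rec["host"], "unknown")
        if family in approved.get(group, set()):
            continue
        findings.append({
            "host": rec["host"],
            "group": group,
            "family": family,
            "product": rec["product"],
            "installed": rec["installed"],
        })
    # Oldest install first: the earliest unexpected agent bounds the dwell time.
    return sorted(findings, key=lambda f: f["installed"])


if __name__ == "__main__":
    for f in unexpected_rmm(INVENTORY, HOST_GROUPS, APPROVED_RMM):
        print(f"{f['host']:12} {f['group']:13} {f['family']:15} {f['product']} ({f['installed']})")
```

A host missing from the group mapping is deliberately treated as "unknown" with an empty allowlist, so an agent on an unmanaged machine is always reported rather than silently skipped. The approved Datto RMM agent on HR-LT-007 is the only RMM record that passes.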

Indicators of Compromise (IoCs)

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com

