A sophisticated, large-scale phishing operation is currently sweeping across the United States, targeting high-value employees with a deceptively simple lure: a fake event invitation.
Uncovered by analysts at ANY.RUN in April 2026, this campaign isn’t just looking for passwords. It is a multi-stage assault designed to grant attackers full remote control over corporate networks. By targeting sensitive sectors—including banking, government, technology, and healthcare—the threat actors are making a calculated play for the nation’s most protected data.
The AI Edge: Why These Invites Look So Real
Traditional phishing often relies on “spray and pray” tactics with broken English and messy formatting. This campaign is different. Security researchers have found clear evidence of AI-assisted content creation, allowing the attackers to:
- Generate Hyper-Realistic Lures: The emails mimic corporate tone and branding with “pixel-perfect” precision.
- Scale Rapidly: Using automated tools and known phishing kits, the operators can spin up dozens of fresh, legitimate-looking domains in minutes if their old infrastructure gets flagged.
- Bypass Mental Filters: By framing the attack as a “Scheduled Event” or “Project Bid,” they exploit the victim’s professional urgency.
The “Double-Tap” Attack Chain
What makes this campaign truly dangerous is its layered execution. Once a victim clicks the link, they encounter a CAPTCHA—a clever trick used to block automated security scanners from analyzing the site. After passing the CAPTCHA, the attack splits into two simultaneous paths:
1. The Credential Theft
The victim is presented with a fake login page (mimicking Microsoft Teams, Zoom, or internal portals) to “view the invitation details.” This captures their corporate credentials and One-Time Passwords (OTP) in real time.
2. The Silent RMM Backdoor
While the user is busy typing their password, an RMM (Remote Monitoring and Management) installer—such as ScreenConnect, ITarian, or Datto RMM—begins downloading automatically.
The “RMM” Trap: Because these are legitimate IT tools used by real admins, they rarely trigger antivirus alerts. Once installed, they provide the attacker with a persistent, “quiet” foothold that looks identical to standard IT support traffic.
Detection Patterns for Security Teams
Despite the sophistication, the attackers leave behind predictable fingerprints. Security teams can catch this activity by monitoring for specific “fixed paths” and sequences in web traffic:
- Predictable Requests: Watch for web sequences moving from /favicon.ico → /blocked.html → the final phishing content.
- Static Resource Paths: Many of these AI-generated domains use identical resource folders, such as /Image/*.png.
- Unsanctioned RMM Activity: Audit your network for any outbound connections to RMM platforms (like ConnectWise or Datto) that have not been explicitly authorized by your IT department.
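As an added illustration (not code from ANY.RUN's report), the Python below applies the three detection patterns above to a constructed proxy log. The log format, every hostname, and the list of authorized RMM servers are assumptions standing in for your own proxy schema and IT inventory.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not from the original report); one request per line:
# "<timestamp> <client_ip> <host> <path>"
SAMPLE_LOG = """\
2026-04-10T09:00:01 10.0.0.5 invite-portal.example /favicon.ico
2026-04-10T09:00:02 10.0.0.5 invite-portal.example /blocked.html
2026-04-10T09:00:05 10.0.0.5 invite-portal.example /Image/header.png
2026-04-10T09:00:06 10.0.0.5 invite-portal.example /teams/login
2026-04-10T09:00:40 10.0.0.5 support-relay.example /Bin/ScreenConnect.ClientSetup.exe
2026-04-10T09:01:00 10.0.0.7 intranet.example /favicon.ico
2026-04-10T09:01:01 10.0.0.7 intranet.example /dashboard
2026-04-10T09:05:00 10.0.0.9 rmm.corp.example /Bin/ScreenConnect.ClientSetup.exe
"""

LURE_PREFIX = ("/favicon.ico", "/blocked.html")      # fixed path named in the report
STATIC_PNG = re.compile(r"^/Image/[^/]+\.png$")       # shared resource folder of the kit
RMM_MARKERS = ("screenconnect", "connectwise", "datto", "itarian")
AUTHORIZED_RMM_HOSTS = {"rmm.corp.example"}          # assumed: your sanctioned RMM server

def parse(log):
    """Return (timestamp, client, host, path) tuples from the constructed log format."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]

def lure_sequences(events):
    """Hosts where one client fetched /favicon.ico, then /blocked.html, then more content."""
    paths = defaultdict(list)
    for _, client, host, path in events:
        paths[(client, host)].append(path)
    hits = set()
    for (client, host), seq in paths.items():
        for i in range(len(seq) - len(LURE_PREFIX)):  # leaves room for a follow-on request
            if tuple(seq[i:i + len(LURE_PREFIX)]) == LURE_PREFIX:
                hits.add(host)
    return hits

def static_image_hosts(events):
    """Hosts serving the /Image/*.png layout the report associates with the phishing kit."""
    return {host for _, _, host, path in events if STATIC_PNG.match(path)}

def unsanctioned_rmm(events):
    """(client, host) pairs reaching RMM tooling that is not on the authorized list."""
    out = set()
    for _, client, host, path in events:
        blob = (host + path).lower()
        if any(m in blob for m in RMM_MARKERS) and host not in AUTHORIZED_RMM_HOSTS:
            out.add((client, host))
    return out
```

Run each function over `parse(SAMPLE_LOG)`; only the lure host and the unsanctioned ScreenConnect download from 10.0.0.5 are flagged, while the sanctioned RMM server and the intranet favicon fetch are not.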
Remediation: Protect Your Organization
If you suspect your organization has been targeted, act immediately:
- Review RMM Logs: Check for new installations of ScreenConnect or ITarian that occurred outside of scheduled maintenance windows.
- Enforce MFA Reset: If an employee interacted with a fake invitation, reset their credentials and revoke all active sessions immediately.
- Block CAPTCHA Redirects: Use web filters to flag and block redirect chains that use CAPTCHAs to mask unfamiliar third-party domains.