SeasonalInvite Phishing Campaign Exposes Risks of Abused RMM Tools

Article Content
In the modern cyber-threat landscape, security teams are facing a highly organized, systematic shift in adversary tactics. Instead of constructing highly customized, easily flaggable malware strains, modern threat groups are increasingly turning to commercially signed, legitimate enterprise software. On July 14, 2026, Forescout Research’s Vedere Labs exposed an extensive, multi-platform threat operation known as the SeasonalInvite phishing campaign, which perfectly illustrates this trend. Active since at least January 2026, this ongoing campaign represents a sophisticated convergence of seasonal social engineering, automated traffic filtering, artificial intelligence-assisted coding, and the tactical abuse of trusted Remote Monitoring and Management (RMM) utilities.
By bypassing traditional endpoint detection and response (EDR) platforms that inherently trust commercially signed administration software, the threat actors behind this campaign have successfully compromised both Windows and macOS systems. The tactical sophistication of this operation highlights why organizations can no longer rely on standard signature-based security paradigms and must instead re-evaluate how they defend their administrative boundaries.
Inside the Mechanics of the SeasonalInvite Phishing Infrastructure
The scale of the SeasonalInvite phishing campaign is remarkably vast, supported by a highly resilient network infrastructure designed to maximize victim yield while minimizing exposure to security researchers and automated scanning platforms. Rather than directing targets straight to a payload delivery page, the attackers have constructed a multi-layered funnel consisting of a massive, globally distributed front end.
Forescout’s investigation revealed that the operation relies on 959 unique eCard-themed domains used in phishing emails or poisoned search engine results. To shield these domains from premature detection and takedown, the attackers route inbound traffic through a highly sophisticated Traffic Distribution System (TDS) consisting of 2,658 gate pages. The primary function of this TDS is to perform rigorous bot-filtering and browser verification before allowing any visitor to proceed to the actual phishing kit.
When a visitor clicks on a malicious link, the gate page executes a client-side JavaScript challenge to detect automated headless browsers or security crawlers. Specifically, the TDS checks the browser environment for the following technical indicators:
- WebDriver Flags: Checking for the presence of properties such as
navigator.webdriver, which indicates automated browser control. - PhantomJS Artifacts: Detecting signatures like
window._phantomandwindow.phantom, which are characteristic of headless browsing environments. - Selenium and Automation Signatures: Scanning for additional automated testing frameworks and simulated user agents commonly utilized by threat intelligence platforms and automated URL scanners.
If any automation flags are detected, the TDS halts execution. The automated scanner or security sandbox is trapped on the gate page, viewing a blank spinner indefinitely, which prevents it from retrieving the payload or logging the actual phishing page. Conversely, if the visitor passes these client-side checks—confirming they are a legitimate human victim using a standard web browser—the script initiates a 600ms delay, sets a session cookie named _pre_check, and executes a page reload. The second request, validated by the _pre_check cookie, triggers a server-side redirect that forwards the user directly to the phishing landing page.
The Evolution of Calendar-Themed Lures
The campaign’s name, “SeasonalInvite,” stems from the attackers’ clever strategy of aligning their social engineering lures with the seasonal calendar. Threat actors have historically capitalized on urgency and curiosity, but the operators of this campaign have demonstrated a unique ability to rapidly shift their narratives to remain highly relevant throughout the year:
- Winter 2026 (Tax and Government Lures): The campaign initially emerged in January 2026, utilizing high-pressure tax-themed social engineering and lures masquerading as the Social Security Administration (SSA) to target accounting departments and individual filers.
- Spring and Summer 2026 (Greeting Cards & eCards): As the tax season subsided, the operators transitioned to a softer, curiosity-driven lure. Phishing emails and search-poisoned links offered targets invitations to view electronic greeting cards (eCards).
- Future Document-Themed Lures: During analysis, researchers identified a page variant displaying the phrase “Open the e-Card to reveal your secured documents!”. This indicates a impending transition to business-centric document lures, potentially targeting corporate HR or procurement departments with fake purchase orders, contracts, or onboarding materials.
In the spring/summer eCard iteration, victims who bypass the TDS are directed to a page designed to closely mimic legitimate greeting card platforms like BlueMountain. Upon arrival, the victim is presented with a clean user interface featuring a loading animation and the text: “Your exclusive eCard will download automatically in 3 seconds.”. This brief countdown creates a sense of expectation, prompting the user to wait for and accept the incoming file. Behind the scenes, the countdown triggers a silent, OS-aware download query that serves a payload customized to the victim’s operating system.
AI-Assisted Delivery Kits and Back-End Operations
Technical analysis of the HTML delivery pages associated with the SeasonalInvite phishing campaign yielded compelling evidence of AI-assisted development. While threat actors have traditionally coded their kits manually or modified leaked templates, the operators of SeasonalInvite are actively leveraging Large Language Models (LLMs) to write, refine, and maintain their front-end assets.
Vedere Labs identified several distinct code comments within the HTML source files of the phishing pages that match the output formatting, structure, and structural hygiene of AI-generated code. In particular, the code contained highly descriptive comments accompanied by structured emojis:
// ✓ OS-SPECIFIC DOWNLOAD PATHS// ✓ SECURE REPORTING - Sends data to Telegram via PHP// ✓ UI ANIMATION SVGs// ✓ TRIGGER DOWNLOAD WITH OS-AWARE LOGIC
This organized, annotated coding style suggests that the operators are utilizing conversational AI interfaces to assemble their delivery code on demand. This integration of LLMs allows the threat group to rapidly adapt their delivery kits, correct runtime errors on the fly, and dynamically retool the interface depending on the seasonal lure they are deploying.
The phishing kit’s backend relies on a script named report.php. This script is responsible for gathering telemetry from the victim’s system and relaying it to an attacker-controlled backend server. Additionally, the commented code strongly suggests that report.php forwards this telemetry to a designated Telegram channel via an API bot. This Telegram exfiltration model has become highly popular among commodity phishing kits, allowing attackers to receive instant, real-time notifications when a new system is successfully compromised.
Intriguingly, during infrastructure analysis, researchers identified an IP address—46.4.120[.]162—that hosted both a SeasonalInvite kit page and an unconfigured instance of LogoKit, a well-known credential-harvesting template. This co-hosted LogoKit template contained hardcoded Telegram credentials, including a bot token (8513217271:AAF-sTaXGySLnCL6DsD_ASoNnMwHLI9yZgM) and a group ID (7437073596). While this overlap does not definitively prove a single threat actor is running both campaigns, it highlights a shared operational infrastructure and a collaborative ecosystem of tools utilized by modern phishing syndicates.
The Abuse of Trusted Remote Monitoring and Management (RMM) Software
The core danger of the SeasonalInvite phishing campaign lies in the payloads delivered once the 3-second timer expires. Instead of initiating the download of standard remote access trojans (RATs) or custom malware, which would likely trigger immediate security alerts, the download serves commercially signed, legitimate Remote Monitoring and Management (RMM) applications.
These preconfigured RMM installers are designed to quietly establish a connection back to the attacker’s own RMM tenant, granting them permanent, administrative, and interactive remote access to the victim’s device. Because these software packages are legitimate enterprise tools used globally by corporate IT support and Managed Service Providers (MSPs), they carry valid cryptographic signatures and run entirely in memory or via standard registry keys. To endpoint protection systems, the installation appears to be a standard administrative action, allowing the threat actors to bypass traditional security controls entirely.
Forescout confirmed the active abuse of four major enterprise-grade RMM software suites in this campaign:
- ConnectWise ScreenConnect: Widely used for remote support, ScreenConnect installers are modified to register compromised endpoints to the attacker’s tenant.
- LogMeIn Resolve: Commercially signed binaries that allow attackers to bypass local execution restrictions.
- Kaseya: Another widely respected enterprise software suite used to deploy remote agents.
- O&O Syspectr: A German-designed RMM tool. Attackers have been observed pushing custom
oo-syspectr-setupfiles to target specific geographic or organizational demographics.
Additionally, overlapping campaign infrastructure investigated by Microsoft in March 2026 revealed the delivery of SimpleHelp, another legitimate RMM utility. The ability to pivot between different RMM programs demonstrates that the threat actors maintain a diverse portfolio of legitimate administrative tools, allowing them to select the tool that best fits their specific target’s industry or defense posture. Once these tools are running on a device, the attackers have effectively established an interactive console that allows them to perform lateral movement, deploy ransomware, exfiltrate files, or steal credentials—all under the guise of authorized administrative operations.
Enterprise Defense and Risk Mitigation Strategies
Defending against the SeasonalInvite phishing campaign requires a strategic shift in how security teams approach endpoint security and employee awareness. Because the attack relies on “living off the land” by utilizing trusted software, simply monitoring for file signatures or suspicious executables is no longer sufficient. Organizations must implement a comprehensive multi-layered defense strategy:
1. Implement Strict Application Control and RMM Inventories
Organizations must establish and enforce a strict, authorized inventory of approved RMM applications. Any execution of an unapproved RMM tool—even if commercially signed and valid—must be blocked at the endpoint level by default. Application control policies, such as those configured via Microsoft AppLocker, Windows Defender Application Control (WDAC), or macOS enterprise management profiles, should be used to restrict administrative tools to a predefined, securely managed list.
2. Analyze Outbound Traffic and Network Activity
Security teams should continuously monitor outbound network connections for anomalous activity associated with remote management endpoints. Connections to RMM staging sites or known RMM server IP ranges (such as those associated with LogMeIn, ConnectWise, or Kaseya) should be cross-referenced with active IT tickets or authorized administrative workflows. Any unrecognized, persistent outbound RMM connection should trigger an immediate incident response investigation.
3. Harden Web Filters and Email Gateways
Ensure that email and web gateway filters are optimized to block recognized domains associated with the SeasonalInvite campaign. Inbound emails containing external invitations, eCard links, or calendar-themed attachments should be scrutinized using advanced threat protection (ATP) filters. High-risk top-level domains (TLDs) and freshly registered domains used in the campaign’s massive front-end infrastructure should be blocked proactively.
4. Shift User Awareness to “Execution Decisions”
Traditional user awareness training focuses heavily on teaching employees “not to click on links.” However, campaigns like SeasonalInvite prove that social engineering will inevitably bypass some users. Training programs must pivot to focus on down-the-line execution choices. Employees must be taught to identify unexpected browser-initiated downloads. If clicking a link results in an executable, setup file, or installer prompt (such as asking the user to click “Run,” “Install,” or input local administrative credentials), they must halt execution and immediately report the incident to their security operations center.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


