What's Happening?
A phishing campaign, identified as SeasonalInvite, has been targeting Windows and macOS users by tricking them into installing legitimate remote monitoring and management (RMM) software through fake electronic greeting cards (eCards). According to research
by Forescout, the campaign has been active since January 2026 and continues to operate. The phishing operation uses a variety of seasonal themes, such as tax and Social Security in winter, and Valentine's and Easter in spring, to lure victims. The campaign involves 959 domains used in phishing emails and poisoned search results. Victims are directed to a page impersonating the greeting card service BlueMountain, which automatically downloads an installer specific to the victim's operating system. The campaign abuses four commercially signed RMM products: ConnectWise ScreenConnect, LogMeIn Resolve, Kaseya, and O&O Syspectr. These tools, being legitimate and signed, bypass conventional security checks. The phishing pages also collect the visitor's IP address, city, and browser information.
Why It's Important?
This phishing campaign highlights the increasing sophistication of cyber threats, where attackers leverage legitimate software to bypass security measures. The use of genuine RMM tools allows the attackers to evade detection by security systems that typically flag malware. This poses a significant risk to individuals and organizations, as it can lead to unauthorized access and control over devices. The campaign's ability to adapt its themes to seasonal events increases its effectiveness, making it more likely to deceive users. The involvement of AI-generated code in creating phishing pages suggests a trend towards more automated and scalable cyber attacks, potentially lowering the barrier for entry for cybercriminals. Organizations need to be vigilant in monitoring the use of RMM tools and enhancing their email filtering systems to prevent such attacks.
What's Next?
Organizations are advised to maintain a strict inventory of approved RMM tools and to alert on any unauthorized installations. Strengthening email filtering systems to detect and block seasonal-themed phishing attempts is crucial. Training staff to recognize phishing attempts, especially those involving eCards that require software installation, is essential. As the campaign continues to evolve, cybersecurity teams must stay informed about new tactics and techniques used by attackers. Collaboration between cybersecurity firms and law enforcement may be necessary to dismantle the infrastructure supporting such phishing operations.
Beyond the Headlines
The use of AI-generated code in phishing campaigns represents a shift towards more sophisticated and automated cyber threats. This development could lead to an increase in the frequency and complexity of phishing attacks, as AI can be used to quickly generate new variants of phishing pages. The campaign's ability to evade detection by using legitimate software highlights the need for improved security measures that can identify and block unauthorized use of such tools. The broader implications for cybersecurity include the need for continuous adaptation and innovation in defense strategies to keep pace with evolving threats.













