What's Happening?
A phishing campaign, identified as SeasonalInvite, has been deceiving users into installing legitimate remote monitoring and management (RMM) software through fake electronic greeting cards (eCards). According to research by Forescout, the operation has been active
since January 2026 and continues to distribute payloads. The campaign uses a rotating set of lures based on the calendar, such as tax and Social Security themes in winter, and Valentine's and Easter invitations in spring. Victims are directed to a page mimicking the greeting card service BlueMountain, which automatically downloads an installer specific to the user's operating system. The campaign abuses four commercially signed RMM products, including ConnectWise ScreenConnect and LogMeIn Resolve, which pass security checks due to their legitimate signatures. The phishing pages also collect visitor data, such as IP addresses and browser information, and are suspected to be assembled using AI-generated code.
Why It's Important?
This phishing campaign highlights the increasing sophistication of cyber threats, leveraging legitimate software to bypass security measures. By using genuine RMM tools, attackers can evade detection, posing significant risks to both individual users and organizations. The campaign's ability to adapt its lures to seasonal themes increases its effectiveness, potentially leading to widespread data breaches and unauthorized access to sensitive information. Organizations must enhance their cybersecurity measures, including maintaining an approved inventory of RMM tools and training staff to recognize phishing attempts. The use of AI in assembling phishing kits also underscores the evolving nature of cyber threats, necessitating continuous updates to security protocols.
What's Next?
Organizations are advised to strengthen their email filtering systems against seasonal phishing themes and ensure that employees are aware of the risks associated with installing remote support software from unverified sources. Forescout recommends maintaining a strict inventory of approved RMM tools and alerting on any unauthorized installations. As the campaign continues to evolve, cybersecurity experts will likely monitor its developments and update defensive strategies accordingly. The potential for similar campaigns to emerge using AI-generated code suggests that ongoing vigilance and adaptation are crucial in combating such threats.













