Fake event invitations are being used to attack U.S. organizations with RMM tools


A large phishing campaign is targeting U.S. organizations with fake event invitations that can lead to credential theft, one-time password interception, and remote access tool installation. The campaign focuses on high-value sectors, including banking, government, technology, healthcare, finance, education, and manufacturing.

The campaign uses a simple idea that works well in business settings. Employees receive or land on what looks like an event invitation, file download, or meeting-related page. From there, attackers push users toward fake login forms or remote management software that gives them access to the device.

Researchers at ANY.RUN have warned that phishing-to-RMM attacks create a major blind spot for security teams because the payload may look legitimate. Tools such as ScreenConnect, Datto RMM, ITarian, LogMeIn Rescue, and similar platforms are widely used by IT teams, which makes unauthorized installs harder to spot quickly.

Attackers are mixing phishing with remote access

This campaign does not stop at stealing passwords. Attackers combine fake pages, CAPTCHA gates, credential harvesting, OTP interception, and RMM deployment into one attack chain. That gives them more than one way to break into a company environment.

The CAPTCHA page helps filter out automated scanners before the victim reaches the real lure. After that, the user may see a convincing event invitation or business-themed download page designed to look familiar and safe.

In some cases, the campaign leads to a fake login page. In others, the page starts a download for an RMM installer. Once installed, that tool can give attackers direct remote access while appearing similar to software used for normal IT support.

At a glance

| Item | Details |
| --- | --- |
| Main lure | Fake event invitations and business-themed pages |
| Primary targets | U.S. organizations |
| High-risk sectors | Banking, government, technology, healthcare, finance, education, and manufacturing |
| Main goals | Credential theft, OTP interception, and remote access |
| Tools abused | ScreenConnect, Datto RMM, ITarian, LogMeIn Rescue, and other RMM tools |
| Detection challenge | RMM tools can look legitimate when viewed without attack-chain context |

Why this campaign is difficult to catch early

Security tools often look for clearly malicious files. This campaign avoids that pattern by using software that can pass basic checks because it has legitimate business use. The danger comes from how the tool reaches the user and what happens after installation.

ANY.RUN notes that phishing-to-RMM attacks require defenders to connect the full chain. That includes the phishing page, download behavior, endpoint execution, RMM installation, and outbound connections to remote access infrastructure.

This is why domain reputation alone does not solve the problem. Some campaigns use trusted platforms, compromised websites, or legitimate vendor infrastructure, which can make the activity look less suspicious at first glance.

Fake invitations make the attack feel normal

Event and meeting lures work because they fit daily workplace behavior. Employees expect calendar invites, shared files, webinars, vendor meetings, and internal events. Attackers use that routine to lower suspicion.

Microsoft also observed phishing campaigns in 2026 that used workplace meeting lures, PDF attachments, and fake app installers to deploy RMM backdoors. That shows the same broader trend: attackers increasingly use trusted workplace workflows to deliver remote access.

Malwarebytes separately reported a fake invitation campaign where users were pushed toward a download that installed ScreenConnect, a legitimate remote support tool. The page used social pressure and invitation wording to make the file feel harmless.

How the attack flow works

  • The victim reaches a CAPTCHA or verification page.
  • The page redirects to a fake event invitation or business-themed landing page.
  • The victim sees a fake login form or a download prompt.
  • Credentials and one-time passwords may be captured.
  • An RMM installer may download or run on the device.
  • The attacker gains remote access through a legitimate-looking tool.
  • The compromised device can then support account takeover, data theft, or deeper network access.

The automatic download path creates a serious risk because remote access may begin before the victim understands what happened. A user may think they opened an invitation while the attacker gains control through a remote management agent.

This is also why security teams need to review installer activity tied to browsers, email links, and unusual web redirects. A legitimate tool installed from an unexpected path should trigger investigation.

What security teams should monitor

Organizations should track RMM installations outside approved IT workflows. A new ScreenConnect, Datto, ITarian, LogMeIn, AnyDesk, Syncro, or similar agent should not appear on an endpoint without a valid support ticket or admin record.

Security teams should also watch for redirect chains that move from CAPTCHA pages to unfamiliar domains and then to download prompts. Fixed resource paths, repeated image directories, and predictable web request patterns can help defenders spot reused phishing kits.

RMM allowlisting also matters. Red Canary has warned that many remote management tools have been abused by adversaries and that a strong allowlist or blocklist policy remains one of the most useful controls.

  • Build an approved list of RMM tools and block unauthorized remote access software.
  • Alert when RMM installers launch from downloads, browsers, temporary folders, or email attachments.
  • Require MFA for remote access tools and admin portals.
  • Review outbound connections to RMM platforms that your IT team does not use.
  • Train users to treat unexpected event invitations and download prompts as suspicious.
  • Inspect CAPTCHA-to-download redirect chains in web proxy and DNS logs.
  • Correlate phishing reports with endpoint software installation events.
  • Remove local admin rights where users do not need them.

Companies should not block every RMM tool without planning. Many IT teams depend on remote support platforms. The safer approach is to define which tools are approved, which teams can use them, and which installation paths should never occur.
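
The allowlist and installation-path checks above can be expressed as a small triage rule over endpoint process-creation events. The following is an added example, not code from ANY.RUN or any vendor named in this article; the event fields, the file-name markers, the approved list, and the sample events are all assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumption: installer/agent file names contain the product name. Attackers can
# rename files, so production rules should also match signer and product metadata.
RMM_MARKERS = {"ScreenConnect": "screenconnect", "Datto RMM": "datto", "ITarian": "itarian",
               "LogMeIn Rescue": "logmein", "AnyDesk": "anydesk", "Syncro": "syncro"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\content.outlook\\")
DELIVERY_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

def identify_rmm(image):
    """Return the RMM product whose marker appears in the file name, else None."""
    name = PureWindowsPath(image).name.lower()
    for product, marker in RMM_MARKERS.items():
        if marker in name:
            return product
    return None

def triage(event, approved):
    """Return the reasons a process-creation event deserves investigation."""
    product = identify_rmm(event["image"])
    if product is None:
        return []
    reasons = []
    if product not in approved:
        reasons.append("unapproved_tool")
    path = event["image"].lower()
    if any(part in path for part in USER_WRITABLE):
        reasons.append("user_writable_path")
    if event["parent"].lower() in DELIVERY_PARENTS:
        reasons.append("browser_or_mail_parent")
    if not event.get("ticket"):
        reasons.append("no_support_ticket")
    return reasons

# Constructed sample events (not real telemetry).
EVENTS = [
    {"host": "FIN-LT-07", "image": r"C:\Users\jdoe\Downloads\Invitation_ScreenConnect.ClientSetup.exe", "parent": "msedge.exe", "ticket": None},
    {"host": "HR-PC-12", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe", "parent": "services.exe", "ticket": "TICKET-EXAMPLE-1"},
    {"host": "ENG-WS-03", "image": r"C:\Users\asmith\AppData\Local\Temp\AnyDesk.exe", "parent": "explorer.exe", "ticket": None},
    {"host": "ENG-WS-03", "image": r"C:\Windows\System32\notepad.exe", "parent": "explorer.exe", "ticket": None},
]

def scan(events, approved):
    """Return (host, product, reasons) for every event with at least one reason."""
    return [(e["host"], identify_rmm(e["image"]), r) for e in events if (r := triage(e, approved))]

if __name__ == "__main__":
    for finding in scan(EVENTS, approved={"ScreenConnect"}):
        print(finding)
```

Note that the first sample event is flagged even though ScreenConnect is on the approved list: an approved tool arriving through a browser download with no ticket is exactly the case an allowlist alone would miss.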

For incident response, teams should review newly installed RMM agents first. They should check who installed the tool, what account launched it, what URL delivered it, and which external systems it contacted after launch.

Why this matters for U.S. organizations

The campaign’s focus on U.S. organizations makes it especially relevant for industries that rely on distributed IT support. Banking, healthcare, government, and technology environments often use remote administration tools, which can make malicious use harder to separate from normal support work.

The broader lesson is clear. Attackers do not need custom malware when legitimate tools can provide the same access. Once a trusted remote access platform enters the environment through a phishing page, defenders need context to prove whether it belongs there.

Security teams should treat fake event invitations as more than ordinary phishing. In this campaign, the invite can become the entry point for direct remote access.

FAQ

What is the fake event invitation campaign?

It is a phishing campaign that uses fake event or business invitation pages to steal credentials, intercept one-time passwords, and deliver remote management tools.

Which organizations are being targeted?

The campaign mainly targets U.S. organizations, with risk concentrated in banking, government, technology, healthcare, finance, education, and manufacturing.

Why are RMM tools dangerous in phishing attacks?

RMM tools are legitimate remote support platforms. Attackers abuse them because they can provide remote control while blending into normal IT activity.

Which RMM tools have attackers abused?

Researchers have observed abuse of tools such as ScreenConnect, Datto RMM, ITarian, LogMeIn Rescue, Action1, Syncro, NetSupport, SimpleHelp, RustDesk, and others.
