Industry News & Leadership · May 07, 2026

New Phishing Attack Weaponizing Event Invitations to Steal Login Credentials

Source: Cybersecurity News · Archived May 07, 2026



By Tushar Subhra Dutta, May 7, 2026

A large-scale phishing campaign has been quietly targeting organizations across the United States, using fake event invitations as bait. Rather than sending a suspicious attachment or an obvious scam link, attackers lure victims with what appears to be a legitimate party or gathering invitation. Once clicked, those links lead to pages designed to steal login credentials, intercept one-time passcodes, or install remote management software.

What makes this campaign stand out is how ordinary the early steps look. A victim receives an invitation, clicks the link, passes through a CAPTCHA check, and sees a polished event page. Nothing about that sequence triggers obvious concern, and that is precisely the point. By the time any real harm occurs, whether a stolen password or a remote access tool quietly running in the background, the attack is already well underway.

Researchers at ANY.RUN were among the first to document the full scope of this operation. On April 22, 2026, analysts identified a phishing campaign targeting email service credentials, with some cases also delivering remote management software. By April 27, nearly 160 suspicious links had been submitted to ANY.RUN's sandbox, with roughly 80 phishing domains identified, most registered under the .de top-level domain starting from December 2025.

Figure: Full attack chain of the phishing campaign (Source – Any.Run)

The industries most affected include Education, Banking, Government, Technology, and Healthcare. These sectors rely heavily on email access and remote administration tools, making them attractive targets for attackers looking to blend in. A single stolen login in any of these environments can open doors far beyond one inbox.
Figure: Fake invitation used as a lure (Source – Any.Run)

The campaign also shows signs of being built for scale. Threat actors appear to use a reusable phishing toolkit to spin up new event-themed lure sites quickly. Some page elements hint at AI-assisted content generation, meaning the attack surface can expand fast while the underlying structure stays consistent enough to detect.

Phishing Attack Weaponizing Event Invitations

The attack begins with a simple invitation link. After clicking, the victim is taken through a CAPTCHA check, most often served through Cloudflare, which gives the page an air of legitimacy. From there, one of two things happens depending on which version of the lure the victim encounters.

Figure: Example message to sign in to an event (Source – Any.Run)

In the credential theft version, the page presents a sign-in prompt and asks the user to log in with their email service of choice. When someone selects Google, they are redirected to a convincing fake Google authorization form. Credentials are sent via POST requests to server endpoints including /pass.php and /mlog.php.

Figure: Google authorization form used for the phishing attack (Source – Any.Run)

For all other services, the page collects the email and password, then deliberately shows an "Incorrect Password" message to push the user into entering their details a second time, capturing both attempts. Once the user submits an OTP code, that too is silently forwarded to the attacker.

In the remote management delivery version, the fake invitation page initiates a download of a legitimate remote tool such as ScreenConnect, ITarian, Datto RMM, ConnectWise, or LogMeIn Rescue. Some pages include a download button, while others begin the download automatically with no further action needed. Because these are real, widely used tools, security software may not treat the installation as a threat.
How Security Teams Can Reduce the Risk

Security teams can use shared infrastructure patterns to hunt for related domains before an incident takes shape. All phishing pages in this campaign follow a predictable request chain: a GET request to the root, followed by requests to /favicon.ico, /blocked.html, and an image path matching /Image/*.png. Analysts can run the query

url:"/blocked.html" AND url:"/favicon.ico" and url:"/Image/*.png"

in threat intelligence platforms to surface connected domains.

Beyond hunting, organizations benefit most from getting visibility earlier in the chain, before credentials are used or a remote tool gains a foothold. Safely analyzing suspicious links in a sandboxed environment lets teams confirm whether a page is a fake invitation, a credential form, or an RMM delivery page before any user data is at risk. When teams can observe the full behavior of a link during investigation, they can contain the threat much faster and avoid the costly uncertainty that comes with reacting too late.
Indicators of Compromise

| Type | Indicator | Description |
|---|---|---|
| URL Pattern | hxxps://<phish_site>/<url-pattern>/Image/office360.png | Phishing page icon path for Office 365 branding |
| URL Pattern | hxxps://<phish_site>/<url-pattern>/Image/office.png | Phishing page icon path for Office branding |
| URL Pattern | hxxps://<phish_site>/<url-pattern>/Image/yahoo.png | Phishing page icon path for Yahoo branding |
| URL Pattern | hxxps://<phish_site>/<url-pattern>/Image/google.png | Phishing page icon path for Google branding |
| URL Pattern | hxxps://<phish_site>/<url-pattern>/Image/aol.png | Phishing page icon path for AOL branding |
| URL Pattern | hxxps://<phish_site>/<url-pattern>/Image/email.png | Phishing page icon path for generic email branding |
| URL Pattern | hxxps://<phish_site>/blocked.html | Shared blocked page across all campaign domains |
| URL Pattern | hxxps://<phish_site>/<url-pattern>/processmail.php | Credential submission endpoint (non-Google flow) |
| URL Pattern | hxxps://<phish_site>/<url-pattern>/process.php | OTP submission endpoint |
| URL Pattern | hxxps://<phish_site>/<url-pattern>/pass.php | Google credential login endpoint |
| URL Pattern | hxxps://<phish_site>/<url-pattern>/mlog.php | Google credential password endpoint |
| URL Pattern | hxxps://<phish_site>/<url-pattern>/check_telegram_updates.php | Visitor ID exfiltration endpoint (Google flow) |
| File Hash (SHA-256) | 887bc414bdb32b83dcfccdd3c688e90d9a87a0033e3756a840f9bdd2d65… | office360.png icon used in phishing pages |
| File Hash (SHA-256) | 6eaa0a448f1306bcf4159783eeafe5d37243bd8ca2728db7d90de192924… | office.png icon used in phishing pages |
| File Hash (SHA-256) | 4c373bc25cb71dbb75e73b61dff25aa184be8d327053a97202a6b1a5919… | yahoo.png icon used in phishing pages |
| File Hash (SHA-256) | a838f99537d35e48e479a34086297f76db5d3363b0456f23d10d308f0d3… | google.png icon used in phishing pages |
| File Hash (SHA-256) | 8e94c18bbcad0644c4b04de4356fe37da9996fdf1c99bc984ba819862a9… | aol.png icon used in phishing pages |
| File Hash (SHA-256) | 9a53e032a6e3e79861d28568c3b6ffc97f4f3c1d3af65a703ec129664205… | email.png icon used in phishing pages |
| Domain | festiveparty[.]us | Event-themed phishing domain observed in campaign |
| Domain | getceptionparty[.]de | Event-themed phishing domain observed in campaign |
| Domain | celebratieinvitiee[.]de | Event-themed phishing domain observed in campaign |
| TI Hunting Query | url:"/blocked.html" AND url:"/favicon.ico" and url:"/Image/*.png" | Query to find related phishing domains in ANY.RUN TI Lookup |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Tushar Subhra Dutta is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
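The request chain described in the hunting section and the endpoint names in the IoC table above can be turned into a local hunt over web-proxy logs, so a team does not have to wait for a TI-platform query. The script below is an added example for this article, not code from Cyber Security News or ANY.RUN: it groups requests per client and host, flags hosts that show the full chain (a GET to the root, then /favicon.ico, /blocked.html and an /Image/<name>.png path), and tags any hit on the credential or OTP endpoints listed in the table. The log line format, the host names (party-invite.example, intranet.example) and the sample lines are constructed for the example; the defang/refang helpers follow the [.] and hxxp convention the article's note describes.

```python
"""Hunt for the event-invitation phishing request chain in proxy logs.

Added example, not the article's or ANY.RUN's code. Log format, host names
and sample lines below are constructed; only the path patterns and endpoint
names come from the article's IoC table.
"""
import re
from collections import defaultdict

# Request-chain markers from the article: GET / followed by these paths.
CHAIN_PATHS = ("/favicon.ico", "/blocked.html")
IMAGE_RE = re.compile(r"/Image/[^/]+\.png$")

# Endpoint names from the IoC table; they sit under a per-site URL prefix.
EXFIL_ENDPOINTS = {
    "processmail.php": "credential submission (non-Google flow)",
    "process.php": "OTP submission",
    "pass.php": "Google credential login",
    "mlog.php": "Google credential password",
    "check_telegram_updates.php": "visitor ID exfiltration (Google flow)",
}

# Constructed log format: "<timestamp> <client_ip> <method> <host> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def has_chain(paths):
    """True when one host's paths contain the full campaign request chain."""
    return (
        "/" in paths
        and all(p in paths for p in CHAIN_PATHS)
        and any(IMAGE_RE.search(p) for p in paths)
    )


def exfil_hits(paths):
    """List (path, description) for requests to known exfiltration endpoints."""
    hits = []
    for p in paths:
        name = p.rsplit("/", 1)[-1].split("?", 1)[0]
        if name in EXFIL_ENDPOINTS:
            hits.append((p, EXFIL_ENDPOINTS[name]))
    return hits


def hunt(log_lines):
    """Map (client, host) -> {"chain": bool, "exfil": [...]} for suspicious hosts."""
    seen = defaultdict(list)
    for line in log_lines:
        rec = parse_line(line)
        if rec is not None:
            seen[(rec["client"], rec["host"])].append(rec["path"])
    findings = {}
    for key, paths in seen.items():
        chain, hits = has_chain(paths), exfil_hits(paths)
        if chain or hits:
            findings[key] = {"chain": chain, "exfil": hits}
    return findings


def defang(value):
    """Defang a domain or URL with the [.] / hxxp convention used in the IoC table."""
    return value.replace(".", "[.]").replace("http", "hxxp")


def refang(value):
    """Reverse defang(); use only inside a controlled TI platform or SIEM."""
    return value.replace("[.]", ".").replace("hxxp", "http")


# Constructed sample: one host shows the chain plus Google-flow POSTs,
# the other is an ordinary intranet site that lacks /blocked.html.
SAMPLE_LOG = [
    "2026-04-23T09:12:01Z 10.0.0.15 GET party-invite.example / 200",
    "2026-04-23T09:12:02Z 10.0.0.15 GET party-invite.example /favicon.ico 200",
    "2026-04-23T09:12:02Z 10.0.0.15 GET party-invite.example /blocked.html 200",
    "2026-04-23T09:12:03Z 10.0.0.15 GET party-invite.example /ev2026/Image/google.png 200",
    "2026-04-23T09:14:40Z 10.0.0.15 POST party-invite.example /ev2026/pass.php 200",
    "2026-04-23T09:15:02Z 10.0.0.15 POST party-invite.example /ev2026/mlog.php 200",
    "2026-04-23T09:20:11Z 10.0.0.22 GET intranet.example / 200",
    "2026-04-23T09:20:11Z 10.0.0.22 GET intranet.example /favicon.ico 200",
    "2026-04-23T09:20:12Z 10.0.0.22 GET intranet.example /Image/logo.png 200",
]

if __name__ == "__main__":
    for (client, host), info in hunt(SAMPLE_LOG).items():
        print(f"{client} -> {defang(host)}: chain={info['chain']} exfil={info['exfil']}")
```

The chain check requires all four markers on the same host, which keeps a site that merely serves a favicon and a PNG under /Image/ from alerting; the endpoint match is reported separately so a POST to pass.php or mlog.php still stands out even when the earlier GETs were not logged. Feed it the proxy's own format by adjusting LOG_RE; hosts it flags are candidates for the sandbox check the article recommends, not confirmed hits.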