CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 21, 2026

Fake Invitation Phishing Campaign Targets U.S. Organizations With Credential Theft

Cybersecurity News Archived May 21, 2026 ✓ Full text saved

A large-scale phishing campaign is actively targeting U.S. organizations, using fake event invitations as bait to steal login credentials, intercept one-time passwords, or install remote access tools. The operation has been running since at least December 2025, with researchers tracking a growing pool of malicious domains built around the same repeatable framework. What makes this […] The post Fake Invitation Phishing Campaign Targets U.S. Organizations With Credential Theft appeared first on Cy

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Fake Invitation Phishing Campaign Targets U.S. Organizations With Credential Theft By Tushar Subhra Dutta May 21, 2026 A large-scale phishing campaign is actively targeting U.S. organizations, using fake event invitations as bait to steal login credentials, intercept one-time passwords, or install remote access tools. The operation has been running since at least December 2025, with researchers tracking a growing pool of malicious domains built around the same repeatable framework. What makes this campaign stand out is not just its scale, but how carefully it is designed to look normal at every step. The attackers use event-themed lure pages that blend in with legitimate platforms. Victims are walked through a CAPTCHA check, often powered by Cloudflare, and then shown what appears to be an event invitation asking them to sign in. By the time the page asks for a password or downloads a file, many users have already lowered their guard. Researchers at ANY.RUN said in a report shared with Cyber Security News (CSN) that the campaign uses a single phishing framework to mass-deploy event-themed lure sites at scale. As of April 27, 2026, nearly 160 suspicious links tied to this campaign had been submitted to ANY.RUN’s sandbox, alongside around 80 identified phishing domains. Most of those domains were registered under the .de top-level domain and carry names related to parties, celebrations, and invitations. The sectors most affected include Education, Banking, Government, Technology, and Healthcare. These are industries where email access and remote administration tools are part of daily operations, making them especially attractive targets. One phishing link, if clicked by the wrong person, can lead to a stolen inbox, intercepted verification codes, or a remote tool running silently inside the organization’s network. The scale of the operation also hints at automation. Some page elements in the campaign suggest possible AI-assisted content generation, meaning new lure sites can be spun up quickly and cheaply. Even so, the shared infrastructure leaves patterns that security teams can use to connect related activity and act faster. Fake Invitation Phishing Campaign On April 22, 2026, ANY.RUN researchers identified the campaign actively targeting email service credentials. The attack chain follows the same structure across all observed sessions: a CAPTCHA check comes first, followed by a fake invitation page, and then either a credential theft form or a remote tool download. This consistency is deliberate, as it gives the operation a predictable and scalable flow while still appearing genuine to victims. Full attack chain of the phishing campaign (Source – Any.Run) When the goal is credential theft, the lure page prompts users to sign in using services like Google, Yahoo, AOL, or Microsoft. After entering a password, the victim sees a fake “Incorrect Password” message, which is a trick designed to collect a second attempt in case the first had a typo. The page then sends captured credentials via POST requests to server-side endpoints like /processmail.php, followed by an OTP interception form that submits verification codes to /process.php. Fake invitation used as a lure (Source – Any.Run) For Gmail users, a spoofed Google authorization form routes login data through /pass.php and /mlog.php, and checks for a Telegram-linked user ID via /check_telegram_updates.php. Repeatable Infrastructure and Detection Signals The campaign’s infrastructure is built for reuse, not just one-time deployment. Credential theft pages share a consistent layout, changing only the logo at the top while keeping the same form structure underneath. Fake entry form used in all phishing sites (Source – Any.Run) Service icons such as office360.png, yahoo.png, google.png, and aol.png are stored under the same /Image/ path across all phishing domains, meaning that once a defender spots one domain, the same fingerprint can be used to find others. Security teams can use the TI Lookup query url:"/blocked.html" AND url:"/favicon.ico" and url:"/Image/*.png" to surface related domains in threat intelligence platforms. Monitoring for sequential GET requests hitting /favicon.ico, /blocked.html, and an /Image/*.png path is another reliable signal that a phishing session is underway. For remote access delivery, the campaign pushes tools including ScreenConnect, ITarian, Datto RMM, ConnectWise, and LogMeIn Rescue, sometimes triggering the download automatically without any button click. Security teams should flag unexpected RMM installations as a potential indicator and investigate surrounding network activity immediately. Indicators of Compromise (IoCs):- Type Indicator Description URL Pattern hxxps://<phish_site>/<url-pattern>/Image/office360.png Phishing site icon path for Microsoft Office 360 login option URL Pattern hxxps://<phish_site>/<url-pattern>/Image/office.png Phishing site icon path for Microsoft Office login option URL Pattern hxxps://<phish_site>/<url-pattern>/Image/yahoo.png Phishing site icon path for Yahoo login option URL Pattern hxxps://<phish_site>/<url-pattern>/Image/google.png Phishing site icon path for Google login option URL Pattern hxxps://<phish_site>/<url-pattern>/Image/aol.png Phishing site icon path for AOL login option URL Pattern hxxps://<phish_site>/<url-pattern>/Image/email.png Phishing site icon path for generic email login option URL Pattern hxxps://<phish_site>/blocked.html Consistent resource path loaded across all phishing domains URL Pattern hxxps://<phish_site>/<url-pattern>/processmail.php Endpoint receiving POST with stolen email and password (non-Google) URL Pattern hxxps://<phish_site>/<url-pattern>/process.php Endpoint receiving POST with stolen OTP code URL Pattern hxxps://<phish_site>/<url-pattern>/pass.php Endpoint receiving Gmail login credential URL Pattern hxxps://<phish_site>/<url-pattern>/mlog.php Endpoint receiving Gmail password credential URL Pattern hxxps://<phish_site>/<url-pattern>/check_telegram_updates.php Endpoint checking Telegram-linked visitor ID during Google phishing flow File Hash (SHA-256) 887bc414bdb32b83dcfccdd3c688e90d9a87a0033e3756a840f9bdd2d65... office360.png icon used on phishing login pages File Hash (SHA-256) 6eaa0a448f1306bcf4159783eeafe5d37243bd8ca2728db7d90de1929241... office.png icon used on phishing login pages File Hash (SHA-256) 4c373bc25cb71dbb75e73b61dff25aa184be8d327053a97202a6b1a5919... yahoo.png icon used on phishing login pages File Hash (SHA-256) a838f99537d35e48e479a34086297f76db5d3363b0456f23d10d308f0d3... google.png icon used on phishing login pages File Hash (SHA-256) 8e94c18bbcad0644c4b04de4356fe37da9996fdf1c99bc984ba819862a9b... aol.png icon used on phishing login pages File Hash (SHA-256) 9a53e032a6e3e79861d28568c3b6ffc97f4f3c1d3af65a703ec129664205... email.png icon used on phishing login pages Domain festiveparty[.]us Observed phishing domain using event-themed naming convention Domain getceptionparty[.]de Observed phishing domain under .de TLD Domain celebratieinvitiee[.]de Observed phishing domain under .de TLD TI Query url:"/blocked.html" AND url:"/favicon.ico" and url:"/Image/*.png" ANY.RUN TI Lookup query to find related phishing infrastructure Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News 600+ npm Packages Compromised in New Mini Shai-Hulud Supply Chain Attack PinTheft Linux Vulnerability Let Attackers Gain Root Access – PoC Released Critical ExifTool Vulnerability Allows Attackers to Compromise Macs via Single Malicious Image Authorities Have Taken Down “First VPN” Used in Ransomware Attacks BadIIS Malware Turns Hijacks IIS Servers and Redirect Users to Illicit Sites Latest News Chrome Critical Chrome Vulnerabilities Enable Remote Code Execution Attacks – Patch Now! Cyber Security Authorities Have Taken Down “First VPN” Used in Ransomware Attacks Cyber Security News Mini Shai-Hulud Compromises @antv npm Packages to Steal CI/CD Credentials Cyber Security Flipper Unveils New Flipper One Modular Linux Cyberdeck Cyber Security News P2PInfect Botnet Compromises Kubernetes Clusters Through Exposed Redis Instances
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗