Phishing Campaign Abuses eCards to Deploy Legitimate RMM Tools
A six-month phishing campaign, dubbed SeasonalInvite, is tricking users into installing legitimate RMM software like AnyDesk and TeamViewer via fake eCard lures.

A sophisticated, six-month phishing campaign has been observed leveraging seasonal electronic greeting card (eCard) lures to trick both Windows and macOS users into downloading and installing legitimate Remote Monitoring and Management (RMM) software. The operation, identified by Forescout and named "SeasonalInvite," has been active since at least January 2026 and was still serving malicious payloads as of late June.
The campaign's primary tactic involves rotating its lures to align with current calendar events, shifting from themes like tax season and Social Security in winter to Valentine's Day, Easter, and general spring invitations as the year progresses. Researchers identified 959 malicious domains used in phishing emails and poisoned search results, which directed victims through a traffic distribution system (TDS). This system screened visitors before presenting them with a fake landing page, impersonating the legitimate eCard service BlueMountain. After a brief loading animation, the page automatically initiated the download of an operating-system-specific installer.
This operation notably abuses four commercially signed RMM products: ConnectWise ScreenConnect, LogMeIn Resolve, Kaseya, and O&O Syspectr. The use of genuine, validly signed installers allows the malicious payloads to bypass standard security checks that would typically flag conventional malware. On Windows systems, batch and VBScript droppers were used to fetch the installer and relaunch themselves, prompting the user for User Account Control (UAC) approval for a privileged installation, rather than attempting to bypass it.
For macOS users, the delivery mechanism involved a two-part process. A signed Kaseya package was paired with a separate config.data file. This configuration file redirected the enrollment process to an attacker-controlled server, effectively exploiting an unattended-deployment feature designed for managed service providers. As a secondary data collection measure, each landing page discreetly harvested visitor information, including IP address, city, and browser details, which were then transmitted to a backend server, providing the operator with a record of all individuals who accessed the page.
Indicators within the phishing pages suggest the potential use of AI in their assembly. These include emoji-prefixed task comments and references to combining code "snippets." Forescout's analysis indicates that the threat actor likely employed a large language model (LLM) to combine various code components into a cohesive landing page. This AI-assisted approach would have significantly reduced the cost and effort required to produce and deploy fresh variants of the phishing infrastructure.
The underlying traffic distribution system (TDS) appears to be a shared platform, as searches for pages matching its fingerprint revealed thousands of additional URLs. Many of these pages appeared benign to automated scanners but quietly rerouted real users to malicious content. Microsoft had previously documented overlapping infrastructure in March, noting that the same operation had utilized tax-themed lures.
Forescout recommends that organizations implement strict inventory controls for approved RMM tools, alerting on any unauthorized installations. They also advise hardening email filtering systems to better detect seasonal themes and conducting user training to emphasize that legitimate eCards should never necessitate the installation of remote support software or require the approval of privilege elevation prompts.