Phishing

Phishing campaign uses e-cards to trick users into installing remote management software

As reported by Infosecurity Magazine, a six-month phishing operation dubbed SeasonalInvite has been targeting Windows and macOS users by abusing remote monitoring and management (RMM) software, delivered through fake electronic greeting cards (eCards).

The campaign, active since at least January 2026, employs rotating lures tied to the calendar, such as tax themes in winter and Valentine's or Easter invitations later on, according to Forescout. Victims are directed through a traffic distribution system to a fake eCard service that automatically downloads an operating-system-specific installer. This operation abuses commercially signed RMM tools like ConnectWise ScreenConnect, LogMeIn Resolve, Kaseya, and O&O Syspectr. Because these installers are legitimate and validly signed, they bypass standard security checks. On Windows, the process involves UAC prompts requiring user approval for privileged installation. For macOS, a signed Kaseya package is paired with a separate configuration file to redirect enrollment to the attacker's server, exploiting an unattended deployment feature.

The phishing pages show signs of AI generation, suggesting the use of large language models to create variants efficiently. Forescout recommends organizations maintain an approved inventory of RMM tools, enhance email filtering, and train staff to recognize that genuine e-cards should never prompt for remote support software installation or approval of privilege elevation.

Source: Infosecurity Magazine

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds