Phishing Attack Initiated Event Invitations to Steal U.S. Credentials
“U.S. Credentials have been stolen via Event Invitations initiated by Phishing Attacks.”

In order to gather email credentials, collect OTP codes, and covertly install remote management tools, a massive phishing effort is actively targeting U.S. firms. This creates a multi-layered assault chain that security teams are finding difficult to identify before harm is done.
After examining about 160 dubious links connected to about 80 phishing domains, the majority of which were registered under the .de top-level domain starting in December 2025, researchers at ANY.RUN discovered the effort.
With education, banking, government, technology, and healthcare emerging as the most affected industries, where email access and remote management are integrated into everyday workflows, the campaign demonstrates a clear sectoral focus.

Phishing Attack Uses Event Invitations
This targeting is in line with more general Q1 2026 phishing trends monitored by Microsoft, which found almost 8.3 billion email-based phishing threats throughout the quarter, with CAPTCHA-gated phishing quickly changing across payload types.
Threat actors have progressively weaponized a social dynamic, which is exploited by the phony invitation lure itself.
Phishing pages that mimic digital invitation platforms like Punchbowl and Paperless Post direct victims to login portals with recognizable brand logos, such as Microsoft, Google, Yahoo, AOL, and Dropbox, in order to increase credential submission rates, as Cofense's Phishing Defense Center noted in a related campaign.
The attack chain starts with an event invitation page that asks the victim to sign in in order to view details, followed by a Cloudflare CAPTCHA check that gives the impression of validity.
The campaign splits into two different directions from this one point of entry. Victims of the credential theft path are shown a phony login form that collects their password and email.
ANY.RUN.
|
In order to encourage a second submission in the event that the initial entry contains a typo, the website purposefully displays a "Incorrect Password" error. This strategy aids attackers in obtaining clean credentials. |
The following OTP form completes the account takeover sequence by exfiltrating the one-time code through a POST request to /process.php.

Credentials for Google account victims are divided between the /pass.php and /mlog.php endpoints, and a request to /check_telegram_updates.php indicates that stolen data is sent in real time via Telegram to the operator.
Legitimate remote management products, such as ScreenConnect, ITarian, Datto RMM, ConnectWise, and LogMeIn Rescue, are installed silently and automatically by the page in the RMM delivery path.
With no malicious payload that endpoint tools would normally detect, ScreenConnect creates encrypted outbound connections after installation, granting the attacker complete remote control screen visibility, keyboard and mouse input, file transfer, and persistence between reboots.
The campaign is based on an architecture for reusable phishing kits. Event-related keywords like festiveparty[.]us, getceptionparty[.]de, and celebratieinvitiee[.]de are frequently embedded in domain names.
Every phishing session initiates a predictable request chain: GET / → GET /favicon.ico → GET /blocked.html → GET //Image/*.png. Service icons are kept under a fixed /Image/*.png path with consistent SHA-256 hashes across all domains.
ANY.RUN Report
|
Additionally, operator-facing modification instructions verifying the use of a shared deployment kit are included in the embedded page source code. |

Phishing URLs have been reported as harmful.
The following Threat Intelligence Lookup query can be used by SOC teams to find associated infrastructure: url="/blocked.html" AND url="/favicon.ico" AND url="/Image/*.png".
|
S.No. |
IOC Type |
Indicator |
Description |
|
1. |
Domain |
festiveparty[.]us |
Phishing lure domain |
|
2. |
Domain |
getceptionparty[.]de |
Phishing lure domain |
|
3. |
Domain |
celebratieinvitiee[.]de |
Phishing lure domain |
|
4. |
Endpoint |
/processmail.php |
Exfiltrates email & password |
|
5. |
Endpoint |
/process.php |
Exfiltrates OTP code |
|
6. |
Endpoint |
/check_telegram_updates.php |
Routes credentials to the attacker via Telegram |
|
7. |
TI Hunt Query |
url:"/blocked.html" AND url:"/favicon.ico" AND url:"/Image/*.png" |
ANY.RUN TI Lookup surfaces related infrastructure |
Note: To avoid unintentional resolution or hyperlinking, IP addresses and domains are purposefully defanged (e.g., [.]). Restricted threat intelligence systems like MISP, VirusTotal, or your SIEM are the only places to refang.
Mitigation
A CAPTCHA and an invitation are common user experiences; the campaign's effectiveness stems from the fact that no single step seems obviously harmful.
Security teams should monitor for outgoing connections to ScreenConnect and ConnectWise relay servers, impose limits on unauthorized RMM installations, and flag newly registered domains with event-related keywords under .de or .us TLDs.
Conclusion
Now, if we look at what such phishing attacks can do to your confidential data, you might want to protect yourself against such attempts. For that, you can go for Phish Next, a dedicated phishing simulation platform offered by Craw Security.
You will be able to train yourself with various phishing simulations on this platform, and with time, you will be able to identify such attempts with ease & evade them. What are you waiting for? Contact, Now!
Read More:
OAuth Consent Phishing: Why It’s Rising & How Awareness Programs Stop It?



