SeasonalInvite Phishing Abuses RMM Tools for Access

SeasonalInvite Phishing Campaign Abuses Legitimate RMM Tools

MEDIUM
July 15, 2026
5m read
PhishingCyberattackSecurity Operations

Related Entities

Organizations

ForescoutConnectWise LogMeInKaseya

Products & Tech

O&O Syspectr

Full Report

Executive Summary

Security researchers have identified an ongoing, sophisticated phishing campaign dubbed "SeasonalInvite" that leverages social engineering and legitimate enterprise software to achieve persistent remote access. Active since at least January 2026, the campaign uses phishing emails disguised as seasonal eCard invitations to lure victims. Instead of dropping traditional malware, the attack tricks users into installing commercially available Remote Monitoring and Management (RMM) tools. This "Living off the Trusted Land" approach allows attackers to bypass many security controls and gain administrator-level access to compromised systems for long-term espionage or follow-on attacks.


Threat Overview

The SeasonalInvite campaign follows a clear attack chain:

  1. Initial Access: The victim receives a phishing email with a lure related to a seasonal eCard or greeting.
  2. Social Engineering: The email contains a link that directs the user to a phishing website. The campaign is supported by a large infrastructure, including 959 domains and a Traffic Distribution System (TDS) with over 2,600 gate pages to filter out security researchers and bots.
  3. Tool Installation: The user is tricked into downloading and executing an installer, which installs a legitimate RMM agent on their system.
  4. Command and Control: The installed RMM agent connects back to the attacker-controlled RMM server, providing the threat actor with persistent remote access to the victim's machine.

The campaign is notable for its abuse of trusted, legitimate software, a technique that makes detection difficult for security products that may have these tools on an allowlist.

Technical Analysis

  • Threat Actor: Unidentified, but demonstrating sophistication in infrastructure management and social engineering.
  • Abused Tools (T1219): The campaign has been confirmed to abuse at least four popular RMM platforms:
  • Infrastructure: The use of a complex Traffic Distribution System (TDS) indicates a high level of operational maturity. The TDS is used to profile visitors and only present the malicious content to genuine, targeted victims, while serving benign content to security scanners and sandboxes.
  • AI-Assisted Development: Reports note the use of AI-assisted techniques in the campaign, likely for generating convincing phishing lures and managing the complex infrastructure.

By using legitimate RMM tools, attackers gain a powerful set of capabilities, including:

  • Remote desktop control
  • File transfer
  • Command-line access
  • Process and service management
  • System inventory

This access effectively gives the attacker the same power as an IT support administrator, which can be used for data exfiltration, deploying ransomware, or pivoting to other systems on the network.

Impact Assessment

The primary impact is the establishment of a persistent, stealthy backdoor into the victim's environment. Because the C2 traffic is directed to legitimate RMM service domains and is encrypted, it blends in with normal network activity and is difficult to detect with traditional network monitoring. This long-term access can be sold to other threat actors or used to conduct devastating follow-on attacks at a later date.

IOCs — Directly from Articles

No specific IP addresses or domains were provided in the source articles. The primary indicators are the presence of unexpectedly installed RMM software.

Cyber Observables — Hunting Hints

Security teams should hunt for the following patterns to detect this type of activity:

Type
Process Name
Value
ScreenConnect.Client.exe, LogMeIn.exe
Description
Monitor for the execution of RMM client processes on systems outside of the IT department or on servers where they are not expected.
Type
Network Traffic Pattern
Value
Connections to *.screenconnect.com, *.logmein.com
Description
Look for network connections to known RMM service domains from non-IT assets. Baselining normal RMM usage is key.
Type
File Name
Value
eCard.exe, invitation.scr
Description
Hunt for executables with names related to eCards or invitations, especially in user download folders.
Type
Log Source
Value
Email Gateway Logs
Description
Search for emails with subjects related to "eCard," "greeting," or "invitation" from unknown senders.

Detection & Response

  1. Application Allowlisting: Implement application control policies to prevent the execution of unauthorized software, including legitimate RMM tools installed without IT approval. This is a key part of Executable Allowlisting (D3-EAL).
  2. EDR/Process Monitoring: Configure EDR alerts for the installation and execution of RMM software. Create rules that trigger an alert if an RMM tool is run by a user who is not in an IT support group.
  3. Network Egress Filtering: While the traffic is to legitimate domains, it's still possible to baseline which machines should be communicating with RMM services. Alert on deviations from this baseline.
  4. Email Security: Enhance email filtering to block messages with suspicious links and attachments. Use URL rewriting and sandboxing to analyze links at time-of-click.

Mitigation

  1. User Training (M1017): Conduct regular security awareness training focused on identifying phishing attempts. Emphasize the danger of downloading and running software from unsolicited emails, even if it appears legitimate.
  2. Restrict Software Installation (M1033): Remove local administrator rights from standard user accounts to prevent them from installing unauthorized software.
  3. Centralized RMM Management: For organizations that use RMM tools, ensure they are deployed and managed centrally by the IT department. Any RMM instance not under central control should be considered suspicious and investigated.
  4. Web Content Filtering (M1021): Use web filtering solutions to block access to newly registered domains and known phishing sites.

Timeline of Events

1
January 1, 2026
The 'SeasonalInvite' campaign is observed to be active since at least this month.
2
July 15, 2026
This article was published

MITRE ATT&CK Mitigations

Educate users to be skeptical of unsolicited emails and to not download or install software from untrusted sources.

Use application control solutions to prevent the execution of unauthorized RMM tools on endpoints.

Employ web filtering to block access to known phishing sites and newly registered domains often used in such campaigns.

Timeline of Events

1
January 1, 2026

The 'SeasonalInvite' campaign is observed to be active since at least this month.

Sources & References

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

PhishingRMMSocial EngineeringLiving off the LandConnectWiseKaseya

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.