Security researchers have identified an ongoing, sophisticated phishing campaign dubbed "SeasonalInvite" that leverages social engineering and legitimate enterprise software to achieve persistent remote access. Active since at least January 2026, the campaign uses phishing emails disguised as seasonal eCard invitations to lure victims. Instead of dropping traditional malware, the attack tricks users into installing commercially available Remote Monitoring and Management (RMM) tools. This "Living off the Trusted Land" approach allows attackers to bypass many security controls and gain administrator-level access to compromised systems for long-term espionage or follow-on attacks.
The SeasonalInvite campaign follows a clear attack chain:
The campaign is notable for its abuse of trusted, legitimate software, a technique that makes detection difficult for security products that may have these tools on an allowlist.
By using legitimate RMM tools, attackers gain a powerful set of capabilities, including:
This access effectively gives the attacker the same power as an IT support administrator, which can be used for data exfiltration, deploying ransomware, or pivoting to other systems on the network.
The primary impact is the establishment of a persistent, stealthy backdoor into the victim's environment. Because the C2 traffic is directed to legitimate RMM service domains and is encrypted, it blends in with normal network activity and is difficult to detect with traditional network monitoring. This long-term access can be sold to other threat actors or used to conduct devastating follow-on attacks at a later date.
No specific IP addresses or domains were provided in the source articles. The primary indicators are the presence of unexpectedly installed RMM software.
Security teams should hunt for the following patterns to detect this type of activity:
ScreenConnect.Client.exe, LogMeIn.exe*.screenconnect.com, *.logmein.comeCard.exe, invitation.scrEducate users to be skeptical of unsolicited emails and to not download or install software from untrusted sources.
Use application control solutions to prevent the execution of unauthorized RMM tools on endpoints.
Employ web filtering to block access to known phishing sites and newly registered domains often used in such campaigns.
The 'SeasonalInvite' campaign is observed to be active since at least this month.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.