Targeted Large-Scale Campaign Attacking U.S. Organizations with
Analysis of embedded code within these phishing pages confirms the attackers’ reliance on well-known phishing kits. This methodology allows operators to rapidly generate new phishing sites and swiftly replace infrastructure when security vendors flag or take existing domains offline. For a detailed overview of this targeted large-scale campaign, which attacks U.S. organizations with fake event invitations, refer to the full report.
The campaign’s infrastructure adds another layer of difficulty for defenders. Phishing domains are carefully built to look legitimate, closely mimicking trusted business websites. This convincing appearance delays detection and gives attackers more time inside a target environment before anyone realizes something is wrong.
The real danger, however, comes after the phishing page. Instead of stopping at credential theft, the attackers go on to install recognized RMM tools like ScreenConnect, ITarian, and Datto RMM onto victim machines, establishing a persistent and difficult-to-detect foothold inside the corporate environment.
These tools are part of everyday life for many legitimate IT departments, which is exactly what makes them so useful to threat actors. Security filters rarely block RMM software outright, and their presence tends to blend in with normal administrative activity across a network. This gives attackers the ability to maintain quiet, long-term access to compromised systems without drawing immediate attention.
How the Attack Flows
The infection sequence begins when a target lands on a CAPTCHA page, which acts as a filter designed to separate real users from automated scanners. Once through, the victim is shown what appears to be a genuine event invitation.
At this point, the attack splits into two distinct paths. Along one path, the victim is taken to a fake login page where credentials are captured. Along the other, an RMM installer begins downloading to the victim’s machine automatically, with no additional action required from the user.
The automatic download is particularly significant because access can be established before the victim realizes anything is wrong. The attacker gains a foothold early in the execution chain, well before a typical security alert would fire.

Even as the campaign’s infrastructure shifts over time, the attackers maintain consistent and repeatable patterns. Fixed resource paths such as /Image/*.png appear across phishing domains, and sequential web requests moving from /favicon.ico through /blocked.html into phishing content stay predictable across different campaign versions. These stable patterns make early detection possible, before credentials are even entered.
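The request ordering and fixed resource path described above are the kind of pattern a web proxy log can be checked for. The following is an added example and is not code from the report or from any vendor product. The log format, client addresses, hostnames, the allowlist of known-good hosts and the 30-second window are constructed assumptions; the /Image/*.png path and the /favicon.ico, /blocked.html, content sequence are the indicators the text gives.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import fnmatch

# Constructed proxy log lines (timestamp, client IP, host, path). The
# hostnames and addresses are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 invite-lookalike.test /favicon.ico
2024-01-01T10:00:01 10.0.0.5 invite-lookalike.test /blocked.html
2024-01-01T10:00:03 10.0.0.5 invite-lookalike.test /Image/logo.png
2024-01-01T10:00:04 10.0.0.5 invite-lookalike.test /login
2024-01-01T10:05:00 10.0.0.7 intranet.corp.test /favicon.ico
2024-01-01T10:05:30 10.0.0.7 intranet.corp.test /index.html
"""

# Indicators taken from the report: the fixed resource path and the request order.
RESOURCE_PATTERN = "/Image/*.png"
CHAIN = ("/favicon.ico", "/blocked.html")

# Assumptions for this example: hosts the organization has already vetted, and how
# close together the chain's requests must be to count as one redirect sequence.
KNOWN_GOOD_HOSTS = {"intranet.corp.test"}
WINDOW = timedelta(seconds=30)


def parse_log(text):
    """Turn the whitespace-separated log text into (time, client, host, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split()
        events.append((datetime.fromisoformat(ts), client, host, path))
    return events


def find_alerts(events, known_good=KNOWN_GOOD_HOSTS):
    """Return one alert per (client, host) pair whose traffic matches the indicators."""
    sessions = defaultdict(list)
    for ts, client, host, path in events:
        sessions[(client, host)].append((ts, path))

    alerts = []
    for (client, host), requests in sessions.items():
        if host in known_good:
            continue  # vetted hosts are not candidates for this check
        requests.sort()
        paths = [p for _, p in requests]
        reasons = []

        # /favicon.ico, then /blocked.html, then a third request (the content),
        # all from the same client to the same host inside WINDOW.
        for i in range(len(requests) - 2):
            if (paths[i], paths[i + 1]) == CHAIN and requests[i + 2][0] - requests[i][0] <= WINDOW:
                reasons.append(f"request chain /favicon.ico -> /blocked.html -> {paths[i + 2]}")
                break

        if any(fnmatch.fnmatch(p, RESOURCE_PATTERN) for p in paths):
            reasons.append("fixed resource path matching /Image/*.png")

        if reasons:
            alerts.append({"client": client, "host": host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert["client"], alert["host"], "; ".join(alert["reasons"]))
```

The check keys on the ordered chain rather than on any single path, because /favicon.ico on its own is requested by every browser; grouping by client and host and requiring the three requests within one short window is what separates the campaign's sequence from ordinary traffic. Hosts the organization already trusts are skipped so the rule can run broadly without flagging internal sites that happen to serve a /blocked.html page.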
Security teams are advised to closely monitor for RMM tool installations that occur outside of approved IT workflows. Outbound connections to RMM platforms that have not been explicitly authorized by the organization should be reviewed and restricted.
Flagging CAPTCHA-based redirect chains linked to unfamiliar domains, and watching for web request sequences that match known phishing patterns, can help teams catch this activity before it reaches the credential harvesting or remote access stage.
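For the RMM recommendations above, a minimal review of endpoint telemetry against an allowlist of what the organization actually deploys. This is an added example, not the report's code or any product's rule; the event format, account names, hostnames, executable names and the substring-based product matching are assumptions for illustration, and only the product names ScreenConnect, ITarian and Datto RMM come from the page.

```python
# Constructed policy for this example: the one RMM product IT actually deploys,
# the account allowed to install it, and the relay host it is allowed to reach.
APPROVED_RMM_PRODUCTS = {"Datto RMM"}
APPROVED_INSTALL_ACCOUNTS = {"CORP\\svc-deploy"}
APPROVED_RMM_HOSTS = {"rmm-relay.corp.test"}

# The products named in the report, matched case-insensitively by a substring of the
# executable name. This is an assumption for the example; a production rule would
# key on code-signing identity or file hashes rather than names.
RMM_PRODUCT_TOKENS = {
    "ScreenConnect": "screenconnect",
    "ITarian": "itarian",
    "Datto RMM": "datto",
}

# Constructed endpoint telemetry: process starts and outbound connections.
# Paths, users, file names and hosts are placeholders.
SAMPLE_EVENTS = [
    {"kind": "process", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\ScreenConnect.Setup.exe"},
    {"kind": "process", "user": "CORP\\svc-deploy",
     "image": "C:\\Deploy\\DattoRMMAgent.exe"},
    {"kind": "process", "user": "CORP\\asmith",
     "image": "C:\\Users\\asmith\\Downloads\\DattoRMMAgent.exe"},
    {"kind": "network", "user": "CORP\\jdoe",
     "process": "ScreenConnect.Client.exe", "host": "relay-9182.example"},
    {"kind": "network", "user": "SYSTEM",
     "process": "DattoRMMAgent.exe", "host": "rmm-relay.corp.test"},
]


def identify_rmm(executable):
    """Map an executable name or path to an RMM product, or None if it is not one."""
    lowered = executable.lower()
    for product, token in RMM_PRODUCT_TOKENS.items():
        if token in lowered:
            return product
    return None


def review_events(events,
                  approved_products=APPROVED_RMM_PRODUCTS,
                  approved_accounts=APPROVED_INSTALL_ACCOUNTS,
                  approved_hosts=APPROVED_RMM_HOSTS):
    """Return findings for RMM installs outside the approved workflow and for
    RMM processes talking to hosts the organization has not authorized."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            product = identify_rmm(ev["image"])
            if product is None:
                continue
            if product not in approved_products:
                findings.append({"event": ev,
                                 "reason": f"{product} is not an approved RMM product"})
            elif ev["user"] not in approved_accounts:
                findings.append({"event": ev,
                                 "reason": f"{product} installed by {ev['user']} "
                                           "outside the approved deployment workflow"})
        elif ev["kind"] == "network":
            product = identify_rmm(ev["process"])
            if product is None:
                continue
            if ev["host"] not in approved_hosts:
                findings.append({"event": ev,
                                 "reason": f"{product} connecting to unauthorized host {ev['host']}"})
    return findings


if __name__ == "__main__":
    for finding in review_events(SAMPLE_EVENTS):
        print(finding["reason"])
```

Two separate conditions matter here. A product the organization never bought is a finding on sight, but even the sanctioned product is a finding when a regular user account runs its installer from a Downloads folder, since that is exactly how the automatic download in this campaign would land. On the network side the rule does not try to judge the remote host's reputation; it only asks whether the host is one the organization authorized, which is the review-and-restrict stance the text recommends.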