Phishing Campaigns Abuse Digital Invites and Fake Meeting Pages to Steal Credentials and Deploy RMM Tools
Threat actors are abusing the familiarity of digital invitation and meeting platforms to increase phishing success rates. Cofense reported malicious Punchbowl/Paperless Post-themed invitations that prompt recipients to “log in to view event details,” then redirect to phishing infrastructure offering branded sign-in options (e.g., Microsoft, Yahoo, AOL, Google, Dropbox) to harvest credentials. The phishing flow may solicit multiple credential sets by returning fake login errors and urging users to try alternate accounts; submitted credentials are exfiltrated to attacker-controlled domains, often leveraging newly registered domains to evade reputation-based defenses.
Separately, Netskope research (reported by KnowBe4) described fake video meeting invites for Zoom, Microsoft Teams, Google Meet, and similar services that lead to spoofed “join meeting” pages showing purported coworkers already on the call. Victims are instructed to install a required “update” to join; the payload is a digitally signed remote monitoring and management (RMM) tool such as Datto RMM, LogMeIn, or ScreenConnect, enabling remote access and potential follow-on activity including data theft or deployment of additional malware. The use of legitimate, signed RMM software can blend into normal enterprise traffic and may bypass controls where such tools are pre-approved.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Malwarebytes warns of Google Calendar invite subscription scam
Malwarebytes warned of a phishing campaign abusing Google Calendar invites to deliver fake subscription renewal notices with alarming charges. The scam directs victims to call a phone number, where operators try to obtain payment details, persuade them to install remote-access software, or send money.
Researchers report fake meeting invites delivering legitimate RMM tools
Netskope researchers documented a social-engineering campaign using spoofed Zoom, Microsoft Teams, and Google Meet invitations to trick users into downloading supposed meeting software updates. The downloaded payloads were legitimate signed RMM tools such as Datto RMM, LogMeIn, and ScreenConnect, giving attackers potential remote administrative access while blending into normal enterprise activity.
Researchers observe invite-themed credential phishing using fake Punchbowl pages
Cofense analyzed a phishing attack in which emails masquerading as digital event invitations redirected recipients to spoofed login pages styled after invitation services and common SSO providers. The campaign used fake login errors to coax victims into submitting multiple credential sets and exfiltrated the data to attacker-controlled infrastructure on newly registered disposable domains.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Scammers Abuse Calendar Invites to Plant Phony Subscription Notices
blog.knowbe4.com
Open sourcePunchbowl Phishing Attack Explained: How Digital Invites Are Used to Steal Credentials
cofense.com
Open sourceFake Video Meeting Invites Trick Users Into Installing RMM Tools
blog.knowbe4.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing Campaigns Delivering Malware via Disguised, Signed Installers and Malicious Attachments
Security researchers reported active phishing activity targeting enterprise users by impersonating routine workplace workflows (e.g., meeting invites, invoices, and document notifications) to trick recipients into running malware. One campaign used executables masquerading as *Microsoft Teams*, *Zoom*, and *Adobe Acrobat Reader* installers (e.g., `msteams.exe`, `zoomworkspace.clientsetup.exe`, `adobereader.exe`, `invite.exe`) that appeared trustworthy because they were **digitally signed** with an Extended Validation (EV) certificate issued to **TrustConnect Software PTY LTD**. Microsoft Defender telemetry attributed the activity to an unknown threat actor and assessed the approach as a deliberate, multi-wave effort designed to bypass user suspicion and basic security controls. After execution, the signed malware deployed **remote monitoring and management (RMM)** tooling—reported examples include **ScreenConnect**, **Tactical RMM**, and **Mesh Agent**—to establish persistent remote access and enable follow-on actions across affected environments. Separately, reporting also highlighted phishing lures distributing **malicious ISO attachments** embedded in job application/resumé-themed emails, reinforcing that attackers continue to rely on socially engineered business processes (recruiting and HR workflows in particular) to deliver initial payloads and gain a foothold.
Mar 21, 2026
Phishing Campaigns Weaponize Legitimate RMM Tools for Remote Access and Credential Theft
Threat researchers reported multiple phishing-driven intrusions in which attackers impersonate trusted brands and agencies to trick victims into installing legitimate remote monitoring and management (RMM) software for persistent access. In **Operation DoppelBrand**, financially motivated actor **GS7** spoofed Fortune 500 financial and technology brands (including **Wells Fargo** and **USAA**) using more than **150** lookalike domains to harvest credentials and exfiltrate data via attacker-controlled **Telegram bots**; researchers also identified nearly **200** additional domains with short registration terms, automated SSL, wildcard DNS, and brand-specific subdomains supporting the campaign. Separately, Forcepoint X-Labs described a wave of emails impersonating the **U.S. Social Security Administration** that delivers an attached `.cmd` script to weaken Windows defenses and enable silent installation of **ConnectWise ScreenConnect**. The script checks/elevates privileges, disables **Windows SmartScreen** via registry changes, removes **Mark-of-the-Web**, and uses **Alternate Data Streams (ADS)** for stealth before installing an MSI and configuring ScreenConnect (via `System.config`) to beacon to an attacker-controlled server (reported as `dof-connecttop` on port `8041`). Both activity sets highlight a recurring tradecraft pattern: **brand impersonation + scripted defense evasion + abuse of legitimate RMM tooling** (e.g., *LogMeIn Resolve*, *ScreenConnect*) to gain remote control and facilitate follow-on theft or persistence.
Mar 21, 2026
Spearphishing Campaigns Abuse PDF and Windows Screensaver Files to Install Legitimate RMM Tools
Threat actors have been observed using spearphishing lures and *non-traditional* attachment types—particularly Windows screensaver (`.scr`) executables—to trick users into running code that silently installs legitimate **remote monitoring and management (RMM)** agents (e.g., **SimpleHelp**). ReliaQuest research described business-themed filenames (e.g., `InvoiceDetails.scr`, `ProjectSummary.scr`) delivered via links hosted on legitimate cloud services (e.g., GoFile), with the `.scr` format helping bypass controls that don’t treat screensavers as executables. Once installed, the RMM tooling provides interactive remote access that can enable data theft, lateral movement, and follow-on payload deployment, including ransomware, while blending into normal IT administration traffic. Separately, researchers also reported a spam operation using **fake PDF attachments** that display an error message and redirect victims to a lookalike *Adobe Acrobat* download flow, but instead installs trusted, digitally signed RMM software to establish persistent access. A different phishing campaign used a multi-stage **PDF chain** hosted on reputable infrastructure (e.g., **Vercel Blob**) to redirect victims to a credential-harvesting page and exfiltrate stolen data via a **Telegram bot**, emphasizing how attackers are increasingly abusing high-reputation cloud platforms and document-based lures to evade email and web filtering (including scenarios where the initial email contains no malicious link and can pass SPF/DKIM/DMARC checks).
Mar 21, 2026