A new large-scale phishing campaign is targeting U.S. organizations with fake event invitations that lead to credential theft, OTP interception, or RMM tool installation.<\/p>\n\n\n\n
ANY.RUN<\/a> researchers found that the campaign uses a repeatable phishing framework to create event-themed lure pages at scale. Some pages steal email credentials and OTP codes, while others deliver legitimate remote management tools such as ScreenConnect, ITarian, Datto RMM, ConnectWise, and LogMeIn Rescue.<\/p>\n\n\n\n For CISOs, the risk is not just another phishing wave. It is the combination of credential theft, trusted remote access tools, and infrastructure designed to look legitimate. That mix can delay detection, stretch SOC triage, weaken response confidence, and create a path to remote access before the business fully understands what happened.<\/p>\n\n\n\n Most enterprise security programs are built to catch obvious signs of compromise: known malicious domains, suspicious payloads, credential abuse, or unauthorized remote access. This campaign creates a harder problem because the early stages can look like normal user behavior.<\/p>\n\n\n\n The attack starts with a CAPTCHA check and a fake event invitation. From there, it can lead to credential theft, OTP interception, or the installation of a legitimate RMM tool. Each step may look harmless inisolation, but together they create a path to account compromise or remote access.<\/p>\n\n\n\n For CISOs, the risk is clear: if the SOC only reacts after credentials are stolen or remote access is established, the organization is already behind the attack.<\/p>\n\n\n\n The outcome can be serious: <\/p>\n\n\n\nKey Takeaways<\/h2>\n\n\n\n
\n
\/Image\/*.png<\/code>, and requests to \/favicon.ico<\/code> and \/blocked.html<\/code> help connect related activity.<\/li>\n\n\n\nThe Phishing Blind Spot CISOs Need to Close <\/h2>\n\n\n\n
\n