Phishing Campaign Abuses eCards to Deploy RMM Tools

Written by

A six-month phishing operation has been tricking Windows and macOS users into installing legitimate remote monitoring and management (RMM) software through fake electronic greeting cards (eCards).

According to new research published by Forescout on July 14, the campaign, which it dubbed SeasonalInvite, has been active since at least January 2026 and was still serving payloads in late June.

Its defining trait is a rotating set of lures pegged to the calendar, moving from tax and Social Security themes in winter to Valentine's, Easter and spring invitations later on.

The researchers identified 959 domains used in phishing emails and poisoned search results. Victims were screened by a traffic distribution system (TDS) before reaching a page impersonating greeting card service BlueMountain, which displayed a loading animation and, after three seconds, automatically downloaded an operating-system-specific installer.

Read more on RMM abuse: New Phishing Campaign Abuses ConnectWise ScreenConnect to Take Over Devices

Legitimate Tools, Attacker Consoles

The investigation confirmed abuse of four commercially signed RMM products: ConnectWise ScreenConnect, LogMeIn Resolve, Kaseya and German tool O&O Syspectr. Because the installers were genuine and validly signed, they passed security checks that would flag conventional malware.

On Windows, batch and VBScript droppers fetched an installer and relaunched themselves to trigger a User Account Control (UAC) prompt, so the victim was asked to approve the privileged install rather than having it bypassed.

The macOS path split the delivery in two, pairing a signed Kaseya package with a separate config.data file that redirected enrollment to the attacker's server, abusing an unattended-deployment feature built for managed service providers.

Each landing page also quietly harvested the visitor's IP address, city and browser and posted them to a backend, giving the operator a record of everyone who reached the page.

Signs of an AI-Assembled Kit

The phishing pages carry indicators of AI-generated code, including emoji-prefixed task comments and references to combining a "first snippet" and "second snippet."

Forescout assessed the operator likely used a large language model (LLM) to stitch pieces of code into a single landing page with operating-system detection, Telegram-based reporting and animation logic, lowering the cost of producing fresh variants.

The TDS itself appears to be a larger, shared platform. A search for pages matching its gate-page fingerprint returned 2658 URLs, many appearing benign to automated scanners while quietly routing real users onward.

Because not all carried the SeasonalInvite fingerprint, Forescout suggested the system may serve several unrelated phishing operations at once. Microsoft separately documented overlapping infrastructure in March, when the same operation leaned on tax-themed lures.

Forescout urged organizations to keep an approved inventory of RMM tools and alert on any others, harden email filtering against seasonal themes and train staff that a genuine eCard should never require installing remote support software or approving an elevation prompt.

What’s Hot on Infosecurity Magazine?