Skip to main content
Emerging ThreatsMalware & Ransomware

Phishing Campaign Exploits eCards to Deploy Legitimate RMM Tools

A typical office cubicle with a laptop and stack of blank greeting cards on the desk.

959 domains were used to deliver fake electronic greeting cards that quietly installed legitimate remote monitoring and management (RMM) software, according to new research published by Forescout on July 14.

Timeline and scale of the SeasonalInvite operation

Forescout dubbed the six‑month phishing campaign SeasonalInvite and reported it had been active since at least January 2026, with payloads still being served in late June. The researchers identified 959 domains used in phishing emails and in poisoned search results; those domains routed victims through a traffic distribution system (TDS) to campaign landing pages.

How the eCard lure turned into an installer

The campaign used landing pages that impersonated the greeting‑card service BlueMountain. Each page displayed a loading animation and, after three seconds, automatically downloaded an operating‑system‑specific installer. Because the installers were genuine and commercially signed, they passed typical security checks that would flag conventional malware.

On Windows, the delivery used batch and VBScript droppers that fetched an installer and relaunched themselves to trigger a User Account Control (UAC) prompt — asking the victim to approve a privileged install rather than silently bypassing protections. The macOS delivery paired a signed Kaseya package with a separate config.data file that redirected enrollment to the operator’s server, abusing an unattended‑deployment feature intended for managed service providers.

Forescout confirmed abuse of four commercially signed RMM products: ConnectWise ScreenConnect, LogMeIn Resolve, Kaseya and German tool O&O Syspectr.

Data collection, attacker consoles, and shared infrastructure

Each landing page quietly harvested the visitor’s IP address, city and browser and posted those details to a backend, giving the operator a record of everyone who reached the page. The attackers redirected enrollment for legitimate RMM tools to attacker‑controlled consoles, effectively turning valid remote‑support software into a foothold for follow‑on access.

The TDS used to screen visitors appears to be a larger, shared platform: a search for pages matching its gate‑page fingerprint returned 2,658 URLs, many of which appeared benign to automated scanners while routing real users onward. Because not all the pages carried the SeasonalInvite fingerprint, Forescout suggested the system may serve several unrelated phishing operations simultaneously. Microsoft separately documented overlapping infrastructure in March when the same operation leaned on tax‑themed lures.

Signs the kit was assembled with an LLM

Forescout observed indicators suggesting the landing pages were stitched together with a large language model. The pages contained emoji‑prefixed task comments and references to combining a "first snippet" and "second snippet." The firm assessed the operator likely used an LLM to combine pieces of code into a single landing page with operating‑system detection, Telegram‑based reporting and animation logic — a set of techniques that lowers the cost of producing fresh variants.

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: Forescout urged organizations to keep an approved inventory of RMM tools and to alert on any others. The combination of validly signed installers and redirected enrollment means defenders should look not just for malicious binaries but for unexpected enrollment targets and console activity.
  • Procurement and managed‑service buyers: The campaign abused an unattended‑deployment feature built for managed service providers; procurement leaders should account for the operational risks of remote‑management capabilities and ensure suppliers’ deployment controls are constrained to approved endpoints.
  • End users and staff: Forescout recommended hardening email filtering against seasonal themes and training staff that "a genuine eCard should never require installing remote support software or approving an elevation prompt."

SeasonalInvite exposes a practical, low‑cost approach: use calendar‑driven lures, valid vendor installers, and a shared distribution platform to turn everyday interactions into a channel for attacker consoles. Forescout’s findings leave a clear and narrow set of actions — maintain an RMM inventory, detect unexpected enrollments, and reinforce simple user guidance about eCards and elevation prompts — even as questions remain about who operates the shared TDS and how many unrelated campaigns it may serve.

Original report