Key Points
- Threat actors are leveraging the holiday season by impersonating legitimate party invitation services like Punchbowl to distribute remote monitoring and management (RMM) tools
- The campaign targets US businesses, predominantly in the Finance, Professional Services (Accounting, Legal) and Real Estate industries
- Links within these fake invitations redirect users through Google Sites and HubSpot to download ScreenConnect RMM client software
Campaign Overview
The Mimecast Threat Research team has identified an ongoing campaign exploiting the holiday season to distribute remote access tools disguised as holiday party invitations. Over 2,300 domains have been identified as targets, primarily in the United States, with a notable concentration in Australia. This technique builds on established patterns of impersonation of legitimate invitation services such as Evite and Punchbowl to deliver both credential phishing pages and malware. The current campaign represents an evolution of this tactic, specifically targeting the increased volume of corporate holiday event communications.
Attack Flow
The attack begins with emails sent from legitimate but compromised business email accounts, lending immediate credibility to the message. These compromised accounts often belong to trusted third-party service providers such as accounting firms, legal practices, or business consultants. Recipients receive what appears to be a genuine invitation to a holiday party or holiday event. The email contains a link purporting to provide event details or RSVP options.
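One way to hunt for the redirect chain listed in the key points, as an added example that is not from the Mimecast report: it flags a ScreenConnect installer download that follows a visit to a Google Sites or HubSpot-hosted page by the same user within a short window. The hostname suffixes, installer filename pattern, sanctioned host and log layout are assumptions to replace with values from your own telemetry.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumptions (not from the advisory): hostname suffixes for the two hosting
# services, the installer filename pattern, and the "time user url" log layout.
REDIRECTOR_SUFFIXES = ("sites.google.com", "hs-sites.com", "hubspotpagebuilder.com")
INSTALLER_RE = re.compile(r"screenconnect[^/]*\.(exe|msi)$", re.IGNORECASE)
APPROVED_RMM_HOSTS = {"support.corp.example"}  # hypothetical sanctioned instance
WINDOW = timedelta(minutes=10)

def host_matches(host, suffixes):
    # Match the suffix itself or a true subdomain, never a lookalike prefix.
    return any(host == s or host.endswith("." + s) for s in suffixes)

def find_rmm_drops(log_lines):
    """Return (user, redirector_host, download_url) for each installer fetch
    that follows a redirector visit by the same user within WINDOW."""
    last_redirect = {}  # user -> (timestamp, host)
    alerts = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        stamp, user, url = parts
        when = datetime.fromisoformat(stamp)
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host_matches(host, REDIRECTOR_SUFFIXES):
            last_redirect[user] = (when, host)
        elif INSTALLER_RE.search(parsed.path) and host not in APPROVED_RMM_HOSTS:
            seen = last_redirect.get(user)
            if seen and timedelta(0) <= when - seen[0] <= WINDOW:
                alerts.append((user, seen[1], url))
    return alerts

# Constructed sample proxy log (all hosts, users and times are made up).
SAMPLE_LOG = [
    "2025-12-02T09:14:05 alice https://sites.google.com/view/holiday-rsvp-example",
    "2025-12-02T09:14:20 alice https://party.hs-sites.com/invite",
    "2025-12-02T09:14:41 alice https://files.invalid/ScreenConnect.ClientSetup.msi",
    "2025-12-02T10:02:00 bob https://support.corp.example/ScreenConnect.ClientSetup.exe",
    "2025-12-02T11:30:00 carol https://sites.google.com/view/team-wiki",
    "2025-12-02T13:45:00 carol https://files.invalid/ScreenConnect.ClientSetup.exe",
]

if __name__ == "__main__":
    for alert in find_rmm_drops(SAMPLE_LOG):
        print(alert)
```

Because ScreenConnect is also used legitimately, the allowlist of sanctioned instance hosts keeps approved support sessions out of the results.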
Dimakatso Makinta