A large-scale phishing campaign is using fake event invitation links, CAPTCHA screens and spoofed login pages to steal email credentials, passwords and OTPs. Researchers say the attack targets banking, education, government, technology and healthcare sectors through highly convincing social engineering tactics.

Phishing Campaign Uses CAPTCHA Traps to Steal Login Credentials

The420 Correspondent

A large-scale cyberattack has been uncovered in which cybercriminals are stealing users’ email credentials and login information through fake event invitation links. The campaign, which has been observed across multiple countries including the United States, uses highly convincing social engineering techniques to trick users into believing they are accessing legitimate event pages.

The attack begins with what appears to be a normal event invitation message. When the user clicks the link, they are first shown a CAPTCHA verification screen, creating an illusion of legitimacy. After passing this step, a professionally designed event page opens, closely resembling a genuine website. At this stage, users are prompted to enter their email credentials, and in some cases, even one-time passwords (OTPs), which are silently captured by attackers.


Cybersecurity researchers report that the campaign was first identified through analysis conducted by security teams at ANY.RUN. The investigation revealed dozens of suspicious domains and hundreds of phishing links. Many of these domains were registered starting from December 2025 and continue to generate new phishing pages at scale, indicating an ongoing and evolving operation.

The primary targets of this attack include sectors such as education, banking, government institutions, technology companies, and healthcare organizations. These industries rely heavily on email communication and remote access systems, making them highly vulnerable to credential theft. Even a single compromised login can potentially expose entire organizational networks.

Two main attack techniques have been identified. In the first method, victims are redirected to a fake Google authentication page where both passwords and OTPs are harvested. In the second method, users are tricked into downloading legitimate remote management tools such as ScreenConnect, ConnectWise, LogMeIn, and similar software. Once installed, attackers gain full control over the victim’s system under the guise of legitimate administrative tools.

Security analysts have also identified common structural patterns in these phishing pages, including endpoints such as /blocked.html, /favicon.ico, and /Image/ directories. These consistent patterns make it possible to track and analyze related malicious domains. In some cases, signs of AI-generated content have also been observed, suggesting that attackers may be using automated tools to rapidly scale their operations.

The attack flow is designed to manipulate user behavior. After entering credentials once, victims are often shown an “incorrect password” message, prompting them to re-enter details. This results in multiple rounds of credential harvesting, increasing the attackers’ success rate. Once the OTP is entered, it is immediately transmitted to attacker-controlled servers, enabling full account takeover.

Cybersecurity expert and former IPS officer Prof. Triveni Singh stated, “Today’s cybercriminals rely more on social engineering than technical exploitation. Breaking user trust has become their most powerful weapon. Even simple messages like event invitations are now being weaponized into serious cyber threats.”

Experts strongly advise users not to click on unknown event invitation links, to always log in through official websites, and never share OTPs under any circumstances. Organizations are also being urged to strengthen their threat intelligence systems and deploy sandbox analysis tools to detect malicious activity before credentials are compromised.

This campaign highlights a growing trend in cybercrime where attackers are shifting from complex technical hacks to simpler yet highly effective psychological manipulation techniques. Instead of breaking systems, they are increasingly targeting human behavior and trust.

Security professionals further emphasize that identifying such attacks requires attention to subtle technical indicators. These include suspicious domain names, irregular HTTPS certificates, and repeated password requests on login pages. Organizations are also encouraged to implement multi-factor authentication across email systems and thoroughly verify URLs before opening any external links.

In addition, security teams are advised to monitor traffic patterns involving suspicious endpoints such as /blocked.html and /Image/ structures, which have been consistently linked to this phishing campaign. Early detection of such indicators can significantly reduce the risk of large-scale data breaches and financial losses.
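One way a security team could act on the indicators the article describes (the /blocked.html and /Image/ path pattern, plus the repeated credential-submission rounds) is a small log triage script. The following is an added example written for this article, not code from the article or from ANY.RUN; it assumes a constructed, simplified proxy log format and constructed domain names that are not real indicators.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not real traffic or real indicators).
# Format assumed here: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2026-01-14T09:01:02Z 10.0.0.12 GET https://invite-event.example/blocked.html 200
2026-01-14T09:01:03Z 10.0.0.12 GET https://invite-event.example/favicon.ico 200
2026-01-14T09:01:05Z 10.0.0.12 GET https://invite-event.example/Image/logo.png 200
2026-01-14T09:01:40Z 10.0.0.12 POST https://invite-event.example/login 200
2026-01-14T09:02:10Z 10.0.0.12 POST https://invite-event.example/login 200
2026-01-14T09:03:00Z 10.0.0.30 GET https://intranet.example/Image/banner.png 200
2026-01-14T09:03:05Z 10.0.0.30 GET https://intranet.example/favicon.ico 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (https?://)([^/\s]+)(/\S*) (\d{3})$")

# Path patterns the article reports as consistent across the campaign's pages.
# /favicon.ico is deliberately not scored: nearly every site serves one.
BLOCKED_RE = re.compile(r"^/blocked\.html$", re.IGNORECASE)
IMAGE_DIR_RE = re.compile(r"^/Image/", re.IGNORECASE)

def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, _scheme, host, path, _status = m.groups()
        events.append({"ts": ts, "client": client, "method": method,
                       "host": host, "path": path})
    return events

def score_hosts(events):
    """Per host, collect reasons: blocked.html seen, /Image/ path seen,
    and repeated POSTs from one client (the 'incorrect password' re-entry loop)."""
    per_host = defaultdict(lambda: {"blocked": False, "image": False,
                                    "posts": defaultdict(int)})
    for e in events:
        h = per_host[e["host"]]
        if BLOCKED_RE.match(e["path"]):
            h["blocked"] = True
        if IMAGE_DIR_RE.match(e["path"]):
            h["image"] = True
        if e["method"] == "POST":
            h["posts"][e["client"]] += 1
    results = {}
    for host, h in per_host.items():
        reasons = []
        if h["blocked"]:
            reasons.append("blocked.html")
        if h["image"]:
            reasons.append("Image dir")
        if any(n >= 2 for n in h["posts"].values()):
            reasons.append("repeated POST")
        results[host] = reasons
    return results

def flagged_hosts(text, min_reasons=2):
    """Return only hosts matching at least min_reasons indicators, to avoid
    flagging ordinary sites that merely have an /Image/ directory."""
    return {h: r for h, r in score_hosts(parse_log(text)).items()
            if len(r) >= min_reasons}
```

Requiring two or more indicators keeps a legitimate internal site with an /Image/ directory out of the alert queue while still surfacing a host that shows the full pattern.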

The ongoing campaign serves as a reminder that cyber threats are becoming more sophisticated, not necessarily through advanced hacking techniques, but through increasingly convincing deception strategies. Awareness, caution, and strict verification remain the most effective defenses against such attacks.
