Phishing Operation Targets Users with Fake eCards: A Six-Month Scheme Exposed
A recent investigation has uncovered a sophisticated six-month phishing operation that has been deceiving Windows and macOS users into unwittingly installing legitimate remote monitoring and management (RMM) software under the guise of fake electronic greeting cards (eCards). The campaign, identified by researchers at Forescout and dubbed "SeasonalInvite," has reportedly been active since at least January 2026, with evidence of its continued operation extending into late June.
Seasonal Phishing Tactics
The SeasonalInvite campaign has developed a complex series of tactics based on the calendar, shifting its lures to align with various seasonal events. Initially, it leveraged themes associated with tax season and Social Security during the winter months. As spring approached, the phishing tactics evolved to incorporate Valentine’s Day and Easter-themed invitations, making it appear more relevant and appealing to potential victims.
Forescout’s research highlighted the extensive scale of this operation, revealing that it utilized an astounding 959 different domains in phishing emails and manipulated search results to enhance its reach. Victims were guided through a traffic distribution system (TDS) that screened users before redirecting them to a landing page designed to impersonate the legitimate greeting card service, BlueMountain. On these pages, a deceptive loading animation accompanied an automatic download of an installer specific to the victim’s operating system after just three seconds of waiting.
Abuse of Legitimate Tools
The ruse was particularly insidious because the installed software was not malware in the traditional sense; rather, it involved legitimate RMM products, which had been commercially signed. The investigators confirmed that the operation exploited four such products: ConnectWise ScreenConnect, LogMeIn Resolve, Kaseya, and the German tool O&O Syspectr. Since these installers were genuine and possessed valid signatures, they were able to pass through security measures that typically flag malicious content.
On Windows systems, the attackers employed batch and VBScript droppers that not only downloaded an installer but also relaunched themselves to trigger a User Account Control (UAC) prompt. This tactic effectively coerced users into approving the installation of the software, making it seem legitimate rather than malicious. In contrast, macOS users faced a more complex delivery system, where a signed Kaseya package was accompanied by a separate configuration file that redirected services to the attackers’ server, exploiting an unattended deployment feature meant for managed service providers.
Data Harvesting and AI Indicators
Each phishing landing page was engineered to gather vital user data quietly. The pages collected information such as the visitor’s IP address, city, and browser, sending this data to a backend system that maintained a record of everyone who accessed the page. Such information could be instrumental in refining subsequent phishing strategies or targeting future campaigns.
Interestingly, some signs suggested that AI technologies may have been incorporated into the operation. The phishing pages exhibited characteristics often associated with AI-generated code, including the use of emoji-prefixed comments and references to assembling snippets of code. Forescout speculated that the operators likely leveraged large language models (LLMs) to efficiently combine multiple code components into a cohesive landing page equipped with OS detection and reporting functionalities via Telegram.
The structure of the TDS itself also hinted at a broader, shared platform being utilized, as a search identified over 2,658 URLs matching its gate-page fingerprint. Many of these pages appeared benign to automated scanning tools while covertly redirecting unsuspecting users. Moreover, Forescout noted that not all the URLs carried the SeasonalInvite branding, suggesting the possibility of a broader phishing ecosystem utilizing the same infrastructure. Microsoft had similarly documented overlapping phishing tactics based on tax themes in March 2026.
Recommendations for Organizations
Given the severity of this ongoing phishing threat, Forescout urges organizations to take proactive measures to mitigate risks. They recommend maintaining a verified inventory of RMM tools and implementing alerts for any unauthorized software. Organizations are also advised to enhance email filtering processes, particularly around seasonal themes, and to educate staff members. Employees should be trained to recognize that legitimate eCards will never necessitate the installation of remote support software or require approving an elevation prompt for installation.
This phishing campaign underscores the evolving nature of cyber threats and the creative strategies employed by malicious actors, making vigilance and education essential components of organizational cybersecurity practices.

