Anatomy of the Attack
A targeted phishing campaign is actively hitting U.S. organizations by impersonating event invitations. Since December 2025, threat actors have deployed a consistent attack chain that begins with a CAPTCHA check, often using Cloudflare, to appear legitimate. Victims then see a realistic invitation page that prompts them to sign in, which either harvests their credentials or leads to a download of remote access tools. The process is designed to put users at ease before the malicious request appears.
Scale and Targets
The campaign relies on a single, repeatable phishing framework to generate lure sites at scale. As of late April 2026, researchers had identified roughly 160 suspicious links and 80 phishing domains, mostly registered under the .de top-level domain with names referencing parties and celebrations. The sectors most affected include Education, Banking, Government, Technology, and Healthcare. These industries rely heavily on email and remote administration, making them prime targets. Researchers at ANY.RUN noted that some page elements suggest AI-assisted content generation, allowing attackers to rapidly spin up new lure pages.
Infrastructure Tracing
Despite the scale of the operation, the shared infrastructure leaves detectable patterns. All observed sessions follow the same structure: a CAPTCHA step, a fake invitation page, and then either a credential theft form or a remote tool download. This consistency helps security teams connect related activity across multiple domains. The operation demonstrates how a simple, well-designed lure can be automated to target critical sectors at scale, with infections potentially leading to stolen inboxes, intercepted verification codes, or persistent remote access inside an organization’s network.
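The fixed session structure described above can be used to link domains in proxy or sandbox telemetry. The following is an added example, not code from the source article or the researchers; the stage labels, the keyword list, and the sample domains are assumptions constructed for illustration.

```python
from collections import defaultdict

# Stage labels are hypothetical; map sandbox or proxy telemetry onto them.
CHAIN = ("captcha", "invitation")
FINAL = {"credential_form", "remote_tool_download"}
# Assumed keyword list for party/celebration-themed names; tune locally.
THEME_WORDS = ("party", "celebrat", "fest", "invite")

def matches_chain(stages):
    """True if stages hold captcha -> invitation -> a final stage, in order."""
    pos = 0
    for stage in stages:
        if pos < len(CHAIN):
            if stage == CHAIN[pos]:
                pos += 1
        elif stage in FINAL:
            return True
    return False

def lexical_score(domain):
    """Weak signals reported for this campaign: .de TLD, celebration theme."""
    d = domain.lower().rstrip(".")
    return int(d.endswith(".de")) + int(any(w in d for w in THEME_WORDS))

def cluster_sessions(sessions):
    """Return {domain: summary} for domains whose sessions follow the chain."""
    hits = defaultdict(lambda: {"sessions": 0, "outcomes": set(), "lexical": 0})
    for domain, stages in sessions:
        if not matches_chain(stages):
            continue  # a CAPTCHA alone is common on benign sites
        entry = hits[domain]
        entry["sessions"] += 1
        entry["outcomes"].update(s for s in stages if s in FINAL)
        entry["lexical"] = lexical_score(domain)
    return dict(hits)

# Constructed sample sessions; the domain names are placeholders, not IoCs.
SAMPLE = [
    ("constructed-party-a.de", ["captcha", "invitation", "credential_form"]),
    ("constructed-party-a.de", ["captcha", "invitation", "remote_tool_download"]),
    ("constructed-fest-b.de", ["captcha", "invitation", "remote_tool_download"]),
    ("intranet.example", ["captcha", "login"]),
]

if __name__ == "__main__":
    for domain, info in sorted(cluster_sessions(SAMPLE).items()):
        print(domain, info["sessions"], sorted(info["outcomes"]), info["lexical"])
```

The behavioural chain is the primary signal; the lexical score only helps rank matches, since a .de domain with a festive name is not suspicious on its own.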
Source: Cyber Security News
