New Phishing Campaign Targets US with Credential Theft: What CISOs Need to Know
ID: 65c2f040-59a1-55f0-bb04-f957bd8aac67
STIX ID: report--65c2f040-59a1-55f0-bb04-f957bd8aac67
Feed Name: ANY.RUN's Cybersecurity Blog
ANY.RUN researchers identified a large-scale phishing campaign targeting U.S. organizations. It uses fake event invitation pages, preceded by CAPTCHA checks, to either harvest email credentials and one-time passcodes (OTPs) or to deliver legitimate remote management tools (ScreenConnect, ITarian, Datto RMM, ConnectWise, LogMeIn Rescue). The campaign relies on repeatable infrastructure and consistent URL/resource patterns (e.g., /Image/*.png, /favicon.ico, /blocked.html, and endpoints such as processmail.php, process.php, pass.php, mlog.php, check_telegram_updates.php), which lets the operators deploy broadly and quickly across ~160 suspicious links and ~80 domains. The mix of credential theft and RMM delivery increases the risk of delayed detection and of rapid unauthorized access.
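The reused path and handler names listed above are exactly what a defender can pivot on in web-proxy or DNS logs. The following is an added example (not ANY.RUN's code or tooling) that scores destination hosts by how many of the reported patterns a client touched: a hit on one of the reused PHP handlers is strong evidence on its own, while /favicon.ico, /blocked.html and /Image/*.png are common enough on benign sites that they only count in combination. The log format, the hostnames (example.test), the client IPs and the scoring weights are constructed for the example; only the path patterns come from the summary.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Backend handler names the summary reports the campaign reusing across its pages.
PHP_ENDPOINTS = frozenset({
    "processmail.php", "process.php", "pass.php", "mlog.php", "check_telegram_updates.php",
})
# Static resources the pages share; also common on benign sites, so only weak evidence.
WEAK_RESOURCES = frozenset({"/favicon.ico", "/blocked.html"})
# /Image/*.png as reported; case-insensitive to tolerate differently cased hosting.
IMAGE_DIR_RE = re.compile(r"^/Image/[^/]+\.png$", re.IGNORECASE)

# Constructed proxy-log format for this example: "<timestamp> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

ENDPOINT_WEIGHT = 3   # assumed weight: one reused handler name is enough to alert
WEAK_WEIGHT = 1       # assumed weight: static resources matter only in combination
ALERT_THRESHOLD = 3

# Constructed sample traffic: one client walking a suspected invitation page,
# one client on an intranet site that happens to serve /favicon.ico and /Image/*.png.
SAMPLE_LOG = [
    "2000-01-01T10:00:00Z 10.0.0.5 GET https://invite.example.test/Image/logo.png 200",
    "2000-01-01T10:00:01Z 10.0.0.5 GET https://invite.example.test/favicon.ico 200",
    "2000-01-01T10:00:09Z 10.0.0.5 POST https://invite.example.test/processmail.php 200",
    "2000-01-01T10:00:10Z 10.0.0.5 POST https://invite.example.test/pass.php 200",
    "2000-01-01T10:05:00Z 10.0.0.7 GET https://intranet.example.test/favicon.ico 200",
    "2000-01-01T10:05:01Z 10.0.0.7 GET https://intranet.example.test/Image/banner.png 200",
    "2000-01-01T10:06:00Z 10.0.0.8 GET https://www.example.test/index.html 200",
    "malformed line that the parser must skip",
]


@dataclass
class HostEvidence:
    endpoints: set = field(default_factory=set)   # distinct reused handler names seen
    weak_hits: set = field(default_factory=set)   # distinct weak resource patterns seen
    client_ips: set = field(default_factory=set)  # who talked to the host (for triage)

    def score(self) -> int:
        return ENDPOINT_WEIGHT * len(self.endpoints) + WEAK_WEIGHT * len(self.weak_hits)


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_path(path: str) -> Optional[tuple[str, str]]:
    """Return ("endpoint", name) or ("weak", label) when the path matches a reported pattern."""
    name = path.rsplit("/", 1)[-1].lower()
    if name in PHP_ENDPOINTS:
        return ("endpoint", name)
    if path in WEAK_RESOURCES:
        return ("weak", path)
    if IMAGE_DIR_RE.match(path):
        return ("weak", "/Image/*.png")
    return None


def score_hosts(lines) -> dict[str, HostEvidence]:
    """Aggregate pattern hits per destination host across a batch of log lines."""
    hosts: dict[str, HostEvidence] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        hit = classify_path(parts.path)
        if hit is None:
            continue
        ev = hosts.setdefault(parts.hostname or "", HostEvidence())
        kind, label = hit
        (ev.endpoints if kind == "endpoint" else ev.weak_hits).add(label)
        ev.client_ips.add(rec["ip"])
    return hosts


def flag_hosts(lines, threshold: int = ALERT_THRESHOLD) -> list[str]:
    """Hosts whose combined evidence reaches the alert threshold, sorted for stable output."""
    return sorted(h for h, ev in score_hosts(lines).items() if ev.score() >= threshold)


if __name__ == "__main__":
    for host, ev in score_hosts(SAMPLE_LOG).items():
        print(f"{host}: score={ev.score()} endpoints={sorted(ev.endpoints)} "
              f"weak={sorted(ev.weak_hits)} clients={sorted(ev.client_ips)}")
    print("alert:", flag_hosts(SAMPLE_LOG))
```

Running it flags only invite.example.test: two reused handler names plus two weak resources give a score of 8, while the intranet host scores 2 from the weak patterns alone and stays below the threshold. The per-host evidence (which handlers, which clients) is what an analyst needs to decide whether the client that posted to pass.php also received one of the RMM installers the summary mentions.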
