New research from Forescout has uncovered a sophisticated phishing campaign that uses fake seasonal eCard invitations to trick victims into installing legitimate remote management software, giving attackers long-term access to compromised devices.
The campaign, dubbed SeasonalInvite by Forescout Research’s Vedere Labs, has been active since at least January 2026 and demonstrates how cybercriminals are increasingly combining social engineering, trusted enterprise software, and AI assisted development techniques to evade traditional security defences.
The full research is available here: SeasonalInvite research
Fake eCards lure victims
According to the report, the attackers use phishing emails disguised as seasonal eCard invitations to persuade users to install legitimate Remote Monitoring and Management (RMM) tools.
Rather than deploying traditional malware, the campaign abuses commercially available software that is commonly used by IT administrators for remote support. Once installed, the tools provide attackers with persistent remote access to compromised systems.
The campaign targets both Windows and macOS users.
During its investigation, Forescout confirmed the abuse of four legitimate RMM platforms:
- ConnectWise ScreenConnect
- LogMeIn Resolve
- Kaseya
- O&O Syspectr
Because these applications are widely trusted within enterprise environments, they are less likely to trigger traditional security controls.
Hundreds of phishing domains identified
Researchers identified a large infrastructure supporting the campaign, including 959 domains themed around electronic greeting cards.
The attackers also operated a sophisticated Traffic Distribution System (TDS) consisting of 2,658 gate pages. The infrastructure was designed to direct legitimate victims to phishing websites while preventing automated security scanners from detecting malicious content.
According to Forescout, this approach makes the campaign significantly harder for security researchers and automated detection systems to identify.
Evidence points to AI generated phishing pages
One of the report’s most notable findings is evidence suggesting the phishing kit itself was created with the assistance of artificial intelligence.
Researchers found indicators that the phishing pages contained AI generated code, leading them to believe the threat actor used a large language model to build delivery pages and quickly adapt the campaign over time.
The findings reflect a growing trend of cybercriminals using AI to accelerate phishing operations, reduce development time, and rapidly generate convincing attack infrastructure.
Trusted software becomes the attack vector
Forescout said SeasonalInvite demonstrates how attackers are shifting away from custom malware in favour of abusing legitimate enterprise tools that organisations already trust.
By combining social engineering with legitimate remote management software and AI assisted development, threat actors can bypass many traditional endpoint security controls while maintaining long-term access to victim devices.
The researchers warn that organisations should not rely solely on malware detection to identify these attacks. Instead, they recommend monitoring for the unauthorised installation and use of remote management tools, strengthening phishing awareness training, and implementing controls that can detect suspicious behaviour rather than simply malicious files.
As attackers continue to refine their techniques, campaigns like SeasonalInvite highlight how trusted software and artificial intelligence are becoming powerful tools in the modern cybercriminal’s arsenal.




