New Phishing Campaign Targets US with Credential Theft: What CISOs Need to Know

MITRE Techniques

• [T1598.003 ] Phishing: Spearphishing Link – Victims are directed to fake event invitation pages through suspicious links that begin the attack chain (‘fake event invitation pages as the main lure’).
• [T1056.003 ] Input Capture: Web Portal Capture – The phishing pages collect entered email addresses, passwords, and OTP codes through login and submission forms (‘the page sends a POST request… submitting the email address and password’ and ‘submitting the OTP code’).
• [T1105 ] Ingress Tool Transfer – The campaign delivers remote management tools to the victim system via automatic or user-initiated downloads (‘deliver legitimate remote management tools such as ScreenConnect, ITarian, Datto RMM, ConnectWise, and LogMeIn Rescue’).
• [T1219 ] Remote Access Software – Legitimate RMM products are installed to provide the attacker with trusted remote control or access (‘delivery of remote management tools’ and ‘remote access tool running inside the environment’).
• [T1036 ] Masquerading – The infrastructure and pages imitate legitimate services and event-related content to appear trustworthy (‘fake event invitation’, ‘disguised as a Google authorization form’, and infrastructure designed to look legitimate’).
• [T1566.002 ] Phishing: Spearphishing Link – The campaign uses lure pages and service-selection flows to trick users into credential submission (‘the user is shown an event invitation message and prompted to sign in’).
• [T1110.001 ] Brute Force: Password Guessing – The page prompts a second password entry after an intentional ‘Incorrect Password’ message, capturing another attempt (‘After the first password entry, the page always displays an “Incorrect Password” message’).