Holiday Party Invitations Deliver Remote Access Tools
5 December 2025
By Hiwot Mendahun, Ankit Gupta and the Mimecast Threat Research Team
- Threat actors are leveraging the holiday season by impersonating legitimate party invitation services like Punchbowl to distribute remote monitoring and management (RMM) tools
- Targeting US businesses predominantly in the Finance, Professional Services (Accounting, Legal) and Real Estate industries
- Links within these fake invitations redirect users through Google Sites and HubSpot to download ScreenConnect RMM client software
Campaign Overview
The Mimecast Threat Research team has identified an ongoing campaign exploiting the holiday season to distribute remote access tools disguised as holiday party invitations, with over 2,300 domains identified as targets primarily in the United States with notable concentration in Australia. This technique builds on established patterns of impersonation of legitimate invitation services such as Evite and Punchbowl to deliver both credential phishing pages and malware. The current campaign represents an evolution of this tactic, specifically targeting the increased volume of corporate holiday event communications.
Attack Flow
The attack begins with emails sent from legitimate but compromised business email accounts, lending immediate credibility to the message. These compromised accounts often belong to trusted third-party service providers such as accounting firms, legal practices, or business consultants. Recipients receive what appears to be a genuine invitation to a holiday party or holiday event. The email contains a link purporting to provide event details or RSVP options.
When clicked, the link initiates a multi-stage redirection chain designed to evade detection. In some campaigns we see users redirected through Google Sites or HubSpot's engagement service, further obscuring the malicious destination. In other campaigns we see a landing page which instructs the user to click a "Download File" button, which initiates the download. The final landing pages host ScreenConnect RMM client installers masquerading as party invitation downloads.
Why RMM Tools Are Dangerous
Unlike traditional malware, ScreenConnect is a legitimate remote administration tool used by IT professionals for system management. However, when deployed by threat actors, it provides persistent remote access that often appears benign to security tools, particularly in mid-market organizations (500-5,000 employees) which often lack enterprise-grade detection capabilities. Once installed, attackers can:
- Execute commands with administrative privileges
- Exfiltrate sensitive data including credentials, financial information and intellectual property
- Deploy additional malware or ransomware
- Move laterally across the network to compromise additional systems
- Maintain long-term access for future attacks
- Exploit trusted vendor relationships to move to client organizations, enabling supply chain compromises
Mimecast Protection
Mimecast provides multiple layers of defence against these holiday-themed social engineering attacks:
IOCs
File Names:
- Christmas_Invite_from_Bluewep
- ScreenConnect.ClientSetup
- CHRISTMAS_BUNDLE_AGENT_468181_V10_14_4_RW.MSI
File Hashes (SHA256):
- FE5AA50D5DED1FF44138D6125188F531EF9DF1FCB64374EEB90A33E95941585C
- 5E3DEA219DD75763719D82DE99136318F0D224608EC310E5372010EFF6FF0D67
- ee5b6da2a0a0ce53dd8a2542fd68aadf99920746bec57805b95447482c524916
URLs:
- hxxp://sites.google.com/view/party-invite-download-e-card/home
- dxmc1w04.na2.hs-service-engage[.]com
- hxxps://rac[.]am/MINE
- hxxps://stashie-co[.]com/
Targets
Mid-market organizations (500-5,000 employees) in the United States (83% of targets) and Australia (4%), predominantly in Finance, Professional Services (Accounting, Legal), Real Estate/Mortgage, Healthcare and Government sectors.
Recommendations
User Security Awareness
- Educate users: Remind employees to verify unexpected party invitations through secondary channels, especially when they contain download links. Emphasize that legitimate corporate event invitations typically don't require software downloads. Organizations should be particularly vigilant during year-end periods when financial transaction volumes increase and staffing may be reduced
Proactive Threat Hunting
- URL log analysis: Search URL logs for technical indicators associated with these campaigns
- Implement monitoring with a focus on accounts with external business relationships, particularly those in accounting, legal, and financial advisory services which are disproportionately targeted
Control RMM Tool Deployment
- Establish application allow-listing policies to prevent unauthorized remote access tool installation
- If ScreenConnect or similar RMM tools are used legitimately, ensure only IT-approved versions can be deployed through controlled channels
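The two hunting steps above (searching URL logs for the campaign's indicators, and checking downloaded installers against the published file names and hashes) can be scripted. The following is an added example written for this article, not Mimecast tooling or code from the report: it refangs the IOCs exactly as published above, matches proxy URL log lines against them (a bare host flags any request to that host; a full URL flags only requests whose path falls under the indicator's path, so unrelated Google Sites pages are not flagged), and checks a file name and SHA256 against the file indicators. The log line format and the sample log lines are constructed for illustration and are not from the report.

```python
"""Hunt proxy URL logs and downloaded-file records for the indicators listed
in this report. Added example, not Mimecast tooling. The log format and the
sample lines below are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Indicators taken from the report, kept in their published defanged form.
IOC_URLS = [
    "hxxp://sites.google.com/view/party-invite-download-e-card/home",
    "dxmc1w04.na2.hs-service-engage[.]com",
    "hxxps://rac[.]am/MINE",
    "hxxps://stashie-co[.]com/",
]
IOC_SHA256 = {
    "FE5AA50D5DED1FF44138D6125188F531EF9DF1FCB64374EEB90A33E95941585C",
    "5E3DEA219DD75763719D82DE99136318F0D224608EC310E5372010EFF6FF0D67",
    "ee5b6da2a0a0ce53dd8a2542fd68aadf99920746bec57805b95447482c524916",
}
IOC_SHA256_UPPER = {h.upper() for h in IOC_SHA256}
IOC_FILENAMES = [
    "Christmas_Invite_from_Bluewep",
    "ScreenConnect.ClientSetup",
    "CHRISTMAS_BUNDLE_AGENT_468181_V10_14_4_RW.MSI",
]


def refang(indicator: str) -> str:
    """Turn the published hxxp:// and [.] form back into a comparable URL/host."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", indicator, flags=re.IGNORECASE)
    return s.replace("[.]", ".")


def split_indicator(indicator: str):
    """Return (host, path); path is None for bare-host indicators."""
    s = refang(indicator)
    if "://" not in s:
        return s.lower(), None
    parts = urlsplit(s)
    return (parts.hostname or "").lower(), (parts.path.rstrip("/") or None)


IOC_HOSTS = [split_indicator(u) for u in IOC_URLS]


def match_url(url: str):
    """Return the published indicator a request URL matches, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/")
    for ioc, (ioc_host, ioc_path) in zip(IOC_URLS, IOC_HOSTS):
        if host != ioc_host:
            continue
        # Bare-host indicator: any request to the host is a hit. URL indicator:
        # only hit when the request path is the indicator path or under it.
        if ioc_path is None or path == ioc_path or path.startswith(ioc_path + "/"):
            return ioc
    return None


# Constructed log format: "<timestamp> user=<id> src=<ip> url=<request url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) url=(?P<url>\S+)")

# Constructed sample lines (not real traffic); only the user "jdoe" follows the chain.
SAMPLE_LOG = """\
2025-12-03T09:14:22Z user=jdoe src=10.1.2.3 url=https://www.example.com/holiday
2025-12-03T09:15:01Z user=jdoe src=10.1.2.3 url=http://sites.google.com/view/party-invite-download-e-card/home
2025-12-03T09:15:07Z user=jdoe src=10.1.2.3 url=https://dxmc1w04.na2.hs-service-engage.com/track?x=1
2025-12-03T09:16:40Z user=asmith src=10.1.2.9 url=https://sites.google.com/view/team-wiki/home
2025-12-03T09:17:03Z user=jdoe src=10.1.2.3 url=https://stashie-co.com/ScreenConnect.ClientSetup.exe
"""


def hunt_url_log(log_text: str):
    """Return one record per log line whose URL matches a published indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ioc = match_url(m["url"])
        if ioc:
            hits.append({"ts": m["ts"], "user": m["user"], "src": m["src"],
                         "url": m["url"], "indicator": ioc})
    return hits


def match_file(name: str, sha256: str):
    """Reasons a downloaded file matches the file indicators (name prefix or hash)."""
    reasons = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    for ioc_name in IOC_FILENAMES:
        if base.lower().startswith(ioc_name.lower()):
            reasons.append("filename:" + ioc_name)
    if sha256.upper() in IOC_SHA256_UPPER:
        reasons.append("sha256")
    return reasons


if __name__ == "__main__":
    for hit in hunt_url_log(SAMPLE_LOG):
        print(hit["ts"], hit["user"], hit["src"], "->", hit["indicator"])
    print(match_file("C:/Users/jdoe/Downloads/ScreenConnect.ClientSetup.exe", "0" * 64))
```

Run against real proxy or secure web gateway exports by adapting `LOG_LINE` to the export's field layout; the hits are grouped by user and source address so the same users can then be checked for a ScreenConnect installer download and for an unexpected RMM service on the endpoint.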