
Sep 2025: RSVP Lures

RSVP Lures Red Flags

Threat Alert: RSVP Lures

  • Threat actors leverage social event invites to coax end users into engaging with malicious materials.
  • The use of social events is notably different from the financial or service cancellation lures often seen in the threat landscape.

How is it used in the wild?

  • Threat actors create RSVP-themed messages, typically leveraging or impersonating legitimate event invitation platforms like Punchbowl.
  • Then they send the invitation, typically via freemail addresses, to intended targets.
  • The messages contain a link that leads to an executable that installs a range of remote access tools.
  • If installation is successful, information about the infected host is sent to a Telegram chat.
  • These threats previously distributed ScreenConnect but, in light of corrective action by ConnectWise, have now been observed leading to Atera, SimpleHelp, and other remote monitoring and management (RMM) tools.
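
The delivery pattern above (RSVP theme, freemail sender, impersonated invitation platform, link pointing away from that platform) can be checked at mail triage. This is an added example, not part of the original alert; the flag names, the freemail list, the brand-to-domain map and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values for this sketch: extend both to match your own mail flow.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
BRANDS = {"punchbowl": "punchbowl.com"}  # platform name -> its legitimate domain
RSVP_RE = re.compile(r"\b(rsvp|invit(?:e|ed|ation)s?)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def on_domain(host, legit):
    return host == legit or host.endswith("." + legit)

def rsvp_lure_flags(raw):
    """Return the red flags from the alert that one raw message trips."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type().startswith("text/")
                     and isinstance(p.get_payload(), str))
    text = " ".join([display, msg.get("Subject", ""), body]).lower()
    hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)]
    flags = []
    if RSVP_RE.search(text):
        flags.append("rsvp_theme")
    if sender in FREEMAIL:
        flags.append("freemail_sender")
    for brand, legit in BRANDS.items():
        # Brand named in the message, but the sender is not on the brand's domain.
        if brand in text and not on_domain(sender, legit):
            flags.append("brand_impersonation")
            if any(h and not on_domain(h, legit) for h in hosts):
                flags.append("link_off_brand_domain")
    return flags

# Constructed sample messages (not real traffic).
LURE = '''From: "Punchbowl Invitations" <party.host2025@gmail.com>
Subject: You're invited! Please RSVP

View your invitation: https://invite-view.example.net/rsvp/card
'''
BENIGN = '''From: "Punchbowl" <noreply@punchbowl.com>
Subject: You're invited to the team picnic

Open your card: https://www.punchbowl.com/constructed-card
'''
```

A message that trips all four flags matches the pattern described in this alert; the RSVP theme alone also appears in legitimate invitations and should not be treated as a verdict.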

Key Action: Stay Alert!

  • Avoid interacting with RSVP messages, especially if unexpected and from unknown senders.
  • Avoid interacting with links or attachments in unsolicited email.
  • Report ANY suspicious emails via Phish Alarm.