Scammers Are Sending Out Fake Invitations Containing Malware.

If you receive an email invitation to an event, verify its authenticity before confirming your attendance, as you may not be invited at all. Malwarebytes Lab has identified a new scam in which attackers use party invitations to trick users into installing a remote access tool (RAT), granting them full control over infected devices. (This particular campaign appears to be limited to the UK, but similar tactics could easily spread.)

These malicious invitations contain the ScreenConnect installer.

The scam begins with an innocuous-looking email invitation with an informal “Save the Date” message, seemingly sent by a friend or acquaintance. The message contains a “View Invitation” link for more information about the event. Clicking the link takes you to a landing page with a large “You’re Invited” headline and a button to download the invitation. However, you don't need to take any further action: your browser automatically downloads an .msi file, which is not actually a party invitation or participation confirmation form, but an installer.

The MSI package silently installs ScreenConnect Client, a legitimate IT support tool that allows remote access to a user’s computer. Once a connection is established, attackers can view your screen, control your mouse and keyboard, and upload or download files, even after the computer is rebooted. All this happens in the background, without any obvious signs of the remote access tool being installed or running, so victims are unlikely to notice that anything is wrong.

You should be aware of these warning signs related to remote access.

As Malwarebytes notes, this scheme is successful because it relies on common human behavior in a seemingly innocuous situation: opening an event invitation. What’s unusual is that the initial message contains virtually no pressure or urgency. Instead, the landing page uses language like “a friend sent you an invitation” and “I opened mine and it was so easy,” which serves as a form of social proof that encourages users to take the desired action.

Always be wary of unsolicited invitations sent via regular email with a link to an external website, as well as any messages asking you to download or install software. These days, invitations are often delivered through apps and digital services like Partiful, Paperless Post, Evite, or Apple Invites, which are generally more reliable than random emails with links. If you’re unsure whether an invitation is genuine, confirm it with the sender through another channel before clicking the link or downloading anything.

As mentioned, victims of this scam may not immediately notice that a RAT has been installed on their device. However, there are some warning signs, such as unexplained cursor movement or randomly opening and closing windows. You can check your computer for a file named “RSVPPartyInvitationCard.msi” or a service named ScreenConnect Client with additional random characters in the name.
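
The check described above can be run as a read-only PowerShell script. This is an added example, not code from Malwarebytes or the original article; it assumes the installer was saved somewhere under the Users folder and that the service name begins with “ScreenConnect Client”.

```powershell
# Added example: read-only check for the two indicators named in the article.
# It only lists matches; it does not stop, remove, or change anything.

$msiName    = 'RSVPPartyInvitationCard.msi'   # file name given in the article
$svcPattern = 'ScreenConnect Client*'         # service name plus extra random characters

# 1. Search every user profile for the downloaded installer.
#    Assumption: the browser saved it below <SystemDrive>\Users (e.g. Downloads).
$usersRoot = Join-Path $env:SystemDrive 'Users'
$files = Get-ChildItem -Path $usersRoot -Filter $msiName -Recurse -File -Force `
             -ErrorAction SilentlyContinue |
         Select-Object FullName, Length, CreationTime

# 2. List services whose name or display name matches the pattern.
#    PathName shows which executable the service launches at boot.
$services = Get-CimInstance -ClassName Win32_Service |
            Where-Object { $_.Name -like $svcPattern -or $_.DisplayName -like $svcPattern } |
            Select-Object Name, DisplayName, State, StartMode, PathName

if ($files) {
    Write-Output "Installer file found:"
    $files | Format-List
} else {
    Write-Output "No file named $msiName found under $usersRoot."
}

if ($services) {
    Write-Output "Matching service(s) found:"
    $services | Format-List
} else {
    Write-Output "No service matching '$svcPattern' found."
}
```

Run it from an elevated PowerShell prompt so other users' profile folders are readable. Because ScreenConnect is a legitimate support tool, a matching service on a machine managed by an IT help desk may be expected, so compare the file's creation time with when the invitation email arrived.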

If you’ve already downloaded ScreenConnect via a malicious invitation, Malwarebytes recommends disconnecting from the internet and uninstalling the program immediately. Run a malware scan on your device and change important passwords on another device.
