www.malwarebytes.com 2/2/2026, 10:45:40 AM · via preferred

How fake party invitations are being used to install remote access tools

Fake party invitations are being used to coax victims into installing a remote access tool. Victims receive an informal invitation email, often from a hacked friend, prompting them to view an invitation page that redirects to download RSVPPartyInvitationCard[.]msi. When opened, the MSI launches msiexec[.]exe and silently installs ScreenConnect Client, a legitimate remote access tool, with binaries placed in C:\Program Files (x86)\ScreenConnect Client\ and a persistent Windows service created.

The attacker can then remotely access the victim’s computer, see the screen in real time, control the mouse and keyboard, and transfer files, with the connection using ScreenConnect relay domains. The campaign has so far been seen targeting people in the UK, and the landing page is designed to look like a normal invitation to lower suspicion.

According to Malwarebytes, the scam exploits normal behavioural cues around invitations and relies on the legitimate nature of remote support software to evade obvious warnings.
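
The install chain described above (msiexec running a downloaded MSI, then a service appearing under the ScreenConnect Client directory) can be hunted for by correlating the two events per host. This is an added example, not code from Malwarebytes or the article; the event field names, the five-minute window, the user-writable path pattern and the sample records (including the service binary name) are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Install directory reported in the article; everything else here is an assumption.
RMM_DIR = r"c:\program files (x86)\screenconnect client" + "\\"
# User-writable locations where a browser- or mail-delivered MSI usually lands.
USER_PATH = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata)\\[^\"]*\.msi", re.I)

# Constructed sample events (not real telemetry), normalised from process-creation
# and service-installation (System log, event ID 7045) records.
EVENTS = [
    {"ts": "2026-01-30T18:02:11", "host": "PC-ALICE", "type": "process",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\alice\Downloads\RSVPPartyInvitationCard.msi"'},
    {"ts": "2026-01-30T18:02:39", "host": "PC-ALICE", "type": "service",
     "path": r'"C:\Program Files (x86)\ScreenConnect Client\client-service.exe"'},
    # IT-managed deployment from a network share: should not be flagged.
    {"ts": "2026-01-30T09:00:00", "host": "PC-BOB", "type": "process",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "\\deploy\apps\support.msi" /qn'},
    {"ts": "2026-01-30T09:00:20", "host": "PC-BOB", "type": "service",
     "path": r'"C:\Program Files (x86)\ScreenConnect Client\client-service.exe"'},
]

def find_user_initiated_rmm_installs(events, window=timedelta(minutes=5)):
    """Return (host, msi command line, service path) for each service created under
    RMM_DIR within `window` after msiexec ran an MSI from a user-writable path."""
    findings, recent_msi = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process":
            if ev["image"].lower().endswith("\\msiexec.exe") and USER_PATH.search(ev["cmd"]):
                recent_msi[ev["host"]] = (ts, ev["cmd"])
        elif ev["type"] == "service":
            path = ev["path"].strip('"').lower()
            seen = recent_msi.get(ev["host"])
            if path.startswith(RMM_DIR) and seen and ts - seen[0] <= window:
                findings.append((ev["host"], seen[1], ev["path"]))
    return findings

if __name__ == "__main__":
    for host, cmd, svc in find_user_initiated_rmm_installs(EVENTS):
        print(f"{host}: service {svc} installed after {cmd}")
```

Because the installed software is legitimate, the signal here is the origin of the installer rather than the binary itself; organisations that deploy ScreenConnect themselves should additionally compare the client's configured relay against their own instance.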

Article by CyberSIXT