Fake Party Invitations Used in New Cyber Scam to Install Remote Access Malware, Researchers Warn

What seems like a friendly invitation to a party can actually be a cleverly disguised cyberattack. In a recent scam uncovered by researchers, threat actors are using fake party invitations sent via email to trick unsuspecting users into installing remote access tools (RATs) on their Windows computers — essentially giving attackers full, covert control of the infected machine.

The Setup: Friendly Email, Hidden Threat

The attack begins with an email, often styled as a casual invitation with a simple subject like “You’re invited!” or similar wording. The message may even appear to come from someone you know — for example, from an email address that seems to belong to a friend or colleague whose account has actually been compromised.

Once the recipient clicks a link in the message, they’re taken to a convincingly designed landing page that continues the party theme. The site encourages the user to download an “invitation” file, generally disguised to seem friendly and harmless.

The Payload: More Than Just an Invitation

Instead of an event calendar or party details, clicking the download link delivers a file called RSVPPartyInvitationCard.msi. This MSI installer silently installs ScreenConnect Client, a legitimate remote access tool typically used by IT support professionals. However, in this context it’s repurposed by attackers to gain unauthorized access to the victim’s system.

Once ScreenConnect is installed:

  • It creates a persistent Windows service that runs in the background.
  • It establishes encrypted connections to remote servers controlled by the attackers.
  • The attackers can see your screen, control the mouse and keyboard, transfer files, and maintain access even after restarts — all without your knowledge.

Because ScreenConnect is legitimate software, its presence can be hard to detect for an ordinary user — especially if there are no obvious signs at first.

Why This Scam Works

This social-engineering trick is effective because it exploits trust and curiosity. Most people don’t think an invitation could be dangerous. Opening a friendly message feels low-risk, and emails that mimic social contexts don’t trigger the typical alarms that warnings or urgent security notices do.

Warning Signs of Infection

If your system has been compromised by this scam, you might notice:

  • An unexpected file named RSVPPartyInvitationCard.msi
  • ScreenConnect components installed without your knowledge
  • A Windows service related to ScreenConnect running with random characters in its name
  • Outbound encrypted connections to unfamiliar domains associated with the campaign
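
The first three indicators above can be checked directly on a Windows host. The PowerShell below is an added example, not part of the researchers' report. It assumes an elevated session, that ScreenConnect artifacts carry "ScreenConnect" in their service name, display name or binary path, and that the client's service command line carries its relay host as an h= parameter.

```powershell
# Added triage example (not from the original report). Run in an elevated PowerShell session.
$MsiName = 'RSVPPartyInvitationCard.msi'   # file name given in the article

function Find-InvitationMsi {
    # Look for the installer in every user profile (Downloads, Desktop, Temp, ...).
    Get-ChildItem -Path "$env:SystemDrive\Users" -Filter $MsiName -Recurse -File -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTime
}

function Find-ScreenConnectService {
    # Match on name, display name or binary path so a random suffix in the name does not matter.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match 'ScreenConnect' } |
        ForEach-Object {
            # Assumption: the client command line carries its relay host as an "h=" parameter.
            $relay = if ($_.PathName -match '[?&]h=([^&"\s]+)') { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{
                Name = $_.Name; State = $_.State; StartMode = $_.StartMode
                RelayHost = $relay; PathName = $_.PathName
            }
        }
}

function Find-ScreenConnectInstall {
    # Installed-program entries, 64-bit and 32-bit views of the registry.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'ScreenConnect' } |
        Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation
}

# Run all three checks and print a hit count followed by the details of each hit.
$findings = [ordered]@{
    'Invitation MSI on disk' = @(Find-InvitationMsi)
    'ScreenConnect services' = @(Find-ScreenConnectService)
    'ScreenConnect installs' = @(Find-ScreenConnectInstall)
}
foreach ($check in $findings.GetEnumerator()) {
    "{0}: {1} hit(s)" -f $check.Key, $check.Value.Count
    $check.Value | Format-List | Out-String
}
```

A ScreenConnect service whose relay host is not an instance your own IT team operates should be investigated as unauthorized remote access.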

How to Protect Yourself

To reduce your risk of falling for these attacks:

  • Treat any unsolicited invitations with caution — especially if they prompt you to download or run software.
  • Never open .msi or other installer files from emails unless you’re absolutely sure of the source.
  • If you’ve already downloaded the file, disconnect from the internet immediately, scan your system with reputable security software, and change important passwords using a clean device.

For Organizations

Businesses should educate users about the dangers of unsolicited downloads and consider restricting the execution of MSI installers where feasible. Remote support tools should be treated as high-risk software unless explicitly authorized.