If you receive an event invitation via email, verify it’s legit before you RSVP, as you may not actually be invited to anything. Malwarebytes Labs has identified a new scam in which threat actors are using party invites to trick users into installing a remote access tool (RAT) that gives them full control over infected devices. (This specific campaign seems to be limited to the UK, but similar tactics could easily spread.)

These malicious invites contain a ScreenConnect installer

The scam starts with an innocuous-looking email invitation with an informal “Save the Date” vibe that may appear to come from a friend or acquaintance. The message contains a link to “View Invitation” for event details. If you click through, you’ll end up on a landing page with a bold “You’re Invited” header and a button to download your invitation, but you don’t actually need to take any further action—your browser automatically triggers the download of a .msi file, which is not actually a party invitation or RSVP form but an installer.

The MSI silently installs ScreenConnect Client, a legitimate IT support tool that allows remote access into the user’s machine. Once this connection is established, attackers have the ability to see your screen, control your mouse and keyboard, and upload or download files—even if you restart your computer. All of this happens in the background with no obvious indicators that a remote access tool has been installed and is now running, so victims are unlikely to have cause for concern.

You should know these remote access red flags

As Malwarebytes points out, this scheme is successful because it relies on normal human behavior around a seemingly low-risk situation: opening an event invitation. What’s unusual is that there’s little pressure or urgency in the initial message. Instead, the landing page has language like “a friend has sent you an invitation” and “I opened mine and it was so easy,” which is a form of social proof that guides users to take the desired action.

You should always be alert to unsolicited invites sent via regular email with a link to an external site as well as any communication that prompts you to download or install software. These days, invitations are commonly delivered through apps and digital services like Partiful, Paperless Post, Evite, or Apple Invites, which are generally more trustworthy than random emails with hyperlinked text. If you’re unsure whether the invite is real, verify with the sender through another channel before clicking or downloading anything.

As mentioned, victims of this scam may not immediately notice that a RAT has been installed on their device. But there are some red flags, such as unexplained cursor movement or windows opening or closing on their own. You can check your machine for a file named “RSVPPartyInvitationCard.msi” or a service called ScreenConnect Client with additional random characters in the title.

If you’ve already downloaded ScreenConnect from a malicious invite, Malwarebytes recommends disconnecting from the internet and uninstalling the program immediately. Run a security scan to check your device for malware, and change important passwords from a separate device.