FTC Warns of Party-Invite Phishing Targeting Google and Microsoft

The Federal Trade Commission warned on May 26, 2026 about phishing that arrives as fake party invitations by text or email. The bait often uses familiar names and a prompt to sign in and RSVP.

FTC and fake invite pages

The campaign impersonates Evite, Paperless Post, and Punchbowl, then routes recipients to pages that mimic “Sign in with Google” and “Sign in with Microsoft.”

Those fake pages also show Yahoo and AOL login options, which gives the lure a broader look before the victim reaches a provider-specific fake login screen.

Google and Microsoft logins

Entering credentials on the fake screen sends them directly to the attacker. A stolen Google or Microsoft account can then open other services where the user chose “Continue with Google” or “Sign in with Microsoft,” including streaming services, banking portals, e-commerce sites, and healthcare platforms.

That is the practical risk here. One phished login can expose more than one account, even when the other services were never part of the original lure.

ANY.RUN tracked 80 domains

Security research firm ANY.RUN traced the campaign’s infrastructure back to at least December 2025 and identified roughly 80 phishing domains and 160 suspicious links tied to it.

The campaign does not hijack OAuth, the authorization protocol behind familiar social-login buttons. It abuses the look of those sign-in pages instead, which means the fraud lives in the interface the victim sees rather than in the underlying protocol.
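Because the fraud sits in the page rather than the protocol, the host that serves the sign-in screen is the thing to check. The following is an added example, not code from the FTC, ANY.RUN or the original article: a mail or SMS filter could triage invite links by comparing the link's host against the domains each brand actually uses. The allowlist, the function names and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist (not from the article): domains each named brand really uses.
LEGIT_DOMAINS = {
    "evite": ("evite.com",),
    "paperlesspost": ("paperlesspost.com",),
    "punchbowl": ("punchbowl.com",),
    "google": ("google.com",),
    "microsoft": ("microsoft.com", "microsoftonline.com", "live.com"),
}


def _under(host, domain):
    # Match the domain itself or a true subdomain, never a bare string suffix.
    return host == domain or host.endswith("." + domain)


def classify_link(url):
    """Return 'legit:<brand>', 'lookalike:<brand>', 'insecure' or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return "insecure"
    for brand, domains in LEGIT_DOMAINS.items():
        if any(_under(host, d) for d in domains):
            return "legit:" + brand
    # Brand name shown in host or path while the host belongs to someone else.
    text = (host + parts.path).lower().replace("-", "")
    for brand in LEGIT_DOMAINS:
        if brand in text:
            return "lookalike:" + brand
    return "unknown"


# Constructed sample links; the .example hosts are placeholders, not real IoCs.
SAMPLES = [
    "https://www.evite.com/event/abc",
    "https://accounts.google.com/o/oauth2/v2/auth",
    "https://paperless-post-rsvp.example/signin/google",
    "https://evite.com.rsvp.example/invite",
    "https://party.example/login/microsoft",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(classify_link(link), link)
```

The keyword match is a heuristic for triage: a "lookalike" verdict means the link should be reviewed, and "unknown" does not mean the link is safe.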

Paperless Post and Punchbowl both said they were aware of the impersonation campaign. Microsoft’s Defender Security Research Team documented a separate OAuth-related campaign in March 2026 that used legitimate Google and Microsoft authorization endpoints to bounce victims to attacker-controlled pages, and that operation targeted government and public-sector organizations.

For anyone who gets an unexpected invitation asking for a login before RSVP, the safe move is simple: stop at the sign-in prompt and verify the invite through a channel you already trust, not the page that asked for credentials.

One open question remains: how many people entered credentials before the FTC warning, and how many accounts have already been reused across linked services.
