#endpointprotection — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #endpointprotection, aggregated by home.social.
-
Tanium adds four products to NATO assurance catalogue https://www.byteseu.com/2013712/ #CriticalInfrastructure #cybersecurity #defence #EmployeeExperience(EX) #EndpointManagement #EndpointProtection #Europe #IncidentResponse #ManagementPlatform #NATO #NetworkSecurity #NorthernAtlanticTreatyOrganisation(NATO) #PublicSector #RemoteAccess #RiskManagement #SecurityOperationsCentres(SOCs) #Tanium #ThreatIntelligence
-
ICYMI: A security researcher recently published a working tool that extracts credentials stored in Microsoft Edge directly from the browser's parent process memory. No exploit is needed – just sufficient system privileges.
This is the kind of threat Keeper Security is designed to help address. In addition to our secure and encrypted password manager, Keeper Forcefield blocks unauthorized memory access at the kernel level – so even if a machine is compromised, there's nothing to extract.
#KeeperSecurity #Cybersecurity #PasswordSecurity #EndpointProtection #MicrosoftEdge
-
ICYMI: A security researcher recently published a working tool that extracts credentials stored in Microsoft Edge directly from the browser's parent process memory. No exploit is needed – just sufficient system privileges.
This is the kind of threat Keeper Security is designed to help address. In addition to our secure and encrypted password manager, Keeper Forcefield blocks unauthorized memory access at the kernel level – so even if a machine is compromised, there's nothing to extract.
#KeeperSecurity #Cybersecurity #PasswordSecurity #EndpointProtection #MicrosoftEdge
-
ICYMI: A security researcher recently published a working tool that extracts credentials stored in Microsoft Edge directly from the browser's parent process memory. No exploit is needed – just sufficient system privileges.
This is the kind of threat Keeper Security is designed to help address. In addition to our secure and encrypted password manager, Keeper Forcefield blocks unauthorized memory access at the kernel level – so even if a machine is compromised, there's nothing to extract.
#KeeperSecurity #Cybersecurity #PasswordSecurity #EndpointProtection #MicrosoftEdge
-
ICYMI: A security researcher recently published a working tool that extracts credentials stored in Microsoft Edge directly from the browser's parent process memory. No exploit is needed – just sufficient system privileges.
This is the kind of threat Keeper Security is designed to help address. In addition to our secure and encrypted password manager, Keeper Forcefield blocks unauthorized memory access at the kernel level – so even if a machine is compromised, there's nothing to extract.
#KeeperSecurity #Cybersecurity #PasswordSecurity #EndpointProtection #MicrosoftEdge
-
ICYMI: A security researcher recently published a working tool that extracts credentials stored in Microsoft Edge directly from the browser's parent process memory. No exploit is needed – just sufficient system privileges.
This is the kind of threat Keeper Security is designed to help address. In addition to our secure and encrypted password manager, Keeper Forcefield blocks unauthorized memory access at the kernel level – so even if a machine is compromised, there's nothing to extract.
#KeeperSecurity #Cybersecurity #PasswordSecurity #EndpointProtection #MicrosoftEdge
-
Is Your Bank Really Texting You? 3 Red Flags of a Phishing Message.
2,483 words, 13 minutes read time.
The Psychological Architecture of the Smishing Epidemic
The mobile phone is the most intimate piece of hardware in the modern world, a device that lives in our pockets and demands our immediate attention with every haptic buzz and notification chime. This proximity creates a dangerous psychological feedback loop where the user is conditioned to respond to SMS messages with a level of trust that they would never afford an unsolicited email. While email has decades of junk mail filters and visible header data to warn us of danger, the SMS interface is deceptively clean and stripped of context. When a text arrives claiming to be from a major financial institution, it enters a high-trust environment where the barrier between a legitimate service alert and a criminally organized credential harvest is virtually non-existent. Analyzing the current threat landscape, it is clear that the surge in smishing is not merely a technical failure of our telecommunications infrastructure, but a masterful exploitation of human neurobiology. Attackers understand that by bypassing the corporate firewall and landing directly on a victim’s personal device, they are catching the user in a state of cognitive vulnerability, often while they are distracted, tired, or multi-tasking.
The sheer volume of these attacks indicates a shift toward the industrialization of mobile deception. According to recent data, bank impersonation via text message has skyrocketed to become one of the most reported scams, primarily because the return on investment is staggering compared to traditional phishing. It costs almost nothing for an adversary to blast out thousands of messages using automated scripts and cheap gateway services, yet the potential payoff is total access to a victim’s financial life. This is not a hobbyist’s game; it is a highly refined business model that relies on the trusted screen effect. We have been trained to view our phone numbers as a secure second factor for authentication, which ironically makes us more susceptible to the very messages that seek to undermine that security. Consequently, the first step in defending against these attacks is to dismantle the inherent trust we place in the SMS protocol, recognizing that the medium itself is fundamentally insecure and easily manipulated by anyone with a malicious intent and a basic understanding of social engineering.
Red Flag #1: The False Sense of Urgency and Emotional Manipulation
The most potent weapon in a smisher’s arsenal is not a sophisticated zero-day exploit, but the manufactured crisis. Every successful bank-themed phishing message is designed to trigger a physiological response that prioritizes immediate action over rational analysis. When you receive a text stating that your account has been suspended due to suspicious activity or that a large transfer is pending your approval, the attacker is forcing you into a high-stakes decision window. They know that a panicked user is unlikely to look for the subtle technical flaws in the message because their primary focus is on resolving the perceived threat to their financial stability. This artificial urgency is a deliberate tactic to bypass the critical thinking filters that would otherwise identify the message as fraudulent. In the world of social engineering, time is the enemy of the victim and the best friend of the predator. By imposing a deadline, the adversary effectively shuts down the user’s ability to verify the claim through official channels.
Furthermore, these messages often utilize a push-pull dynamic of fear and relief. The initial fear of a compromised account is immediately followed by the perceived relief of a simple solution provided in the form of a link. This emotional roller coaster is a hallmark of sophisticated phishing kits where the goal is to drive the victim toward a pre-built landing page that mimics the bank’s actual login portal. I see this pattern repeated across thousands of observed samples: the language is always direct, the consequence is always severe, and the solution is always a single click away. Professionals must understand that a legitimate financial institution will never use a medium as volatile and insecure as SMS to demand immediate, high-stakes action involving sensitive credentials. If a message makes your heart rate spike before you’ve even finished reading the first sentence, that is not a customer service alert; it is a psychological exploit in progress. The grit of the situation is that these attackers are betting on your human instinct to protect what is yours, and they are winning because our biological hardware hasn’t evolved as fast as their social engineering software.
Red Flag #2: Deconstructing the Malicious URL and Domain Spoofing
The technical linchpin of a bank impersonation scam is the hyperlink, a digital trapdoor designed to look like a bridge to safety. In a legitimate banking environment, URLs are predictable, branded, and hosted on top-level domains that the institution has spent millions of dollars securing. However, attackers rely on the fact that the average mobile user rarely inspects the full string of a URL on a five-inch screen. To obscure their intent, they leverage URL shorteners or link-in-bio services that strip away the destination’s identity, replacing a recognizable bank domain with a sanitized, high-trust string of characters. When you see a link that begins with a generic shortening service, you are looking at a deliberate attempt to hide a malicious redirection chain. This infrastructure is often backed by sophisticated Phishing-as-a-Service platforms which generate unique, one-time-use links for every target. This makes it significantly harder for automated security filters to flag the domain as malicious because the URL effectively dies after it has been clicked by the intended victim, leaving no trail for threat researchers to follow in real-time.
Beyond simple shortening, more advanced adversaries utilize typosquatting or punycode attacks to create a visual illusion of legitimacy. They might register a domain that replaces a lowercase letter with a similarly shaped number, or they use international character sets that look identical to the English alphabet but lead to an entirely different server in a jurisdiction where law enforcement is non-existent. These spoofed domains are often hosted on legitimate cloud infrastructure, which allows them to bypass reputation-based filters that only look for bad neighborhoods on the internet. Once you click that link, you aren’t just visiting a website; you are entering a controlled environment where every pixel has been engineered to mirror your bank’s actual interface. The gritty reality is that by the time you realize the URL in the address bar is off by a single character, your keystrokes have already been captured by a headless browser or an Adversary-in-the-Middle proxy. Analyzing these landing pages reveals a level of craft that includes working help links and legitimate-looking privacy policies, all designed to keep you in the trust zone just long enough to hand over your credentials.
Red Flag #3: Inconsistencies in Delivery Architecture and Metadata
If you want to spot a fraudster, you have to look at the plumbing of the message itself. Legitimate financial institutions invest heavily in Short Code registries—those five or six-digit numbers that are strictly regulated and vetted by telecommunications carriers. When a bank sends an automated alert, it almost always originates from one of these verified short codes because they allow for high-throughput, reliable delivery that is difficult for scammers to spoof at scale. In contrast, most smishing attacks originate from standard ten-digit Long Codes or, increasingly, from email addresses masquerading as phone numbers via the SMS gateway. If a message claiming to be from a multi-billion dollar global bank arrives from a random area code in a different state or a Gmail address, the architecture of the delivery is screaming that it is a fraud. These long codes are essentially burner numbers, bought in bulk through VoIP providers or generated via automated botnets of compromised mobile devices. The disconnect between the supposed sender and the technical origin of the message is a massive red flag that is hiding in plain sight.
Furthermore, the metadata and lack of personalization provide critical clues to the message’s illegitimacy. A real bank notification is tied to a specific account and a specific customer profile; it will often include a partial account number or use a specific format that matches previous interactions you have had with that institution. Smishing messages, however, are designed for the spray and pray method. They use generic salutations like “Dear Customer” or “Valued Member” because the attacker doesn’t actually know who you are; they only know that your phone number was part of a massive data leak from a social media breach or a compromised e-commerce database. These messages are sent to thousands of people simultaneously, betting on the statistical probability that a certain percentage will actually have an account with the bank being impersonated. This lack of specificity is a hallmark of industrial-scale social engineering. When you receive a text that feels like a form letter with an artificial sense of emergency, it is a clear sign that you are being targeted by an automated script rather than a legitimate service department. The absence of your name or specific account details isn’t just a lapse in customer service; it is a fundamental technical indicator of a malicious campaign.
The Failure of Traditional MFA against Modern Smishing
The most dangerous misconception in modern personal security is the belief that Multi-Factor Authentication (MFA) via SMS is an impenetrable shield. While having any MFA is better than none, the grit of the current threat landscape is that smishing has evolved to bypass these secondary layers with ease. Modern phishing kits are no longer static pages that just steal a password; they are dynamic proxies that facilitate Adversary-in-the-Middle (AiTM) attacks. When a victim enters their credentials into a fraudulent bank portal, the attacker’s server passes those credentials to the real bank’s login page in real-time. The bank then sends a legitimate MFA code to the victim’s phone. The victim, thinking they are on the real site, enters that code into the attacker’s portal. The attacker then intercepts that code and uses it to complete the login on the real site, effectively hijacking the session. Within seconds, the adversary has bypassed the very security measure designed to stop them, proving that SMS-based codes are a liability in a world of proxied attacks.
This technical reality necessitates a shift toward more robust authentication standards. Analyzing the successful breaches of the last few years, it is evident that the only reliable defense against smishing-induced MFA bypass is the implementation of hardware-backed security keys or FIDO2/WebAuthn standards. These methods use public-key cryptography to ensure that the authentication attempt is tied to the specific, legitimate domain of the service provider. If an attacker directs a victim to a spoofed domain, the security key will simply refuse to authenticate because the domain signature doesn’t match. Consequently, relying on “text-to-verify” is essentially building a house of cards in a hurricane. We must move toward a zero-trust model for mobile interactions where no incoming text message is considered valid until it is verified through a separate, trusted out-of-band channel, such as calling the official number on the back of your physical debit card or using the bank’s official, sandboxed mobile application.
Hardening the Human and Technical Perimeter
Defeating the smishing threat requires more than just a sharp eye for typos; it requires a fundamental change in how we interact with our mobile devices. The first line of defense is a technical one: treat every unsolicited message as a potential payload. This means never clicking a link in an SMS, regardless of how legitimate it looks or how much pressure the message applies. Instead, the standard operating procedure should be to close the messaging app and navigate directly to the bank’s official website by typing the address into the browser yourself, or by opening the official app. This simple act of “breaking the chain” completely neutralizes the attacker’s redirection infrastructure. Furthermore, users should take advantage of mobile threat defense (MTD) tools and carrier-level spam reporting features. By forwarding suspicious messages to the “7726” (SPAM) short code used by most major carriers, you are contributing to a global database that helps telecommunications providers block these malicious origin points before they reach the next victim.
Ultimately, we have to accept that the SMS protocol was never designed with security in mind; it was designed for convenience. In a professional context, this means that organizations must stop using SMS for sensitive customer communications and move toward encrypted, authenticated in-app messaging. For the individual, it means adopting a mindset of aggressive skepticism. If your bank really needs to reach you, they will use a secure channel or a verified notification system that doesn’t rely on a fragile, easily spoofed text message. The gritty truth is that as long as people keep clicking, criminals will keep texting. By identifying these red flags—the manufactured urgency, the mangled URLs,
Call to Action
The digital battlefield is no longer confined to server rooms and encrypted tunnels; it is in the palm of your hand, vibrating in your pocket every time a predator decides to test your defenses. You can no longer afford to treat an SMS as a “simple text.” In an era where organized crime syndicates use automated botnets to exploit human fear, your only real firewall is a shift in mindset. You have the technical red flags—the artificial urgency, the mangled URLs, and the broken delivery architecture. Now, you have to use them.
Don’t wait until your balance hits zero to start taking mobile security seriously. Audit your accounts today. If you’re still relying on SMS-based two-factor authentication for your primary banking, you are leaving the door unlocked for any adversary with a proxy kit. Switch to a hardware-backed security key or an authenticator app immediately. The next time you receive a “critical alert” from your bank, don’t click. Don’t reply. Delete the message, open your browser, and go to the source yourself. The criminals are betting that you’ll be too distracted to notice the trap; prove them wrong by staying relentlessly skeptical. Your data is your responsibility—defend it like it.
SUPPORTSUBSCRIBECONTACT MED. Bryan King
Sources
- Verizon 2024 Data Breach Investigations Report (DBIR)
- CISA: Identifying and Mitigating SMS Phishing (Smishing)
- NIST: Behavioral Science and Cybersecurity Phishing Research
- MITRE: Strategies for Stopping Phishing Attacks
- Krebs on Security: The Era of Easy Smishing
- FCC: New Rules on Combating Illegal Robotexts and Smishing
- MITRE ATT&CK: Phishing: Forging Communications (SMS)
- Proofpoint: The Smishing Landscape and Mobile Threat Trends
- Zscaler: The Rise of Phishing-as-a-Service (PhaaS)
- Microsoft Security: Evolving Trends in Smishing
- FTC: Reports of Phishing Texts Top All Other Impersonation Scams
- Scamwatch: Deep Dive into Bank Impersonation Tactics
- ENISA Threat Landscape: Social Engineering and Phishing Trends
Disclaimer:
The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.
Related Posts
Rate this:
#accountSuspensionScam #adversaryInTheMiddle #AiTMAttacks #amygdalaHijack #bankTextScams #botnets #caffeinePhishing #CISAGuidelines #credentialHarvesting #cyberHygiene #cybercrimeSyndicates #cybersecurity #dataBreach #digitalForensics #domainSpoofing #endpointProtection #EvilProxy #fakeBankNotifications #FCCRegulations #FIDO2 #financialFraud #fraudAlerts #fraudPrevention #hardwareSecurityKeys #identityTheft #longCodes #maliciousURLs #MFABypass #mobileSecurity #mobileThreatDefense #mobileVulnerabilities #MTD #multiFactorAuthentication #networkSecurity #NISTCybersecurity #onlineBankingSecurity #PhaaS #phishingKits #phishingRedFlags #phishingAsAService #psychologicalTriggers #robotexts #scamAlerts #shortCodes #smishing #SMSGateway #SMSPhishing #socialEngineering #socialEngineeringTactics #technicalAnalysis #threatIntelligence #typosquatting #unauthorizedAccess #urgentAlerts #urlShorteners #VerizonDBIR #WebAuthn #zeroTrust -
#checkpoint basically says whoever is developing #public #internet facing software needs #AI to find #exploits before others find them (any program that exchanges messages)
#firewall #virusscanner #endpointprotection good but not enoughhttps://blog.checkpoint.com/artificial-intelligence/claude-mythos-wake-up-call-what-ai-vulnerability-discovery-means-for-cyber-defense/ #cyber #cybersecurity
-
This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now
997 words, 5 minutes read time.
If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.
This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.
What this scam actually is
You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.
It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:
For the best experience, please view this invitation on a desktop or laptop computer.
If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.
And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.
Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.
Why this is an absolute nightmare for security teams
Let me give you the numbers that no one is putting in the official advisories:
- As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
- Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
- This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
- Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.
I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.
This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.
How to not get burned
I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.
For everyone
- Real Punchbowl invites will only ever come from an address ending in
@punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately. - Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
- Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.
For SOC Analysts and Security Teams
These are the steps you can go and implement right now before you finish reading this post:
- Add an email detection rule for the exact string
for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate. - Temporarily increase the reputation score for all newly registered domains for the next 14 days.
- Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
- If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.
Closing Thought
The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.
If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.
Call to Action
If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.
D. Bryan King
Sources
- Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
- CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
- Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
- Punchbowl Official Public Warning
- Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
- Proofpoint Threat Insight: Punchbowl Phishing Campaign
- MITRE ATT&CK T1566.001: Spearphishing Link
- Verizon DBIR 2025: Phishing Effectiveness
Disclaimer:
The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.
Related Posts
Rate this:
#attackVector #boardroomRisk #breachPrevention #CISAAlert #CISO #credentialTheft #cyberResilience #cyberattack #cybercrime #cybersecurityAwareness #defenseInDepth #desktopOnlyPhishing #detectionRule #DKIM #DMARC #emailFilterBypass #emailGateway #emailHygiene #emailSecurity #emailSecurityGateway #endpointProtection #incidentResponse #indicatorsOfCompromise #initialAccess #IoCs #lateralMovement #linkSafety #logAnalysis #maliciousLink #malware #MITREATTCK #mobileEmailRisk #phishingCampaign #phishingDetection #phishingScam #phishingSimulation #phishingStatistics #PunchbowlPhishing #ransomwarePrecursor #RemcosRAT #sandboxEvasion #securityAlert #SecurityAwarenessTraining #securityBestPractices #securityLeadership #securityMonitoring #securityOperationsCenter #securityStack #SOCAnalyst #socialEngineering #spearPhishing #SPF #suspiciousEmail #T1566001 #threatActor #threatHunting #threatIntelligence #userTraining #zeroTrust -
This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now
997 words, 5 minutes read time.
If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.
This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.
What this scam actually is
You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.
It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:
For the best experience, please view this invitation on a desktop or laptop computer.
If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.
And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.
Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.
Why this is an absolute nightmare for security teams
Let me give you the numbers that no one is putting in the official advisories:
- As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
- Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
- This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
- Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.
I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.
This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.
How to not get burned
I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.
For everyone
- Real Punchbowl invites will only ever come from an address ending in
@punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately. - Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
- Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.
For SOC Analysts and Security Teams
These are the steps you can go and implement right now before you finish reading this post:
- Add an email detection rule for the exact string
for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate. - Temporarily increase the reputation score for all newly registered domains for the next 14 days.
- Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
- If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.
Closing Thought
The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.
If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.
Call to Action
If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.
D. Bryan King
Sources
- Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
- CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
- Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
- Punchbowl Official Public Warning
- Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
- Proofpoint Threat Insight: Punchbowl Phishing Campaign
- MITRE ATT&CK T1566.001: Spearphishing Link
- Verizon DBIR 2025: Phishing Effectiveness
Disclaimer:
The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.
Related Posts
Rate this:
#attackVector #boardroomRisk #breachPrevention #CISAAlert #CISO #credentialTheft #cyberResilience #cyberattack #cybercrime #cybersecurityAwareness #defenseInDepth #desktopOnlyPhishing #detectionRule #DKIM #DMARC #emailFilterBypass #emailGateway #emailHygiene #emailSecurity #emailSecurityGateway #endpointProtection #incidentResponse #indicatorsOfCompromise #initialAccess #IoCs #lateralMovement #linkSafety #logAnalysis #maliciousLink #malware #MITREATTCK #mobileEmailRisk #phishingCampaign #phishingDetection #phishingScam #phishingSimulation #phishingStatistics #PunchbowlPhishing #ransomwarePrecursor #RemcosRAT #sandboxEvasion #securityAlert #SecurityAwarenessTraining #securityBestPractices #securityLeadership #securityMonitoring #securityOperationsCenter #securityStack #SOCAnalyst #socialEngineering #spearPhishing #SPF #suspiciousEmail #T1566001 #threatActor #threatHunting #threatIntelligence #userTraining #zeroTrust -
This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now
997 words, 5 minutes read time.
If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.
This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.
What this scam actually is
You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.
It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:
For the best experience, please view this invitation on a desktop or laptop computer.
If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.
And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.
Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.
Why this is an absolute nightmare for security teams
Let me give you the numbers that no one is putting in the official advisories:
- As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
- Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
- This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
- Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.
I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.
This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.
How to not get burned
I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.
For everyone
- Real Punchbowl invites will only ever come from an address ending in
@punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately. - Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
- Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.
For SOC Analysts and Security Teams
These are the steps you can go and implement right now before you finish reading this post:
- Add an email detection rule for the exact string
for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate. - Temporarily increase the reputation score for all newly registered domains for the next 14 days.
- Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
- If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.
Closing Thought
The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.
If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.
Call to Action
If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.
D. Bryan King
Sources
- Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
- CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
- Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
- Punchbowl Official Public Warning
- Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
- Proofpoint Threat Insight: Punchbowl Phishing Campaign
- MITRE ATT&CK T1566.001: Spearphishing Link
- Verizon DBIR 2025: Phishing Effectiveness
Disclaimer:
The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.
Related Posts
Rate this:
#attackVector #boardroomRisk #breachPrevention #CISAAlert #CISO #credentialTheft #cyberResilience #cyberattack #cybercrime #cybersecurityAwareness #defenseInDepth #desktopOnlyPhishing #detectionRule #DKIM #DMARC #emailFilterBypass #emailGateway #emailHygiene #emailSecurity #emailSecurityGateway #endpointProtection #incidentResponse #indicatorsOfCompromise #initialAccess #IoCs #lateralMovement #linkSafety #logAnalysis #maliciousLink #malware #MITREATTCK #mobileEmailRisk #phishingCampaign #phishingDetection #phishingScam #phishingSimulation #phishingStatistics #PunchbowlPhishing #ransomwarePrecursor #RemcosRAT #sandboxEvasion #securityAlert #SecurityAwarenessTraining #securityBestPractices #securityLeadership #securityMonitoring #securityOperationsCenter #securityStack #SOCAnalyst #socialEngineering #spearPhishing #SPF #suspiciousEmail #T1566001 #threatActor #threatHunting #threatIntelligence #userTraining #zeroTrust -
In 2025, the top 5 known exploited vulnerability (#KEV) vendors as of https://cyble.com/blog/cisa-kev-2025-exploited-vulnerabilities-growth/ were:
Microsoft (39)
#Apple (9)
#Cisco (8)
#Fortinet (8)
#Google #Chromium (7)If you like to minimize your #security risk here, avoiding those vendors could improve your overall exposure.
As you can see, this is particularly true for #Microsoft.
Mitigation using #AntiMalware or #EndPointProtection is not the answer as we've learned in the previous year where the "Most Frequently Exploited #Vulnerabilities" have been security products!
Source: https://services.google.com/fh/files/misc/m-trends-2025-en.pdfIf you have high requirements for #ITsecurity, you need to migrate your systems to #Linux which is also part of KEV but on a *much* better level!
-
In 2025, the top 5 known exploited vulnerability (#KEV) vendors as of https://cyble.com/blog/cisa-kev-2025-exploited-vulnerabilities-growth/ were:
Microsoft (39)
#Apple (9)
#Cisco (8)
#Fortinet (8)
#Google #Chromium (7)If you like to minimize your #security risk here, avoiding those vendors could improve your overall exposure.
As you can see, this is particularly true for #Microsoft.
Mitigation using #AntiMalware or #EndPointProtection is not the answer as we've learned in the previous year where the "Most Frequently Exploited #Vulnerabilities" have been security products!
Source: https://services.google.com/fh/files/misc/m-trends-2025-en.pdfIf you have high requirements for #ITsecurity, you need to migrate your systems to #Linux which is also part of KEV but on a *much* better level!
-
In 2025, the top 5 known exploited vulnerability (#KEV) vendors as of https://cyble.com/blog/cisa-kev-2025-exploited-vulnerabilities-growth/ were:
Microsoft (39)
#Apple (9)
#Cisco (8)
#Fortinet (8)
#Google #Chromium (7)If you like to minimize your #security risk here, avoiding those vendors could improve your overall exposure.
As you can see, this is particularly true for #Microsoft.
Mitigation using #AntiMalware or #EndPointProtection is not the answer as we've learned in the previous year where the "Most Frequently Exploited #Vulnerabilities" have been security products!
Source: https://services.google.com/fh/files/misc/m-trends-2025-en.pdfIf you have high requirements for #ITsecurity, you need to migrate your systems to #Linux which is also part of KEV but on a *much* better level!
-
In 2025, the top 5 known exploited vulnerability (#KEV) vendors as of https://cyble.com/blog/cisa-kev-2025-exploited-vulnerabilities-growth/ were:
Microsoft (39)
#Apple (9)
#Cisco (8)
#Fortinet (8)
#Google #Chromium (7)If you like to minimize your #security risk here, avoiding those vendors could improve your overall exposure.
As you can see, this is particularly true for #Microsoft.
Mitigation using #AntiMalware or #EndPointProtection is not the answer as we've learned in the previous year where the "Most Frequently Exploited #Vulnerabilities" have been security products!
Source: https://services.google.com/fh/files/misc/m-trends-2025-en.pdfIf you have high requirements for #ITsecurity, you need to migrate your systems to #Linux which is also part of KEV but on a *much* better level!
-
In 2025, the top 5 known exploited vulnerability (#KEV) vendors as of https://cyble.com/blog/cisa-kev-2025-exploited-vulnerabilities-growth/ were:
Microsoft (39)
#Apple (9)
#Cisco (8)
#Fortinet (8)
#Google #Chromium (7)If you like to minimize your #security risk here, avoiding those vendors could improve your overall exposure.
As you can see, this is particularly true for #Microsoft.
Mitigation using #AntiMalware or #EndPointProtection is not the answer as we've learned in the previous year where the "Most Frequently Exploited #Vulnerabilities" have been security products!
Source: https://services.google.com/fh/files/misc/m-trends-2025-en.pdfIf you have high requirements for #ITsecurity, you need to migrate your systems to #Linux which is also part of KEV but on a *much* better level!
-
WhatsApp accounts targeted in ‘GhostPairing’ attack https://www.csoonline.com/article/4108925/whatsapp-accounts-targeted-in-ghostpairing-attack.html #CommunicationsSecurity #EndpointProtection #MessagingSecurity #NetworkSecurity #MobileSecurity #Security
-
Hundreds of Ivanti EPM systems exposed online as critical flaw patched https://www.csoonline.com/article/4104158/hundreds-of-ivanti-epm-systems-exposed-online-as-critical-flaw-patched.html #EndpointProtection #Vulnerabilities #Security
-
Gemini for Chrome gets a second AI agent to watch over it https://www.csoonline.com/article/4103346/gemini-for-chrome-gets-a-second-ai-agent-to-watch-over-it-2.html #ArtificialIntelligence #EndpointProtection #BrowserSecurity #Security
-
Neue bösartige Browser-Erweiterungen entdeckt https://www.csoonline.com/article/4100071/neue-bosartige-browser-erweiterungen-entdeckt.html #EndpointProtection #BrowserSecurity #Security
-
Newly discovered malicious extensions could be lurking in enterprise browsers https://www.csoonline.com/article/4099446/newly-discovered-malicious-extensions-could-be-lurking-in-enterprise-browsers.html #EndpointProtection #BrowserSecurity #Cybercrime #Security #Malware
-
Microsoft gives Windows admins a legacy migration headache with WINS sunset https://www.csoonline.com/article/4098729/microsoft-gives-windows-admins-a-legacy-migration-headache-with-wins-sunset-2.html #NetworkAdministrator #EndpointProtection #NetworkSecurity #WindowsSecurity #Security #Careers #Roles
-
AI browsers can be tricked with malicious prompts hidden in URL fragments https://www.csoonline.com/article/4097087/ai-browsers-can-be-tricked-with-malicious-prompts-hidden-in-url-fragments.html #ArtificialIntelligence #EndpointProtection #BrowserSecurity #Security
-
New ClickFix attacks use fake Windows Update screens to fool employees https://www.csoonline.com/article/4096241/new-clickfix-attacks-use-fake-windows-update-screens-to-fool-employees.html #EndpointProtection #WindowsSecurity #Cybercrime #Security #Malware
-
Recognizing and responding to cyber threats: What differentiates NDR, EDR and XDR https://www.csoonline.com/article/4091641/recognizing-and-responding-to-cyber-threats-what-differentiates-ndr-edr-and-xdr.html #SecurityInfrastructure #EndpointProtection #RiskManagement #Security
-
Recognizing and responding to cyber threats: What differentiates NDR, EDR and XDR https://www.csoonline.com/article/4091641/recognizing-and-responding-to-cyber-threats-what-differentiates-ndr-edr-and-xdr.html #SecurityInfrastructure #EndpointProtection #RiskManagement #Security
-
Recognizing and responding to cyber threats: What differentiates NDR, EDR and XDR https://www.csoonline.com/article/4091641/recognizing-and-responding-to-cyber-threats-what-differentiates-ndr-edr-and-xdr.html #SecurityInfrastructure #EndpointProtection #RiskManagement #Security
-
Recognizing and responding to cyber threats: What differentiates NDR, EDR and XDR https://www.csoonline.com/article/4091641/recognizing-and-responding-to-cyber-threats-what-differentiates-ndr-edr-and-xdr.html #SecurityInfrastructure #EndpointProtection #RiskManagement #Security
-
Sneaky2FA phishing tool adds ability to insert legit-looking URLs https://www.csoonline.com/article/4094165/sneaky2fa-phishing-tool-adds-ability-to-insert-legit-looking-urls.html #EndpointProtection #SocialEngineering #BrowserSecurity #Cybercrime #Phishing #Security
-
Hidden API in Comet AI browser raises security red flags for enterprises https://www.csoonline.com/article/4092995/hidden-api-in-comet-ai-browser-raises-security-red-flags-for-enterprises.html #EndpointProtection #BrowserSecurity #Security
-
More work for admins as Google patches latest zero-day Chrome vulnerability https://www.csoonline.com/article/4092287/more-work-for-admins-as-google-patches-latest-zero-day-chrome-vulnerability.html #Zero-DayVulnerabilities #EndpointProtection #BrowserSecurity #Vulnerabilities #Security
-
🚨 New sophisticated threat alert! RONINGLOADER leverages signed drivers to disable Microsoft Defender & bypass EDR, targeting Chinese users with multi-stage malware. Stay informed & protected! 🛡️🔒 #CyberSecurity #Malware #InfoSec #EndpointProtection https://gbhackers.com/roningloader/
#newz -
Russian APT abuses Windows Hyper-V for persistence and malware execution https://www.csoonline.com/article/4085272/russian-apt-abuses-windows-hyper-v-for-persistence-and-malware-execution.html #AdvancedPersistentThreats #EndpointProtection #WindowsSecurity #Cyberattacks #Cybercrime #Security
-
Chinese hackers target Western diplomats using hard-to-patch Windows shortcut flaw https://www.csoonline.com/article/4082701/chinese-hackers-target-western-diplomats-using-hard-to-patch-windows-shortcut-flaw.html #EndpointProtection #Vulnerabilities #WindowsSecurity #Security
-
Critical Microsoft WSUS flaw exploited in wild after insufficient patch https://www.csoonline.com/article/4078952/critical-microsoft-wsus-flaw-exploited-in-wild-after-insufficient-patch.html #EndpointProtection #Vulnerabilities #WindowsSecurity #Security
-
AI browsers can be abused by malicious AI sidebar extensions: Report https://www.csoonline.com/article/4078306/ai-browsers-can-be-abused-by-malicious-ai-sidebar-extensions-report-2.html #EndpointProtection #BrowserSecurity #Cybercrime #Security #Malware
-
Security patch or self-inflicted DDoS? Microsoft update knocks out key enterprise functions https://www.csoonline.com/article/4076016/security-patch-or-self-inflicted-ddos-microsoft-update-knocks-out-key-enterprise-functions-2.html #DataandInformationSecurity #EndpointProtection #WindowsSecurity #Encryption #Security
-
Network security devices endanger orgs with ’90s era flaws https://www.csoonline.com/article/4074945/network-security-devices-endanger-orgs-with-90s-era-flaws.html #DataandInformationSecurity #ApplicationSecurity #EndpointProtection #TechnologyIndustry #NetworkSecurity #Vulnerabilities #DevSecOps #Industry #Security #Markets
-
OT security: Why it pays to look at open source – Source: www.csoonline.com https://ciso2ciso.com/ot-security-why-it-pays-to-look-at-open-source-source-www-csoonline-com/ #rssfeedpostgeneratorecho #EndpointProtection #CyberSecurityNews #IncidentResponse #NetworkSecurity #CSOonline #CSOOnline
-
OT security: Why it pays to look at open source – Source: www.csoonline.com https://ciso2ciso.com/ot-security-why-it-pays-to-look-at-open-source-source-www-csoonline-com/ #rssfeedpostgeneratorecho #EndpointProtection #CyberSecurityNews #IncidentResponse #NetworkSecurity #CSOonline #CSOOnline
-
OT security: Why it pays to look at open source https://www.csoonline.com/article/4055176/ot-security-why-it-pays-to-look-at-open-source.html #EndpointProtection #IncidentResponse #NetworkSecurity
-
10 most powerful cybersecurity companies today – Source: www.csoonline.com https://ciso2ciso.com/10-most-powerful-cybersecurity-companies-today-source-www-csoonline-com/ #IdentityManagementSolutions #IntrusionDetectionSoftware #rssfeedpostgeneratorecho #EndpointProtection #CyberSecurityNews #NetworkSecurity #riskmanagement #accesscontrol #CSOonline #Microsoft #zerotrust #CSOOnline #Security
-
CrowdStrike: A new era of cyberthreats from sophisticated threat actors is here – Source: www.csoonline.com https://ciso2ciso.com/crowdstrike-a-new-era-of-cyberthreats-from-sophisticated-threat-actors-is-here-source-www-csoonline-com/ #ThreatandVulnerabilityManagement #rssfeedpostgeneratorecho #EndpointProtection #CyberSecurityNews #CloudSecurity #CSOonline #CSOOnline
-
CrowdStrike: A new era of cyberthreats from sophisticated threat actors is here https://www.csoonline.com/article/4033014/crowdstrike-a-new-era-of-cyberthreats-from-sophisticated-threat-actors-is-here.html #ThreatandVulnerabilityManagement #EndpointProtection #CloudSecurity
-
8 trends transforming the MDR market today – Source: www.csoonline.com https://ciso2ciso.com/8-trends-transforming-the-mdr-market-today-source-www-csoonline-com/ #IntrusionDetectionSoftware #rssfeedpostgeneratorecho #Mergersandacquisitions #EndpointProtection #CyberSecurityNews #ManagedITservices #IncidentResponse #CSOonline #CSOOnline #Security
-
8 trends transforming the MDR market today – Source: www.csoonline.com https://ciso2ciso.com/8-trends-transforming-the-mdr-market-today-source-www-csoonline-com/ #IntrusionDetectionSoftware #rssfeedpostgeneratorecho #Mergersandacquisitions #EndpointProtection #CyberSecurityNews #ManagedITservices #IncidentResponse #CSOonline #CSOOnline #Security
-
8 trends transforming the MDR market today – Source: www.csoonline.com https://ciso2ciso.com/8-trends-transforming-the-mdr-market-today-source-www-csoonline-com/ #IntrusionDetectionSoftware #rssfeedpostgeneratorecho #Mergersandacquisitions #EndpointProtection #CyberSecurityNews #ManagedITservices #IncidentResponse #CSOonline #CSOOnline #Security
-
8 trends transforming the MDR market today – Source: www.csoonline.com https://ciso2ciso.com/8-trends-transforming-the-mdr-market-today-source-www-csoonline-com/ #IntrusionDetectionSoftware #rssfeedpostgeneratorecho #Mergersandacquisitions #EndpointProtection #CyberSecurityNews #ManagedITservices #IncidentResponse #CSOonline #CSOOnline #Security