#initialaccess — Public Fediverse posts

This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now

997 words, 5 minutes read time.

If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.

This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.

What this scam actually is

You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.

It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:

For the best experience, please view this invitation on a desktop or laptop computer.

If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.

And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.

Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.

Why this is an absolute nightmare for security teams

Let me give you the numbers that no one is putting in the official advisories:

• As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
• Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
• This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
• Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.

I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.

This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.

How to not get burned

I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.

For everyone

• Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
• Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
• Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.

For SOC Analysts and Security Teams

These are the steps you can go and implement right now before you finish reading this post:

1. Add an email detection rule for the exact string for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate.
2. Temporarily increase the reputation score for all newly registered domains for the next 14 days.
3. Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
4. If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.

Closing Thought

The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.

If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

• Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
• CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
• Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
• Punchbowl Official Public Warning
• Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
• Proofpoint Threat Insight: Punchbowl Phishing Campaign
• MITRE ATT&CK T1566.001: Spearphishing Link
• Verizon DBIR 2025: Phishing Effectiveness

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

Related Posts

Rate this:

This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now

997 words, 5 minutes read time.

If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.

This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.

What this scam actually is

You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.

It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:

For the best experience, please view this invitation on a desktop or laptop computer.

If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.

And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.

Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.

Why this is an absolute nightmare for security teams

Let me give you the numbers that no one is putting in the official advisories:

• As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
• Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
• This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
• Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.

I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.

This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.

How to not get burned

I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.

For everyone

• Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
• Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
• Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.

For SOC Analysts and Security Teams

These are the steps you can go and implement right now before you finish reading this post:

1. Add an email detection rule for the exact string for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate.
2. Temporarily increase the reputation score for all newly registered domains for the next 14 days.
3. Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
4. If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.

Closing Thought

The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.

If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

• Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
• CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
• Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
• Punchbowl Official Public Warning
• Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
• Proofpoint Threat Insight: Punchbowl Phishing Campaign
• MITRE ATT&CK T1566.001: Spearphishing Link
• Verizon DBIR 2025: Phishing Effectiveness

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

Related Posts

Rate this:

This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now

997 words, 5 minutes read time.

If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.

This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.

What this scam actually is

You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.

It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:

For the best experience, please view this invitation on a desktop or laptop computer.

If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.

And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.

Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.

Why this is an absolute nightmare for security teams

Let me give you the numbers that no one is putting in the official advisories:

• As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
• Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
• This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
• Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.

I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.

This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.

How to not get burned

I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.

For everyone

• Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
• Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
• Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.

For SOC Analysts and Security Teams

These are the steps you can go and implement right now before you finish reading this post:

1. Add an email detection rule for the exact string for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate.
2. Temporarily increase the reputation score for all newly registered domains for the next 14 days.
3. Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
4. If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.

Closing Thought

The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.

If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

• Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
• CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
• Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
• Punchbowl Official Public Warning
• Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
• Proofpoint Threat Insight: Punchbowl Phishing Campaign
• MITRE ATT&CK T1566.001: Spearphishing Link
• Verizon DBIR 2025: Phishing Effectiveness

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

Related Posts

Rate this:

"This is the second part of our two-blog series, where we explore various #initialaccess vectors into #Kubernetes environments, analyze the associated attack angles, and clarify the relevant risks. "

#wiz #security

https://www.wiz.io/blog/kubernetes-data-plane

Ransomware starts with reconnaissance: we observed a recent large-scale scanning campaign validating exploitable systems, data that feeds the initial access market and shows up later in real attacks. 🕵️‍♀️

https://www.greynoise.io/blog/christmas-scanning-campaign-fuel-2026-attacks

#GreyNoise #Ransomware #InitialAccess #IAB #Recon

A user of DarkForums is selling an initial access to a Finnish video gaming company.

Access Type: SMB
OS: Windows
Revenue: 27.5 Million $
Price: 1,1k (XMR)

#Finland #InitialAccess #InitialAccessBroker #DarkForums

R to @enisa_eu: Once the needed resources are ready, #exploitation of #EntryPoints begins to gain a first foothold within the target.

Third phase of #SocialEngineering: #InitialAccess. Learn how to face it!🛑

🔗https://europa.eu/!rKMC9w #FuelForCyber #CyberSecMonth

🐦🔗: https://nitter.cz/enisa_eu/status/1714568171489771693#m

[2023-10-18 09:04 UTC]

#SIMswapping is still a very real thing. Now, it's being used to bypass defense and detection methods within #Azure to gain full #administrative access for #Windows #VirtualMachines. This is pretty advanced, but it's still a big danger. #UNC3944 https://www.scmagazine.com/news/cloud-security/threat-actor-bypasses-detection-protections-in-microsoft-azure-serial-console?external_id=HBwZ-n4B490LDY0Z-dKj&external_id_source=mrkto&mkt_tok=MTg4LVVOWi02NjAAAAGLzUgAlV_uPRm28W067Sf5RayoZQN17Xrk53YEG17z3Gl_7qKsu2bjdUUW2CRUpserJQgXmMB46ieb_G5KrSlLHQGWs_K0TtXaXsrlmIPgkg

#Hacking #ThreatIntelligence #InitialAccess #LateralMovement #Persistence #Cloud #CloudAttackSurface

Introducing the newest major @tidalcyber TTP intelligence content roundup, the Initial Access & Malware Delivery Landscape matrix, now live in our free Community Edition platform: https://app.tidalcyber.com/share/43836024-a194-4ac7-9659-b51e88632e7f

The matrix covers 25 major & emerging #malware typically used to gain early footholds in victim environments, often leading to ingress of more impactful threats, especially #ransomware, #infostealers, cryptominers, & more. It includes many recognizable names (#QakBot, #IcedID, #Emotet, #Bumblebee, #Gootloader) plus several newer and less-discussed threats

The matrix includes 13 custom Technique Sets for threats not currently tracked in the #mitreattack knowledge base. All technique references derive from a large volume of recent, public #threat reporting (click the labels in the ribbon at the top of the matrix to view relevant source URLs for each threat)

An interactive link analysis visualization of connections among these threats, also derived from public reports, is also available here: https://onodo.org/visualizations/235067/

Community Edition matrices support easy identification of shared (and outlier) techniques among multiple threats, and quick & easy overlay or pivoting to defensive & offensive security capabilities relevant to your own #security stack. We’ll have a blog out soon reviewing our analysis of top & trending techniques common among these initial access threats

Tidal’s #Adversary Intelligence team remains focused on providing up-to-date #TTPintelligence, especially around traditionally under-represented yet widely relevant threats like crimeware. Other popular matrices in this theme include our Ransomware & Data Extortion Landscape matrix (https://app.tidalcyber.com/share/9a0fd4e6-1daf-4f98-a91d-b73003eb2d6a) and Major & Emerging Infostealers matrix (https://app.tidalcyber.com/share/ec62f5e0-bd40-476b-a560-7ad2779ea9e3), which each cover 20+ threats

Financially motivated adversaries often display a rapid pace of #TTP evolution, and this is especially apparent for #initialaccess threats. Register for our webinar on May 31 dedicated to TTP evolution, its drivers, and discussion around what defenders can do to address it and its implications: https://hubs.la/Q01NC23k0

#SharedWithTidal #threatinformeddefense #malware #infostealer #cryptominer #IAB #blueteam #detectionengineering #purpleteam #cyber

The latest Technique Set added to Tidal’s free Community Edition summarizes the TTPs observed in recent #SocGholish campaigns according to public threat reporting https://app.tidalcyber.com/share/4b901fc2-d021-4eff-bd53-0c9fa0259ecf

SocGholish is a highly active, JavaScript-based loader #malware used to deliver a wide variety of impactful threats (summarized in the original visual attached here). Many #ransomware families, the #CobaltStrike post-exploit framework, other remote access trojans (#RAT) and loaders, and tools for #ActiveDirectory enumeration, #detection evasion, and #credential theft have been linked to recent SocGholish campaigns

SocGholish appears on multiple security and #CTI vendors' top priority threat lists. Active since 2017, SentinelLabs researchers observed a 330%+ increase in SocGholish malware-staging servers between the first and second halves of 2022, and Sucuri researchers detected more than 25,000 websites newly compromised by the malware's operators through July 2022 alone. Initial infections predominantly come via file downloads from sites hosting fake web browser updates, although operators use some non-traditional email delivery techniques to drive compromised content towards potential victims. Like many of today's top #initialaccess threats, SocGholish victimology involves a wide range of industries

Consider layering the new set with other recent Community Edition content from @tidalcyber's Adversary Intelligence team, including our recent #Gootloader set (https://app.tidalcyber.com/share/796cacb6-3bb1-474b-9747-abcce2c47de2) or the set of techniques most recently associated with the ever-evolving #QakBot #trojan (https://app.tidalcyber.com/share/aef0f0c6-5212-4abf-9a24-3c81f518c59f), into one view to compare & contrast initial access techniques (https://app.tidalcyber.com/share/adb9581e-3318-4bc7-8d23-145891bf1ca4). Then take it a step further by layering mappings from your own defensive stack with the list of capabilities available in the Product Registry (https://app.tidalcyber.com/vendors). And stay tuned for our soon-to-be published overview matrix on the broad initial access/malware delivery ecosystem in today’s threat landscape, featuring more threats like the ones seen here

#threatinformeddefense #SharedWithTidal

#Gootloader is a highly active banking Trojan-turned-loader #malware that has recently appeared on multiple vendors’ priority threat lists, attacking organizations in a wide range of verticals & countries. If your leadership or other stakeholders asked for a list of this threat's most common TTPs, would you be able to provide it quickly?

Now you can, with the Gootloader #TTP matrix available in Tidal’s free Community Edition: https://app.tidalcyber.com/share/796cacb6-3bb1-474b-9747-abcce2c47de2

Gootloader, also referred to by its related payload, #Gootkit, first emerged in 2014 but has been especially active since 2020. Despite this, technical reporting around its TTPs has been relatively light until even more recently. In the past two years alone, verticals including finance, #healthcare, defense, pharmaceutical, energy, & automotive have faced Gootloader campaigns, with victims across North America, Western Europe, & South Korea, and the malware is regularly used to deliver high-impact payloads, including Cobalt Strike, #IcedID (a common #ransomware precursor), & more. Industry-based #threat profiling can be a powerful tool, but even if your industry (or your corner of it) hasn’t yet directly observed Gootloader activity, we believe broad-based threats like this should be on most teams’ radars

Our matrix summarizes Gootloader TTPs detailed across several great recent technical reports. Reports from SentinelLabs, Cybereason, & The DFIR Report were helpfully pre-mapped to #mitreattack, and we mapped a couple other detailed analyses. Procedural details are even available for nearly all the included technique mappings – be sure to click the Technique Set’s label in the ribbon at the top of the screen to pivot into the Details page with this information & relevant source links throughout

Red Canary & The DFIR Report helpfully provided tool-agnostic suggested #detection logic for key behaviors observed during recent Gootloader campaigns here https://redcanary.com/blog/gootloader/ and here https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/. Take a wider view by layering entire segments of your defensive stack over the #CTI back in the Community Edition, by toggling on any of the mappings available in @tidalcyber's Product Registry https://app.tidalcyber.com/vendors

#SharedWithTidal #threatinformeddefense #CobaltStrike #initialaccess #blueteam

How attackers evade endpoint defenses and install and execute "rigged" remote management software without having admin privileges

https://www.helpnetsecurity.com/2023/01/26/attackers-remote-management-software/

#Cybersecurity #InitialAccess #Cybercrime