#threatactor — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #threatactor, aggregated by home.social.
-
How many critical services are tied to abominations like #reCAPTCHA and #SafetyNet API? #Banking, #Healthcare, #eCommerce, #PublicServices, #PublicTransport, #RideHailing and even #WeatherServices. What are the implications of every citizen having to seek permissions from a trillion-dollar MNC to access any of them?
Check out #PRISM to see who Google silently shares this data with. #Google is a serious #state_sponsored #ThreatActor against individuals & national #sovereignty.
[3/6]
-
How many critical services are tied to abominations like #reCAPTCHA and #SafetyNet API? #Banking, #Healthcare, #eCommerce, #PublicServices, #PublicTransport, #RideHailing and even #WeatherServices. What are the implications of every citizen having to seek permissions from a trillion-dollar MNC to access any of them?
Check out #PRISM to see who Google silently shares this data with. #Google is a serious #state_sponsored #ThreatActor against individuals & national #sovereignty.
[3/6]
-
How many critical services are tied to abominations like #reCAPTCHA and #SafetyNet API? #Banking, #Healthcare, #eCommerce, #PublicServices, #PublicTransport, #RideHailing and even #WeatherServices. What are the implications of every citizen having to seek permissions from a trillion-dollar MNC to access any of them?
Check out #PRISM to see who Google silently shares this data with. #Google is a serious #state_sponsored #ThreatActor against individuals & national #sovereignty.
[3/6]
-
How many critical services are tied to abominations like #reCAPTCHA and #SafetyNet API? #Banking, #Healthcare, #eCommerce, #PublicServices, #PublicTransport, #RideHailing and even #WeatherServices. What are the implications of every citizen having to seek permissions from a trillion-dollar MNC to access any of them?
Check out #PRISM to see who Google silently shares this data with. #Google is a serious #state_sponsored #ThreatActor against individuals & national #sovereignty.
[3/6]
-
How many critical services are tied to #draconian schemes like #reCAPTCHA and #SafetyNet API? #Banking, #Healthcare, #eCommerce, #PublicServices, #PublicTransport, #RideHailing and even #WeatherServices. What are the implications of every citizen having to seek permissions from a trillion-dollar MNC to access any of them?
Check out project #PRISM to see who Google silently shares this data with. #Google is a serious #state_sponsored #ThreatActor against individuals & national #sovereignty.
-
CIA - song IRON LOCKS
www.youtube.com/@4427427
#TriadaCIA #CIATriad #Confidentiality #Integrity #Availability #Poufność #Integralność #Dostępność #NIST #Framework #CyberAwareness #SIEM #SOCAnalyst#Python #SQL #Linux #NetworkSecurity #ThreatActor #Phishing #SocialEngineering #SecurityTools #CyberSkills
#Rap90 #CyberSong #CyberVibe #TechMusic #SecurityRap #StudyWithMusic #CyberSecuritySongs
-
Here are four of the ten looping Claude user quotes on anthropic.com homepage... Mind you, these are not dynamic, they chose these explicitly. Are they trying to represent user sentiment accurately or are they reading these very differently than I am?
I went there after watching this talk: "Nicholas Carlini - Black-hat LLMs", from one of their engineers. There's definitely good work by talented and conscientious people that's going on there.
I'm rewriting this post because I'm cynical of corporate motives but I also don't think that interpreting everything cynically is helpful. Even after the VC funding runs out (hopefully before we destroy the planet and society), these tools won't disappear especially for malicious actors. So if they're also building tooling to mitigate harm / defend against threat actors, do I dare to hope they're reading the quotes the same way I am? Or is it more of:
I feel like I'm creating more dependency than knowledge.
#AI #Anthropic #Claude #Blackhat #LLM #SoftwareSecurity #Cybersecurity #ThreatActor
-
Here are four of the ten looping Claude user quotes on anthropic.com homepage... Mind you, these are not dynamic, they chose these explicitly. Are they trying to represent user sentiment accurately or are they reading these very differently than I am?
I went there after watching this talk: "Nicholas Carlini - Black-hat LLMs", from one of their engineers. There's definitely good work by talented and conscientious people that's going on there.
I'm rewriting this post because I'm cynical of corporate motives but I also don't think that interpreting everything cynically is helpful. Even after the VC funding runs out (hopefully before we destroy the planet and society), these tools won't disappear especially for malicious actors. So if they're also building tooling to mitigate harm / defend against threat actors, do I dare to hope they're reading the quotes the same way I am? Or is it more of:
I feel like I'm creating more dependency than knowledge.
#AI #Anthropic #Claude #Blackhat #LLM #SoftwareSecurity #Cybersecurity #ThreatActor
-
Here are four of the ten looping Claude user quotes on anthropic.com homepage... Mind you, these are not dynamic, they chose these explicitly. Are they trying to represent user sentiment accurately or are they reading these very differently than I am?
I went there after watching this talk: "Nicholas Carlini - Black-hat LLMs", from one of their engineers. There's definitely good work by talented and conscientious people that's going on there.
I'm rewriting this post because I'm cynical of corporate motives but I also don't think that interpreting everything cynically is helpful. Even after the VC funding runs out (hopefully before we destroy the planet and society), these tools won't disappear especially for malicious actors. So if they're also building tooling to mitigate harm / defend against threat actors, do I dare to hope they're reading the quotes the same way I am? Or is it more of:
I feel like I'm creating more dependency than knowledge.
#AI #Anthropic #Claude #Blackhat #LLM #SoftwareSecurity #Cybersecurity #ThreatActor
-
Here are four of the ten looping Claude user quotes on anthropic.com homepage... Mind you, these are not dynamic, they chose these explicitly. Are they trying to represent user sentiment accurately or are they reading these very differently than I am?
I went there after watching this talk: "Nicholas Carlini - Black-hat LLMs", from one of their engineers. There's definitely good work by talented and conscientious people that's going on there.
I'm rewriting this post because I'm cynical of corporate motives but I also don't think that interpreting everything cynically is helpful. Even after the VC funding runs out (hopefully before we destroy the planet and society), these tools won't disappear especially for malicious actors. So if they're also building tooling to mitigate harm / defend against threat actors, do I dare to hope they're reading the quotes the same way I am? Or is it more of:
I feel like I'm creating more dependency than knowledge.
#AI #Anthropic #Claude #Blackhat #LLM #SoftwareSecurity #Cybersecurity #ThreatActor
-
Here are four of the ten looping Claude user quotes on anthropic.com homepage... Mind you, these are not dynamic, they chose these explicitly. Are they trying to represent user sentiment accurately or are they reading these very differently than I am?
I went there after watching this talk: "Nicholas Carlini - Black-hat LLMs", from one of their engineers. There's definitely good work by talented and conscientious people that's going on there.
I'm rewriting this post because I'm cynical of corporate motives but I also don't think that interpreting everything cynically is helpful. Even after the VC funding runs out (hopefully before we destroy the planet and society), these tools won't disappear especially for malicious actors. So if they're also building tooling to mitigate harm / defend against threat actors, do I dare to hope they're reading the quotes the same way I am? Or is it more of:
I feel like I'm creating more dependency than knowledge.
#AI #Anthropic #Claude #Blackhat #LLM #SoftwareSecurity #Cybersecurity #ThreatActor
-
Hey Fediverse, especially folks that working in infosec or cybersecurity field.
Several years ago, I remember that Microsoft added a new Threat Actor in their classification list for Britain based APT.
I tried to search again, but I didn't find anything anymore regarding this.
Anyone has any pointer?
#Fediverse
#Infosec
#Cybersecurity
#ThreatActor
#APT
#ThreatIntel -
The Rise and Fall of SiegedSec - Flare
https://flare.io/learn/resources/blog/rise-and-fall-siegedsec
Short summary: https://hackerworkspace.com/article/the-rise-and-fall-of-siegedsec-flare
-
Ok, this is interesting and it's confusing. The domain
hungerrush.comis not affiliated with any of my domains. The only similarity is that we both use Cloudflare. But this is coming to my personal email domain. DNSlytics doesn't show anything out of order forhungerrush.comand their DNS servers are not my DNS servers so it's not like Cloudflare has accidentally mixed our accounts. Also not sure how or why this was accepted by #MailCow when the SPF records for the domain clearly do not list the IP address of the mail server that sent this to me as being valid. #hacking #MaliciousActor #ThreatActor #email #threatsReturn-Path: <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com> Delivered-To: [email protected] Received: from mc01.bofhcorp.com ([fd4d:6169:6c63:6f77::e]) by 4d492a470590 with LMTP id ePC8ETjOp2k40BwA8UTzlA (envelope-from <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com>) for <[email protected]>; Wed, 04 Mar 2026 01:16:24 -0500 X-Original-To: [email protected] Received: from o8.e.hungerrush.com (o8.e.hungerrush.com [159.183.101.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mc01.bofhcorp.com (Postcow) with ESMTPS id CA5B83F7C7 for <[email protected]>; Wed, 4 Mar 2026 01:16:22 -0500 (EST) Authentication-Results: mc01.bofhcorp.com; dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM; spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com"; dmarc=pass (policy=quarantine) header.from=hungerrush.com Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=ellenburg.email; s=dkim; t=1772604983; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: dkim-signature; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=; b=DauNC+S6ttdO/quZoBv0L089Gbgb0LvdV7nODvq5YhJnH1auSFd06y1oxdCooyZkX8SWnM MEU+0j5NHJFhYJ42EktQhZEswJQgFTt1KuoVHnsqmNrXTeT1tmXdyboARXMA+vR4xNylrL BmEetbNPCOr63tzqNaFDSnJ3FOX5NF0fQoKtBKhNgo4JRR8zt4UfSA2UBMBUJQN6u8nYgo Ehw5r+S/3dUQFjty1iBGiHCkRSUsg1swgOHBVr/4LNxFyUli1T6U8cx+1pkQ7+yLUwhdzy rLPsJQg48Vi0MhM4RGMm/VXISY47jJ9QwzSpvqN0cilIX5xK8CwQcRsEwT/z3A== Arc-Authentication-Results: i=1; mc01.bofhcorp.com; dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM; spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com"; dmarc=pass (policy=quarantine) header.from=hungerrush.com Arc-Seal: i=1; a=rsa-sha256; d=ellenburg.email; s=dkim; cv=none; t=1772604983; b=XgkqoDAX6WgAOrkYbxC1iSMvL3Y8BNYAmWV0zc4+qnmFOIXZk/F5Lah+JGjpq0J1bplLw4 +ctYOFPsiT/hRipThKyqAQKg8tbepc2WHhDfMfx0ZIBQ1pvSPLprPxXNWxShf1BGzYsk/p w43+BjfHPBaTUjfh33bRq9n+muIgQZWb0IrE3j3IxaQqbPH4gNGy3PRSQeJ0h8d+H2LDcz Ww33NM3dr46k9zG8G9zCz01UsQliOfyccWEBeEaZvKAOLRd8GJ9mVq0RdHaYx0OD7CAPCB oU3OVtXHM6BkaljOmSpBYG+bMf0FELppgF3Xh3kxjZqDp6T9ILy/MDF0C5qSLg== Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hungerrush.com; h=content-type:date:from:mime-version:subject:to:cc:content-type:date: from:subject:to; s=s1; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=; b=rUHDecOMPHV2uRHVRS0QWXTT+DvTlfnrkdErDM9S70AwIj6KcAGTRyXZ7HWShgumJh6C ZsLMIfaTz18zNbjmNvBnpTrFu53vh/91UsRE77gNqjXqcEZ1+GgyODFGuksZXJII5MGOmX kPjd7aoLNGV8IoW1vIJFeNFhn+V+V+Mqe8KZjDEYOS4vwhtYDZcLrEM1ycDSAwjxQXZQjo jhoKUzn0eMiJwAbZ+pv6rOFPboWo1TrML56rf2GnFaxzx02OzSzvtNW8zymZo+A91KcDBc CMBzB0a+gH4jTqq7Nru7UXy7HzJs65WKmzi0oP+6om74zfPstkxZIOyOdx8SuZmg== Received: by recvd-78b965c8d8-zdgqr with SMTP id recvd-78b965c8d8-zdgqr-1-69A7CE26-1C 2026-03-04 06:16:06.443112518 +0000 UTC m=+6594257.398878059 Received: from MTU0Mjg0MjA (unknown) by geopod-ismtpd-14 (SG) with HTTP id R8ef3HgJSzKAWjTspVFOVg Wed, 04 Mar 2026 06:16:06.389 +0000 (UTC) Content-Type: multipart/alternative; boundary=756eec60870d3d536fbdd68742e52497a4b942240da0929eb9086137701f Date: Wed, 04 Mar 2026 06:16:20 +0000 (UTC) (03/03/2026 11:16:20 PM) From: [email protected] Mime-Version: 1.0 Message-Id: <R8ef3HgJSzKAWjTspVFOVg@geopod-ismtpd-14> Subject: Important Security Concern X-Sg-Eid: u001.0C7K3f28Upwcc83Ki/sssUs41HbZm8V+OpCWByUHpnkIo3Cf3hm/pW0EfJzflgf36jw5Gp3JgFJ4tuWJQPsEAbcJU6UF8Ihcb1M62yBTRoE0vsUfZz2XJX+RWG3qaANKO1EBHzIuX62fzw1ozL1hsUCBi4ED9i/f8vMAlSBOsVfoeGi/Px3FbeZ5xedkeohgriOTDEtF5uvWrlpvLmUwmg== To: [email protected] X-Entity-Id: u001.GsWs5sr1vbo83iYQd0snJg== X-Last-Tls-Session-Version: TLSv1.3 X-Rspamd-Queue-Id: CA5B83F7C7 X-Spamd-Result: default: False [4.83 / 15.00]; BAD_REP_POLICIES(2.00)[]; IP_REPUTATION_SPAM(1.64)[asn: 11377(0.40), country: US(0.01), ip: 159.183.101.69(0.00)]; URI_COUNT_ODD(1.00)[1]; RBL_SENDERSCORE_REPUT_9(-1.00)[159.183.101.69:from]; MV_CASE(0.50)[]; MID_RHS_NOT_FQDN(0.50)[]; FORGED_SENDER(0.30)[[email protected],[email protected]]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; MX_GOOD(-0.01)[]; BAYES_SPAM(0.00)[22.47%]; RCVD_TLS_LAST(0.00)[]; R_DKIM_ALLOW(0.00)[hungerrush.com:s=s1]; RCPT_MAILCOW_DOMAIN(0.00)[ellenburg.email]; MIME_TRACE(0.00)[0:+,1:+,2:~]; ARC_NA(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DMARC_POLICY_ALLOW(0.00)[hungerrush.com,quarantine]; ARC_SIGNED(0.00)[ellenburg.email:s=dkim:i=1]; ALIAS_RESOLVED(0.00)[]; TO_DN_NONE(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; TAGGED_FROM(0.00)[15428420-0e13-george=ellenburg.email]; R_SPF_ALLOW(0.00)[+ip4:159.183.101.69]; FROM_NO_DN(0.00)[]; ASN(0.00)[asn:11377, ipnet:159.183.64.0/18, country:US]; DKIM_TRACE(0.00)[hungerrush.com:+]; MISSING_XM_UA(0.00)[]; FROM_NEQ_ENVFROM(0.00)[[email protected],[email protected]] X-Evolution-Source: a61fb74e0da811eda3a3e4401e58eba051b5dcfa -
Ok, this is interesting and it's confusing. The domain
hungerrush.comis not affiliated with any of my domains. The only similarity is that we both use Cloudflare. But this is coming to my personal email domain. DNSlytics doesn't show anything out of order forhungerrush.comand their DNS servers are not my DNS servers so it's not like Cloudflare has accidentally mixed our accounts. Also not sure how or why this was accepted by #MailCow when the SPF records for the domain clearly do not list the IP address of the mail server that sent this to me as being valid. #hacking #MaliciousActor #ThreatActor #email #threatsReturn-Path: <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com> Delivered-To: [email protected] Received: from mc01.bofhcorp.com ([fd4d:6169:6c63:6f77::e]) by 4d492a470590 with LMTP id ePC8ETjOp2k40BwA8UTzlA (envelope-from <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com>) for <[email protected]>; Wed, 04 Mar 2026 01:16:24 -0500 X-Original-To: [email protected] Received: from o8.e.hungerrush.com (o8.e.hungerrush.com [159.183.101.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mc01.bofhcorp.com (Postcow) with ESMTPS id CA5B83F7C7 for <[email protected]>; Wed, 4 Mar 2026 01:16:22 -0500 (EST) Authentication-Results: mc01.bofhcorp.com; dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM; spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com"; dmarc=pass (policy=quarantine) header.from=hungerrush.com Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=ellenburg.email; s=dkim; t=1772604983; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: dkim-signature; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=; b=DauNC+S6ttdO/quZoBv0L089Gbgb0LvdV7nODvq5YhJnH1auSFd06y1oxdCooyZkX8SWnM MEU+0j5NHJFhYJ42EktQhZEswJQgFTt1KuoVHnsqmNrXTeT1tmXdyboARXMA+vR4xNylrL BmEetbNPCOr63tzqNaFDSnJ3FOX5NF0fQoKtBKhNgo4JRR8zt4UfSA2UBMBUJQN6u8nYgo Ehw5r+S/3dUQFjty1iBGiHCkRSUsg1swgOHBVr/4LNxFyUli1T6U8cx+1pkQ7+yLUwhdzy rLPsJQg48Vi0MhM4RGMm/VXISY47jJ9QwzSpvqN0cilIX5xK8CwQcRsEwT/z3A== Arc-Authentication-Results: i=1; mc01.bofhcorp.com; dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM; spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com"; dmarc=pass (policy=quarantine) header.from=hungerrush.com Arc-Seal: i=1; a=rsa-sha256; d=ellenburg.email; s=dkim; cv=none; t=1772604983; b=XgkqoDAX6WgAOrkYbxC1iSMvL3Y8BNYAmWV0zc4+qnmFOIXZk/F5Lah+JGjpq0J1bplLw4 +ctYOFPsiT/hRipThKyqAQKg8tbepc2WHhDfMfx0ZIBQ1pvSPLprPxXNWxShf1BGzYsk/p w43+BjfHPBaTUjfh33bRq9n+muIgQZWb0IrE3j3IxaQqbPH4gNGy3PRSQeJ0h8d+H2LDcz Ww33NM3dr46k9zG8G9zCz01UsQliOfyccWEBeEaZvKAOLRd8GJ9mVq0RdHaYx0OD7CAPCB oU3OVtXHM6BkaljOmSpBYG+bMf0FELppgF3Xh3kxjZqDp6T9ILy/MDF0C5qSLg== Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hungerrush.com; h=content-type:date:from:mime-version:subject:to:cc:content-type:date: from:subject:to; s=s1; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=; b=rUHDecOMPHV2uRHVRS0QWXTT+DvTlfnrkdErDM9S70AwIj6KcAGTRyXZ7HWShgumJh6C ZsLMIfaTz18zNbjmNvBnpTrFu53vh/91UsRE77gNqjXqcEZ1+GgyODFGuksZXJII5MGOmX kPjd7aoLNGV8IoW1vIJFeNFhn+V+V+Mqe8KZjDEYOS4vwhtYDZcLrEM1ycDSAwjxQXZQjo jhoKUzn0eMiJwAbZ+pv6rOFPboWo1TrML56rf2GnFaxzx02OzSzvtNW8zymZo+A91KcDBc CMBzB0a+gH4jTqq7Nru7UXy7HzJs65WKmzi0oP+6om74zfPstkxZIOyOdx8SuZmg== Received: by recvd-78b965c8d8-zdgqr with SMTP id recvd-78b965c8d8-zdgqr-1-69A7CE26-1C 2026-03-04 06:16:06.443112518 +0000 UTC m=+6594257.398878059 Received: from MTU0Mjg0MjA (unknown) by geopod-ismtpd-14 (SG) with HTTP id R8ef3HgJSzKAWjTspVFOVg Wed, 04 Mar 2026 06:16:06.389 +0000 (UTC) Content-Type: multipart/alternative; boundary=756eec60870d3d536fbdd68742e52497a4b942240da0929eb9086137701f Date: Wed, 04 Mar 2026 06:16:20 +0000 (UTC) (03/03/2026 11:16:20 PM) From: [email protected] Mime-Version: 1.0 Message-Id: <R8ef3HgJSzKAWjTspVFOVg@geopod-ismtpd-14> Subject: Important Security Concern X-Sg-Eid: u001.0C7K3f28Upwcc83Ki/sssUs41HbZm8V+OpCWByUHpnkIo3Cf3hm/pW0EfJzflgf36jw5Gp3JgFJ4tuWJQPsEAbcJU6UF8Ihcb1M62yBTRoE0vsUfZz2XJX+RWG3qaANKO1EBHzIuX62fzw1ozL1hsUCBi4ED9i/f8vMAlSBOsVfoeGi/Px3FbeZ5xedkeohgriOTDEtF5uvWrlpvLmUwmg== To: [email protected] X-Entity-Id: u001.GsWs5sr1vbo83iYQd0snJg== X-Last-Tls-Session-Version: TLSv1.3 X-Rspamd-Queue-Id: CA5B83F7C7 X-Spamd-Result: default: False [4.83 / 15.00]; BAD_REP_POLICIES(2.00)[]; IP_REPUTATION_SPAM(1.64)[asn: 11377(0.40), country: US(0.01), ip: 159.183.101.69(0.00)]; URI_COUNT_ODD(1.00)[1]; RBL_SENDERSCORE_REPUT_9(-1.00)[159.183.101.69:from]; MV_CASE(0.50)[]; MID_RHS_NOT_FQDN(0.50)[]; FORGED_SENDER(0.30)[[email protected],[email protected]]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; MX_GOOD(-0.01)[]; BAYES_SPAM(0.00)[22.47%]; RCVD_TLS_LAST(0.00)[]; R_DKIM_ALLOW(0.00)[hungerrush.com:s=s1]; RCPT_MAILCOW_DOMAIN(0.00)[ellenburg.email]; MIME_TRACE(0.00)[0:+,1:+,2:~]; ARC_NA(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DMARC_POLICY_ALLOW(0.00)[hungerrush.com,quarantine]; ARC_SIGNED(0.00)[ellenburg.email:s=dkim:i=1]; ALIAS_RESOLVED(0.00)[]; TO_DN_NONE(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; TAGGED_FROM(0.00)[15428420-0e13-george=ellenburg.email]; R_SPF_ALLOW(0.00)[+ip4:159.183.101.69]; FROM_NO_DN(0.00)[]; ASN(0.00)[asn:11377, ipnet:159.183.64.0/18, country:US]; DKIM_TRACE(0.00)[hungerrush.com:+]; MISSING_XM_UA(0.00)[]; FROM_NEQ_ENVFROM(0.00)[[email protected],[email protected]] X-Evolution-Source: a61fb74e0da811eda3a3e4401e58eba051b5dcfa -
Ok, this is interesting and it's confusing. The domain
hungerrush.comis not affiliated with any of my domains. The only similarity is that we both use Cloudflare. But this is coming to my personal email domain. DNSlytics doesn't show anything out of order forhungerrush.comand their DNS servers are not my DNS servers so it's not like Cloudflare has accidentally mixed our accounts. Also not sure how or why this was accepted by #MailCow when the SPF records for the domain clearly do not list the IP address of the mail server that sent this to me as being valid. #hacking #MaliciousActor #ThreatActor #email #threatsReturn-Path: <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com> Delivered-To: [email protected] Received: from mc01.bofhcorp.com ([fd4d:6169:6c63:6f77::e]) by 4d492a470590 with LMTP id ePC8ETjOp2k40BwA8UTzlA (envelope-from <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com>) for <[email protected]>; Wed, 04 Mar 2026 01:16:24 -0500 X-Original-To: [email protected] Received: from o8.e.hungerrush.com (o8.e.hungerrush.com [159.183.101.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mc01.bofhcorp.com (Postcow) with ESMTPS id CA5B83F7C7 for <[email protected]>; Wed, 4 Mar 2026 01:16:22 -0500 (EST) Authentication-Results: mc01.bofhcorp.com; dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM; spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com"; dmarc=pass (policy=quarantine) header.from=hungerrush.com Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=ellenburg.email; s=dkim; t=1772604983; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: dkim-signature; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=; b=DauNC+S6ttdO/quZoBv0L089Gbgb0LvdV7nODvq5YhJnH1auSFd06y1oxdCooyZkX8SWnM MEU+0j5NHJFhYJ42EktQhZEswJQgFTt1KuoVHnsqmNrXTeT1tmXdyboARXMA+vR4xNylrL BmEetbNPCOr63tzqNaFDSnJ3FOX5NF0fQoKtBKhNgo4JRR8zt4UfSA2UBMBUJQN6u8nYgo Ehw5r+S/3dUQFjty1iBGiHCkRSUsg1swgOHBVr/4LNxFyUli1T6U8cx+1pkQ7+yLUwhdzy rLPsJQg48Vi0MhM4RGMm/VXISY47jJ9QwzSpvqN0cilIX5xK8CwQcRsEwT/z3A== Arc-Authentication-Results: i=1; mc01.bofhcorp.com; dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM; spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com"; dmarc=pass (policy=quarantine) header.from=hungerrush.com Arc-Seal: i=1; a=rsa-sha256; d=ellenburg.email; s=dkim; cv=none; t=1772604983; b=XgkqoDAX6WgAOrkYbxC1iSMvL3Y8BNYAmWV0zc4+qnmFOIXZk/F5Lah+JGjpq0J1bplLw4 +ctYOFPsiT/hRipThKyqAQKg8tbepc2WHhDfMfx0ZIBQ1pvSPLprPxXNWxShf1BGzYsk/p w43+BjfHPBaTUjfh33bRq9n+muIgQZWb0IrE3j3IxaQqbPH4gNGy3PRSQeJ0h8d+H2LDcz Ww33NM3dr46k9zG8G9zCz01UsQliOfyccWEBeEaZvKAOLRd8GJ9mVq0RdHaYx0OD7CAPCB oU3OVtXHM6BkaljOmSpBYG+bMf0FELppgF3Xh3kxjZqDp6T9ILy/MDF0C5qSLg== Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hungerrush.com; h=content-type:date:from:mime-version:subject:to:cc:content-type:date: from:subject:to; s=s1; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=; b=rUHDecOMPHV2uRHVRS0QWXTT+DvTlfnrkdErDM9S70AwIj6KcAGTRyXZ7HWShgumJh6C ZsLMIfaTz18zNbjmNvBnpTrFu53vh/91UsRE77gNqjXqcEZ1+GgyODFGuksZXJII5MGOmX kPjd7aoLNGV8IoW1vIJFeNFhn+V+V+Mqe8KZjDEYOS4vwhtYDZcLrEM1ycDSAwjxQXZQjo jhoKUzn0eMiJwAbZ+pv6rOFPboWo1TrML56rf2GnFaxzx02OzSzvtNW8zymZo+A91KcDBc CMBzB0a+gH4jTqq7Nru7UXy7HzJs65WKmzi0oP+6om74zfPstkxZIOyOdx8SuZmg== Received: by recvd-78b965c8d8-zdgqr with SMTP id recvd-78b965c8d8-zdgqr-1-69A7CE26-1C 2026-03-04 06:16:06.443112518 +0000 UTC m=+6594257.398878059 Received: from MTU0Mjg0MjA (unknown) by geopod-ismtpd-14 (SG) with HTTP id R8ef3HgJSzKAWjTspVFOVg Wed, 04 Mar 2026 06:16:06.389 +0000 (UTC) Content-Type: multipart/alternative; boundary=756eec60870d3d536fbdd68742e52497a4b942240da0929eb9086137701f Date: Wed, 04 Mar 2026 06:16:20 +0000 (UTC) (03/03/2026 11:16:20 PM) From: [email protected] Mime-Version: 1.0 Message-Id: <R8ef3HgJSzKAWjTspVFOVg@geopod-ismtpd-14> Subject: Important Security Concern X-Sg-Eid: u001.0C7K3f28Upwcc83Ki/sssUs41HbZm8V+OpCWByUHpnkIo3Cf3hm/pW0EfJzflgf36jw5Gp3JgFJ4tuWJQPsEAbcJU6UF8Ihcb1M62yBTRoE0vsUfZz2XJX+RWG3qaANKO1EBHzIuX62fzw1ozL1hsUCBi4ED9i/f8vMAlSBOsVfoeGi/Px3FbeZ5xedkeohgriOTDEtF5uvWrlpvLmUwmg== To: [email protected] X-Entity-Id: u001.GsWs5sr1vbo83iYQd0snJg== X-Last-Tls-Session-Version: TLSv1.3 X-Rspamd-Queue-Id: CA5B83F7C7 X-Spamd-Result: default: False [4.83 / 15.00]; BAD_REP_POLICIES(2.00)[]; IP_REPUTATION_SPAM(1.64)[asn: 11377(0.40), country: US(0.01), ip: 159.183.101.69(0.00)]; URI_COUNT_ODD(1.00)[1]; RBL_SENDERSCORE_REPUT_9(-1.00)[159.183.101.69:from]; MV_CASE(0.50)[]; MID_RHS_NOT_FQDN(0.50)[]; FORGED_SENDER(0.30)[[email protected],[email protected]]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; MX_GOOD(-0.01)[]; BAYES_SPAM(0.00)[22.47%]; RCVD_TLS_LAST(0.00)[]; R_DKIM_ALLOW(0.00)[hungerrush.com:s=s1]; RCPT_MAILCOW_DOMAIN(0.00)[ellenburg.email]; MIME_TRACE(0.00)[0:+,1:+,2:~]; ARC_NA(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DMARC_POLICY_ALLOW(0.00)[hungerrush.com,quarantine]; ARC_SIGNED(0.00)[ellenburg.email:s=dkim:i=1]; ALIAS_RESOLVED(0.00)[]; TO_DN_NONE(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; TAGGED_FROM(0.00)[15428420-0e13-george=ellenburg.email]; R_SPF_ALLOW(0.00)[+ip4:159.183.101.69]; FROM_NO_DN(0.00)[]; ASN(0.00)[asn:11377, ipnet:159.183.64.0/18, country:US]; DKIM_TRACE(0.00)[hungerrush.com:+]; MISSING_XM_UA(0.00)[]; FROM_NEQ_ENVFROM(0.00)[[email protected],[email protected]] X-Evolution-Source: a61fb74e0da811eda3a3e4401e58eba051b5dcfa -
Ok, this is interesting and it's confusing. The domain
hungerrush.comis not affiliated with any of my domains. The only similarity is that we both use Cloudflare. But this is coming to my personal email domain. DNSlytics doesn't show anything out of order forhungerrush.comand their DNS servers are not my DNS servers so it's not like Cloudflare has accidentally mixed our accounts. Also not sure how or why this was accepted by #MailCow when the SPF records for the domain clearly do not list the IP address of the mail server that sent this to me as being valid. #hacking #MaliciousActor #ThreatActor #email #threatsReturn-Path: <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com> Delivered-To: [email protected] Received: from mc01.bofhcorp.com ([fd4d:6169:6c63:6f77::e]) by 4d492a470590 with LMTP id ePC8ETjOp2k40BwA8UTzlA (envelope-from <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com>) for <[email protected]>; Wed, 04 Mar 2026 01:16:24 -0500 X-Original-To: [email protected] Received: from o8.e.hungerrush.com (o8.e.hungerrush.com [159.183.101.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mc01.bofhcorp.com (Postcow) with ESMTPS id CA5B83F7C7 for <[email protected]>; Wed, 4 Mar 2026 01:16:22 -0500 (EST) Authentication-Results: mc01.bofhcorp.com; dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM; spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com"; dmarc=pass (policy=quarantine) header.from=hungerrush.com Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=ellenburg.email; s=dkim; t=1772604983; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: dkim-signature; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=; b=DauNC+S6ttdO/quZoBv0L089Gbgb0LvdV7nODvq5YhJnH1auSFd06y1oxdCooyZkX8SWnM MEU+0j5NHJFhYJ42EktQhZEswJQgFTt1KuoVHnsqmNrXTeT1tmXdyboARXMA+vR4xNylrL BmEetbNPCOr63tzqNaFDSnJ3FOX5NF0fQoKtBKhNgo4JRR8zt4UfSA2UBMBUJQN6u8nYgo Ehw5r+S/3dUQFjty1iBGiHCkRSUsg1swgOHBVr/4LNxFyUli1T6U8cx+1pkQ7+yLUwhdzy rLPsJQg48Vi0MhM4RGMm/VXISY47jJ9QwzSpvqN0cilIX5xK8CwQcRsEwT/z3A== Arc-Authentication-Results: i=1; mc01.bofhcorp.com; dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM; spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com"; dmarc=pass (policy=quarantine) header.from=hungerrush.com Arc-Seal: i=1; a=rsa-sha256; d=ellenburg.email; s=dkim; cv=none; t=1772604983; b=XgkqoDAX6WgAOrkYbxC1iSMvL3Y8BNYAmWV0zc4+qnmFOIXZk/F5Lah+JGjpq0J1bplLw4 +ctYOFPsiT/hRipThKyqAQKg8tbepc2WHhDfMfx0ZIBQ1pvSPLprPxXNWxShf1BGzYsk/p w43+BjfHPBaTUjfh33bRq9n+muIgQZWb0IrE3j3IxaQqbPH4gNGy3PRSQeJ0h8d+H2LDcz Ww33NM3dr46k9zG8G9zCz01UsQliOfyccWEBeEaZvKAOLRd8GJ9mVq0RdHaYx0OD7CAPCB oU3OVtXHM6BkaljOmSpBYG+bMf0FELppgF3Xh3kxjZqDp6T9ILy/MDF0C5qSLg== Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hungerrush.com; h=content-type:date:from:mime-version:subject:to:cc:content-type:date: from:subject:to; s=s1; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=; b=rUHDecOMPHV2uRHVRS0QWXTT+DvTlfnrkdErDM9S70AwIj6KcAGTRyXZ7HWShgumJh6C ZsLMIfaTz18zNbjmNvBnpTrFu53vh/91UsRE77gNqjXqcEZ1+GgyODFGuksZXJII5MGOmX kPjd7aoLNGV8IoW1vIJFeNFhn+V+V+Mqe8KZjDEYOS4vwhtYDZcLrEM1ycDSAwjxQXZQjo jhoKUzn0eMiJwAbZ+pv6rOFPboWo1TrML56rf2GnFaxzx02OzSzvtNW8zymZo+A91KcDBc CMBzB0a+gH4jTqq7Nru7UXy7HzJs65WKmzi0oP+6om74zfPstkxZIOyOdx8SuZmg== Received: by recvd-78b965c8d8-zdgqr with SMTP id recvd-78b965c8d8-zdgqr-1-69A7CE26-1C 2026-03-04 06:16:06.443112518 +0000 UTC m=+6594257.398878059 Received: from MTU0Mjg0MjA (unknown) by geopod-ismtpd-14 (SG) with HTTP id R8ef3HgJSzKAWjTspVFOVg Wed, 04 Mar 2026 06:16:06.389 +0000 (UTC) Content-Type: multipart/alternative; boundary=756eec60870d3d536fbdd68742e52497a4b942240da0929eb9086137701f Date: Wed, 04 Mar 2026 06:16:20 +0000 (UTC) (03/03/2026 11:16:20 PM) From: [email protected] Mime-Version: 1.0 Message-Id: <R8ef3HgJSzKAWjTspVFOVg@geopod-ismtpd-14> Subject: Important Security Concern X-Sg-Eid: u001.0C7K3f28Upwcc83Ki/sssUs41HbZm8V+OpCWByUHpnkIo3Cf3hm/pW0EfJzflgf36jw5Gp3JgFJ4tuWJQPsEAbcJU6UF8Ihcb1M62yBTRoE0vsUfZz2XJX+RWG3qaANKO1EBHzIuX62fzw1ozL1hsUCBi4ED9i/f8vMAlSBOsVfoeGi/Px3FbeZ5xedkeohgriOTDEtF5uvWrlpvLmUwmg== To: [email protected] X-Entity-Id: u001.GsWs5sr1vbo83iYQd0snJg== X-Last-Tls-Session-Version: TLSv1.3 X-Rspamd-Queue-Id: CA5B83F7C7 X-Spamd-Result: default: False [4.83 / 15.00]; BAD_REP_POLICIES(2.00)[]; IP_REPUTATION_SPAM(1.64)[asn: 11377(0.40), country: US(0.01), ip: 159.183.101.69(0.00)]; URI_COUNT_ODD(1.00)[1]; RBL_SENDERSCORE_REPUT_9(-1.00)[159.183.101.69:from]; MV_CASE(0.50)[]; MID_RHS_NOT_FQDN(0.50)[]; FORGED_SENDER(0.30)[[email protected],[email protected]]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; MX_GOOD(-0.01)[]; BAYES_SPAM(0.00)[22.47%]; RCVD_TLS_LAST(0.00)[]; R_DKIM_ALLOW(0.00)[hungerrush.com:s=s1]; RCPT_MAILCOW_DOMAIN(0.00)[ellenburg.email]; MIME_TRACE(0.00)[0:+,1:+,2:~]; ARC_NA(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DMARC_POLICY_ALLOW(0.00)[hungerrush.com,quarantine]; ARC_SIGNED(0.00)[ellenburg.email:s=dkim:i=1]; ALIAS_RESOLVED(0.00)[]; TO_DN_NONE(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; TAGGED_FROM(0.00)[15428420-0e13-george=ellenburg.email]; R_SPF_ALLOW(0.00)[+ip4:159.183.101.69]; FROM_NO_DN(0.00)[]; ASN(0.00)[asn:11377, ipnet:159.183.64.0/18, country:US]; DKIM_TRACE(0.00)[hungerrush.com:+]; MISSING_XM_UA(0.00)[]; FROM_NEQ_ENVFROM(0.00)[[email protected],[email protected]] X-Evolution-Source: a61fb74e0da811eda3a3e4401e58eba051b5dcfa -
@kims The rest of the world already knows the U.S. can't be trusted. It’s the majority of Americans (not anyone engaged enough to be on the fediverse, of course) who are only just now starting to learn that the world views the U.S. this way.
#RogueState #ThreatActor #ChaosActor -
@kims The rest of the world already knows the U.S. can't be trusted. It’s the majority of Americans (not anyone engaged enough to be on the fediverse, of course) who are only just now starting to learn that the world views the U.S. this way.
#RogueState #ThreatActor #ChaosActor -
@kims The rest of the world already knows the U.S. can't be trusted. It’s the majority of Americans (not anyone engaged enough to be on the fediverse, of course) who are only just now starting to learn that the world views the U.S. this way.
#RogueState #ThreatActor #ChaosActor -
@kims The rest of the world already knows the U.S. can't be trusted. It’s the majority of Americans (not anyone engaged enough to be on the fediverse, of course) who are only just now starting to learn that the world views the U.S. this way.
#RogueState #ThreatActor #ChaosActor -
@kims The rest of the world already knows the U.S. can't be trusted. It’s the majority of Americans (not anyone engaged enough to be on the fediverse, of course) who are only just now starting to learn that the world views the U.S. this way.
#RogueState #ThreatActor #ChaosActor -
⚠️ New threat actor on the radar ⚠️ 🥷🏻 AtomSilo Ransomware 🗓️ added on February 24 🥢 Overview AtomSilo was first observed in September 2021, historically attributed to the Chinese state-sponsored cluster known as BRONZE STARLIGHT. #ransomNews #cybersecurity #threatactor
-
This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now
997 words, 5 minutes read time.
If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.
This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.
What this scam actually is
You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.
It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:
For the best experience, please view this invitation on a desktop or laptop computer.
If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.
And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.
Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.
Why this is an absolute nightmare for security teams
Let me give you the numbers that no one is putting in the official advisories:
- As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
- Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
- This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
- Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.
I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.
This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.
How to not get burned
I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.
For everyone
- Real Punchbowl invites will only ever come from an address ending in
@punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately. - Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
- Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.
For SOC Analysts and Security Teams
These are the steps you can go and implement right now before you finish reading this post:
- Add an email detection rule for the exact string
for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate. - Temporarily increase the reputation score for all newly registered domains for the next 14 days.
- Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
- If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.
Closing Thought
The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.
If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.
Call to Action
If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.
D. Bryan King
Sources
- Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
- CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
- Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
- Punchbowl Official Public Warning
- Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
- Proofpoint Threat Insight: Punchbowl Phishing Campaign
- MITRE ATT&CK T1566.001: Spearphishing Link
- Verizon DBIR 2025: Phishing Effectiveness
Disclaimer:
The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.
Related Posts
Rate this:
#attackVector #boardroomRisk #breachPrevention #CISAAlert #CISO #credentialTheft #cyberResilience #cyberattack #cybercrime #cybersecurityAwareness #defenseInDepth #desktopOnlyPhishing #detectionRule #DKIM #DMARC #emailFilterBypass #emailGateway #emailHygiene #emailSecurity #emailSecurityGateway #endpointProtection #incidentResponse #indicatorsOfCompromise #initialAccess #IoCs #lateralMovement #linkSafety #logAnalysis #maliciousLink #malware #MITREATTCK #mobileEmailRisk #phishingCampaign #phishingDetection #phishingScam #phishingSimulation #phishingStatistics #PunchbowlPhishing #ransomwarePrecursor #RemcosRAT #sandboxEvasion #securityAlert #SecurityAwarenessTraining #securityBestPractices #securityLeadership #securityMonitoring #securityOperationsCenter #securityStack #SOCAnalyst #socialEngineering #spearPhishing #SPF #suspiciousEmail #T1566001 #threatActor #threatHunting #threatIntelligence #userTraining #zeroTrust -
This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now
997 words, 5 minutes read time.
If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.
This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.
What this scam actually is
You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.
It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:
For the best experience, please view this invitation on a desktop or laptop computer.
If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.
And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.
Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.
Why this is an absolute nightmare for security teams
Let me give you the numbers that no one is putting in the official advisories:
- As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
- Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
- This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
- Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.
I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.
This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.
How to not get burned
I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.
For everyone
- Real Punchbowl invites will only ever come from an address ending in
@punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately. - Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
- Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.
For SOC Analysts and Security Teams
These are the steps you can go and implement right now before you finish reading this post:
- Add an email detection rule for the exact string
for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate. - Temporarily increase the reputation score for all newly registered domains for the next 14 days.
- Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
- If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.
Closing Thought
The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.
If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.
Call to Action
If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.
D. Bryan King
Sources
- Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
- CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
- Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
- Punchbowl Official Public Warning
- Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
- Proofpoint Threat Insight: Punchbowl Phishing Campaign
- MITRE ATT&CK T1566.001: Spearphishing Link
- Verizon DBIR 2025: Phishing Effectiveness
Disclaimer:
The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.
Related Posts
Rate this:
#attackVector #boardroomRisk #breachPrevention #CISAAlert #CISO #credentialTheft #cyberResilience #cyberattack #cybercrime #cybersecurityAwareness #defenseInDepth #desktopOnlyPhishing #detectionRule #DKIM #DMARC #emailFilterBypass #emailGateway #emailHygiene #emailSecurity #emailSecurityGateway #endpointProtection #incidentResponse #indicatorsOfCompromise #initialAccess #IoCs #lateralMovement #linkSafety #logAnalysis #maliciousLink #malware #MITREATTCK #mobileEmailRisk #phishingCampaign #phishingDetection #phishingScam #phishingSimulation #phishingStatistics #PunchbowlPhishing #ransomwarePrecursor #RemcosRAT #sandboxEvasion #securityAlert #SecurityAwarenessTraining #securityBestPractices #securityLeadership #securityMonitoring #securityOperationsCenter #securityStack #SOCAnalyst #socialEngineering #spearPhishing #SPF #suspiciousEmail #T1566001 #threatActor #threatHunting #threatIntelligence #userTraining #zeroTrust -
This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now
997 words, 5 minutes read time.
If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.
This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.
What this scam actually is
You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.
It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:
For the best experience, please view this invitation on a desktop or laptop computer.
If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.
And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.
Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.
Why this is an absolute nightmare for security teams
Let me give you the numbers that no one is putting in the official advisories:
- As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
- Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
- This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
- Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.
I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.
This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.
How to not get burned
I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.
For everyone
- Real Punchbowl invites will only ever come from an address ending in
@punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately. - Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
- Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.
For SOC Analysts and Security Teams
These are the steps you can go and implement right now before you finish reading this post:
- Add an email detection rule for the exact string
for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate. - Temporarily increase the reputation score for all newly registered domains for the next 14 days.
- Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
- If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.
Closing Thought
The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.
If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.
Call to Action
If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.
D. Bryan King
Sources
- Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
- CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
- Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
- Punchbowl Official Public Warning
- Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
- Proofpoint Threat Insight: Punchbowl Phishing Campaign
- MITRE ATT&CK T1566.001: Spearphishing Link
- Verizon DBIR 2025: Phishing Effectiveness
Disclaimer:
The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.
Related Posts
Rate this:
#attackVector #boardroomRisk #breachPrevention #CISAAlert #CISO #credentialTheft #cyberResilience #cyberattack #cybercrime #cybersecurityAwareness #defenseInDepth #desktopOnlyPhishing #detectionRule #DKIM #DMARC #emailFilterBypass #emailGateway #emailHygiene #emailSecurity #emailSecurityGateway #endpointProtection #incidentResponse #indicatorsOfCompromise #initialAccess #IoCs #lateralMovement #linkSafety #logAnalysis #maliciousLink #malware #MITREATTCK #mobileEmailRisk #phishingCampaign #phishingDetection #phishingScam #phishingSimulation #phishingStatistics #PunchbowlPhishing #ransomwarePrecursor #RemcosRAT #sandboxEvasion #securityAlert #SecurityAwarenessTraining #securityBestPractices #securityLeadership #securityMonitoring #securityOperationsCenter #securityStack #SOCAnalyst #socialEngineering #spearPhishing #SPF #suspiciousEmail #T1566001 #threatActor #threatHunting #threatIntelligence #userTraining #zeroTrust -
Check out my latest article, “Digital Defense Against the Dark Arts”
https://wfryer.substack.com/p/digital-defense-against-the-darkJoin me now in the "Zoom Room of Requirement" :-)
#MediaLit #MediaLiteracy #disinfo #HarryPotter #selfdefense #Russia #badactor #threatactor #edtechSR
-
How China’s “Walled Garden” is Redefining the Cyber Threat Landscape https://www.allforgardening.com/1585322/how-chinas-walled-garden-is-redefining-the-cyber-threat-landscape/ #apt #china #ChineseSpeakingThreatActors #garden #ThreatActor #webinar
-
He called himself an ‘untouchable hacker god’. But who was behind the biggest crime Finland has ever known? https://www.theguardian.com/technology/2026/jan/17/vastaamo-hack-finland-therapy-notes
#cybersecurity #datatheft #medical #psychiatrist #threatactor -
He called himself an ‘untouchable hacker god’. But who was behind the biggest crime Finland has ever known? https://www.theguardian.com/technology/2026/jan/17/vastaamo-hack-finland-therapy-notes
#cybersecurity #datatheft #medical #psychiatrist #threatactor -
He called himself an ‘untouchable hacker god’. But who was behind the biggest crime Finland has ever known? https://www.theguardian.com/technology/2026/jan/17/vastaamo-hack-finland-therapy-notes
#cybersecurity #datatheft #medical #psychiatrist #threatactor -
He called himself an ‘untouchable hacker god’. But who was behind the biggest crime Finland has ever known? https://www.theguardian.com/technology/2026/jan/17/vastaamo-hack-finland-therapy-notes
#cybersecurity #datatheft #medical #psychiatrist #threatactor -
He called himself an ‘untouchable hacker god’. But who was behind the biggest crime Finland has ever known? https://www.theguardian.com/technology/2026/jan/17/vastaamo-hack-finland-therapy-notes
#cybersecurity #datatheft #medical #psychiatrist #threatactor -
Nissan Motor Co. confirms a data breach affecting 21,000 customers in Japan following a security incident at third-party vendor Red Hat. No financial data was stolen.
Read More: https://www.security.land/nissan-japan-data-breach-affects-21-000-fukuoka-customers/
#SecurityLand #Cybersecurity #DataBreach #RedHat #Nissan #Japan #CrimsonCollective #ThreatActor
-
Nissan Motor Co. confirms a data breach affecting 21,000 customers in Japan following a security incident at third-party vendor Red Hat. No financial data was stolen.
Read More: https://www.security.land/nissan-japan-data-breach-affects-21-000-fukuoka-customers/
#SecurityLand #Cybersecurity #DataBreach #RedHat #Nissan #Japan #CrimsonCollective #ThreatActor
-
Who Is Dark Storm? The Threat Actor European Security Teams Can’t Ignore https://thecyberexpress.com/dark-storm-threat-actor-profile/ #CybleCyberThreatIntelligencePlatform #CyberThreatIntelligencePlatform #governmentagenciesinEurope #proRussianhacktivistgroup #hacktivistalliances #cyberadversaries #TheCyberExpress #FirewallDaily #ThreatActors #DDoSattacks #ThreatActor #CyberNews
-
Who Is Dark Storm? The Threat Actor European Security Teams Can’t Ignore https://thecyberexpress.com/dark-storm-threat-actor-profile/ #CybleCyberThreatIntelligencePlatform #CyberThreatIntelligencePlatform #governmentagenciesinEurope #proRussianhacktivistgroup #hacktivistalliances #cyberadversaries #TheCyberExpress #FirewallDaily #ThreatActors #DDoSattacks #ThreatActor #CyberNews
-
Who Is Dark Storm? The Threat Actor European Security Teams Can’t Ignore https://thecyberexpress.com/dark-storm-threat-actor-profile/ #CybleCyberThreatIntelligencePlatform #CyberThreatIntelligencePlatform #governmentagenciesinEurope #proRussianhacktivistgroup #hacktivistalliances #cyberadversaries #TheCyberExpress #FirewallDaily #ThreatActors #DDoSattacks #ThreatActor #CyberNews
-
Who Is Dark Storm? The Threat Actor European Security Teams Can’t Ignore https://thecyberexpress.com/dark-storm-threat-actor-profile/ #CybleCyberThreatIntelligencePlatform #CyberThreatIntelligencePlatform #governmentagenciesinEurope #proRussianhacktivistgroup #hacktivistalliances #cyberadversaries #TheCyberExpress #FirewallDaily #ThreatActors #DDoSattacks #ThreatActor #CyberNews
-
Albanese Physical Therapy Data Breach Exposes Patient Records https://dailydarkweb.net/albanese-physical-therapy-data-breach-exposes-patient-records/ #AlbanesePhysicalTherapy #CyberSecurity #DataBreaches #Pennsylvania #UnitedStates #threatactor #databreach #Healthcare #datasale #PHI #PII
-
Figment POS Data Breach Results in Stolen Source Code https://dailydarkweb.net/figment-pos-data-breach-results-in-stolen-source-code/ #sourcecodeleak #CyberSecurity #DataBreaches #PointofSale #threatactor #databreach #FigmentPOS #CloudPOS #Jordan #POS
-
Figment POS Data Breach Results in Stolen Source Code https://dailydarkweb.net/figment-pos-data-breach-results-in-stolen-source-code/ #sourcecodeleak #CyberSecurity #DataBreaches #PointofSale #threatactor #databreach #FigmentPOS #CloudPOS #Jordan #POS
-
Figment POS Data Breach Results in Stolen Source Code https://dailydarkweb.net/figment-pos-data-breach-results-in-stolen-source-code/ #sourcecodeleak #CyberSecurity #DataBreaches #PointofSale #threatactor #databreach #FigmentPOS #CloudPOS #Jordan #POS
-
Figment POS Data Breach Results in Stolen Source Code https://dailydarkweb.net/figment-pos-data-breach-results-in-stolen-source-code/ #sourcecodeleak #CyberSecurity #DataBreaches #PointofSale #threatactor #databreach #FigmentPOS #CloudPOS #Jordan #POS
-
ShinyHunters Site Message Changes After Arrest Reports https://dailydarkweb.net/shinyhunters-site-message-changes-after-arrest-reports/ #websitedefacement #scatteredspider #lawenforcement #CyberSecurity #CyberAttacks #ShinyHunters #threatactor #infosec #SLSH
-
ShinyHunters Site Message Changes After Arrest Reports https://dailydarkweb.net/shinyhunters-site-message-changes-after-arrest-reports/ #websitedefacement #scatteredspider #lawenforcement #CyberSecurity #CyberAttacks #ShinyHunters #threatactor #infosec #SLSH
-
ShinyHunters Site Message Changes After Arrest Reports https://dailydarkweb.net/shinyhunters-site-message-changes-after-arrest-reports/ #websitedefacement #scatteredspider #lawenforcement #CyberSecurity #CyberAttacks #ShinyHunters #threatactor #infosec #SLSH
-
ShinyHunters Site Message Changes After Arrest Reports https://dailydarkweb.net/shinyhunters-site-message-changes-after-arrest-reports/ #websitedefacement #scatteredspider #lawenforcement #CyberSecurity #CyberAttacks #ShinyHunters #threatactor #infosec #SLSH
-
Threat Actor Website ‘shinyhunte.rs’ Defaced in Apparent Feud https://dailydarkweb.net/threat-actor-website-shinyhunte-rs-defaced-in-apparent-feud/ #websitedefacement #scatteredspider #hackerconflict #CyberSecurity #CyberAttacks #ShinyHunters #threatactor #infosec
-
Threat Actor Website ‘shinyhunte.rs’ Defaced in Apparent Feud https://dailydarkweb.net/threat-actor-website-shinyhunte-rs-defaced-in-apparent-feud/ #websitedefacement #scatteredspider #hackerconflict #CyberSecurity #CyberAttacks #ShinyHunters #threatactor #infosec