home.social

#threatactor — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #threatactor, aggregated by home.social.

  1. How many critical services are tied to abominations like and API? , , , , , and even . What are the implications of every citizen having to seek permissions from a trillion-dollar MNC to access any of them?

    Check out to see who Google silently shares this data with. is a serious against individuals & national .

    [3/6]

  2. How many critical services are tied to abominations like #reCAPTCHA and #SafetyNet API? #Banking, #Healthcare, #eCommerce, #PublicServices, #PublicTransport, #RideHailing and even #WeatherServices. What are the implications of every citizen having to seek permissions from a trillion-dollar MNC to access any of them?

    Check out #PRISM to see who Google silently shares this data with. #Google is a serious #state_sponsored #ThreatActor against individuals & national #sovereignty.

    [3/6]

  3. How many critical services are tied to abominations like #reCAPTCHA and #SafetyNet API? #Banking, #Healthcare, #eCommerce, #PublicServices, #PublicTransport, #RideHailing and even #WeatherServices. What are the implications of every citizen having to seek permissions from a trillion-dollar MNC to access any of them?

    Check out #PRISM to see who Google silently shares this data with. #Google is a serious #state_sponsored #ThreatActor against individuals & national #sovereignty.

    [3/6]

  4. How many critical services are tied to abominations like #reCAPTCHA and #SafetyNet API? #Banking, #Healthcare, #eCommerce, #PublicServices, #PublicTransport, #RideHailing and even #WeatherServices. What are the implications of every citizen having to seek permissions from a trillion-dollar MNC to access any of them?

    Check out #PRISM to see who Google silently shares this data with. #Google is a serious #state_sponsored #ThreatActor against individuals & national #sovereignty.

    [3/6]

  5. How many critical services are tied to #draconian schemes like #reCAPTCHA and #SafetyNet API? #Banking, #Healthcare, #eCommerce, #PublicServices, #PublicTransport, #RideHailing and even #WeatherServices. What are the implications of every citizen having to seek permissions from a trillion-dollar MNC to access any of them?

    Check out project #PRISM to see who Google silently shares this data with. #Google is a serious #state_sponsored #ThreatActor against individuals & national #sovereignty.

  6. Here are four of the ten looping Claude user quotes on anthropic.com homepage... Mind you, these are not dynamic, they chose these explicitly. Are they trying to represent user sentiment accurately or are they reading these very differently than I am?

    I went there after watching this talk: "Nicholas Carlini - Black-hat LLMs", from one of their engineers. There's definitely good work by talented and conscientious people that's going on there.

    I'm rewriting this post because I'm cynical of corporate motives but I also don't think that interpreting everything cynically is helpful. Even after the VC funding runs out (hopefully before we destroy the planet and society), these tools won't disappear especially for malicious actors. So if they're also building tooling to mitigate harm / defend against threat actors, do I dare to hope they're reading the quotes the same way I am? Or is it more of:

    I feel like I'm creating more dependency than knowledge.

    #AI #Anthropic #Claude #Blackhat #LLM #SoftwareSecurity #Cybersecurity #ThreatActor

  7. Here are four of the ten looping Claude user quotes on anthropic.com homepage... Mind you, these are not dynamic, they chose these explicitly. Are they trying to represent user sentiment accurately or are they reading these very differently than I am?

    I went there after watching this talk: "Nicholas Carlini - Black-hat LLMs", from one of their engineers. There's definitely good work by talented and conscientious people that's going on there.

    I'm rewriting this post because I'm cynical of corporate motives but I also don't think that interpreting everything cynically is helpful. Even after the VC funding runs out (hopefully before we destroy the planet and society), these tools won't disappear especially for malicious actors. So if they're also building tooling to mitigate harm / defend against threat actors, do I dare to hope they're reading the quotes the same way I am? Or is it more of:

    I feel like I'm creating more dependency than knowledge.

    #AI #Anthropic #Claude #Blackhat #LLM #SoftwareSecurity #Cybersecurity #ThreatActor

  8. Here are four of the ten looping Claude user quotes on anthropic.com homepage... Mind you, these are not dynamic, they chose these explicitly. Are they trying to represent user sentiment accurately or are they reading these very differently than I am?

    I went there after watching this talk: "Nicholas Carlini - Black-hat LLMs", from one of their engineers. There's definitely good work by talented and conscientious people that's going on there.

    I'm rewriting this post because I'm cynical of corporate motives but I also don't think that interpreting everything cynically is helpful. Even after the VC funding runs out (hopefully before we destroy the planet and society), these tools won't disappear especially for malicious actors. So if they're also building tooling to mitigate harm / defend against threat actors, do I dare to hope they're reading the quotes the same way I am? Or is it more of:

    I feel like I'm creating more dependency than knowledge.

    #AI #Anthropic #Claude #Blackhat #LLM #SoftwareSecurity #Cybersecurity #ThreatActor

  9. Here are four of the ten looping Claude user quotes on anthropic.com homepage... Mind you, these are not dynamic, they chose these explicitly. Are they trying to represent user sentiment accurately or are they reading these very differently than I am?

    I went there after watching this talk: "Nicholas Carlini - Black-hat LLMs", from one of their engineers. There's definitely good work by talented and conscientious people that's going on there.

    I'm rewriting this post because I'm cynical of corporate motives but I also don't think that interpreting everything cynically is helpful. Even after the VC funding runs out (hopefully before we destroy the planet and society), these tools won't disappear especially for malicious actors. So if they're also building tooling to mitigate harm / defend against threat actors, do I dare to hope they're reading the quotes the same way I am? Or is it more of:

    I feel like I'm creating more dependency than knowledge.

    #AI #Anthropic #Claude #Blackhat #LLM #SoftwareSecurity #Cybersecurity #ThreatActor

  10. Here are four of the ten looping Claude user quotes on anthropic.com homepage... Mind you, these are not dynamic, they chose these explicitly. Are they trying to represent user sentiment accurately or are they reading these very differently than I am?

    I went there after watching this talk: "Nicholas Carlini - Black-hat LLMs", from one of their engineers. There's definitely good work by talented and conscientious people that's going on there.

    I'm rewriting this post because I'm cynical of corporate motives but I also don't think that interpreting everything cynically is helpful. Even after the VC funding runs out (hopefully before we destroy the planet and society), these tools won't disappear especially for malicious actors. So if they're also building tooling to mitigate harm / defend against threat actors, do I dare to hope they're reading the quotes the same way I am? Or is it more of:

    I feel like I'm creating more dependency than knowledge.

    #AI #Anthropic #Claude #Blackhat #LLM #SoftwareSecurity #Cybersecurity #ThreatActor

  11. Hey Fediverse, especially folks that working in infosec or cybersecurity field.

    Several years ago, I remember that Microsoft added a new Threat Actor in their classification list for Britain based APT.

    I tried to search again, but I didn't find anything anymore regarding this.

    Anyone has any pointer?

    #Fediverse
    #Infosec
    #Cybersecurity
    #ThreatActor
    #APT
    #ThreatIntel

  12. Ok, this is interesting and it's confusing. The domain hungerrush.com is not affiliated with any of my domains. The only similarity is that we both use Cloudflare. But this is coming to my personal email domain. DNSlytics doesn't show anything out of order for hungerrush.com and their DNS servers are not my DNS servers so it's not like Cloudflare has accidentally mixed our accounts. Also not sure how or why this was accepted by #MailCow when the SPF records for the domain clearly do not list the IP address of the mail server that sent this to me as being valid. #hacking #MaliciousActor #ThreatActor #email #threats

    Return-Path: <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com>
    Delivered-To: [email protected]
    Received: from mc01.bofhcorp.com ([fd4d:6169:6c63:6f77::e])
            by 4d492a470590 with LMTP
            id ePC8ETjOp2k40BwA8UTzlA
            (envelope-from <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com>)
            for <[email protected]>; Wed, 04 Mar 2026 01:16:24 -0500
    X-Original-To: [email protected]
    Received: from o8.e.hungerrush.com (o8.e.hungerrush.com [159.183.101.69])
            (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
             key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
            (No client certificate requested)
            by mc01.bofhcorp.com (Postcow) with ESMTPS id CA5B83F7C7
            for <[email protected]>; Wed,  4 Mar 2026 01:16:22 -0500 (EST)
    Authentication-Results: mc01.bofhcorp.com;      dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM;        spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com";    dmarc=pass (policy=quarantine) header.from=hungerrush.com
    Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=ellenburg.email;
            s=dkim; t=1772604983;
            h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
             to:to:cc:mime-version:mime-version:content-type:content-type:
             dkim-signature; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=;
            b=DauNC+S6ttdO/quZoBv0L089Gbgb0LvdV7nODvq5YhJnH1auSFd06y1oxdCooyZkX8SWnM
            MEU+0j5NHJFhYJ42EktQhZEswJQgFTt1KuoVHnsqmNrXTeT1tmXdyboARXMA+vR4xNylrL
            BmEetbNPCOr63tzqNaFDSnJ3FOX5NF0fQoKtBKhNgo4JRR8zt4UfSA2UBMBUJQN6u8nYgo
            Ehw5r+S/3dUQFjty1iBGiHCkRSUsg1swgOHBVr/4LNxFyUli1T6U8cx+1pkQ7+yLUwhdzy
            rLPsJQg48Vi0MhM4RGMm/VXISY47jJ9QwzSpvqN0cilIX5xK8CwQcRsEwT/z3A==
    Arc-Authentication-Results: i=1;
            mc01.bofhcorp.com;
            dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM;
            spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com";
            dmarc=pass (policy=quarantine) header.from=hungerrush.com
    Arc-Seal: i=1; a=rsa-sha256; d=ellenburg.email; s=dkim; cv=none; t=1772604983;
            b=XgkqoDAX6WgAOrkYbxC1iSMvL3Y8BNYAmWV0zc4+qnmFOIXZk/F5Lah+JGjpq0J1bplLw4
            +ctYOFPsiT/hRipThKyqAQKg8tbepc2WHhDfMfx0ZIBQ1pvSPLprPxXNWxShf1BGzYsk/p
            w43+BjfHPBaTUjfh33bRq9n+muIgQZWb0IrE3j3IxaQqbPH4gNGy3PRSQeJ0h8d+H2LDcz
            Ww33NM3dr46k9zG8G9zCz01UsQliOfyccWEBeEaZvKAOLRd8GJ9mVq0RdHaYx0OD7CAPCB
            oU3OVtXHM6BkaljOmSpBYG+bMf0FELppgF3Xh3kxjZqDp6T9ILy/MDF0C5qSLg==
    Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hungerrush.com;
            h=content-type:date:from:mime-version:subject:to:cc:content-type:date:
            from:subject:to;
            s=s1; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=;
            b=rUHDecOMPHV2uRHVRS0QWXTT+DvTlfnrkdErDM9S70AwIj6KcAGTRyXZ7HWShgumJh6C
            ZsLMIfaTz18zNbjmNvBnpTrFu53vh/91UsRE77gNqjXqcEZ1+GgyODFGuksZXJII5MGOmX
            kPjd7aoLNGV8IoW1vIJFeNFhn+V+V+Mqe8KZjDEYOS4vwhtYDZcLrEM1ycDSAwjxQXZQjo
            jhoKUzn0eMiJwAbZ+pv6rOFPboWo1TrML56rf2GnFaxzx02OzSzvtNW8zymZo+A91KcDBc
            CMBzB0a+gH4jTqq7Nru7UXy7HzJs65WKmzi0oP+6om74zfPstkxZIOyOdx8SuZmg==
    Received: by recvd-78b965c8d8-zdgqr with SMTP id recvd-78b965c8d8-zdgqr-1-69A7CE26-1C
            2026-03-04 06:16:06.443112518 +0000 UTC m=+6594257.398878059
    Received: from MTU0Mjg0MjA (unknown)
            by geopod-ismtpd-14 (SG) with HTTP
            id R8ef3HgJSzKAWjTspVFOVg
            Wed, 04 Mar 2026 06:16:06.389 +0000 (UTC)
    Content-Type: multipart/alternative; boundary=756eec60870d3d536fbdd68742e52497a4b942240da0929eb9086137701f
    Date: Wed, 04 Mar 2026 06:16:20 +0000 (UTC) (03/03/2026 11:16:20 PM)
    From: [email protected]
    Mime-Version: 1.0
    Message-Id: <R8ef3HgJSzKAWjTspVFOVg@geopod-ismtpd-14>
    Subject: Important Security Concern
    X-Sg-Eid:
     u001.0C7K3f28Upwcc83Ki/sssUs41HbZm8V+OpCWByUHpnkIo3Cf3hm/pW0EfJzflgf36jw5Gp3JgFJ4tuWJQPsEAbcJU6UF8Ihcb1M62yBTRoE0vsUfZz2XJX+RWG3qaANKO1EBHzIuX62fzw1ozL1hsUCBi4ED9i/f8vMAlSBOsVfoeGi/Px3FbeZ5xedkeohgriOTDEtF5uvWrlpvLmUwmg==
    To: [email protected]
    X-Entity-Id: u001.GsWs5sr1vbo83iYQd0snJg==
    X-Last-Tls-Session-Version: TLSv1.3
    X-Rspamd-Queue-Id: CA5B83F7C7
    X-Spamd-Result: default: False [4.83 / 15.00];
            BAD_REP_POLICIES(2.00)[];
            IP_REPUTATION_SPAM(1.64)[asn: 11377(0.40), country: US(0.01), ip: 159.183.101.69(0.00)];
            URI_COUNT_ODD(1.00)[1];
            RBL_SENDERSCORE_REPUT_9(-1.00)[159.183.101.69:from];
            MV_CASE(0.50)[];
            MID_RHS_NOT_FQDN(0.50)[];
            FORGED_SENDER(0.30)[[email protected],[email protected]];
            MIME_GOOD(-0.10)[multipart/alternative,text/plain];
            MX_GOOD(-0.01)[];
            BAYES_SPAM(0.00)[22.47%];
            RCVD_TLS_LAST(0.00)[];
            R_DKIM_ALLOW(0.00)[hungerrush.com:s=s1];
            RCPT_MAILCOW_DOMAIN(0.00)[ellenburg.email];
            MIME_TRACE(0.00)[0:+,1:+,2:~];
            ARC_NA(0.00)[];
            RCPT_COUNT_ONE(0.00)[1];
            TO_MATCH_ENVRCPT_ALL(0.00)[];
            DMARC_POLICY_ALLOW(0.00)[hungerrush.com,quarantine];
            ARC_SIGNED(0.00)[ellenburg.email:s=dkim:i=1];
            ALIAS_RESOLVED(0.00)[];
            TO_DN_NONE(0.00)[];
            RCVD_COUNT_TWO(0.00)[2];
            TAGGED_FROM(0.00)[15428420-0e13-george=ellenburg.email];
            R_SPF_ALLOW(0.00)[+ip4:159.183.101.69];
            FROM_NO_DN(0.00)[];
            ASN(0.00)[asn:11377, ipnet:159.183.64.0/18, country:US];
            DKIM_TRACE(0.00)[hungerrush.com:+];
            MISSING_XM_UA(0.00)[];
            FROM_NEQ_ENVFROM(0.00)[[email protected],[email protected]]
    X-Evolution-Source: a61fb74e0da811eda3a3e4401e58eba051b5dcfa

  13. Ok, this is interesting and it's confusing. The domain hungerrush.com is not affiliated with any of my domains. The only similarity is that we both use Cloudflare. But this is coming to my personal email domain. DNSlytics doesn't show anything out of order for hungerrush.com and their DNS servers are not my DNS servers so it's not like Cloudflare has accidentally mixed our accounts. Also not sure how or why this was accepted by #MailCow when the SPF records for the domain clearly do not list the IP address of the mail server that sent this to me as being valid. #hacking #MaliciousActor #ThreatActor #email #threats

    Return-Path: <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com>
    Delivered-To: [email protected]
    Received: from mc01.bofhcorp.com ([fd4d:6169:6c63:6f77::e])
            by 4d492a470590 with LMTP
            id ePC8ETjOp2k40BwA8UTzlA
            (envelope-from <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com>)
            for <[email protected]>; Wed, 04 Mar 2026 01:16:24 -0500
    X-Original-To: [email protected]
    Received: from o8.e.hungerrush.com (o8.e.hungerrush.com [159.183.101.69])
            (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
             key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
            (No client certificate requested)
            by mc01.bofhcorp.com (Postcow) with ESMTPS id CA5B83F7C7
            for <[email protected]>; Wed,  4 Mar 2026 01:16:22 -0500 (EST)
    Authentication-Results: mc01.bofhcorp.com;      dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM;        spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com";    dmarc=pass (policy=quarantine) header.from=hungerrush.com
    Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=ellenburg.email;
            s=dkim; t=1772604983;
            h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
             to:to:cc:mime-version:mime-version:content-type:content-type:
             dkim-signature; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=;
            b=DauNC+S6ttdO/quZoBv0L089Gbgb0LvdV7nODvq5YhJnH1auSFd06y1oxdCooyZkX8SWnM
            MEU+0j5NHJFhYJ42EktQhZEswJQgFTt1KuoVHnsqmNrXTeT1tmXdyboARXMA+vR4xNylrL
            BmEetbNPCOr63tzqNaFDSnJ3FOX5NF0fQoKtBKhNgo4JRR8zt4UfSA2UBMBUJQN6u8nYgo
            Ehw5r+S/3dUQFjty1iBGiHCkRSUsg1swgOHBVr/4LNxFyUli1T6U8cx+1pkQ7+yLUwhdzy
            rLPsJQg48Vi0MhM4RGMm/VXISY47jJ9QwzSpvqN0cilIX5xK8CwQcRsEwT/z3A==
    Arc-Authentication-Results: i=1;
            mc01.bofhcorp.com;
            dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM;
            spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com";
            dmarc=pass (policy=quarantine) header.from=hungerrush.com
    Arc-Seal: i=1; a=rsa-sha256; d=ellenburg.email; s=dkim; cv=none; t=1772604983;
            b=XgkqoDAX6WgAOrkYbxC1iSMvL3Y8BNYAmWV0zc4+qnmFOIXZk/F5Lah+JGjpq0J1bplLw4
            +ctYOFPsiT/hRipThKyqAQKg8tbepc2WHhDfMfx0ZIBQ1pvSPLprPxXNWxShf1BGzYsk/p
            w43+BjfHPBaTUjfh33bRq9n+muIgQZWb0IrE3j3IxaQqbPH4gNGy3PRSQeJ0h8d+H2LDcz
            Ww33NM3dr46k9zG8G9zCz01UsQliOfyccWEBeEaZvKAOLRd8GJ9mVq0RdHaYx0OD7CAPCB
            oU3OVtXHM6BkaljOmSpBYG+bMf0FELppgF3Xh3kxjZqDp6T9ILy/MDF0C5qSLg==
    Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hungerrush.com;
            h=content-type:date:from:mime-version:subject:to:cc:content-type:date:
            from:subject:to;
            s=s1; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=;
            b=rUHDecOMPHV2uRHVRS0QWXTT+DvTlfnrkdErDM9S70AwIj6KcAGTRyXZ7HWShgumJh6C
            ZsLMIfaTz18zNbjmNvBnpTrFu53vh/91UsRE77gNqjXqcEZ1+GgyODFGuksZXJII5MGOmX
            kPjd7aoLNGV8IoW1vIJFeNFhn+V+V+Mqe8KZjDEYOS4vwhtYDZcLrEM1ycDSAwjxQXZQjo
            jhoKUzn0eMiJwAbZ+pv6rOFPboWo1TrML56rf2GnFaxzx02OzSzvtNW8zymZo+A91KcDBc
            CMBzB0a+gH4jTqq7Nru7UXy7HzJs65WKmzi0oP+6om74zfPstkxZIOyOdx8SuZmg==
    Received: by recvd-78b965c8d8-zdgqr with SMTP id recvd-78b965c8d8-zdgqr-1-69A7CE26-1C
            2026-03-04 06:16:06.443112518 +0000 UTC m=+6594257.398878059
    Received: from MTU0Mjg0MjA (unknown)
            by geopod-ismtpd-14 (SG) with HTTP
            id R8ef3HgJSzKAWjTspVFOVg
            Wed, 04 Mar 2026 06:16:06.389 +0000 (UTC)
    Content-Type: multipart/alternative; boundary=756eec60870d3d536fbdd68742e52497a4b942240da0929eb9086137701f
    Date: Wed, 04 Mar 2026 06:16:20 +0000 (UTC) (03/03/2026 11:16:20 PM)
    From: [email protected]
    Mime-Version: 1.0
    Message-Id: <R8ef3HgJSzKAWjTspVFOVg@geopod-ismtpd-14>
    Subject: Important Security Concern
    X-Sg-Eid:
     u001.0C7K3f28Upwcc83Ki/sssUs41HbZm8V+OpCWByUHpnkIo3Cf3hm/pW0EfJzflgf36jw5Gp3JgFJ4tuWJQPsEAbcJU6UF8Ihcb1M62yBTRoE0vsUfZz2XJX+RWG3qaANKO1EBHzIuX62fzw1ozL1hsUCBi4ED9i/f8vMAlSBOsVfoeGi/Px3FbeZ5xedkeohgriOTDEtF5uvWrlpvLmUwmg==
    To: [email protected]
    X-Entity-Id: u001.GsWs5sr1vbo83iYQd0snJg==
    X-Last-Tls-Session-Version: TLSv1.3
    X-Rspamd-Queue-Id: CA5B83F7C7
    X-Spamd-Result: default: False [4.83 / 15.00];
            BAD_REP_POLICIES(2.00)[];
            IP_REPUTATION_SPAM(1.64)[asn: 11377(0.40), country: US(0.01), ip: 159.183.101.69(0.00)];
            URI_COUNT_ODD(1.00)[1];
            RBL_SENDERSCORE_REPUT_9(-1.00)[159.183.101.69:from];
            MV_CASE(0.50)[];
            MID_RHS_NOT_FQDN(0.50)[];
            FORGED_SENDER(0.30)[[email protected],[email protected]];
            MIME_GOOD(-0.10)[multipart/alternative,text/plain];
            MX_GOOD(-0.01)[];
            BAYES_SPAM(0.00)[22.47%];
            RCVD_TLS_LAST(0.00)[];
            R_DKIM_ALLOW(0.00)[hungerrush.com:s=s1];
            RCPT_MAILCOW_DOMAIN(0.00)[ellenburg.email];
            MIME_TRACE(0.00)[0:+,1:+,2:~];
            ARC_NA(0.00)[];
            RCPT_COUNT_ONE(0.00)[1];
            TO_MATCH_ENVRCPT_ALL(0.00)[];
            DMARC_POLICY_ALLOW(0.00)[hungerrush.com,quarantine];
            ARC_SIGNED(0.00)[ellenburg.email:s=dkim:i=1];
            ALIAS_RESOLVED(0.00)[];
            TO_DN_NONE(0.00)[];
            RCVD_COUNT_TWO(0.00)[2];
            TAGGED_FROM(0.00)[15428420-0e13-george=ellenburg.email];
            R_SPF_ALLOW(0.00)[+ip4:159.183.101.69];
            FROM_NO_DN(0.00)[];
            ASN(0.00)[asn:11377, ipnet:159.183.64.0/18, country:US];
            DKIM_TRACE(0.00)[hungerrush.com:+];
            MISSING_XM_UA(0.00)[];
            FROM_NEQ_ENVFROM(0.00)[[email protected],[email protected]]
    X-Evolution-Source: a61fb74e0da811eda3a3e4401e58eba051b5dcfa

  14. Ok, this is interesting and it's confusing. The domain hungerrush.com is not affiliated with any of my domains. The only similarity is that we both use Cloudflare. But this is coming to my personal email domain. DNSlytics doesn't show anything out of order for hungerrush.com and their DNS servers are not my DNS servers so it's not like Cloudflare has accidentally mixed our accounts. Also not sure how or why this was accepted by #MailCow when the SPF records for the domain clearly do not list the IP address of the mail server that sent this to me as being valid. #hacking #MaliciousActor #ThreatActor #email #threats

    Return-Path: <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com>
    Delivered-To: [email protected]
    Received: from mc01.bofhcorp.com ([fd4d:6169:6c63:6f77::e])
            by 4d492a470590 with LMTP
            id ePC8ETjOp2k40BwA8UTzlA
            (envelope-from <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com>)
            for <[email protected]>; Wed, 04 Mar 2026 01:16:24 -0500
    X-Original-To: [email protected]
    Received: from o8.e.hungerrush.com (o8.e.hungerrush.com [159.183.101.69])
            (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
             key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
            (No client certificate requested)
            by mc01.bofhcorp.com (Postcow) with ESMTPS id CA5B83F7C7
            for <[email protected]>; Wed,  4 Mar 2026 01:16:22 -0500 (EST)
    Authentication-Results: mc01.bofhcorp.com;      dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM;        spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com";    dmarc=pass (policy=quarantine) header.from=hungerrush.com
    Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=ellenburg.email;
            s=dkim; t=1772604983;
            h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
             to:to:cc:mime-version:mime-version:content-type:content-type:
             dkim-signature; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=;
            b=DauNC+S6ttdO/quZoBv0L089Gbgb0LvdV7nODvq5YhJnH1auSFd06y1oxdCooyZkX8SWnM
            MEU+0j5NHJFhYJ42EktQhZEswJQgFTt1KuoVHnsqmNrXTeT1tmXdyboARXMA+vR4xNylrL
            BmEetbNPCOr63tzqNaFDSnJ3FOX5NF0fQoKtBKhNgo4JRR8zt4UfSA2UBMBUJQN6u8nYgo
            Ehw5r+S/3dUQFjty1iBGiHCkRSUsg1swgOHBVr/4LNxFyUli1T6U8cx+1pkQ7+yLUwhdzy
            rLPsJQg48Vi0MhM4RGMm/VXISY47jJ9QwzSpvqN0cilIX5xK8CwQcRsEwT/z3A==
    Arc-Authentication-Results: i=1;
            mc01.bofhcorp.com;
            dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM;
            spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com";
            dmarc=pass (policy=quarantine) header.from=hungerrush.com
    Arc-Seal: i=1; a=rsa-sha256; d=ellenburg.email; s=dkim; cv=none; t=1772604983;
            b=XgkqoDAX6WgAOrkYbxC1iSMvL3Y8BNYAmWV0zc4+qnmFOIXZk/F5Lah+JGjpq0J1bplLw4
            +ctYOFPsiT/hRipThKyqAQKg8tbepc2WHhDfMfx0ZIBQ1pvSPLprPxXNWxShf1BGzYsk/p
            w43+BjfHPBaTUjfh33bRq9n+muIgQZWb0IrE3j3IxaQqbPH4gNGy3PRSQeJ0h8d+H2LDcz
            Ww33NM3dr46k9zG8G9zCz01UsQliOfyccWEBeEaZvKAOLRd8GJ9mVq0RdHaYx0OD7CAPCB
            oU3OVtXHM6BkaljOmSpBYG+bMf0FELppgF3Xh3kxjZqDp6T9ILy/MDF0C5qSLg==
    Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hungerrush.com;
            h=content-type:date:from:mime-version:subject:to:cc:content-type:date:
            from:subject:to;
            s=s1; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=;
            b=rUHDecOMPHV2uRHVRS0QWXTT+DvTlfnrkdErDM9S70AwIj6KcAGTRyXZ7HWShgumJh6C
            ZsLMIfaTz18zNbjmNvBnpTrFu53vh/91UsRE77gNqjXqcEZ1+GgyODFGuksZXJII5MGOmX
            kPjd7aoLNGV8IoW1vIJFeNFhn+V+V+Mqe8KZjDEYOS4vwhtYDZcLrEM1ycDSAwjxQXZQjo
            jhoKUzn0eMiJwAbZ+pv6rOFPboWo1TrML56rf2GnFaxzx02OzSzvtNW8zymZo+A91KcDBc
            CMBzB0a+gH4jTqq7Nru7UXy7HzJs65WKmzi0oP+6om74zfPstkxZIOyOdx8SuZmg==
    Received: by recvd-78b965c8d8-zdgqr with SMTP id recvd-78b965c8d8-zdgqr-1-69A7CE26-1C
            2026-03-04 06:16:06.443112518 +0000 UTC m=+6594257.398878059
    Received: from MTU0Mjg0MjA (unknown)
            by geopod-ismtpd-14 (SG) with HTTP
            id R8ef3HgJSzKAWjTspVFOVg
            Wed, 04 Mar 2026 06:16:06.389 +0000 (UTC)
    Content-Type: multipart/alternative; boundary=756eec60870d3d536fbdd68742e52497a4b942240da0929eb9086137701f
    Date: Wed, 04 Mar 2026 06:16:20 +0000 (UTC) (03/03/2026 11:16:20 PM)
    From: [email protected]
    Mime-Version: 1.0
    Message-Id: <R8ef3HgJSzKAWjTspVFOVg@geopod-ismtpd-14>
    Subject: Important Security Concern
    X-Sg-Eid:
     u001.0C7K3f28Upwcc83Ki/sssUs41HbZm8V+OpCWByUHpnkIo3Cf3hm/pW0EfJzflgf36jw5Gp3JgFJ4tuWJQPsEAbcJU6UF8Ihcb1M62yBTRoE0vsUfZz2XJX+RWG3qaANKO1EBHzIuX62fzw1ozL1hsUCBi4ED9i/f8vMAlSBOsVfoeGi/Px3FbeZ5xedkeohgriOTDEtF5uvWrlpvLmUwmg==
    To: [email protected]
    X-Entity-Id: u001.GsWs5sr1vbo83iYQd0snJg==
    X-Last-Tls-Session-Version: TLSv1.3
    X-Rspamd-Queue-Id: CA5B83F7C7
    X-Spamd-Result: default: False [4.83 / 15.00];
            BAD_REP_POLICIES(2.00)[];
            IP_REPUTATION_SPAM(1.64)[asn: 11377(0.40), country: US(0.01), ip: 159.183.101.69(0.00)];
            URI_COUNT_ODD(1.00)[1];
            RBL_SENDERSCORE_REPUT_9(-1.00)[159.183.101.69:from];
            MV_CASE(0.50)[];
            MID_RHS_NOT_FQDN(0.50)[];
            FORGED_SENDER(0.30)[[email protected],[email protected]];
            MIME_GOOD(-0.10)[multipart/alternative,text/plain];
            MX_GOOD(-0.01)[];
            BAYES_SPAM(0.00)[22.47%];
            RCVD_TLS_LAST(0.00)[];
            R_DKIM_ALLOW(0.00)[hungerrush.com:s=s1];
            RCPT_MAILCOW_DOMAIN(0.00)[ellenburg.email];
            MIME_TRACE(0.00)[0:+,1:+,2:~];
            ARC_NA(0.00)[];
            RCPT_COUNT_ONE(0.00)[1];
            TO_MATCH_ENVRCPT_ALL(0.00)[];
            DMARC_POLICY_ALLOW(0.00)[hungerrush.com,quarantine];
            ARC_SIGNED(0.00)[ellenburg.email:s=dkim:i=1];
            ALIAS_RESOLVED(0.00)[];
            TO_DN_NONE(0.00)[];
            RCVD_COUNT_TWO(0.00)[2];
            TAGGED_FROM(0.00)[15428420-0e13-george=ellenburg.email];
            R_SPF_ALLOW(0.00)[+ip4:159.183.101.69];
            FROM_NO_DN(0.00)[];
            ASN(0.00)[asn:11377, ipnet:159.183.64.0/18, country:US];
            DKIM_TRACE(0.00)[hungerrush.com:+];
            MISSING_XM_UA(0.00)[];
            FROM_NEQ_ENVFROM(0.00)[[email protected],[email protected]]
    X-Evolution-Source: a61fb74e0da811eda3a3e4401e58eba051b5dcfa

  15. Ok, this is interesting and it's confusing. The domain hungerrush.com is not affiliated with any of my domains. The only similarity is that we both use Cloudflare. But this is coming to my personal email domain. DNSlytics doesn't show anything out of order for hungerrush.com and their DNS servers are not my DNS servers so it's not like Cloudflare has accidentally mixed our accounts. Also not sure how or why this was accepted by #MailCow when the SPF records for the domain clearly do not list the IP address of the mail server that sent this to me as being valid. #hacking #MaliciousActor #ThreatActor #email #threats

    Return-Path: <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com>
    Delivered-To: [email protected]
    Received: from mc01.bofhcorp.com ([fd4d:6169:6c63:6f77::e])
            by 4d492a470590 with LMTP
            id ePC8ETjOp2k40BwA8UTzlA
            (envelope-from <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com>)
            for <[email protected]>; Wed, 04 Mar 2026 01:16:24 -0500
    X-Original-To: [email protected]
    Received: from o8.e.hungerrush.com (o8.e.hungerrush.com [159.183.101.69])
            (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
             key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
            (No client certificate requested)
            by mc01.bofhcorp.com (Postcow) with ESMTPS id CA5B83F7C7
            for <[email protected]>; Wed,  4 Mar 2026 01:16:22 -0500 (EST)
    Authentication-Results: mc01.bofhcorp.com;      dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM;        spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com";    dmarc=pass (policy=quarantine) header.from=hungerrush.com
    Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=ellenburg.email;
            s=dkim; t=1772604983;
            h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
             to:to:cc:mime-version:mime-version:content-type:content-type:
             dkim-signature; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=;
            b=DauNC+S6ttdO/quZoBv0L089Gbgb0LvdV7nODvq5YhJnH1auSFd06y1oxdCooyZkX8SWnM
            MEU+0j5NHJFhYJ42EktQhZEswJQgFTt1KuoVHnsqmNrXTeT1tmXdyboARXMA+vR4xNylrL
            BmEetbNPCOr63tzqNaFDSnJ3FOX5NF0fQoKtBKhNgo4JRR8zt4UfSA2UBMBUJQN6u8nYgo
            Ehw5r+S/3dUQFjty1iBGiHCkRSUsg1swgOHBVr/4LNxFyUli1T6U8cx+1pkQ7+yLUwhdzy
            rLPsJQg48Vi0MhM4RGMm/VXISY47jJ9QwzSpvqN0cilIX5xK8CwQcRsEwT/z3A==
    Arc-Authentication-Results: i=1;
            mc01.bofhcorp.com;
            dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM;
            spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com";
            dmarc=pass (policy=quarantine) header.from=hungerrush.com
    Arc-Seal: i=1; a=rsa-sha256; d=ellenburg.email; s=dkim; cv=none; t=1772604983;
            b=XgkqoDAX6WgAOrkYbxC1iSMvL3Y8BNYAmWV0zc4+qnmFOIXZk/F5Lah+JGjpq0J1bplLw4
            +ctYOFPsiT/hRipThKyqAQKg8tbepc2WHhDfMfx0ZIBQ1pvSPLprPxXNWxShf1BGzYsk/p
            w43+BjfHPBaTUjfh33bRq9n+muIgQZWb0IrE3j3IxaQqbPH4gNGy3PRSQeJ0h8d+H2LDcz
            Ww33NM3dr46k9zG8G9zCz01UsQliOfyccWEBeEaZvKAOLRd8GJ9mVq0RdHaYx0OD7CAPCB
            oU3OVtXHM6BkaljOmSpBYG+bMf0FELppgF3Xh3kxjZqDp6T9ILy/MDF0C5qSLg==
    Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hungerrush.com;
            h=content-type:date:from:mime-version:subject:to:cc:content-type:date:
            from:subject:to;
            s=s1; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=;
            b=rUHDecOMPHV2uRHVRS0QWXTT+DvTlfnrkdErDM9S70AwIj6KcAGTRyXZ7HWShgumJh6C
            ZsLMIfaTz18zNbjmNvBnpTrFu53vh/91UsRE77gNqjXqcEZ1+GgyODFGuksZXJII5MGOmX
            kPjd7aoLNGV8IoW1vIJFeNFhn+V+V+Mqe8KZjDEYOS4vwhtYDZcLrEM1ycDSAwjxQXZQjo
            jhoKUzn0eMiJwAbZ+pv6rOFPboWo1TrML56rf2GnFaxzx02OzSzvtNW8zymZo+A91KcDBc
            CMBzB0a+gH4jTqq7Nru7UXy7HzJs65WKmzi0oP+6om74zfPstkxZIOyOdx8SuZmg==
    Received: by recvd-78b965c8d8-zdgqr with SMTP id recvd-78b965c8d8-zdgqr-1-69A7CE26-1C
            2026-03-04 06:16:06.443112518 +0000 UTC m=+6594257.398878059
    Received: from MTU0Mjg0MjA (unknown)
            by geopod-ismtpd-14 (SG) with HTTP
            id R8ef3HgJSzKAWjTspVFOVg
            Wed, 04 Mar 2026 06:16:06.389 +0000 (UTC)
    Content-Type: multipart/alternative; boundary=756eec60870d3d536fbdd68742e52497a4b942240da0929eb9086137701f
    Date: Wed, 04 Mar 2026 06:16:20 +0000 (UTC) (03/03/2026 11:16:20 PM)
    From: [email protected]
    Mime-Version: 1.0
    Message-Id: <R8ef3HgJSzKAWjTspVFOVg@geopod-ismtpd-14>
    Subject: Important Security Concern
    X-Sg-Eid:
     u001.0C7K3f28Upwcc83Ki/sssUs41HbZm8V+OpCWByUHpnkIo3Cf3hm/pW0EfJzflgf36jw5Gp3JgFJ4tuWJQPsEAbcJU6UF8Ihcb1M62yBTRoE0vsUfZz2XJX+RWG3qaANKO1EBHzIuX62fzw1ozL1hsUCBi4ED9i/f8vMAlSBOsVfoeGi/Px3FbeZ5xedkeohgriOTDEtF5uvWrlpvLmUwmg==
    To: [email protected]
    X-Entity-Id: u001.GsWs5sr1vbo83iYQd0snJg==
    X-Last-Tls-Session-Version: TLSv1.3
    X-Rspamd-Queue-Id: CA5B83F7C7
    X-Spamd-Result: default: False [4.83 / 15.00];
            BAD_REP_POLICIES(2.00)[];
            IP_REPUTATION_SPAM(1.64)[asn: 11377(0.40), country: US(0.01), ip: 159.183.101.69(0.00)];
            URI_COUNT_ODD(1.00)[1];
            RBL_SENDERSCORE_REPUT_9(-1.00)[159.183.101.69:from];
            MV_CASE(0.50)[];
            MID_RHS_NOT_FQDN(0.50)[];
            FORGED_SENDER(0.30)[[email protected],[email protected]];
            MIME_GOOD(-0.10)[multipart/alternative,text/plain];
            MX_GOOD(-0.01)[];
            BAYES_SPAM(0.00)[22.47%];
            RCVD_TLS_LAST(0.00)[];
            R_DKIM_ALLOW(0.00)[hungerrush.com:s=s1];
            RCPT_MAILCOW_DOMAIN(0.00)[ellenburg.email];
            MIME_TRACE(0.00)[0:+,1:+,2:~];
            ARC_NA(0.00)[];
            RCPT_COUNT_ONE(0.00)[1];
            TO_MATCH_ENVRCPT_ALL(0.00)[];
            DMARC_POLICY_ALLOW(0.00)[hungerrush.com,quarantine];
            ARC_SIGNED(0.00)[ellenburg.email:s=dkim:i=1];
            ALIAS_RESOLVED(0.00)[];
            TO_DN_NONE(0.00)[];
            RCVD_COUNT_TWO(0.00)[2];
            TAGGED_FROM(0.00)[15428420-0e13-george=ellenburg.email];
            R_SPF_ALLOW(0.00)[+ip4:159.183.101.69];
            FROM_NO_DN(0.00)[];
            ASN(0.00)[asn:11377, ipnet:159.183.64.0/18, country:US];
            DKIM_TRACE(0.00)[hungerrush.com:+];
            MISSING_XM_UA(0.00)[];
            FROM_NEQ_ENVFROM(0.00)[[email protected],[email protected]]
    X-Evolution-Source: a61fb74e0da811eda3a3e4401e58eba051b5dcfa

  16. @kims The rest of the world already knows the U.S. can't be trusted. It’s the majority of Americans (not anyone engaged enough to be on the fediverse, of course) who are only just now starting to learn that the world views the U.S. this way.
    #RogueState #ThreatActor #ChaosActor

    mas.to/@fsinn/1158513745478847

  17. @kims The rest of the world already knows the U.S. can't be trusted. It’s the majority of Americans (not anyone engaged enough to be on the fediverse, of course) who are only just now starting to learn that the world views the U.S. this way.
    #RogueState #ThreatActor #ChaosActor

    mas.to/@fsinn/1158513745478847

  18. @kims The rest of the world already knows the U.S. can't be trusted. It’s the majority of Americans (not anyone engaged enough to be on the fediverse, of course) who are only just now starting to learn that the world views the U.S. this way.
    #RogueState #ThreatActor #ChaosActor

    mas.to/@fsinn/1158513745478847

  19. @kims The rest of the world already knows the U.S. can't be trusted. It’s the majority of Americans (not anyone engaged enough to be on the fediverse, of course) who are only just now starting to learn that the world views the U.S. this way.

    mas.to/@fsinn/1158513745478847

  20. @kims The rest of the world already knows the U.S. can't be trusted. It’s the majority of Americans (not anyone engaged enough to be on the fediverse, of course) who are only just now starting to learn that the world views the U.S. this way.
    #RogueState #ThreatActor #ChaosActor

    mas.to/@fsinn/1158513745478847

  21. ⚠️ New threat actor on the radar ⚠️ 🥷🏻 AtomSilo Ransomware 🗓️ added on February 24 🥢 Overview AtomSilo was first observed in September 2021, historically attributed to the Chinese state-sponsored cluster known as BRONZE STARLIGHT. #ransomNews #cybersecurity #threatactor

  22. This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now

    997 words, 5 minutes read time.

    If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.

    This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.

    What this scam actually is

    You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.

    It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:

    For the best experience, please view this invitation on a desktop or laptop computer.

    If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.

    And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.

    Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.

    Why this is an absolute nightmare for security teams

    Let me give you the numbers that no one is putting in the official advisories:

    • As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
    • Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
    • This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
    • Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.

    I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.

    This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.

    How to not get burned

    I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.

    For everyone

    • Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
    • Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
    • Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.

    For SOC Analysts and Security Teams

    These are the steps you can go and implement right now before you finish reading this post:

    1. Add an email detection rule for the exact string for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate.
    2. Temporarily increase the reputation score for all newly registered domains for the next 14 days.
    3. Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
    4. If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.

    Closing Thought

    The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.

    If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.

    Call to Action

    If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

    D. Bryan King

    Sources

    Disclaimer:

    The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

    Related Posts

    Rate this:

    #attackVector #boardroomRisk #breachPrevention #CISAAlert #CISO #credentialTheft #cyberResilience #cyberattack #cybercrime #cybersecurityAwareness #defenseInDepth #desktopOnlyPhishing #detectionRule #DKIM #DMARC #emailFilterBypass #emailGateway #emailHygiene #emailSecurity #emailSecurityGateway #endpointProtection #incidentResponse #indicatorsOfCompromise #initialAccess #IoCs #lateralMovement #linkSafety #logAnalysis #maliciousLink #malware #MITREATTCK #mobileEmailRisk #phishingCampaign #phishingDetection #phishingScam #phishingSimulation #phishingStatistics #PunchbowlPhishing #ransomwarePrecursor #RemcosRAT #sandboxEvasion #securityAlert #SecurityAwarenessTraining #securityBestPractices #securityLeadership #securityMonitoring #securityOperationsCenter #securityStack #SOCAnalyst #socialEngineering #spearPhishing #SPF #suspiciousEmail #T1566001 #threatActor #threatHunting #threatIntelligence #userTraining #zeroTrust
  23. This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now

    997 words, 5 minutes read time.

    If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.

    This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.

    What this scam actually is

    You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.

    It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:

    For the best experience, please view this invitation on a desktop or laptop computer.

    If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.

    And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.

    Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.

    Why this is an absolute nightmare for security teams

    Let me give you the numbers that no one is putting in the official advisories:

    • As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
    • Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
    • This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
    • Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.

    I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.

    This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.

    How to not get burned

    I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.

    For everyone

    • Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
    • Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
    • Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.

    For SOC Analysts and Security Teams

    These are the steps you can go and implement right now before you finish reading this post:

    1. Add an email detection rule for the exact string for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate.
    2. Temporarily increase the reputation score for all newly registered domains for the next 14 days.
    3. Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
    4. If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.

    Closing Thought

    The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.

    If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.

    Call to Action

    If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

    D. Bryan King

    Sources

    Disclaimer:

    The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

    Related Posts

    Rate this:

    #attackVector #boardroomRisk #breachPrevention #CISAAlert #CISO #credentialTheft #cyberResilience #cyberattack #cybercrime #cybersecurityAwareness #defenseInDepth #desktopOnlyPhishing #detectionRule #DKIM #DMARC #emailFilterBypass #emailGateway #emailHygiene #emailSecurity #emailSecurityGateway #endpointProtection #incidentResponse #indicatorsOfCompromise #initialAccess #IoCs #lateralMovement #linkSafety #logAnalysis #maliciousLink #malware #MITREATTCK #mobileEmailRisk #phishingCampaign #phishingDetection #phishingScam #phishingSimulation #phishingStatistics #PunchbowlPhishing #ransomwarePrecursor #RemcosRAT #sandboxEvasion #securityAlert #SecurityAwarenessTraining #securityBestPractices #securityLeadership #securityMonitoring #securityOperationsCenter #securityStack #SOCAnalyst #socialEngineering #spearPhishing #SPF #suspiciousEmail #T1566001 #threatActor #threatHunting #threatIntelligence #userTraining #zeroTrust
  24. This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now

    997 words, 5 minutes read time.

    If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.

    This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.

    What this scam actually is

    You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.

    It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:

    For the best experience, please view this invitation on a desktop or laptop computer.

    If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.

    And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.

    Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.

    Why this is an absolute nightmare for security teams

    Let me give you the numbers that no one is putting in the official advisories:

    • As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
    • Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
    • This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
    • Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.

    I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.

    This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.

    How to not get burned

    I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.

    For everyone

    • Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
    • Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
    • Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.

    For SOC Analysts and Security Teams

    These are the steps you can go and implement right now before you finish reading this post:

    1. Add an email detection rule for the exact string for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate.
    2. Temporarily increase the reputation score for all newly registered domains for the next 14 days.
    3. Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
    4. If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.

    Closing Thought

    The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.

    If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.

    Call to Action

    If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

    D. Bryan King

    Sources

    Disclaimer:

    The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

    Related Posts

    Rate this:

    #attackVector #boardroomRisk #breachPrevention #CISAAlert #CISO #credentialTheft #cyberResilience #cyberattack #cybercrime #cybersecurityAwareness #defenseInDepth #desktopOnlyPhishing #detectionRule #DKIM #DMARC #emailFilterBypass #emailGateway #emailHygiene #emailSecurity #emailSecurityGateway #endpointProtection #incidentResponse #indicatorsOfCompromise #initialAccess #IoCs #lateralMovement #linkSafety #logAnalysis #maliciousLink #malware #MITREATTCK #mobileEmailRisk #phishingCampaign #phishingDetection #phishingScam #phishingSimulation #phishingStatistics #PunchbowlPhishing #ransomwarePrecursor #RemcosRAT #sandboxEvasion #securityAlert #SecurityAwarenessTraining #securityBestPractices #securityLeadership #securityMonitoring #securityOperationsCenter #securityStack #SOCAnalyst #socialEngineering #spearPhishing #SPF #suspiciousEmail #T1566001 #threatActor #threatHunting #threatIntelligence #userTraining #zeroTrust
  25. Nissan Motor Co. confirms a data breach affecting 21,000 customers in Japan following a security incident at third-party vendor Red Hat. No financial data was stolen.

    Read More: security.land/nissan-japan-dat

    #SecurityLand #Cybersecurity #DataBreach #RedHat #Nissan #Japan #CrimsonCollective #ThreatActor

  26. Nissan Motor Co. confirms a data breach affecting 21,000 customers in Japan following a security incident at third-party vendor Red Hat. No financial data was stolen.

    Read More: security.land/nissan-japan-dat

    #SecurityLand #Cybersecurity #DataBreach #RedHat #Nissan #Japan #CrimsonCollective #ThreatActor