Punchbowl Phishing Attack Explained: How Digital Invites Are Used to Steal Credentials
Threat actors are leveraging fake digital invitations mimicking trusted brands like Paperless Post to redirect victims to credential harvesting sites. These phishing pages impersonate major login portals and utilize fake error messages to extract multiple sets of credentials, employing newly registered domains and URL shorteners to evade detection.
Authors: Adriane Andaya, Cofense Phishing Defense Center
Source: Cofense
Indicators of Compromise
- Domain: dry[.]za[.]com - Malicious newly registered domain hosting the credential harvesting page
- Email: jennifer.krauser@juno.com - Sender email address observed in the malicious Paperless Post invitation lure
- URL: hxxp://t[.]ly/KwKzQ - Stage 1: observed email infection URL (URL shortener)
- URL: hxxps://dry[.]za[.]com/if1/ - Stage 2: observed payload URL / phishing landing page
Key Takeaways
- Threat actors are using fake digital invitations mimicking brands like Paperless Post and Punchbowl to lure victims.
- The phishing landing pages impersonate major services (Dropbox, Google, Microsoft, Yahoo, AOL) to harvest credentials.
- Attackers utilize fake error messages (e.g., 'Incorrect code') to trick victims into submitting multiple sets of credentials.
- Newly registered domains (NRDs) and URL shorteners are heavily used to evade reputation-based security controls.
Affected Systems
- Corporate Email
- Personal Email
- Web Accounts
Attack Chain
The attack begins with a phishing email disguised as a digital invitation from Paperless Post. Clicking the link directs the victim through a URL shortener (t.ly) to a newly registered domain hosting a phishing page. The landing page mimics Dropbox and prompts the user to log in using various email providers (Google, Office 365, Yahoo, AOL). Upon entering credentials, the site displays a fake error message to harvest additional passwords before exfiltrating the data to an attacker-controlled server.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the article.
Detection Engineering Assessment
- EDR Visibility: None. This is a purely web-based credential harvesting attack. Unless the EDR includes network traffic inspection or browser extensions, it will not have visibility into the user submitting credentials to a web form.
- Network Visibility: High. Network and web proxy logs will capture the initial click to the URL shortener and the subsequent redirection to the newly registered domain.
- Detection Difficulty: Moderate. While the specific IOCs are easy to block, detecting the broader campaign relies on identifying URL shorteners and newly registered domains in email bodies, which can generate false positives if not tuned correctly.
Required Log Sources
- Email Gateway Logs
- Web Proxy Logs
- DNS Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Users are receiving emails containing URL shorteners (e.g., t.ly) combined with keywords related to invitations or events. | Email Gateway Logs | Initial Access | Medium |
| Endpoints are making web requests to newly registered domains (less than 30 days old) immediately following a click on a URL shortener link. | Web Proxy Logs, DNS Logs | Execution | Low |
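Both hypotheses in the table above, implemented as hunting logic over constructed sample data. This is an added example, not code from the Cofense article or its Phishing Defense Center: the shortener list, the invitation keywords, the log lines and the domain registration dates are all assumptions made for the example (in production the registration date comes from an RDAP/WHOIS lookup or a newly-registered-domain feed).

```python
"""Hunting logic for the two hypotheses: (1) shortener links with invitation
wording in inbound mail, (2) a shortener click followed by a request to a
newly registered domain.  All log lines and registration dates are constructed."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: shortener services to treat as suspicious in external mail.
SHORTENERS = {"t.ly", "bit.ly", "tinyurl.com"}
# Assumption: wording typical of digital-invitation lures.
INVITE_KEYWORDS = ("invitation", "invite", "rsvp", "event", "celebration")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed email gateway records, as a SIEM would hand them to a query.
EMAIL_LOGS = [
    {"id": "m1", "sender": "jennifer.krauser@juno.com",
     "subject": "You have received an invitation",
     "body": "Open your invitation: http://t.ly/KwKzQ"},
    {"id": "m2", "sender": "newsletter@example.com", "subject": "Weekly digest",
     "body": "Read more at https://t.ly/abc12"},                  # shortener, no invite wording
    {"id": "m3", "sender": "hr@corp.example", "subject": "Team event invitation",
     "body": "Details: https://intranet.corp.example/events/42"},  # invite wording, no shortener
]

# Constructed proxy log: timestamp, client IP, destination host, HTTP status.
PROXY_LOGS = """\
2024-05-01T09:00:01Z 10.0.0.5 t.ly 302
2024-05-01T09:00:03Z 10.0.0.5 dry.za.com 200
2024-05-01T09:05:00Z 10.0.0.7 t.ly 302
2024-05-01T09:05:02Z 10.0.0.7 www.example.com 200
2024-05-01T10:00:00Z 10.0.0.9 dry.za.com 200
"""

# Constructed registration dates for this example only; in production they come
# from an RDAP/WHOIS lookup or a newly-registered-domain feed.
REGISTERED = {"dry.za.com": "2024-04-20", "www.example.com": "1995-08-14"}


def hunt_shortener_invites(records):
    """Hypothesis 1: a shortener link AND invitation wording in the same message."""
    hits = []
    for r in records:
        text = f"{r['subject']} {r['body']}".lower()
        hosts = {urlparse(u).hostname for u in URL_RE.findall(r["body"])}
        if hosts & SHORTENERS and any(k in text for k in INVITE_KEYWORDS):
            hits.append(r["id"])
    return hits


def hunt_shortener_to_nrd(proxy_text, registered, window=timedelta(seconds=30),
                          max_age=timedelta(days=30)):
    """Hypothesis 2: the same client requests a shortener and then, within
    `window`, a domain registered less than `max_age` before the request."""
    last_shortener = {}  # client IP -> time of its most recent shortener request
    hits = []
    for line in proxy_text.splitlines():
        ts, client, host, _status = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if host in SHORTENERS:
            last_shortener[client] = t
            continue
        reg = registered.get(host)  # unknown registration date: skip rather than guess
        prev = last_shortener.get(client)
        if reg and prev and t - prev <= window:
            if t - datetime.strptime(reg, "%Y-%m-%d") < max_age:
                hits.append((client, host))
    return hits


if __name__ == "__main__":
    print("Hypothesis 1 hits:", hunt_shortener_invites(EMAIL_LOGS))
    print("Hypothesis 2 hits:", hunt_shortener_to_nrd(PROXY_LOGS, REGISTERED))
```

The 30-second window and 30-day age threshold are the tunables that control the false-positive rate. The third proxy client in the sample shows why the table rates the second hunt as low risk: a bare request to a young domain with no preceding shortener click is not flagged by this logic, so legitimate new sites do not surface unless they are reached through a shortener.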
Control Gaps
- Email filtering relying solely on domain reputation
- Lack of MFA enforcement on external accounts
Key Behavioral Indicators
- Use of t.ly shortener in email body
- Redirection to newly registered domains
- Fake error messages on login portals
False Positive Assessment
- Low for the specific IOCs provided, as they are directly tied to malicious infrastructure. Hunting broadly for URL shorteners will have a higher false positive rate.
Recommendations
Immediate Mitigation
- Block the identified IPs, domains, and URLs at the firewall and web proxy.
- Search email logs for the sender address jennifer.krauser@juno.com and purge matching emails from user inboxes.
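A sweep that carries out the two steps above: it refangs the indicators the page lists, searches email gateway and proxy records for them, and splits the indicators into a blocklist and a review list. This is an added example and not the article's own tooling; the IOCs are the page's, while the gateway export and proxy log lines are constructed.

```python
"""IOC sweep and blocklist builder for the immediate-mitigation steps.
The indicators are the ones published on the page (defanged); the email
gateway export and proxy log are constructed for the example."""
import csv
import io
import re
from urllib.parse import urlparse

# Indicators exactly as published on the page, defanged.
DEFANGED = {
    "sender": "jennifer.krauser@juno.com",
    "urls": ["hxxp://t[.]ly/KwKzQ", "hxxps://dry[.]za[.]com/if1/"],
    "domains": ["dry[.]za[.]com", "t[.]ly"],
    "ips": ["104[.]20[.]6[.]133", "104[.]20[.]7[.]133",
            "172[.]67[.]221[.]157", "104[.]21[.]67[.]111"],
}
SHORTENER_SERVICES = {"t.ly"}  # shared service: blocking it outright is a policy decision

# Constructed email gateway export (multiple URLs in one message separated by ';').
EMAIL_GATEWAY_CSV = """\
message_id,sender,recipient,urls
m-1001,jennifer.krauser@juno.com,alice@corp.example,http://t.ly/KwKzQ
m-1002,news@example.com,bob@corp.example,https://www.example.com/news
m-1003,jennifer.krauser@juno.com,carol@corp.example,
"""
# Constructed proxy log: timestamp, client IP, URL, resolved destination IP.
PROXY_LOG = """\
2024-05-01T09:00:03Z 10.0.0.5 https://dry.za.com/if1/ 172.67.221.157
2024-05-01T09:30:00Z 10.0.0.8 https://www.example.com/ 93.184.216.34
"""


def refang(ioc):
    """Undo the page's defanging (hxxp, [.], [:]) so the value matches raw logs."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def build_iocs(defanged):
    """Refang every indicator and derive the set of hostnames to match on."""
    urls = [refang(u) for u in defanged["urls"]]
    domains = [refang(d) for d in defanged["domains"]]
    return {
        "sender": defanged["sender"].lower(),
        "urls": urls,
        "domains": domains,
        "hosts": {urlparse(u).hostname for u in urls} | set(domains),
        "ips": {refang(i) for i in defanged["ips"]},
    }


def sweep_email(csv_text, iocs):
    """Message ids to purge: sender matches, or any link whose host is an IOC host."""
    purge = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hosts = {urlparse(u).hostname for u in row["urls"].split(";") if u}
        if row["sender"].lower() == iocs["sender"] or hosts & iocs["hosts"]:
            purge.append(row["message_id"])
    return purge


def sweep_proxy(log_text, iocs):
    """(client, url) pairs that reached an IOC host or IP: password-reset candidates."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, url, dst_ip = line.split()
        if urlparse(url).hostname in iocs["hosts"] or dst_ip in iocs["ips"]:
            hits.append((client, url))
    return hits


def blocklist(iocs):
    """Split indicators into entries safe to block outright and entries needing review.
    Full URLs and the attacker's newly registered domain can be blocked directly.
    The shortener is a shared service, and the listed IPs fall in address ranges
    used by a large shared CDN, so blocking those wholesale would also block
    legitimate sites; they are matched for hunting but queued for review."""
    block = list(iocs["urls"]) + [d for d in iocs["domains"] if d not in SHORTENER_SERVICES]
    review = sorted(SHORTENER_SERVICES & set(iocs["domains"])) + sorted(iocs["ips"])
    return block, review


if __name__ == "__main__":
    iocs = build_iocs(DEFANGED)
    print("Purge:", sweep_email(EMAIL_GATEWAY_CSV, iocs))
    print("Proxy hits:", sweep_proxy(PROXY_LOG, iocs))
    print("Block / review:", blocklist(iocs))
```

The proxy hits feed the password-reset step under User Protection, since anyone who reached the Stage 2 landing page may have submitted credentials. The review list is the practical caveat to "block the identified IPs": the addresses in the page's IOC list belong to shared CDN space, so the URL and domain entries are the ones that can be blocked without collateral damage.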
Infrastructure Hardening
- Implement strict email filtering rules for newly registered domains (NRDs).
- Block or heavily scrutinize URL shorteners in inbound external emails.
User Protection
- Enforce Multi-Factor Authentication (MFA) across all corporate accounts to mitigate the impact of stolen credentials.
- Force password resets for any users identified as having interacted with the malicious URLs.
Security Awareness
- Train employees to verify unexpected digital invitations by contacting the sender through a known, trusted channel.
- Educate users on identifying fake login portals and the tactic of fake error messages used to steal multiple passwords.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1583.001 - Acquire Infrastructure: Domains
- T1056.002 - Input Capture: GUI Input Capture
Additional IOCs
- IPs:
  - 104[.]20[.]6[.]133 - Stage 1 infection URL IP
  - 104[.]20[.]7[.]133 - Stage 1 infection URL IP
  - 172[.]67[.]221[.]157 - Stage 2 payload IP
  - 104[.]21[.]67[.]111 - Stage 2 payload IP
- Domains:
  - t[.]ly - URL shortener service abused for Stage 1 redirection