Cofense’s Phishing Defense Center analyzed a malicious digital invitation that impersonated well-known invitation services and redirected recipients to branded phishing pages to harvest credentials. The campaign used newly registered, attacker-controlled domains and disposable infrastructure to exfiltrate submitted credentials, and Cofense recommends verification, reporting, password resets, and enabling MFA. #Cofense #Punchbowl
Key points
- Attackers sent seemingly legitimate digital invitations that prompted recipients to “log in to view” event details, which then redirected to credential-phishing pages using familiar brands (Microsoft, Yahoo, AOL, Google, Dropbox).
- Branded phishing landing pages collected credentials and returned fake error messages to encourage repeated credential entry, increasing data capture.
- Exfiltrated credentials were sent to attacker-controlled domains; the actors registered new, disposable domains to evade reputation- and blacklist-based defenses.
- Observed indicators include a shortened URL (t[.]ly link) used as the first-stage redirect and a payload host (dry[.]za[.]com), with associated IP addresses documented by Cofense.
- Stolen credentials may be used for direct account access, credential stuffing, privilege escalation and business email compromise, identity theft, fraud, extortion, or inclusion in web account botnets.
- Recommended mitigations include verifying invites with hosts, inspecting redirected login pages and address bars, reporting irrelevant invites, immediately resetting compromised passwords, and enabling two-factor/multi-factor authentication.
MITRE Techniques
- [T1566] Phishing – The campaign delivered a malicious invitation containing a link that redirected recipients to branded phishing login pages to harvest credentials (‘the malicious invitation prompts the recipient to log in to view the details of the event… it redirects to a phishing site utilizing familiar brands such as Microsoft, Yahoo, AOL, Google, and Dropbox as login options’)
- [T1204] User Execution – The attack relied on users interacting with an invitation and clicking the RSVP/login link, which initiated the credential-harvesting flow (‘the malicious invitation prompts the recipient to log in to view the details of the event’)
- [T1583] Acquire Infrastructure – Threat actors registered new, attacker-controlled domains to host phishing pages and manage DNS/certificates, giving them disposable infrastructure (‘registering a new domain (Fig. 8) for their phishing sites as they gain complete control over DNS records, certificates, and the hosting provider’)
- [T1110] Brute Force (Credential Stuffing) / Valid Accounts – Stolen credentials were noted as likely to be used for credential stuffing, account takeover, and business email compromise (‘Direct account access and credential stuffing (many people reuse passwords across several accounts). Privilege escalation and business email compromise, particularly with corporate emails’)
Indicators of Compromise
- [URL] Observed infection and payload URLs used in the campaign – hxxp://t[.]ly/KwKzQ (infection/redirect), hxxps://dry[.]za[.]com/if1/ (payload/phishing host)
- [Domain] Attacker-controlled domains hosting phishing pages – dry[.]za[.]com, t[.]ly (shortened redirect used in the phishing chain)
- [IP Address] IPs associated with observed stages and hosting – 104.20.6.133, 104.20.7.133 (stage 1), 172.67.221.157, 104.21.67.111 (stage 2)
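As an added example (not Cofense's code), the script below refangs the defanged indicators listed above and runs them over a few constructed proxy log lines, flagging clients that reached the stage-1 redirect or the stage-2 phishing host and singling out those that POSTed to the phishing host, since those users need the password reset and MFA step the report recommends. The log format (timestamp, client, destination IP, method, URL, status) and the submit path in the POST line are assumptions made for the sample.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as published (defanged) in the Cofense write-up summarised above.
DEFANGED_IOCS = {
    "url": ["hxxp://t[.]ly/KwKzQ", "hxxps://dry[.]za[.]com/if1/"],
    "domain": ["dry[.]za[.]com", "t[.]ly"],
    "ip": ["104.20.6.133", "104.20.7.133", "172.67.221.157", "104.21.67.111"],
}

def refang(indicator: str) -> str:
    """Undo the hxxp:// and [.] defanging so indicators compare byte-for-byte with log values."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")

def build_matcher(iocs):
    """Return (known hosts and IPs, known URL prefixes) in refanged form."""
    hosts = {refang(d) for d in iocs["domain"]} | set(iocs["ip"])
    urls = {refang(u) for u in iocs["url"]}
    return hosts, urls

# Constructed sample proxy log (not from the report). Assumed format:
# timestamp client dest_ip method url status
SAMPLE_LOG = """\
2024-05-01T09:12:03Z 10.0.0.15 104.20.6.133 GET http://t.ly/KwKzQ 302
2024-05-01T09:12:04Z 10.0.0.15 172.67.221.157 GET https://dry.za.com/if1/ 200
2024-05-01T09:12:09Z 10.0.0.15 172.67.221.157 POST https://dry.za.com/if1/submit.php 200
2024-05-01T09:15:44Z 10.0.0.22 142.250.80.46 GET https://www.google.com/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def scan_log(log_text: str, iocs=DEFANGED_IOCS):
    """Return one record per log line whose host, destination IP or URL prefix matches an indicator."""
    hosts, urls = build_matcher(iocs)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        ts, client, dest_ip, method, url, status = m.groups()
        host = (urlparse(url).hostname or "").lower()
        reasons = []
        if host in hosts:
            reasons.append(f"host:{host}")
        if dest_ip in hosts:
            reasons.append(f"ip:{dest_ip}")
        if any(url.startswith(u) for u in urls):
            reasons.append("url-prefix")  # covers sub-paths under the phishing kit directory
        if reasons:
            hits.append({"ts": ts, "client": client, "method": method, "url": url, "reasons": reasons})
    return hits

def clients_at_risk(hits):
    """Clients that POSTed to the stage-2 host, i.e. likely submitted a form: reset password and enable MFA."""
    return sorted({h["client"] for h in hits if h["method"] == "POST" and "host:dry.za.com" in h["reasons"]})
```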