
Brand impersonation: Punchbowl

Detects messages impersonating Punchbowl invitations that do not originate from a legitimate Punchbowl domain.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
// Looking for Punchbowl phrasing in all body threads
and (
  strings.icontains(body.current_thread.text, "punchbowl")
  // Fall back to the alt text Punchbowl uses in its standardized HTML when the plain text is unavailable.
  or strings.icontains(body.html.raw, 'alt="Punchbowl"')
)
// Phrasing is typically "You're invited"
and (
  strings.icontains(body.current_thread.text, "you're invited")
  or any([
           html.xpath(body.html,
                      '//a//img[contains(@src, "btn_open_invitation")]'
           ).nodes,
           html.xpath(body.html,
                      '//a//img[contains(@src, "btn_open_save_the_date")]'
           ).nodes,
         ],
         any(.,
             regex.icontains(.inner_text,
                             '(?:open|save).{0,10}(?:invitation|the date)'
             )
         )
  )
)
// Legitimate invitations come from Punchbowl's own domains; exclude those senders.
and not sender.email.domain.root_domain in ("punchbowl.com", "punchbowl.news")
// Cap the thread length: real invitations are short, and this limits false positives.
and length(body.current_thread.text) < 1500
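To see how the four ANDed clauses interact on concrete messages, here is an added Python re-implementation of the rule's logic (not part of the Sublime rule or the Sublime platform). The `InviteButtonFinder` class, `root_domain` helper and `matches_rule` function are assumptions: the HTML walk approximates the `//a//img` xpath plus `.inner_text` by collecting each link's text and image alt text, and `root_domain` naively takes the last two labels instead of consulting a public-suffix list.

```python
import re
from html.parser import HTMLParser

# Sender root domains the rule treats as legitimate (taken from the rule itself).
PUNCHBOWL_DOMAINS = {"punchbowl.com", "punchbowl.news"}
# Same regex the rule applies to the button's text.
BUTTON_RE = re.compile(r"(?:open|save).{0,10}(?:invitation|the date)", re.I)
BUTTON_SRCS = ("btn_open_invitation", "btn_open_save_the_date")


class InviteButtonFinder(HTMLParser):
    """Approximation (assumed helper) of the rule's //a//img xpath: collects the
    text plus img alt of every <a> that wraps an <img> whose src names a button."""

    def __init__(self):
        super().__init__()
        self.depth, self.link, self.hits = 0, None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            if self.depth == 0:
                self.link = {"button": False, "text": ""}
            self.depth += 1
        elif tag == "img" and self.depth:
            src = attrs.get("src") or ""
            self.link["button"] |= any(b in src for b in BUTTON_SRCS)
            self.link["text"] += attrs.get("alt") or ""

    def handle_data(self, data):
        if self.depth:
            self.link["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self.depth:
            self.depth -= 1
            if self.depth == 0:
                if self.link["button"]:
                    self.hits.append(self.link["text"])
                self.link = None


def root_domain(address):
    # Naive stand-in for sender.email.domain.root_domain (assumed; no public-suffix list).
    return ".".join(address.rsplit("@", 1)[-1].lower().split(".")[-2:])


def matches_rule(sender, thread_text, html):
    """Evaluate the rule's four ANDed clauses against one (constructed) message."""
    text, raw = thread_text.lower(), html.lower()
    brand = "punchbowl" in text or 'alt="punchbowl"' in raw
    finder = InviteButtonFinder()
    finder.feed(html)
    cta = "you're invited" in text or any(BUTTON_RE.search(t) for t in finder.hits)
    spoofed = root_domain(sender) not in PUNCHBOWL_DOMAINS
    return brand and cta and spoofed and len(thread_text) < 1500
```

Feeding it a message from a look-alike domain with "You're invited" text returns True, the same text from `mail.punchbowl.com` returns False, and a message whose only brand signals are the `alt="Punchbowl"` image and an "Open Invitation" button image still fires, showing why the HTML fallbacks matter.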

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Raw Content
name: "Brand impersonation: Punchbowl"
description: "Detects messages impersonating Punchbowl invitations that do not originate from a legitimate Punchbowl domain."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Looking for Punchbowl phrasing in all body threads
  and (
    strings.icontains(body.current_thread.text, "punchbowl")
    // Fall back to the alt text Punchbowl uses in its standardized HTML when the plain text is unavailable.
    or strings.icontains(body.html.raw, 'alt="Punchbowl"')
  )
  // Phrasing is typically "You're invited"
  and (
    strings.icontains(body.current_thread.text, "you're invited")
    or any([
             html.xpath(body.html,
                        '//a//img[contains(@src, "btn_open_invitation")]'
             ).nodes,
             html.xpath(body.html,
                        '//a//img[contains(@src, "btn_open_save_the_date")]'
             ).nodes,
           ],
           any(.,
               regex.icontains(.inner_text,
                               '(?:open|save).{0,10}(?:invitation|the date)'
               )
           )
    )
  )
  // Legitimate invitations come from Punchbowl's own domains; exclude those senders.
  and not sender.email.domain.root_domain in ("punchbowl.com", "punchbowl.news")
  // Cap the thread length: real invitations are short, and this limits false positives.
  and length(body.current_thread.text) < 1500
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "58937ba0-6966-559a-bd4f-759ee8b2979e"