
Punchbowl Phishing Attack Explained: How Digital Invites Are Used to Steal Credentials

February 24, 2026

By: Adriane Andaya, Cofense Phishing Defense Center

Online invitations to events are now commonplace, and sending and receiving them has never been more convenient. Not every electronic invitation, however, is as trustworthy as it appears.


Punchbowl and Paperless Post are two of the largest digital invitation platforms, enabling individuals and organizations to create customized invitations, track RSVPs, and send event updates. Unfortunately, these trusted platforms also provide threat actors with an opportunity to exploit brand familiarity, particularly during certain seasons when digital invitations surge. 


Figure 1: Email Body


Figure 2: Phish Landing Page

The Cofense Phishing Defense Center (PDC) intercepted and analyzed a digital invitation that appeared harmless at first glance but was malicious and posed a significant security risk. As shown in Figure 1, the invitation prompts the recipient to log in to view the event details, which is consistent with a legitimate digital invite. Once the recipient clicks through, however, the link redirects to a phishing site that offers familiar brands, including Microsoft, Yahoo, AOL, Google, and Dropbox, as login options (Fig. 2).


Figure 3-7: Branded Phishing Pages

This is likely a deliberate way to harvest more than one set of credentials per victim (Fig. 3-7): even when a correct combination is entered, the phishing page returns a fake error message and urges the recipient to try a different set of credentials. Each submitted set is exfiltrated to a separate domain that the threat actor controls.


Figure 8: Malicious Domain Whois Information

A common tactic among threat actors is registering a new domain (Fig. 8) for each phishing site, which gives them complete control over DNS records, certificates, and the hosting provider. A brand-new domain also has no history, so it evades security tools that rely on blocklists and reputation scores. Because these domains are inexpensive, they are effectively disposable, whereas continued reliance on compromised legitimate sites would increase the risk of detection.
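One way to turn the domain-age observation above into a check, as an added example rather than code from the Cofense post: the script parses the creation date out of a WHOIS record (several registries use different key names and date formats) and flags any domain registered within the last 30 days. A record with no parseable creation date is treated as suspicious rather than silently passing, since a reputation tool fails the same way when there is no history to score. The WHOIS records, domain names and the 30-day threshold are constructed for illustration; the reference date is this post's publication date.

```python
"""Flag newly registered domains from WHOIS output.

Added example, not code from the Cofense post. The WHOIS records below are
constructed; the domains, registrars and dates are placeholders.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# Key names used for the registration timestamp by different registries.
_CREATION_KEYS = ("Creation Date", "Created Date", "created",
                  "Registered on", "Registration Time")

_KEY_RE = re.compile(
    r"^\s*(?:%s)\s*:\s*(?P<value>.+?)\s*$"
    % "|".join(re.escape(k) for k in _CREATION_KEYS),
    re.IGNORECASE | re.MULTILINE,
)

_DATE_FORMATS = (
    "%Y-%m-%dT%H:%M:%SZ",   # 2026-02-18T09:12:40Z (gTLD WHOIS style)
    "%Y-%m-%dT%H:%M:%S%z",  # 2026-02-18T09:12:40+0000
    "%Y-%m-%d %H:%M:%S",    # 2026-02-18 09:12:40
    "%Y-%m-%d",             # 2026-02-18
    "%d-%b-%Y",             # 18-Feb-2026 (some ccTLD registries)
)

# Constructed: a domain registered six days before this post was published.
NEW_WHOIS = """\
Domain Name: EXAMPLE-INVITE-LOGIN.TEST
Registrar: Example Registrar, Inc.
Updated Date: 2026-02-18T09:12:40Z
Creation Date: 2026-02-18T09:12:40Z
Registry Expiry Date: 2027-02-18T09:12:40Z
Name Server: NS1.EXAMPLE.TEST
"""

# Constructed: an established domain in a ccTLD-style record.
OLD_WHOIS = """\
Domain name:
    example-venue.test

Registrar:
    Example Registrar Ltd

Registered on: 10-Feb-2015
Expiry date: 10-Feb-2027
"""

# Constructed: a record whose registry does not expose the creation date.
NO_DATE_WHOIS = """\
Domain Name: REDACTED-EXAMPLE.TEST
Registrar: Example Registrar
Status: active
"""

# Publication date of the post, used as a fixed "now" so results are stable.
REFERENCE_DATE = datetime(2026, 2, 24, 12, 0, tzinfo=timezone.utc)


def parse_creation_date(whois_text: str) -> Optional[datetime]:
    """Return the registration timestamp as an aware UTC datetime, or None."""
    match = _KEY_RE.search(whois_text)
    if not match:
        return None
    raw = match.group("value")
    for fmt in _DATE_FORMATS:
        try:
            parsed = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    return None


def domain_age_days(whois_text: str, now: datetime) -> Optional[int]:
    """Whole days since registration, or None if no creation date was found."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return (now - created).days


def is_newly_registered(whois_text: str, now: datetime,
                        max_age_days: int = 30) -> bool:
    """True if the domain is younger than max_age_days or its age is unknown."""
    age = domain_age_days(whois_text, now)
    return age is None or age < max_age_days


if __name__ == "__main__":
    for label, record in (("new", NEW_WHOIS), ("old", OLD_WHOIS),
                          ("no-date", NO_DATE_WHOIS)):
        print(label, domain_age_days(record, REFERENCE_DATE),
              is_newly_registered(record, REFERENCE_DATE))
```

In practice the WHOIS text would come from a registrar's WHOIS or RDAP service rather than an embedded string, and a domain that trips this check is a reason to scrutinize the page, not proof on its own that it is malicious; plenty of legitimate event pages are hosted on young domains, so the signal belongs alongside the brand and address-bar checks described later in this post.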

What can these threat actors do with these stolen credentials? Stolen credentials are commonly sold on the dark web and used for:

  • Direct account access and credential stuffing (many people reuse passwords across several accounts).
  • Privilege escalation and business email compromise, particularly with corporate emails, which could then cause further damage to organizations.
  • Identity theft, fraud, and extortion.
  • Enrollment of the compromised accounts in botnets that are used to conduct further attacks.

To lessen the odds of credentials being compromised by tactics like these, recipients should:

  1. Verify the authenticity of the invite. If the sender or event is unfamiliar, contact the host through verified contact information, and ask whether the event is relevant to you at all.
  2. If, after attempting to RSVP to an invite, you are redirected to a page with a login screen, be alert: inspect the page and the address bar for anomalies such as an unfamiliar domain or a login form that is not on the brand's own site.
  3. If an invitation is unexpected or irrelevant to you, report the email rather than interacting with it.
  4. If you realize that the site you entered credentials into was malicious, reset that password immediately, change it anywhere else it was reused, and monitor the account for suspicious activity.
  5. Most importantly, enable two-factor or multi-factor authentication on your accounts to limit the impact of a stolen password, and prefer phishing-resistant methods (FIDO2 security keys or passkeys) where a service offers them.

As threat actors come up with new tactics, we must scale our security awareness and knowledge to match and, where possible, stay two or three steps ahead. So the next time an unfamiliar invite lands in your inbox, think before you click: a short moment of caution can save you from a world of compromise.

As phishing tactics continue to evolve, having expert eyes on emerging threats makes a measurable difference. Cofense’s Phishing Defense Center (PDC) and Managed Phishing Defense Services work together to identify, analyze, and disrupt real-world phishing campaigns like this one, often before they escalate into full compromises. Schedule a demo to see how Cofense can strengthen your phishing defenses and help your team stay ahead of today’s most active threat actors.


Stage 1 - Observed Email Infection URL: hXXp://t[.]ly/KwKzQ
Infection URL IP(s): 104[.]20[.]6[.]133; 104[.]20[.]7[.]133

Stage 2 - Observed Payload URL(s): hXXps://dry[.]za[.]com/if1/
Payload IP(s): 172[.]67[.]221[.]157; 104[.]21[.]67[.]111
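The indicators above are defanged (hXXp, [.]) so they cannot be clicked by accident, which also means they must be refanged before they go into a blocklist or a SIEM lookup. As an added example that is not part of the Cofense post, the script below parses an indicator list in the layout used here, refangs the URLs and IPs, pairs each URL with its IP line and stage label, extracts the hostnames to block on, and can defang results again for safe sharing. The indicator lines embedded in the script are copied from the list above; the defang conventions it handles (hXXp/hXXps, [.], (.), {.}, [:], [://]) are the common community ones and are not something the post specifies.

```python
"""Refang, parse and re-defang an indicator list like the one above.

Added example; not code from the Cofense post. The lines in IOC_BLOCK are
copied from the post's indicator list; the defang conventions handled here
are the common community ones, which the post does not specify.
"""
import re
from typing import Any, Dict, List
from urllib.parse import urlsplit

# Indicator list as published (defanged), copied from the post above.
IOC_BLOCK = """\
Stage 1 - Observed Email Infection URL:
Infection URL IP(s):
hXXp://t[.]ly/KwKzQ
104[.]20[.]6[.]133; 104[.]20[.]7[.]133

Stage 2 - Observed Payload URL(s):
Payload IP(s):
hXXps://dry[.]za[.]com/if1/
172[.]67[.]221[.]157; 104[.]21[.]67[.]111
"""

# Order matters: restore separators first, then the scheme.
_REFANG_RULES = (
    (re.compile(r"\[://\]"), "://"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"^hxxps://", re.IGNORECASE), "https://"),
    (re.compile(r"^hxxp://", re.IGNORECASE), "http://"),
)

_URL_RE = re.compile(r"hxxps?://\S+", re.IGNORECASE)
_IP_RE = re.compile(r"\b(?:\d{1,3}(?:\[\.\]|\.)){3}\d{1,3}\b")
_STAGE_RE = re.compile(r"^(Stage\s+\d+)", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged URL, IP or hostname back into its actionable form."""
    text = indicator.strip()
    for pattern, replacement in _REFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def defang(indicator: str) -> str:
    """Inverse of refang: bracket the dots in the host part only (path dots
    are left alone) and neuter the scheme so a re-shared URL is not clickable."""
    parts = urlsplit(indicator if "://" in indicator else "//" + indicator)
    host = parts.netloc.replace(".", "[.]")
    scheme = {"http": "hXXp", "https": "hXXps"}.get(parts.scheme, parts.scheme)
    rest = parts.path
    if parts.query:
        rest += "?" + parts.query
    if parts.fragment:
        rest += "#" + parts.fragment
    return f"{scheme}://{host}{rest}" if scheme else host + rest


def parse_ioc_block(text: str) -> List[Dict[str, Any]]:
    """Pair each URL with the IPs that follow it, keeping the stage label.

    Works whether the URL sits on its own line or after its label."""
    records: List[Dict[str, Any]] = []
    stage = None
    for raw in text.splitlines():
        line = raw.strip()
        stage_match = _STAGE_RE.match(line)
        if stage_match:
            stage = stage_match.group(1)
        url_match = _URL_RE.search(line)
        if url_match:
            url = refang(url_match.group(0))
            records.append({"stage": stage, "url": url,
                            "host": urlsplit(url).hostname, "ips": []})
            # Remove the URL so an IP-literal URL is not also counted as a host IP.
            line = line[:url_match.start()] + line[url_match.end():]
        ips = [refang(ip) for ip in _IP_RE.findall(line)]
        if ips and records:
            records[-1]["ips"].extend(ips)
    return records


def blocklist_hosts(records: List[Dict[str, Any]]) -> List[str]:
    """Unique hostnames from the parsed records, ready for a blocklist."""
    return sorted({r["host"] for r in records if r["host"]})


if __name__ == "__main__":
    parsed = parse_ioc_block(IOC_BLOCK)
    for record in parsed:
        print(record["stage"], defang(record["url"]),
              [defang(ip) for ip in record["ips"]])
    print("hosts:", blocklist_hosts(parsed))
```

Two practical notes on what the parser returns. The stage 1 host is a public URL shortener, so the full URL rather than the hostname is the sensible blocklist entry for it; blocking the whole shortener would affect legitimate mail. And because phishing pages are routinely fronted by shared reverse-proxy or CDN infrastructure, the IP addresses are the weakest of these indicators: keep them as context for log searches, but block on the URL and the stage 2 domain.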

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results. 

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.