Authors
Brandon Webster, Detection
Bryan Campbell, Detection

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Google Workspace, Microsoft 365

ATTACK TYPE: Malware/Ransomware, Credential Phishing

Invitation-based attacks tend to peak around the holidays, but this year we are already seeing an influx of malicious digital invitations hitting inboxes. The two most frequently impersonated brands in these attacks (at the moment) are Evite and Punchbowl. In these attacks, the target is sent an invitation message with an RSVP link.

While these attacks all appear to use similar message templates, what drew our interest was how much variance we’ve seen across attacks. Payloads currently vary between credential phishing and malware distribution, but even within those attack types, we see payload variation. Let’s take a look at a few of these attacks and their differences.

The messages

The messages follow similar templates that involve both brand and invitation impersonation. The level of sophistication varies per attack, with some delivering very convincing impersonations. Here are two examples:

Evite impersonation
Punchbowl impersonation

While attack quality varies, these two examples show a high level of impersonation. In both cases we see invitation verbiage and imagery, brand logos, footers that have been copied from real messages, and invitation-based CTAs. We can also see that both of these messages were sent to undisclosed recipient lists and BCCs – suspicious indicators in otherwise well-crafted messages.

Clicking any of the buttons in the messages launches the attack.

Google credential phishing attack

The Punchbowl message above is a Google-specific credential phishing attack. Clicking the Open invitation button first takes the target to a free, Cloudflare-hosted page (in this case, on pages[.]dev) which quickly redirects to a fake Cloudflare Turnstile page:

After the target confirms that they’re not a bot, they’re taken to the credential theft page:

Generic credential phishing attack

Another credential phishing variant we observed involved a fake login page that accepted credentials for a variety of providers. In this example, the payload was hosted on storage.googleapis[.]com. In this variant, clicking on the button in the email takes the target to a fake multi-auth login page with Evite brand impersonation:

Clicking on any of those options takes the target to a fake login window that phishes credentials:

Regardless of the credentials entered, this page will initially return an “incorrect password” error:

If the target re-enters their credentials, they’re taken to a “confirmation” countdown. There is no credential validation by the page:

Followed by a verification code sent to their email:

Just like the password, this verification code is not validated. Entering any code and clicking Verify takes the target to a real invitation to a fake party:

RMM malware attacks

In the instances where these attacks were used to deliver malware, we observed payload variation similar to the credential phishing attacks. In all observed cases, the payloads were remote monitoring and management (RMM) tools that had been maliciously repurposed.

The most frequent payloads were SimpleHelp/JWrapper, PDQ, or Atera Agent (observed in previous attacks). While malicious RMMs are not novel payloads, we found the amount of variety across similar attacks to be interesting.

In most cases, clicking the invitation link in the message would auto-download malware with no further instructions. The payload always had an invitation-based name to trick the target into running it. For example:

  • departytoast30[.]exe
  • RSVP[.]msi or RVSP[.]msi
  • newpartyinvite[.]msi
  • partycard[.]exe
  • evite040[.]exe
  • rsvpinf[.]exe and more

In some cases, a confirmation page launched with the download, directing the target to “view” the “invitation” in their Download folder:

Notes on variation

The level of variation across these messages and payloads points to multiple attackers using the same lures, a single group of attackers varying and evolving their attack to test security perimeters, or both.

  • Brands: While Evite and Punchbowl are the most prevalent impersonations currently, the template allows for easy swapping with other brands.
  • Attack types: The attack payload can easily be adjusted to any link-based payload, such as a PDF with a QR code that leads to a callback phishing attack.
  • Variations per attack type: We’ve observed multiple variants of each type, which we can expect to only increase in variety over time.
  • Domains: Aside from the domains referenced in the above examples, we also saw abuse of workers[.]dev, r2[.]dev, restoreds[.]de, and more.

Detection signals for credential phishing (Evite variant)

Sublime's AI-powered detection engine prevented these attacks. Some of the top signals for a credential phishing variant of this attack were:

  • Brand impersonation: Email mimics Evite's format and content but doesn't use Evite's infrastructure.
  • Suspicious domain: All action links point to a randomly generated subdomain on Cloudflare Pages (pages[.]dev) instead of evite[.]com.
  • Mass mailing pattern: The message was sent to undisclosed-recipients and a BCC.

Here is the Autonomous Security Analyst (ASA) verdict for that attack:

Detection signals for malware delivery (Punchbowl variant)

Sublime's AI-powered detection engine prevented these attacks. Some of the top signals for a malware variant of this attack were:

  • Brand impersonation: Email mimics Punchbowl’s format and content but doesn't use Punchbowl's infrastructure.
  • Malware indicators: Multiple links point to the same .msi executable file (frequently used to deliver malware). None of the link display text matches the destination URL.
  • Suspicious domain: Most links point to a randomly generated, temporary subdomain on Cloudflare R2 (r2[.]dev) instead of punchbowl[.]com.
  • Lookalike domain: Message includes link to punchbow1[.]com, an imitation of punchbowl[.]com.
  • Mass mailing pattern: The message was sent to undisclosed-recipients and a BCC.
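As an added example (not code from this post or from Sublime's detection engine), the following Python checks a constructed message against the signals listed in both detection sections: brand impersonation with none of the brand's infrastructure, free-hosting domains, executable link targets, display text that does not match the destination, lookalike domains, and undisclosed-recipient mass mailing. The brand list, free-host list and the minimal homoglyph map are assumptions, and the sample message is constructed to resemble the Punchbowl lure rather than copied from a real one.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample modelled on the Punchbowl lure described in the post; not a real captured message.
SAMPLE = """\
From: "Punchbowl" <invites@sender.example>
To: undisclosed-recipients:;
Subject: You're invited!
Content-Type: text/html; charset=utf-8

<html><body>
<a href="https://pub-a1b2c3.r2.dev/RSVP.msi">Open invitation</a>
<a href="https://pub-a1b2c3.r2.dev/RSVP.msi">View details</a>
<a href="https://punchbow1.com/rsvp">punchbowl.com</a>
</body></html>
"""
FREE_HOSTS = ("pages.dev", "r2.dev", "workers.dev")  # free hosting abused in these attacks
BRANDS = {"evite": "evite.com", "punchbowl": "punchbowl.com"}  # assumed brand -> legitimate domain
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOMOGLYPHS = str.maketrans("10", "lo")  # assumed minimal homoglyph map: 1->l, 0->o
DOMAIN_RE = re.compile(r"[\w.-]+\.[a-z]{2,}")  # display text that looks like a bare domain

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def under(host, domain):  # host is the domain itself or a subdomain of it
    return host == domain or host.endswith("." + domain)

def signals(raw):
    # Returns the set of detection signals raised by one raw RFC 822 message
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    links = [(href, re.sub(r"<[^>]+>", "", txt).strip().lower()) for href, txt in LINK_RE.findall(body)]
    hosts = [host_of(href) for href, _ in links]
    header_text = (str(msg["From"] or "") + str(msg["Subject"] or "")).lower()
    found = set()
    for brand, legit in BRANDS.items():
        if brand in header_text and not any(under(h, legit) for h in hosts):
            found.add("brand_impersonation")  # brand named, none of its infrastructure used
        if brand in header_text and any(h != legit and h.translate(HOMOGLYPHS) == legit for h in hosts):
            found.add("lookalike_domain")
    if any(under(h, f) for h in hosts for f in FREE_HOSTS):
        found.add("free_hosting_domain")
    if any(urlparse(href).path.lower().endswith((".msi", ".exe")) for href, _ in links):
        found.add("executable_link")
    if any(DOMAIN_RE.fullmatch(txt) and not under(host_of(href), txt) for href, txt in links):
        found.add("display_text_mismatch")  # visible domain differs from the real destination
    if "undisclosed-recipients" in str(msg["To"] or "").lower():
        found.add("mass_mailing")
    return found
```

Running `signals(SAMPLE)` raises all six signals; a version of the same message whose links stay on the brand's own domain and that is addressed to a named recipient raises none.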

Here is the Autonomous Security Analyst (ASA) verdict for that attack:

Don’t invite attackers into your inbox

Credential phishing and RMM attacks give bad actors a lot of ways to do bad things, so it’s important that attacks don’t make it into inboxes. That’s why the most effective email security platforms are adaptive, using AI and machine learning to shine a spotlight on seemingly minor discrepancies.

If you enjoyed this Attack Spotlight, be sure to check our blog every week for new blogs, subscribe to our RSS feed, or sign up for our monthly newsletter. Our newsletter covers the latest blogs, detections, product updates, and more.
