Medium Severity

Brand impersonation: Punchbowl

Labels

Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Sender analysis

Description

Detects messages impersonating Punchbowl invitations not originating from legitimate Punchbowl domain.

References

No references.

Sublime Security
Created Oct 17th, 2025 • Last updated Apr 27th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// Looking for Punchbowl phrasing in all body threads
and (
  strings.icontains(body.current_thread.text, "punchbowl")
  // Look for alt text in HTML for standardized Punchbowl formatting if string is not avail.
  or strings.icontains(body.html.raw, 'alt="Punchbowl"')
  // image sourced from punchbowl
  or any(html.xpath(body.html, '//img/@src').nodes,
         strings.parse_url(.raw).domain.domain == "static.punchbowl.com"
         and strings.icontains(strings.parse_url(.raw).path, '/invitation')
  )
)

// Phrasing is typically "You're invited"
and (
  strings.icontains(body.current_thread.text, "you're invited")
  or any([
           html.xpath(body.html,
                      '//a//img[contains(@src, "btn_open_invitation")]'
           ).nodes,
           html.xpath(body.html,
                      '//a//img[contains(@src, "btn_open_save_the_date")]'
           ).nodes,
         ],
         any(.,
             regex.icontains(.inner_text,
                             '(?:open|save).{0,10}(?:invitation|the date)'
             )
         )
  )
)
// Legitimate sender will be from punchbowl, negating known non-associated domains.
and not sender.email.domain.root_domain in ("punchbowl.com", "punchbowl.news")
// Capping length to limit FP's
and length(body.current_thread.text) < 1500
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started