Brand impersonation: Punchbowl

Detects messages impersonating Punchbowl invitations that do not originate from a legitimate Punchbowl domain.

Sublime rule (View on GitHub)

name: "Brand impersonation: Punchbowl"
description: "Detects messages impersonating Punchbowl invitations not originating from legitimate Punchbowl domain."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Looking for Punchbowl phrasing in all body threads
  and (
    strings.icontains(body.current_thread.text, "punchbowl")
    // Look for alt text in HTML for standardized Punchbowl formatting if the string is not available
    or strings.icontains(body.html.raw, 'alt="Punchbowl"')
  )
  // Phrasing is typically "You're invited"
  and strings.icontains(body.current_thread.text, "you're invited")
  // Legitimate sender will be from punchbowl, negating known associated domains
  and not sender.email.domain.root_domain in ("punchbowl.com", "punchbowl.news")
  // Capping length to limit FPs
  and length(body.current_thread.text) < 1500

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "58937ba0-6966-559a-bd4f-759ee8b2979e"
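To see how the four conditions combine, here is an added Python model of the rule's logic run over constructed sample messages. It is not Sublime's own code: the `Message` class stands in for the fields the rule reads, and `root_domain` is a simplified two-label stand-in for `sender.email.domain.root_domain` (the real field uses the public suffix list).

```python
from dataclasses import dataclass

# Constructed stand-in for the message fields the rule reads.
@dataclass
class Message:
    sender_domain: str   # sender.email.domain.domain
    thread_text: str     # body.current_thread.text
    html_raw: str = ""   # body.html.raw

LEGIT_ROOT_DOMAINS = {"punchbowl.com", "punchbowl.news"}

def root_domain(domain: str) -> str:
    """Assumption for this example: keep the last two labels. The real
    root_domain field is public-suffix aware (e.g. handles co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()

def icontains(haystack: str, needle: str) -> bool:
    """Case-insensitive substring match, like strings.icontains."""
    return needle.lower() in haystack.lower()

def matches_punchbowl_rule(msg: Message) -> bool:
    """Mirrors the rule's conditions in order; inbound direction is assumed."""
    brand_mentioned = (icontains(msg.thread_text, "punchbowl")
                       or icontains(msg.html_raw, 'alt="Punchbowl"'))
    invite_phrasing = icontains(msg.thread_text, "you're invited")
    from_legit = root_domain(msg.sender_domain) in LEGIT_ROOT_DOMAINS
    short_enough = len(msg.thread_text) < 1500
    return brand_mentioned and invite_phrasing and not from_legit and short_enough

# Constructed samples: one per branch of the rule.
SAMPLES = {
    # Lookalike root domain: flagged.
    "lookalike": Message("mail.punchbowl-invites.com",
                         "You're invited! View your Punchbowl invitation now."),
    # Subdomain of the real root domain: excluded by the negation.
    "legit": Message("email.punchbowl.com",
                     "You're invited! View your Punchbowl invitation now."),
    # Brand only in HTML alt text: the second branch still fires.
    "alt_only": Message("example.net", "You're invited to the party",
                        html_raw='<img src="cid:logo" alt="Punchbowl">'),
    # Body at/over the 1500-character cap: suppressed as a likely FP.
    "long_body": Message("example.net",
                         "You're invited to Punchbowl " + "x" * 1500),
    # Curly apostrophe does not match the literal "you're": a coverage gap
    # worth knowing about when tuning the phrasing check.
    "curly_apostrophe": Message("example.net",
                                "You\u2019re invited! Punchbowl invitation"),
}
```

The last sample shows that the phrasing check is sensitive to the apostrophe character; a defender extending the rule might match both forms.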