Brand impersonation: Punchbowl

Detects messages impersonating Punchbowl invitations not originating from legitimate Punchbowl domain.


 1name: "Brand impersonation: Punchbowl"
 2description: "Detects messages impersonating Punchbowl invitations not originating from legitimate Punchbowl domain."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // Looking for Punchbowl phrasing in all body threads
 8  and (
 9    strings.icontains(body.current_thread.text, "punchbowl")
10    // Look for alt text in HTML for standardized Punchbowl formatting if string is not avail.
11    or strings.icontains(body.html.raw, 'alt="Punchbowl"')
12  )
13  // Phrasing is typically "You're invited"
14  and (strings.icontains(body.current_thread.text, "you're invited"))
15  // Legitimate sender will be from punchbowl, negating known non-associated domains.
16  and not sender.email.domain.root_domain in ("punchbowl.com", "punchbowl.news")
17  // Capping length to limit FP's
18  and length(body.current_thread.text) < 1500  
19attack_types:
20  - "Credential Phishing"
21tactics_and_techniques:
22  - "Impersonation: Brand"
23  - "Social engineering"
24detection_methods:
25  - "Content analysis"
26  - "Sender analysis"
27id: "58937ba0-6966-559a-bd4f-759ee8b2979e"