Catch Of The Week: You’re Invited…To Get Phished

By REBECCA RUTHERFORD
Los Alamos
For the Los Alamos Daily Post

Party invitations are supposed to bring good news. But a campaign making the rounds right now uses the warm, familiar look of a digital party invite to do something considerably less festive: steal your login credentials. Yikes!

The email arrives looking like a genuine Punchbowl invitation. Punchbowl is a widely used digital invitation platform, and that familiarity is exactly the point.

The subject line in one example reads something like “Let’s Party Together And Have Funs, You’re Invited To My Party!”—a small grammatical stumble that most people blow right past because the branding looks legitimate.

The sender appears to be someone you might know. The logo is real. The envelope graphic is cheerful and pink.

Phishing email received by Rutherford. Courtesy photo

What happens next is where things go sideways.

Clicking the invitation redirects you to a phishing site that presents familiar brand logos—Microsoft, Yahoo, AOL, Google, and Dropbox—as login options. Pick whichever account you normally use, enter your credentials, and the page returns an error. Try again with a different account. That fake error is deliberate; the page is designed to harvest multiple sets of credentials in a single session before the victim realizes anything is wrong. Once entered, those credentials are shipped off to a server the attacker controls.

The hacked Gmail angle makes this particular version especially dangerous. When a phishing email arrives from an account that belongs to someone in your contacts, your guard drops. The email passed through a real account with real history. It may even reference a real person’s name. Standard spam filters have no obvious reason to flag it.

Threat actors running campaigns like this typically register brand-new domains for their phishing pages, giving them full control over DNS records, certificates, and hosting. New domains have no reputation history, so blocklists and security tools that rely on reputation scores often miss them entirely. And since fresh domains are inexpensive, attackers treat them as disposable—cycling through new ones to avoid detection.

So what can they do with what they collect? Stolen credentials are commonly sold on the dark web and used for direct account access, credential stuffing attacks that exploit password reuse across multiple accounts, privilege escalation and business email compromise, identity theft, fraud, and even incorporation into botnets used to launch additional attacks.

This is exactly where two-factor authentication (2FA) becomes non-negotiable. Even if an attacker successfully captures your username and password, 2FA requires a second verification step that they almost certainly cannot replicate in real time: a code sent to your phone, a prompt in an authenticator app, or a hardware key. The stolen credentials become far less useful without that second factor…unless you reused the password on other sites without 2FA (never reuse a password!!). Enable it on every account that offers it, use unique passwords, and prioritize your email, banking, and any account tied to your workplace.

If you receive an invitation from an unfamiliar sender, verify it through other means before clicking anything. If clicking an RSVP link redirects you to a login page you weren’t expecting, stop and inspect the URL for anything suspicious. If you entered credentials on a page you later suspect was malicious, reset your password immediately and watch for unusual activity on your accounts. 
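For readers who want to see what "inspect the URL" means in practice, here is an added example (not part of the original column) that checks a login-page address against the sign-in hosts of the five brands named above. The function name `inspect_login_url`, the host list, and the sample URLs are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Assumption: sign-in hosts for the five brands the column names. This list is
# illustrative; confirm and extend it for the accounts you actually use.
LOGIN_HOSTS = {
    "Microsoft": {"login.microsoftonline.com", "login.live.com"},
    "Google": {"accounts.google.com"},
    "Yahoo": {"login.yahoo.com"},
    "AOL": {"login.aol.com"},
    "Dropbox": {"www.dropbox.com"},
}


def inspect_login_url(url, claimed_brand):
    """Return warning codes for a login URL; an empty list means none fired."""
    parts = urlsplit(url)
    # hostname is what the browser connects to: lowercased, no port, no userinfo
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("no-https")
    if parts.username is not None:
        # "https://accounts.google.com@other.example/" really goes to other.example
        findings.append("userinfo")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("punycode")  # internationalized label, possible lookalike
    if host not in LOGIN_HOSTS.get(claimed_brand, set()):
        findings.append("unknown-host")
        if claimed_brand.lower() in host:
            # brand name used as a subdomain or substring of an unrelated domain
            findings.append("brand-in-host")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs (the .example domains are placeholders)
    samples = [
        ("https://accounts.google.com/signin", "Google"),
        ("https://accounts.google.com@invite-rsvp.example/login", "Google"),
        ("https://login.microsoftonline.com.invite-rsvp.example/", "Microsoft"),
        ("http://login.xn--yaho-abc.example/", "Yahoo"),
    ]
    for url, brand in samples:
        print(brand, url, inspect_login_url(url, brand) or "ok")
```

An empty result only means none of these checks fired; a page on an unexpected host should still be treated as suspect.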

The next party invite in your inbox may be completely genuine. It may also be a credential harvesting operation wearing a pink envelope. Take the extra second to look before you click, and don’t fall for that phish!

Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.
