
The message looks harmless — a wedding invitation, a shared card, a document someone wants you to see. It’s wedding season after all. Better yet, it arrives from a name you recognize: a colleague, a client, a friend. That is the whole trick. The social-invite phish is engineered to look like the least threatening thing in your inbox, and it is precisely that disguise that carries it past the layered defenses a corporate security team spends its budget on. We have tracked this technique in enterprise browsers continuously for more than two years — from early 2024 through last week — and while the consumer press treats it as a personal-inbox nuisance, what we see is a credential-and-OTP harvester wearing a costume built to flank the enterprise stack.

The kit skins itself as a real service — Paperless Post, Punchbowl, Greenvelope, Adobe Document Cloud, Evite — and the wrapper rotates constantly while the machinery underneath stays identical. Click “view invitation” and it asks you to pick your email provider (Outlook, Office 365, Yahoo, AOL, Gmail), then presents a login box. Enter your password and it returns “Incorrect Password” on purpose: the second, more careful entry gives the operator a confirmed copy of the credential. Then it asks for the one-time code “sent to your phone,” sometimes on a five-minute countdown to rush you, since a one-time code is only useful to the operator while it is still valid.
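The flow above has a stable shape whatever brand is painted on top, and that shape is what a browser-side check can key on. The following is an added example written for this post, not PIXM's product code and not the kit's own markup: it reads a page for the providers it names, whether it collects a password and a one-time code on the same page, whether a countdown is visible, and whether the host is one the named providers actually use. The two HTML samples, the hostnames (`invite-card.sbs`) and the allowlist of provider login hosts are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a page in the shape the post describes: provider
# picker, password box, "Incorrect Password" text, one-time-code prompt with
# a countdown. Illustrative HTML, not the kit's real markup.
KIT_PAGE = """
<html><head><title>View Invitation</title></head><body>
<h2>Sign in with your email provider to view the invitation</h2>
<button data-provider="outlook">Outlook</button>
<button data-provider="office365">Office 365</button>
<button data-provider="yahoo">Yahoo</button>
<button data-provider="aol">AOL</button>
<button data-provider="gmail">Gmail</button>
<form method="post" action="/next.php">
  <input type="email" name="email">
  <input type="password" name="password">
  <div class="err" style="display:none">Incorrect Password</div>
  <input type="text" name="otp" placeholder="Enter the code sent to your phone">
  <span id="countdown">05:00</span>
</form>
</body></html>
"""

# Constructed stand-in for a real provider sign-in page, used as the control.
LEGIT_PAGE = """
<html><head><title>Sign in</title></head><body>
<p>to continue to Gmail</p>
<form action="/signin/challenge">
  <input type="email" name="identifier">
  <input type="password" name="Passwd">
</form>
</body></html>
"""

# Hosts where each provider legitimately collects a password. Assumed allowlist
# for this example; production code would maintain a fuller one.
LEGIT_LOGIN_HOSTS = {
    "outlook": {"login.live.com", "login.microsoftonline.com"},
    "office 365": {"login.microsoftonline.com"},
    "yahoo": {"login.yahoo.com"},
    "aol": {"login.aol.com"},
    "gmail": {"accounts.google.com"},
}

OTP_RE = re.compile(r"\b(otp|one[- ]time|verification code|code sent to)\b")
COUNTDOWN_RE = re.compile(r"\b\d{1,2}:\d{2}\b")   # mm:ss timer text; weak on its own


def _host_allowed(host, allowed):
    """True if host is one of the allowed hosts or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def fingerprint_login_page(url, html):
    """Return the signals a browser-side check can read off a credential page."""
    host = (urlsplit(url).hostname or "").lower()
    text = html.lower()
    brands = [b for b in LEGIT_LOGIN_HOSTS
              if re.search(r"\b" + re.escape(b) + r"\b", text)]
    mismatched = [b for b in brands if not _host_allowed(host, LEGIT_LOGIN_HOSTS[b])]
    password_field = 'type="password"' in text
    otp_field = bool(OTP_RE.search(text))
    countdown = bool(COUNTDOWN_RE.search(text))

    reasons = []
    if password_field and mismatched:
        reasons.append(f"password form for {', '.join(mismatched)} on non-provider host {host}")
    if len(brands) >= 2:
        reasons.append(f"one page offers sign-in for {len(brands)} competing providers")
    if password_field and otp_field:
        reasons.append("password and one-time code collected on the same page")
    if countdown:
        reasons.append("countdown timer (urgency cue)")

    return {
        "host": host, "brands": brands, "mismatched": mismatched,
        "password_field": password_field, "otp_field": otp_field,
        "countdown": countdown, "reasons": reasons,
        # The decisive signal: a password box for a brand on a host that brand
        # does not use. The other reasons raise confidence but are not required.
        "flagged": password_field and bool(mismatched),
    }


if __name__ == "__main__":
    for url, page in [("https://invite-card.sbs/view/invitation", KIT_PAGE),
                      ("https://accounts.google.com/signin", LEGIT_PAGE)]:
        r = fingerprint_login_page(url, page)
        print(url, "->", "FLAGGED" if r["flagged"] else "ok", r["reasons"])
```

The decision deliberately does not depend on the invitation brand, the domain's age or its TLD: the kit rotates all three, but it cannot stop naming the providers whose passwords it wants, and it cannot host itself on their domains.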

[Figure: Social invite phishing kill chain]
We documented the full mechanics — the multi-provider harvester, the fake-error reprompt, the CAPTCHA concealment — in our recent brief on trusted-infrastructure abuse. This post is about the part that reporting keeps missing: why a scam this simple is a corporate problem.
Most credential phishing gets caught because something in the delivery or the destination looks wrong. The invite lure is built so that nothing does. Layer by layer, the enterprise stack is neutralized:
| Control | Why it fails here |
|---|---|
| SPF / DKIM / DMARC | The mail is genuinely sent from a real, compromised mailbox on a legitimately authenticated domain. Authentication passes because the sender is authentic — it just isn’t the person you think. |
| Secure email gateway / sender reputation | The sender is a known, trusted contact — often a colleague, vendor, or customer already in your address book. Reputation is spotless. |
| URL reputation / blocklists | The landing pages sit on freshly registered domains under disposable TLDs, fronted by Cloudflare. There is no history to score, and the real origin stays hidden behind Cloudflare’s edge, whose address ranges are shared with legitimate sites and cannot be blocked wholesale. |
| Sandbox / URL detonation | Some variants gate the page behind a genuine Cloudflare “Verify you are human” managed challenge. Automated crawlers and email-security sandboxes generally cannot solve it, so they never render the phish and score the URL as benign. |
| Multi-factor authentication | The kit captures the one-time code alongside the password. The OTP step is not an afterthought; it is the feature that walks the stolen login straight past MFA. This works against any code the user can type (SMS, voice, authenticator app). It does not work against phishing-resistant factors such as FIDO2 security keys or passkeys, which are bound to the real provider’s origin and will not sign for a look-alike domain. |
There is one more evasion that has nothing to do with technology: the channel. These lures arrive over SMS and personal webmail as readily as corporate email, and they target consumer providers (Yahoo, AOL, Gmail) right alongside Office 365. So the message frequently reaches the employee on a personal phone or a BYOD device — outside the monitored perimeter entirely, where the gateway and the endpoint agent have no visibility at all. The employee is mentally “at work” on a channel the security team cannot see.
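The first row of the table is the one defenders most often misread: a passing Authentication-Results header says the message left the domain it claims, not that the account's owner wrote it. The added example below, written for this post and not the page's or any gateway's own code, parses a constructed message whose SPF, DKIM and DMARC all pass and whose sender is an address already in the contact list, and still holds it on the strength of the link alone: a registrable domain on a high-abuse TLD, with a real invitation brand stuffed into the subdomain. The sender, the contact list, the risky-TLD set and both messages are constructed; the registrable-domain logic is a two-label simplification of what a public-suffix lookup would do.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed message: SPF, DKIM and DMARC all pass because it really left a
# (compromised) mailbox at the sender's domain, and the sender is a contact we
# already know. Only the link gives it away.
PHISH_MAIL = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=partner-corp.example;
 dkim=pass header.d=partner-corp.example;
 dmarc=pass header.from=partner-corp.example
From: Dana Reyes <dana.reyes@partner-corp.example>
To: you@example.com
Subject: Dana sent you a wedding invitation
Content-Type: text/plain; charset=utf-8

You have a new invitation from Dana. View invitation:
https://paperlesspost.invite-card.sbs/view?id=8841
"""

# Constructed control: same sender and headers, link on the brand's own domain.
BENIGN_MAIL = PHISH_MAIL.replace(
    "https://paperlesspost.invite-card.sbs/view?id=8841",
    "https://www.paperlesspost.com/go/8841")

KNOWN_CONTACTS = {"dana.reyes@partner-corp.example"}   # constructed address book
RISKY_TLDS = {"sbs", "cfd", "top", "vu", "one"}        # assumption: high-abuse TLDs seen in the campaign
BRAND_DOMAINS = {                                       # where each invitation brand really lives
    "paperlesspost": "paperlesspost.com", "punchbowl": "punchbowl.com",
    "greenvelope": "greenvelope.com", "evite": "evite.com", "adobe": "adobe.com",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_RE = re.compile(r"\b(invitation|invite|rsvp|e-?card|shared a (card|document))\b", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def parse_auth_results(value):
    """Pull method=result pairs out of an Authentication-Results header value."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(value or "")}


def registrable_domain(host):
    """Last two labels. Simplification: real code consults the public suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage(raw):
    """Score one raw message; the verdict depends on the links, not the headers."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results"))
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = "\n".join(
        part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")

    link_findings = []
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        reg = registrable_domain(host)
        tld = reg.rsplit(".", 1)[-1]
        if tld in RISKY_TLDS:
            link_findings.append(f"{host}: registrable domain on high-abuse TLD .{tld}")
        for brand, real in BRAND_DOMAINS.items():
            if brand in url.lower() and reg != real:
                link_findings.append(f"{host}: '{brand}' in URL but domain is {reg}, not {real}")

    return {
        "auth_pass": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "known_sender": sender in KNOWN_CONTACTS,
        "lure_wording": bool(LURE_RE.search(msg.get("Subject", "") + " " + body)),
        "link_findings": link_findings,
        # Authentication and reputation are necessary, not sufficient: the
        # decision rests on where the link goes.
        "verdict": "hold for review" if link_findings else "deliver",
    }


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_MAIL), ("benign", BENIGN_MAIL)):
        r = triage(raw)
        print(name, r["verdict"], "| auth_pass:", r["auth_pass"],
              "known_sender:", r["known_sender"], "|", r["link_findings"])
```

Both messages come back with `auth_pass` and `known_sender` true and the same invitation wording; only the phish carries link findings. A gateway rule that stops evaluating once authentication and sender reputation are clean is exactly the rule this lure is built for.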
Nobody is after your RSVP. The email account is the product, because an inbox is the master reset key to everything else and a trusted relay for the next attack. Once an employee’s mailbox is taken:
This is not a flash campaign. In PIXM’s browser telemetry the invitation family has run without interruption since early 2024, cycling through a near-endless supply of throwaway domains under TLDs such as .de, .es, .nl, .vu, .sbs, .cfd, .one and .top, with the hosting increasingly tucked behind trusted infrastructure providers. The brand on the front changes; the harvester behind it does not. The infrastructure is commodity — consistent with a shared, rented invite-phishing kit rather than a single named threat group — and we make no actor attribution here. External trackers reporting on the same wave have catalogued dozens of dedicated phishing domains active since late 2025, and the U.S. FTC issued a consumer alert in May 2026. The honest read: volume is still modest next to legitimate invite traffic, and the real risk is that it is underestimated, not that it is flooding your gateway.

[Figure: The same kit’s fake “Incorrect Password” error, designed to capture a second, clean password entry.]
If you are interested in seeing how PIXM can help prevent attacks like these for your organization, book a demo here: pixmsecurity.com/request-demo/