Brand Impersonation: Stripe Notification
Campaigns have been observed sending templated Stripe notification emails with the call-to-action button link replaced, clicking through to a malicious credential phishing page.
Sublime rule (View on GitHub)
# Sublime Security detection rule (MQL). Matches inbound mail that presents as a
# Stripe notification while its call-to-action link points away from stripe.com.
name: "Brand Impersonation: Stripe Notification"
description: "Campaigns have been observed sending templated Stripe notification emails with the call-to-action button link replaced, clicking through to a malicious credential phishing page."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Sender presents as Stripe: display name starts with "stripe" (case-insensitive),
  // is within one edit of "stripe", or the sending domain contains "stripe".
  and (
    strings.ilike(sender.display_name, 'stripe*')
    or strings.ilevenshtein(sender.display_name, 'stripe') <= 1
    or strings.ilike(sender.email.domain.domain, '*stripe*')
  )
  // Link evidence, either of two shapes:
  and (
    // (a) a CTA-looking link whose root domain is not stripe.com: display text
    //     "view in dashboard", or CTA-style wording on a domain whose whois
    //     record is under 30 days old (network.whois does the lookup per link).
    any(body.links,
        (
          .display_text in~ ("view in dashboard")
          or (
            network.whois(.href_url.domain).days_old < 30
            and regex.icontains(.display_text, 'view|click|dashboard|portal')
          )
        )
        and .href_url.domain.root_domain != "stripe.com"
    )
    // if it's a well done fake payment notification, the only 2 links that aren't from Stripe
    // are the customer's email address and the CTA button (view in dashboard, click for more info, etc.)
    // (b) exactly two labelled non-stripe.com links among more than two links total;
    //     no display-text wording or domain-age condition is applied in this branch.
    or (
      length(filter(body.links,
                    .href_url.domain.root_domain != 'stripe.com'
                    and .display_text is not null
             )
      ) == 2
      and length(body.links) > 2
    )
  )
  // Exclude genuine stripe.com senders when any hop reports a DMARC pass.
  // NOTE(review): this reads DMARC from headers.hops, while the trusted-domain
  // block below uses headers.auth_summary.dmarc.pass — confirm both forms are
  // intended, or align them so the rule evaluates DMARC one way.
  and not (
    sender.email.domain.root_domain == "stripe.com"
    and any(headers.hops, .authentication_results.dmarc == "pass")
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender reputation: either an unfamiliar, unsolicited sender, or one with
  // prior malicious/spam messages and no recorded false positives.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // Applied to the whole rule, so the any_false_positives check inside the
  // second reputation branch above is already implied by this line.
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "URL analysis"
  - "Whois"
id: "3ffd2b03-ed17-575a-a9ef-ead2ee6fe660"