Brand Impersonation: Stripe

Impersonation of Stripe, usually for credential theft.

Sublime rule (View on GitHub)

# Sublime Security detection rule; the `source` block is MQL, which uses // for comments.
name: "Brand Impersonation: Stripe"
description: |
    Impersonation of Stripe, usually for credential theft.
type: "rule"
severity: "high"
source: |
  // scope: inbound mail only
  type.inbound
  and (
    // Display name after replacing unicode confusables is stripe
    (
      sender.display_name =~ 'stripe'
      or (
          strings.istarts_with(sender.display_name, 'stripe ')
          // this allow-list applies only to the "stripe " prefix branch
          and not sender.display_name in~ ('Stripe & Stare', 'Stripe and Stare', 'Stripe Events')
      )
      or strings.replace_confusables(sender.display_name) =~ 'stripe'
      // fake stripe invoice in attached picture
      or (
        any(attachments,
            .file_type in $file_types_images
            // OCR text of the image mentions stripe and the NLU classifier
            // reports a callback_scam intent with medium or high confidence
            and any(file.explode(.),
                    strings.ilike(.scan.ocr.raw, "*stripe*")
                    and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                            .name in ("callback_scam")
                            and .confidence in ("medium", "high")
                  )
              )
          )
      )
    )
    or (
      // lookalike display name: edit distance to "stripe" is at most 2
      // (distance 0 is already covered by the exact-match branch above)
      strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                           'stripe'
      ) <= 2
      // the length is the same as "stripe"
      // NOTE(review): the length is taken from the raw display name while the
      // distance uses the confusable-replaced form — confirm replace_confusables
      // never changes the length, otherwise the two checks can disagree
      and length(sender.display_name) == 6
      // and not one of these english words that matches the edit distance
      and not sender.display_name in~ (
        "strive",
        "stride",
        "strife",
        "strike",
        "strobe",
        "stroke",
        "streps",
        "string",
        "scribe",
        "straye", // a shoe company?
        "storie", // storiesbystorie.com
        "stryke", // a cybersecurity and compliance company
        "stryve", // a food/snack company stryve.com
        "shrine", // common word
        "s.ride", // cab/taxi company
        "striim", // ai/data company
        "striim.com", // same as above
        "skribe" // ai/legal company
      )
    )
  )
  // the sender's own root domain is not stripe.com
  // NOTE(review): unlike the high-trust block below, this exemption is not
  // conditioned on headers.auth_summary.dmarc.pass
  and sender.email.domain.root_domain not in~ ('stripe.com')
  // the sender address is not also one of the recipients
  and sender.email.email not in $recipient_emails
  
  // Stripe adds a custom header
  // don't match messages with the header
  // NOTE(review): presence-only check on the header name, not tied to
  // authentication results; compare the DMARC-gated exemption below
  and not any(headers.hops, any(.fields, .name == "X-Stripe-EID"))
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
# classification metadata for the rule
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "862d4654-4a32-50c1-a441-b3a5106be174"