Brand Impersonation: Stripe
Impersonation of Stripe, usually for credential theft.
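name: "Brand Impersonation: Stripe"
description: |
  Impersonation of Stripe, usually for credential theft.
type: "rule"
severity: "high"
source: |
  // Flags inbound mail whose display name is (or is one or two edits away
  // from) "stripe", or whose image attachment OCRs to a Stripe-themed
  // callback scam, unless the message is authenticated Stripe mail.
  type.inbound
  and (
    // Display name after replacing unicode confusables is stripe
    (
      sender.display_name =~ 'stripe'
      or (
        strings.istarts_with(sender.display_name, 'stripe ')
        and not sender.display_name in~ ('Stripe & Stare', 'Stripe and Stare', 'Stripe Events')
      )
      or strings.replace_confusables(sender.display_name) =~ 'stripe'
      // fake stripe invoice in attached picture
      or (
        any(attachments,
            .file_type in $file_types_images
            and any(file.explode(.),
                    strings.ilike(.scan.ocr.raw, "*stripe*")
                    and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                            .name in ("callback_scam")
                            and .confidence in ("medium", "high")
                    )
            )
        )
      )
    )
    or (
      // the edit distance is 1 or 2 (measured on the confusable-normalized name)
      strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                           'stripe'
      ) <= 2
      // the length is the same as "stripe"
      // NOTE(review): length is checked on the raw display name while the
      // distance is checked on the normalized one; a confusable that expands
      // to more than one character would fail this check — confirm intended
      and length(sender.display_name) == 6
      // and not one of these english words that matches the edit distance
      and not sender.display_name in~ (
        "strive",
        "stride",
        "strife",
        "strike",
        "strobe",
        "stroke",
        "streps",
        "string",
        "scribe",
        "straye", // a shoe company?
        "storie", // storiesbystorie.com
        "stryke", // a cybersecurity and compliance company
        "stryve", // a food/snack company stryve.com
        "shrine", // common word
        "s.ride", // cab/taxi company
        "striim", // ai/data company
        "striim.com", // same as above; unreachable under the length == 6 check, kept for clarity
        "skribe" // ai/legal company
      )
    )
  )

  // Only exclude the genuine Stripe sending domain when it is DMARC
  // authenticated; an unauthenticated From: stripe.com is exactly what a
  // spoof looks like. Mirrors the high-trust-domain gate below.
  and not (
    sender.email.domain.root_domain in~ ('stripe.com')
    and headers.auth_summary.dmarc.pass
  )
  and sender.email.email not in $recipient_emails

  // Stripe adds a custom header
  // don't match messages with the header
  // NOTE(review): this header is attacker-settable and is not tied to sender
  // authentication, so on its own it is a trivial bypass. If it must stay,
  // consider requiring it only alongside an authenticated stripe.com sender.
  and not any(headers.hops, any(.fields, .name == "X-Stripe-EID"))

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "862d4654-4a32-50c1-a441-b3a5106be174"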