Brand Impersonation: Stripe
Impersonation of Stripe, usually for credential theft.
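name: "Brand Impersonation: Stripe"
description: |
  Impersonation of Stripe, usually for credential theft.
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    // Display name after replacing unicode confusables is stripe
    (
      sender.display_name =~ 'stripe'
      or (
        strings.istarts_with(sender.display_name, 'stripe ')
        // known benign brand whose name starts with "stripe "
        and not sender.display_name in~ ('Stripe & Stare')
      )
      or strings.replace_confusables(sender.display_name) =~ 'stripe'
    )
    or (
      // the edit distance is 1 or 2
      strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                           'stripe'
      ) <= 2
      // the length is the same as "stripe"
      // (length and the allow-list below are checked on the raw display name,
      // while the edit distance above is measured after confusable replacement)
      and length(sender.display_name) == 6
      // and not one of these english words that matches the edit distance
      and not sender.display_name in~ (
        "strive",
        "stride",
        "strife",
        "strike",
        "strobe",
        "streps",
        "string",
        "scribe",
        "straye", // a shoe company?
        "storie", // storiesbystorie.com
        "stryve", // a food/snack company stryve.com
        "shrine", // common word
        "s.ride" // cab/taxi company
      )
    )
  )
  // Stripe's own root domain is exempt only when the message authenticates.
  // A stripe.com From address that fails DMARC is not Stripe and is still
  // evaluated; this mirrors the trusted-domain gate at the end of the rule.
  and not (
    sender.email.domain.root_domain in~ ('stripe.com')
    and headers.auth_summary.dmarc.pass
  )
  and sender.email.email not in $recipient_emails

  // Stripe adds a custom header
  // don't match messages with the header
  // NOTE(review): header presence is not authenticated on its own — confirm
  // whether this exemption should also require a DMARC pass like the one above
  and not any(headers.hops, any(.fields, .name == "X-Stripe-EID"))

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "862d4654-4a32-50c1-a441-b3a5106be174"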