Brand Impersonation: Stripe

Detects messages whose sender display name impersonates Stripe while the sender is not stripe.com, a pattern usually used for credential theft. The display-name matching tolerates Unicode confusables and small edit distances; the rule then subtracts self-addressed mail, messages carrying Stripe's X-Stripe-EID header, and high-trust sender domains that pass DMARC.

Sublime rule (View on GitHub)

name: "Brand Impersonation: Stripe"
description: |
    Impersonation of Stripe, usually for credential theft.
type: "rule"
severity: "high"
# Detection shape: an inbound message whose sender display name reads as
# "stripe" (exactly, as a leading word, after Unicode-confusable replacement,
# or within a small edit distance) while the sending domain is not stripe.com.
# The remaining clauses only subtract matches (self-addressed mail, a Stripe
# header, authenticated high-trust domains); none of them adds coverage.
source: |
  type.inbound
  and (
    // Display name is "stripe" (case-insensitive), starts with "stripe ",
    // or equals "stripe" once unicode confusables are replaced
    (
      sender.display_name =~ 'stripe'
      or strings.istarts_with(sender.display_name, 'stripe ')
      or strings.replace_confusables(sender.display_name) =~ 'stripe'
    )
    or (
      // the edit distance is at most 2 (distance 0 is already covered above)
      strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                           'stripe'
      ) <= 2
      // the length is the same as "stripe"
      // NOTE(review): the length is checked on the raw display name while the
      // distance is measured on the confusable-replaced one; if
      // replace_confusables can change the string length the two clauses can
      // disagree - confirm against the function's behaviour.
      and length(sender.display_name) == 6
      // and not one of these english words that matches the edit distance.
      // The list is not exhaustive: any other six-character name within
      // distance 2 still matches (e.g. "Sprite" is two substitutions away),
      // so expect to extend it as false positives surface.
      and not sender.display_name in~ (
        "strive",
        "stride",
        "strife",
        "strike",
        "strobe",
        "streps",
        "string",
        "scribe",
        "straye" // a shoe company?
      )
    )
  )
  // mail whose sender root domain really is stripe.com is not impersonation
  and sender.email.domain.root_domain not in~ ('stripe.com')
  // presumably $recipient_emails holds the organisation's own addresses, so
  // this drops mail whose sender is one of them - verify against the list source
  and sender.email.email not in $recipient_emails
  
  // Stripe adds a custom header
  // don't match messages with the header
  // NOTE(review): this exemption keys only on the header *name* and message
  // headers are attacker-controlled: a lookalike message that simply includes
  // an X-Stripe-EID header is not flagged. Nothing here ties the header to a
  // stripe.com origin or to an authentication result; treat it as a
  // false-positive reduction, not a trust decision.
  and not any(headers.hops, any(.fields, .name == "X-Stripe-EID"))
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // Logically: not (root domain is high-trust and DMARC passed). A high-trust
  // domain still matches when its DMARC check did not pass.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "862d4654-4a32-50c1-a441-b3a5106be174"