Brand Impersonation: Stripe

Impersonation of Stripe, usually for credential theft.

Sublime rule (View on GitHub)

 1name: "Brand Impersonation: Stripe"
 2description: |
 3    Impersonation of Stripe, usually for credential theft.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and (
 9    // Display name after replacing unicode confusables is stripe
10    (
11      sender.display_name =~ 'stripe'
12      or (
13        strings.istarts_with(sender.display_name, 'stripe ')
14        and not sender.display_name in~ (
15          'Stripe & Stare',
16          'Stripe and Stare',
17          'Stripe Events'
18        )
19      )
20      or strings.replace_confusables(sender.display_name) =~ 'stripe'
21      // fake stripe invoice in attached picture
22      or (
23        any(attachments,
24            .file_type in $file_types_images
25            and any(file.explode(.),
26                    strings.ilike(.scan.ocr.raw, "*stripe*")
27                    and any(ml.nlu_classifier(.scan.ocr.raw).intents,
28                            .name in ("callback_scam")
29                            and .confidence in ("medium", "high")
30                    )
31            )
32        )
33      )
34    )
35    or (
36      // the edit distance is 1 or 2
37      strings.ilevenshtein(strings.replace_confusables(sender.display_name),
38                           'stripe'
39      ) <= 2
40      // the length is the same as "stripe"
41      and length(sender.display_name) == 6
42      // and not one of these english words that matches the edit distance
43      and not sender.display_name in~ (
44        "strive",
45        "stride",
46        "strife",
47        "strike",
48        "strobe",
49        "stroke",
50        "streps",
51        "string",
52        "scribe",
53        "straye", // a shoe company?
54        "storie", // storiesbystorie.com
55        "stryke", // a cybersecurity and compliance company
56        "stryve", // a food/snack company stryve.com
57        "shrine", // common word
58        "s.ride", // cab/taxi company
59        "striim", // ai/data company
60        "striim.com", // same as above
61        "skribe" // ai/legal company
62      )
63    )
64  )
65  and not (
66    sender.email.domain.root_domain in~ (
67      'stripe.com',
68      'stripetour.com',
69      'stripepress.com'
70    )
71    and coalesce(headers.auth_summary.dmarc.pass, false)
72  )
73  and sender.email.email not in $recipient_emails
74  
75  // Stripe adds a custom header
76  // don't match messages with the header
77  and not any(headers.hops, any(.fields, .name == "X-Stripe-EID"))
78  
79  // negate highly trusted sender domains unless they fail DMARC authentication
80  and (
81    (
82      sender.email.domain.root_domain in $high_trust_sender_root_domains
83      and not headers.auth_summary.dmarc.pass
84    )
85    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
86  )  
87
88attack_types:
89  - "Credential Phishing"
90tactics_and_techniques:
91  - "Impersonation: Brand"
92  - "Lookalike domain"
93  - "Social engineering"
94detection_methods:
95  - "Header analysis"
96  - "Sender analysis"
97id: "862d4654-4a32-50c1-a441-b3a5106be174"
to-top