Brand Impersonation: Stripe
Impersonation of Stripe, usually for credential theft.
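name: "Brand Impersonation: Stripe"
description: |
  Impersonation of Stripe, usually for credential theft.
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    // Display name is "stripe" (case-insensitive), starts with "stripe ",
    // or becomes "stripe" once unicode confusables are replaced
    (
      sender.display_name =~ 'stripe'
      or strings.istarts_with(sender.display_name, 'stripe ')
      or strings.replace_confusables(sender.display_name) =~ 'stripe'
    )
    or (
      // Near miss: the confusables-replaced display name is within an edit
      // distance of 2 of "stripe" (distance 0 is already covered above)
      strings.ilevenshtein(strings.replace_confusables(sender.display_name),
        'stripe'
      ) <= 2
      // and has the same length as "stripe", which drops longer or shorter
      // words that only happen to be close by edit distance
      and length(sender.display_name) == 6
      // and is not one of these English words that sit within that edit
      // distance of "stripe" and would otherwise be false positives
      // NOTE(review): the length check and this allowlist use the raw
      // display name, while the distance uses the confusables-replaced
      // form; they only diverge if replacement changes the length or a
      // confusable appears inside an allowlisted word -- confirm intended
      and not sender.display_name in~ (
        "strive",
        "stride",
        "strife",
        "strike",
        "strobe",
        "streps",
        "string",
        "scribe",
        "straye" // a shoe company?
      )
    )
  )
  // Mail from the genuine stripe.com root domain is out of scope; the rule
  // targets senders that merely look like Stripe
  and sender.email.domain.root_domain not in~ ('stripe.com')
  // Exclude senders whose address is in the recipient-address list
  // (presumably the organization's own addresses -- verify against the list)
  and sender.email.email not in $recipient_emails

  // Genuine Stripe mail carries an X-Stripe-EID header on one of its hops;
  // messages with that header are not matched. This is an exclusion based
  // on header presence only and is not an authentication signal -- sender
  // authentication is handled by the DMARC check below.
  and not any(headers.hops, any(.fields, .name == "X-Stripe-EID"))

  // Negate highly trusted sender domains unless they fail DMARC
  // authentication, i.e. match unless (root domain is high-trust AND DMARC
  // passed); a high-trust domain that fails DMARC is still evaluated
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "862d4654-4a32-50c1-a441-b3a5106be174"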