Brand Impersonation: Stripe

Impersonation of Stripe, usually for credential theft.

Sublime rule (View on GitHub)

name: "Brand Impersonation: Stripe"
description: |
    Impersonation of Stripe, usually for credential theft.
type: "rule"
severity: "high"
# Detection query (Sublime MQL). `=~`, `in~` and the i-prefixed string helpers
# (istarts_with, ilevenshtein) are case-insensitive, so the display-name checks
# below ignore letter case.
source: |
  type.inbound
  and (
    // Branch 1: the display name is, or begins with, "stripe" - either literally
    // or after unicode confusables have been replaced
    (
      sender.display_name =~ 'stripe'
      or (
          strings.istarts_with(sender.display_name, 'stripe ')
          // known legitimate brands whose name starts with "Stripe "
          and not sender.display_name in~ ('Stripe & Stare', 'Stripe and Stare', 'Stripe Events')
      )
      or strings.replace_confusables(sender.display_name) =~ 'stripe'
    )
    // Branch 2: near-miss (typosquat-style) display names of the same length as "stripe"
    or (
      // the edit distance is at most 2 (distance 0 is already covered by branch 1)
      // note: the distance is computed on the confusable-replaced name, while the
      // length and word allowlist below are evaluated on the raw display name
      strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                           'stripe'
      ) <= 2
      // the length is the same as "stripe"
      and length(sender.display_name) == 6
      // and not one of these english words that matches the edit distance
      and not sender.display_name in~ (
        "strive",
        "stride",
        "strife",
        "strike",
        "strobe",
        "stroke",
        "streps",
        "string",
        "scribe",
        "straye", // a shoe company?
        "storie", // storiesbystorie.com
        "stryke", // a cybersecurity and compliance company
        "stryve", // a food/snack company stryve.com
        "shrine", // common word
        "s.ride", // cab/taxi company
        "striim", // ai/data company
        "striim.com" // same as above (10 chars, so it can never satisfy the length == 6 check; harmless but dead)
      )
    )
  )
  // the legitimate Stripe domain; this exclusion is unconditional - no authentication
  // result is consulted for it here
  and sender.email.domain.root_domain not in~ ('stripe.com')
  // skip messages whose sender address is itself present in $recipient_emails
  and sender.email.email not in $recipient_emails
  
  // Stripe adds a custom header
  // don't match messages with the header
  // (headers are supplied by the sending side, so treat this as a false-positive
  // suppressor rather than as proof of origin)
  and not any(headers.hops, any(.fields, .name == "X-Stripe-EID"))
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. a root domain listed in $high_trust_sender_root_domains only stays in scope
  // when DMARC did not pass; every other root domain is always evaluated
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
# Classification metadata used for reporting; not part of the match logic above
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "862d4654-4a32-50c1-a441-b3a5106be174"