Invoicera infrastructure abuse

This rule is tailored to flag infrastructural abuse involving Invoicera, a SaaS-based invoicing and billing platform, which has been identified as a tool in widespread spam and credential phishing campaigns.

Sublime rule (View on GitHub)

 1name: "Invoicera infrastructure abuse"
 2description: "This rule is tailored to flag infrastructural abuse involving Invoicera, a SaaS-based invoicing and billing platform, which has been identified as a tool in widespread spam and credential phishing campaigns."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and sender.email.domain.root_domain == "invoicera.com"
 8  // suspicious recipient pattern
 9  and (
10    length(recipients.to) == 0
11    or any(recipients.to, .email.domain.valid == false)
12    or length(recipients.bcc) > 0
13  )
14  // suspicious link
15  and (
16    any(body.links,
17        .href_url.domain.root_domain in $free_file_hosts
18        or .href_url.domain.domain in $free_file_hosts
19    )
20    or any(body.links,
21           .href_url.domain.root_domain in $free_subdomain_hosts
22           and .href_url.domain.subdomain is not null
23           and .href_url.domain.subdomain != "www"
24    )
25  )
26  // mismatched reply-to
27  and (
28    headers.return_path.email is not null
29    and headers.return_path.email != sender.email.email
30  )  
31
32attack_types:
33  - "Credential Phishing"
34  - "Spam"
35tactics_and_techniques:
36  - "Free file host"
37  - "Free subdomain host"
38  - "Image as content"
39  - "Social engineering"
40detection_methods:
41  - "Content analysis"
42  - "Header analysis"
43  - "Sender analysis"
44id: "1e56f310-750b-5c26-84eb-63e78f20a6bd"