Stripe invoice abuse
A fraudulent invoice/receipt found in the body of the message, sent by abusing Stripe's legitimate invoicing service so that the mail originates from stripe.com and passes DMARC. Callback phishing is an attempt by an attacker to solicit the victim (recipient) into calling a phone number. The resulting interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule (View on GitHub)
name: "Stripe invoice abuse"
description: |
  A fraudulent invoice/receipt found in the body of the message sent by exploiting Stripe's invoicing service.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 2
  and sender.email.domain.root_domain == "stripe.com"
  and headers.auth_summary.dmarc.pass
  and any(attachments,
          .file_extension == "pdf"
          and any(file.explode(.),
                  4 of (
                    strings.ilike(.scan.ocr.raw, "*Btc Purchase*"),
                    strings.ilike(.scan.ocr.raw, "*suspicious activity*"),
                    strings.ilike(.scan.ocr.raw,
                                  "*get in touch with us straight once*"
                    ),
                    strings.ilike(.scan.ocr.raw, "*your phone number*"),
                    strings.ilike(.scan.ocr.raw, "*due deducted*"),
                    strings.ilike(.scan.ocr.raw,
                                  "*merchant security service center*"
                    ),
                  )
          )
  )
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "PDF"
detection_methods:
  - "File analysis"
  - "Header analysis"
id: "90162d16-0311-579f-b256-b501ca29bb35"
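To make the rule's logic concrete, here is an added Python emulation of how it evaluates a message. It is not Sublime's MQL engine and not code from the sublime-rules repository; it assumes a simplified message model in which the OCR text of each PDF has already been extracted (standing in for `file.explode(.)` and `.scan.ocr.raw`), approximates `strings.ilike` with a case-insensitive glob via `fnmatch`, and uses a deliberately naive `root_domain` that keeps the last two labels instead of consulting the public suffix list. Both sample messages are constructed for the example.

```python
import fnmatch
from dataclasses import dataclass, field

# The six OCR phrases from the rule; each is a case-insensitive glob
# (strings.ilike semantics). The rule fires when at least 4 of them hit.
OCR_PATTERNS = [
    "*Btc Purchase*",
    "*suspicious activity*",
    "*get in touch with us straight once*",
    "*your phone number*",
    "*due deducted*",
    "*merchant security service center*",
]
REQUIRED_MATCHES = 4  # the rule's "4 of (...)"


@dataclass
class Attachment:
    file_extension: str
    ocr_text: str = ""  # assumed: text an OCR pass produced from the rendered file


@dataclass
class Message:
    inbound: bool
    sender_domain: str  # e.g. "billing.stripe.com"
    dmarc_pass: bool
    attachments: list = field(default_factory=list)


def ilike(text, pattern):
    """Case-insensitive glob match, approximating MQL's strings.ilike."""
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def root_domain(domain):
    """Hypothetical simplification: keep the last two labels.
    Sublime's root_domain uses the public suffix list, so e.g. co.uk
    domains would differ; good enough for this walkthrough."""
    return ".".join(domain.lower().split(".")[-2:])


def ocr_hits(text):
    """Return the list of rule phrases found in a block of OCR text."""
    return [p for p in OCR_PATTERNS if ilike(text, p)]


def matches_rule(msg):
    """Mirror the rule's `source` clause by clause."""
    if not msg.inbound:
        return False
    if len(msg.attachments) != 2:            # length(attachments) == 2
        return False
    if root_domain(msg.sender_domain) != "stripe.com":
        return False
    if not msg.dmarc_pass:                   # headers.auth_summary.dmarc.pass
        return False
    # any(attachments, .file_extension == "pdf" and 4 of (...))
    return any(
        a.file_extension == "pdf" and len(ocr_hits(a.ocr_text)) >= REQUIRED_MATCHES
        for a in msg.attachments
    )


def build_sample_lure():
    """Constructed callback-phishing invoice: exactly four phrases present."""
    ocr = (
        "Receipt from Merchant Security Service Center\n"
        "BTC purchase of $1,499.00 will be charged today.\n"
        "We noticed suspicious activity on your account.\n"
        "If you did not authorize this, get in touch with us straight once."
    )
    return Message(True, "billing.stripe.com", True,
                   [Attachment("pdf", ocr), Attachment("png")])


def build_sample_receipt():
    """Constructed legitimate Stripe receipt: same sender and headers, no lure phrases."""
    ocr = "Receipt from Example Store\nAmount paid: $42.00\nThank you for your purchase."
    return Message(True, "billing.stripe.com", True,
                   [Attachment("pdf", ocr), Attachment("png")])


if __name__ == "__main__":
    for label, msg in (("lure", build_sample_lure()), ("receipt", build_sample_receipt())):
        hits = ocr_hits(msg.attachments[0].ocr_text)
        print(f"{label}: {len(hits)} phrase hits, rule fires = {matches_rule(msg)}")
```

The point the emulation makes visible is that the sender domain and DMARC checks alone cannot separate the lure from a genuine receipt, because both really do come from Stripe; the 4-of-6 OCR threshold is what carries the verdict, and it is set above a single phrase so that one wording match in a legitimate invoice does not trigger it.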