Stripe Invoice Abuse
A fraudulent invoice/receipt found in the body of the message sent by exploiting Stripe's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule (View on GitHub)
name: "Stripe Invoice Abuse"
description: |
  A fraudulent invoice/receipt found in the body of the message sent by exploiting Stripe's invoicing service.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 2
  and sender.email.domain.root_domain == "stripe.com"
  and any(headers.hops, .authentication_results.dmarc == "pass")
  and any(attachments,
          .file_extension == "pdf"
          and any(file.explode(.),
                  4 of (
                    strings.ilike(.scan.ocr.raw, "*Btc Purchase*"),
                    strings.ilike(.scan.ocr.raw, "*suspicious activity*"),
                    strings.ilike(.scan.ocr.raw, "*get in touch with us straight once*"),
                    strings.ilike(.scan.ocr.raw, "*your phone number*"),
                    strings.ilike(.scan.ocr.raw, "*due deducted*"),
                    strings.ilike(.scan.ocr.raw, "*merchant security service center*"),
                  )
          )
  )
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "PDF"
detection_methods:
  - "File analysis"
  - "Header analysis"
id: "90162d16-0311-579f-b256-b501ca29bb35"
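To make the rule's matching logic concrete, here is an added Python model of it (example code, not Sublime's engine or the rule's own): it approximates strings.ilike with a case-insensitive glob, counts how many of the six OCR phrases a PDF's text hits, and applies the "4 of" threshold together with the inbound, attachment-count, sender-domain and DMARC conditions. The Message and Attachment classes and the sample OCR text are constructed assumptions, not Sublime's real object schema.

```python
import fnmatch
from dataclasses import dataclass

@dataclass
class Attachment:            # constructed stand-in for a Sublime attachment
    file_extension: str
    ocr_text: str            # plays the role of .scan.ocr.raw after file.explode()
@dataclass
class Message:               # constructed stand-in for the message object
    inbound: bool
    sender_root_domain: str  # sender.email.domain.root_domain
    dmarc_results: list      # one .authentication_results.dmarc value per hop
    attachments: list

# The six OCR phrases from the rule; the rule fires when 4 of them match.
OCR_PATTERNS = [
    "*Btc Purchase*",
    "*suspicious activity*",
    "*get in touch with us straight once*",
    "*your phone number*",
    "*due deducted*",
    "*merchant security service center*",
]

def ilike(text: str, pattern: str) -> bool:
    """Case-insensitive glob match, approximating MQL strings.ilike()."""
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())
def ocr_hits(text: str) -> int:
    """How many of the rule's OCR phrases appear in one PDF's text."""
    return sum(ilike(text, p) for p in OCR_PATTERNS)

def matches_rule(msg: Message, threshold: int = 4) -> bool:
    """Mirror of the rule's `source` block: every top-level condition must hold."""
    return (
        msg.inbound
        and len(msg.attachments) == 2
        and msg.sender_root_domain == "stripe.com"
        and any(r == "pass" for r in msg.dmarc_results)
        and any(a.file_extension == "pdf" and ocr_hits(a.ocr_text) >= threshold
                for a in msg.attachments)
    )
# Constructed sample OCR output: a callback-phishing receipt and a benign one.
PHISH_OCR = ("Receipt for Btc Purchase of $499.00. We detected suspicious activity on this\n"
             "order. Get in touch with us straight once. Merchant Security Service Center")
BENIGN_OCR = "Receipt from Example Co. Amount paid: $12.00. Thanks for your purchase."
PHISH_MSG = Message(True, "stripe.com", ["fail", "pass"],
                    [Attachment("pdf", PHISH_OCR), Attachment("png", "")])
BENIGN_MSG = Message(True, "stripe.com", ["pass"],
                     [Attachment("pdf", BENIGN_OCR), Attachment("png", "")])
```

The phishing sample hits exactly four phrases, so it sits right on the rule's threshold; dropping one phrase, failing DMARC on every hop, or changing the attachment count makes the model return False.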