Stripe Invoice Abuse

This rule detects a fraudulent invoice or receipt, sent by abusing Stripe's legitimate invoicing service, in the body or PDF attachment of a message. Callback phishing is an attempt by an attacker to lure the victim (the recipient) into calling a phone number. The resulting phone interaction can lead to a range of follow-on attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment. Because the message genuinely originates from Stripe's infrastructure (the sender root domain is stripe.com and DMARC passes), the rule relies on OCR of the attached PDF and requires at least four of six callback-phishing phrases to match.

Sublime rule (View on GitHub)

name: "Stripe Invoice Abuse"
description: |
  A fraudulent invoice/receipt found in the body of the message sent by exploiting Stripe's invoicing service.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 2
  and sender.email.domain.root_domain == "stripe.com"
  and any(headers.hops, .authentication_results.dmarc == "pass")
  and any(attachments,
          .file_extension == "pdf"
          and any(file.explode(.),
                  4 of (
                    strings.ilike(.scan.ocr.raw, "*Btc Purchase*"),
                    strings.ilike(.scan.ocr.raw, "*suspicious activity*"),
                    strings.ilike(.scan.ocr.raw, "*get in touch with us straight once*"),
                    strings.ilike(.scan.ocr.raw, "*your phone number*"),
                    strings.ilike(.scan.ocr.raw, "*due deducted*"),
                    strings.ilike(.scan.ocr.raw, "*merchant security service center*"),
                  )
          )
  )
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "PDF"
detection_methods:
  - "File analysis"
  - "Header analysis"
id: "90162d16-0311-579f-b256-b501ca29bb35"
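To show how the rule's logic behaves on real input, the following Python script is an added example (it is not Sublime's code and does not use the Sublime platform); it re-implements the rule's conditions over a constructed message object. The `Message` and `Attachment` classes, the `ilike` helper approximating MQL's `strings.ilike` wildcard matching, and the sample OCR text and phone-number placeholder are all assumptions made for this example; the phrase list, the "4 of 6" threshold, the sender root-domain check, the DMARC check and the two-attachment count come from the rule above.

```python
import re
from dataclasses import dataclass

# Phrases from the rule's OCR checks, matched case-insensitively with '*'
# wildcards, mirroring strings.ilike(.scan.ocr.raw, "*...*").
OCR_PATTERNS = [
    "*Btc Purchase*",
    "*suspicious activity*",
    "*get in touch with us straight once*",
    "*your phone number*",
    "*due deducted*",
    "*merchant security service center*",
]
MIN_MATCHES = 4            # the rule's "4 of (...)" threshold
EXPECTED_ATTACHMENTS = 2   # length(attachments) == 2
SENDER_ROOT_DOMAIN = "stripe.com"


@dataclass
class Attachment:
    """Hypothetical stand-in for a Sublime attachment with its OCR output."""
    file_extension: str
    ocr_raw: str = ""


@dataclass
class Message:
    """Hypothetical stand-in for the message fields the rule inspects."""
    inbound: bool
    sender_root_domain: str
    dmarc_results: list   # one authentication_results.dmarc value per hop
    attachments: list


def ilike(text, pattern):
    """Approximation of MQL strings.ilike: case-insensitive, '*' matches anything."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None


def ocr_matches(ocr_raw):
    """Return the callback-phishing phrases present in the OCR text."""
    return [p for p in OCR_PATTERNS if ilike(ocr_raw, p)]


def matches_rule(msg):
    """True when the message satisfies every condition of the rule's source."""
    if not msg.inbound:
        return False
    if len(msg.attachments) != EXPECTED_ATTACHMENTS:
        return False
    if msg.sender_root_domain != SENDER_ROOT_DOMAIN:
        return False
    if not any(r == "pass" for r in msg.dmarc_results):
        return False
    return any(
        att.file_extension == "pdf" and len(ocr_matches(att.ocr_raw)) >= MIN_MATCHES
        for att in msg.attachments
    )


# Constructed OCR text imitating a callback-phishing invoice (four of six phrases).
SUSPICIOUS_OCR = (
    "Receipt for BTC Purchase - $499.00\n"
    "We noticed suspicious activity on your account.\n"
    "If you did not authorize this charge, get in touch with us straight once.\n"
    "Merchant Security Service Center: 555-0100 (constructed placeholder)\n"
)

# Constructed OCR text of an ordinary receipt (no phishing phrases).
BENIGN_OCR = "Receipt from Example Store\nAmount paid: $12.00\nThank you for your purchase.\n"

SUSPICIOUS_SAMPLE = Message(
    inbound=True, sender_root_domain="stripe.com", dmarc_results=["pass"],
    attachments=[Attachment("pdf", SUSPICIOUS_OCR), Attachment("png")],
)
BENIGN_SAMPLE = Message(
    inbound=True, sender_root_domain="stripe.com", dmarc_results=["pass"],
    attachments=[Attachment("pdf", BENIGN_OCR), Attachment("png")],
)
# Same phishing content but not relayed through Stripe: outside this rule's scope.
NON_STRIPE_SAMPLE = Message(
    inbound=True, sender_root_domain="example.net", dmarc_results=["pass"],
    attachments=[Attachment("pdf", SUSPICIOUS_OCR), Attachment("png")],
)

if __name__ == "__main__":
    for label, sample in [("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE),
                          ("non-stripe", NON_STRIPE_SAMPLE)]:
        hits = ocr_matches(sample.attachments[0].ocr_raw)
        print(f"{label}: matches_rule={matches_rule(sample)} ocr_hits={hits}")
```

The `NON_STRIPE_SAMPLE` case illustrates why the rule is scoped to stripe.com with a passing DMARC result: the abuse pattern is that a real Stripe notification carries attacker-written invoice text, so header checks alone cannot distinguish it from a legitimate receipt, and the phrase threshold does the discriminating work. Tuning `MIN_MATCHES` is the trade-off between missed variants and false positives on ordinary invoices.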