Xero invoice abuse
Detects suspicious Xero invoice communications containing urgent payment requests where the sender's display name contains either confusable characters or impersonates internal services like HR or IT support.
Detection Query
// Xero invoice abuse: inbound mail that genuinely originates from Xero's sending
// domain, carries a Xero invoice link plus urgent invoice/payment wording, and whose
// sender display name looks like brand or internal-service impersonation.
type.inbound
// NOTE(review): the sender check is a string comparison on the From root domain only;
// no explicit SPF/DKIM/DMARC condition appears in this rule — confirm whether
// sender-authentication filtering happens upstream of this rule.
and sender.email.domain.root_domain == "xero.com"
and (
  // contains legitimate xero invoice links, either directly ...
  any(body.links,
      .href_url.domain.domain == "in.xero.com"
      // ... or in Mimecast URL-rewritten form. Exact equality on the whole query
      // string, so a rewritten link carrying any extra query parameter misses here.
      or (
        .href_url.domain.root_domain == "mimecastprotect.com"
        and .href_url.query_params == "domain=in.xero.com"
      )
  )
  // AND (both link and content conditions are required) financial communications
  // with invoice content, urgency, and a request
  and (
    // topic classifier: financial, at any confidence other than "low"
    any(beta.ml_topic(body.current_thread.text).topics,
        .name == "Financial Communications" and .confidence != "low"
    )
    // NLU tag: invoice at medium or high confidence
    and any(ml.nlu_classifier(body.current_thread.text).tags,
            .name == "invoice" and .confidence in ("medium", "high")
    )
    // NLU entities: both an urgency cue and a request must be present
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "urgency"
    )
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "request"
    )
  )
)
and (
  // display name contains confusables (brand impersonation): the name changes
  // when confusable characters are normalised, so it contained homoglyphs
  sender.display_name != strings.replace_confusables(sender.display_name)
  // or HR/recruitment/employment/internal service impersonation.
  // Case-insensitive substring regex; only "hr" is word-bounded, the remaining
  // alternatives (e.g. "admin") also match inside longer words.
  or regex.icontains(sender.display_name,
                     '\bhr\b|human resources|staffing|recruiting|recruitment|employment|payroll|it support|help ?desk|admin|administrator'
  )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Xero invoice abuse"
description: "Detects suspicious Xero invoice communications containing urgent payment requests where the sender's display name contains either confusable characters or impersonates internal services like HR or IT support."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // NOTE(review): the sender check is a string comparison on the From root domain only;
  // no explicit SPF/DKIM/DMARC condition appears in this rule — confirm whether
  // sender-authentication filtering happens upstream of this rule.
  and sender.email.domain.root_domain == "xero.com"
  and (
    // contains legitimate xero invoice links, either directly ...
    any(body.links,
        .href_url.domain.domain == "in.xero.com"
        // ... or in Mimecast URL-rewritten form. Exact equality on the whole query
        // string, so a rewritten link carrying any extra query parameter misses here.
        or (
          .href_url.domain.root_domain == "mimecastprotect.com"
          and .href_url.query_params == "domain=in.xero.com"
        )
    )
    // AND (both link and content conditions are required) financial communications
    // with invoice content, urgency, and a request
    and (
      // topic classifier: financial, at any confidence other than "low"
      any(beta.ml_topic(body.current_thread.text).topics,
          .name == "Financial Communications" and .confidence != "low"
      )
      // NLU tag: invoice at medium or high confidence
      and any(ml.nlu_classifier(body.current_thread.text).tags,
              .name == "invoice" and .confidence in ("medium", "high")
      )
      // NLU entities: both an urgency cue and a request must be present
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "urgency"
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "request"
      )
    )
  )
  and (
    // display name contains confusables (brand impersonation): the name changes
    // when confusable characters are normalised, so it contained homoglyphs
    sender.display_name != strings.replace_confusables(sender.display_name)
    // or HR/recruitment/employment/internal service impersonation.
    // Case-insensitive substring regex; only "hr" is word-bounded, the remaining
    // alternatives (e.g. "admin") also match inside longer words.
    or regex.icontains(sender.display_name,
                       '\bhr\b|human resources|staffing|recruiting|recruitment|employment|payroll|it support|help ?desk|admin|administrator'
    )
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Content analysis"
  - "Sender analysis"
id: "6538c600-06a5-5a2e-ab76-8dd7f77b2fa3"