EXPLORE
← Back to Explore
sublimemediumRule

Stripe invoice abuse

A fraudulent invoice/receipt found in the body of the message sent by exploiting Stripe's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Detection Query

type.inbound
and sender.email.domain.root_domain == "stripe.com"
and headers.auth_summary.dmarc.pass
and (
  (
    length(attachments) == 2
    and any(attachments,
            .file_extension == "pdf"
            and any(file.explode(.),
                    4 of (
                      strings.ilike(.scan.ocr.raw, "*Btc Purchase*"),
                      strings.ilike(.scan.ocr.raw, "*suspicious activity*"),
                      strings.ilike(.scan.ocr.raw,
                                    "*get in touch with us straight once*"
                      ),
                      strings.ilike(.scan.ocr.raw, "*your phone number*"),
                      strings.ilike(.scan.ocr.raw, "*due deducted*"),
                      strings.ilike(.scan.ocr.raw,
                                    "*merchant security service center*"
                      )
                    )
            )
    )
  )
  or (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "callback_scam" and .confidence == "high"
    )
    and 2 of (
      strings.icontains(body.current_thread.text, "processing your payment"),
      strings.icontains(body.current_thread.text, "payment has been received"),
      strings.icontains(body.current_thread.text, "order status update"),
      strings.icontains(body.current_thread.text, "ship your items"),
      strings.icontains(body.current_thread.text, "reach out:"),
      strings.icontains(body.current_thread.text, "pay this invoice"),
      strings.icontains(body.current_thread.text, "dear"),
      strings.icontains(body.current_thread.text, "need to cancel"),
      strings.icontains(body.current_thread.text, "Яеոеԝаⅼ"),
      strings.icontains(body.current_thread.text, "order confirmation"),
    )
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Stripe invoice abuse"
description: |
  A fraudulent invoice/receipt found in the body of the message sent by exploiting Stripe's invoicing service.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. 
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain == "stripe.com"
  and headers.auth_summary.dmarc.pass
  and (
    (
      length(attachments) == 2
      and any(attachments,
              .file_extension == "pdf"
              and any(file.explode(.),
                      4 of (
                        strings.ilike(.scan.ocr.raw, "*Btc Purchase*"),
                        strings.ilike(.scan.ocr.raw, "*suspicious activity*"),
                        strings.ilike(.scan.ocr.raw,
                                      "*get in touch with us straight once*"
                        ),
                        strings.ilike(.scan.ocr.raw, "*your phone number*"),
                        strings.ilike(.scan.ocr.raw, "*due deducted*"),
                        strings.ilike(.scan.ocr.raw,
                                      "*merchant security service center*"
                        )
                      )
              )
      )
    )
    or (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "callback_scam" and .confidence == "high"
      )
      and 2 of (
        strings.icontains(body.current_thread.text, "processing your payment"),
        strings.icontains(body.current_thread.text, "payment has been received"),
        strings.icontains(body.current_thread.text, "order status update"),
        strings.icontains(body.current_thread.text, "ship your items"),
        strings.icontains(body.current_thread.text, "reach out:"),
        strings.icontains(body.current_thread.text, "pay this invoice"),
        strings.icontains(body.current_thread.text, "dear"),
        strings.icontains(body.current_thread.text, "need to cancel"),
        strings.icontains(body.current_thread.text, "Яеոеԝаⅼ"),
        strings.icontains(body.current_thread.text, "order confirmation"),
      )
    )
  )
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "PDF"
detection_methods:
  - "File analysis"
  - "Header analysis"
id: "90162d16-0311-579f-b256-b501ca29bb35"