← Back to Explore
sublimemediumRule
Stripe invoice abuse
A fraudulent invoice/receipt found in the body of the message sent by exploiting Stripe's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
Detection Query
type.inbound
and sender.email.domain.root_domain == "stripe.com"
and headers.auth_summary.dmarc.pass
and (
(
length(attachments) == 2
and any(attachments,
.file_extension == "pdf"
and any(file.explode(.),
4 of (
strings.ilike(.scan.ocr.raw, "*Btc Purchase*"),
strings.ilike(.scan.ocr.raw, "*suspicious activity*"),
strings.ilike(.scan.ocr.raw,
"*get in touch with us straight once*"
),
strings.ilike(.scan.ocr.raw, "*your phone number*"),
strings.ilike(.scan.ocr.raw, "*due deducted*"),
strings.ilike(.scan.ocr.raw,
"*merchant security service center*"
)
)
)
)
)
or (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "callback_scam" and .confidence == "high"
)
and 2 of (
strings.icontains(body.current_thread.text, "processing your payment"),
strings.icontains(body.current_thread.text, "payment has been received"),
strings.icontains(body.current_thread.text, "order status update"),
strings.icontains(body.current_thread.text, "ship your items"),
strings.icontains(body.current_thread.text, "reach out:"),
strings.icontains(body.current_thread.text, "pay this invoice"),
strings.icontains(body.current_thread.text, "dear"),
strings.icontains(body.current_thread.text, "need to cancel"),
strings.icontains(body.current_thread.text, "Яеոеԝаⅼ"),
strings.icontains(body.current_thread.text, "order confirmation"),
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Stripe invoice abuse"
description: |
A fraudulent invoice/receipt found in the body of the message sent by exploiting Stripe's invoicing service.
Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
severity: "medium"
source: |
type.inbound
and sender.email.domain.root_domain == "stripe.com"
and headers.auth_summary.dmarc.pass
and (
(
length(attachments) == 2
and any(attachments,
.file_extension == "pdf"
and any(file.explode(.),
4 of (
strings.ilike(.scan.ocr.raw, "*Btc Purchase*"),
strings.ilike(.scan.ocr.raw, "*suspicious activity*"),
strings.ilike(.scan.ocr.raw,
"*get in touch with us straight once*"
),
strings.ilike(.scan.ocr.raw, "*your phone number*"),
strings.ilike(.scan.ocr.raw, "*due deducted*"),
strings.ilike(.scan.ocr.raw,
"*merchant security service center*"
)
)
)
)
)
or (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "callback_scam" and .confidence == "high"
)
and 2 of (
strings.icontains(body.current_thread.text, "processing your payment"),
strings.icontains(body.current_thread.text, "payment has been received"),
strings.icontains(body.current_thread.text, "order status update"),
strings.icontains(body.current_thread.text, "ship your items"),
strings.icontains(body.current_thread.text, "reach out:"),
strings.icontains(body.current_thread.text, "pay this invoice"),
strings.icontains(body.current_thread.text, "dear"),
strings.icontains(body.current_thread.text, "need to cancel"),
strings.icontains(body.current_thread.text, "Яеոеԝаⅼ"),
strings.icontains(body.current_thread.text, "order confirmation"),
)
)
)
attack_types:
- "BEC/Fraud"
- "Callback Phishing"
tactics_and_techniques:
- "PDF"
detection_methods:
- "File analysis"
- "Header analysis"
id: "90162d16-0311-579f-b256-b501ca29bb35"