EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Stripe invoice abuse

A fraudulent invoice/receipt found in the body of the message sent by exploiting Stripe's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

MITRE ATT&CK

T1566.002T1534T1656T1566.003T1598

Detection Query

type.inbound
and length(attachments) == 2
and sender.email.domain.root_domain == "stripe.com"
and headers.auth_summary.dmarc.pass
and any(attachments,
        .file_extension == "pdf"
        and any(file.explode(.),
                4 of (
                  strings.ilike(.scan.ocr.raw, "*Btc Purchase*"),
                  strings.ilike(.scan.ocr.raw, "*suspicious activity*"),
                  strings.ilike(.scan.ocr.raw,
                                "*get in touch with us straight once*"
                  ),
                  strings.ilike(.scan.ocr.raw, "*your phone number*"),
                  strings.ilike(.scan.ocr.raw, "*due deducted*"),
                  strings.ilike(.scan.ocr.raw,
                                "*merchant security service center*"
                  ),
                )
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Stripe invoice abuse"
description: |
  A fraudulent invoice/receipt found in the body of the message sent by exploiting Stripe's invoicing service.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. 
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 2
  and sender.email.domain.root_domain == "stripe.com"
  and headers.auth_summary.dmarc.pass
  and any(attachments,
          .file_extension == "pdf"
          and any(file.explode(.),
                  4 of (
                    strings.ilike(.scan.ocr.raw, "*Btc Purchase*"),
                    strings.ilike(.scan.ocr.raw, "*suspicious activity*"),
                    strings.ilike(.scan.ocr.raw,
                                  "*get in touch with us straight once*"
                    ),
                    strings.ilike(.scan.ocr.raw, "*your phone number*"),
                    strings.ilike(.scan.ocr.raw, "*due deducted*"),
                    strings.ilike(.scan.ocr.raw,
                                  "*merchant security service center*"
                    ),
                  )
          )
  )
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "PDF"
detection_methods:
  - "File analysis"
  - "Header analysis"
id: "90162d16-0311-579f-b256-b501ca29bb35"