// Detection: Stripe impersonation in the sender display name (exact, confusable-normalised,
// "stripe <suffix>", or a near-miss spelling) or a fake Stripe invoice delivered as an image.
type.inbound
and (
// Branch A: display name is, or normalises to, "stripe"
(
sender.display_name =~ 'stripe'
or (
// "stripe <anything>", unless it is one of these known unrelated brands
strings.istarts_with(sender.display_name, 'stripe ')
and not sender.display_name in~ ('Stripe & Stare', 'Stripe and Stare', 'Stripe Events')
)
// Display name after replacing unicode confusables is stripe
or strings.replace_confusables(sender.display_name) =~ 'stripe'
// fake stripe invoice in attached picture: OCR each image, require the text to contain
// "stripe" and the NLU classifier to return a callback_scam intent at medium/high confidence
or (
any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
strings.ilike(.scan.ocr.raw, "*stripe*")
and any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name in ("callback_scam")
and .confidence in ("medium", "high")
)
)
)
)
)
// Branch B: six-character display name within edit distance 2 of "stripe"
or (
// the edit distance is 1 or 2 (measured on the confusable-normalised display name)
strings.ilevenshtein(strings.replace_confusables(sender.display_name),
'stripe'
) <= 2
// the length is the same as "stripe"
// NOTE(review): length is checked on the raw display name while the distance uses the
// normalised one; confirm this is intended if replace_confusables can change the length
and length(sender.display_name) == 6
// and not one of these english words that matches the edit distance
// (case-insensitive comparison against the raw display name)
and not sender.display_name in~ (
"strive",
"stride",
"strife",
"strike",
"strobe",
"stroke",
"streps",
"string",
"scribe",
"straye", // a shoe company?
"storie", // storiesbystorie.com
"stryke", // a cybersecurity and compliance company
"stryve", // a food/snack company stryve.com
"shrine", // common word
"s.ride", // cab/taxi company
"striim", // ai/data company
"striim.com", // same as above (10 chars, so already excluded by the length check)
"skribe" // ai/legal company
)
)
)
// never fire on Stripe's own root domain, or when the sender is also one of the recipients
and sender.email.domain.root_domain not in~ ('stripe.com')
and sender.email.email not in $recipient_emails
// Stripe adds a custom header
// don't match messages with the header
// NOTE(review): this exclusion keys on header presence only; consider whether it should
// also require the sender-domain / DMARC conditions below rather than stand on its own
and not any(headers.hops, any(.fields, .name == "X-Stripe-EID"))
// negate highly trusted sender domains unless they fail DMARC authentication
// (a high-trust domain that fails DMARC is still eligible to match)
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)