High Severity
Brand Impersonation: Stripe
Description
Impersonation of Stripe, usually for credential theft.
References
No references.
Sublime Security
Created Sep 30th, 2024 • Last updated Jun 2nd, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and (
// Display name after replacing unicode confusables is stripe
(
sender.display_name =~ 'stripe'
or (
strings.istarts_with(sender.display_name, 'stripe ')
and not sender.display_name in~ ('Stripe & Stare', 'Stripe and Stare', 'Stripe Events')
)
or strings.replace_confusables(sender.display_name) =~ 'stripe'
)
or (
// the edit distance is 1 or 2
strings.ilevenshtein(strings.replace_confusables(sender.display_name),
'stripe'
) <= 2
// the length is the same as "stripe"
and length(sender.display_name) == 6
// and not one of these english words that matches the edit distance
and not sender.display_name in~ (
"strive",
"stride",
"strife",
"strike",
"strobe",
"stroke",
"streps",
"string",
"scribe",
"straye", // a shoe company?
"storie", // storiesbystorie.com
"stryke", // a cybersecurity and compliance company
"stryve", // a food/snack company stryve.com
"shrine", // common word
"s.ride", // cab/taxi company
"striim", // ai/data company
"striim.com" // same as above
)
)
)
and sender.email.domain.root_domain not in~ ('stripe.com')
and sender.email.email not in $recipient_emails
// Stripe adds a custom header
// don't match messages with the header
and not any(headers.hops, any(.fields, .name == "X-Stripe-EID"))
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.