• Sublime Core Feed
Medium Severity

Invoicera infrastructure abuse

Labels

Credential Phishing
Spam
Free file host
Free subdomain host
Image as content
Social engineering
Content analysis
Header analysis
Sender analysis

Description

This rule is tailored to flag infrastructural abuse involving Invoicera, a SaaS-based invoicing and billing platform, which has been identified as a tool in widespread spam and credential phishing campaigns.

References

No references.

Sublime Security
Created Mar 7th, 2024 • Last updated Mar 7th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and sender.email.domain.root_domain == "invoicera.com"
// suspicious recipient pattern
and (
  length(recipients.to) == 0
  or any(recipients.to, .email.domain.valid == false)
  or length(recipients.bcc) > 0
)
// suspicious link
and (
  any(body.links,
      .href_url.domain.root_domain in $free_file_hosts
      or .href_url.domain.domain in $free_file_hosts
  )
  or any(body.links,
         .href_url.domain.root_domain in $free_subdomain_hosts
         and .href_url.domain.subdomain is not null
         and .href_url.domain.subdomain != "www"
  )
)
// mismatched reply-to
and (
  headers.return_path.email is not null
  and headers.return_path.email != sender.email.email
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started