Medium Severity
Invoicera infrastructure abuse
Description
This rule flags infrastructure abuse involving Invoicera, a SaaS invoicing and billing platform that has been identified as a tool in widespread spam and credential phishing campaigns.
References
No references.
Sublime Security
Created Mar 7th, 2024 • Last updated Mar 7th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and sender.email.domain.root_domain == "invoicera.com"
// suspicious recipient pattern
and (
  length(recipients.to) == 0
  or any(recipients.to, .email.domain.valid == false)
  or length(recipients.bcc) > 0
)
// suspicious link
and (
  any(body.links,
      .href_url.domain.root_domain in $free_file_hosts
      or .href_url.domain.domain in $free_file_hosts
  )
  or any(body.links,
         .href_url.domain.root_domain in $free_subdomain_hosts
         and .href_url.domain.subdomain is not null
         and .href_url.domain.subdomain != "www"
  )
)
// mismatched reply-to
and (
  headers.return_path.email is not null
  and headers.return_path.email != sender.email.email
)