Medium Severity

Stripe invoice abuse

Labels

Description

A fraudulent invoice/receipt found in the body of the message sent by exploiting Stripe's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

References

No references.

Sublime Security

Created Aug 17th, 2023 • Last updated Aug 5th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and length(attachments) == 2
and sender.email.domain.root_domain == "stripe.com"
and headers.auth_summary.dmarc.pass
and any(attachments,
        .file_extension == "pdf"
        and any(file.explode(.),
                4 of (
                  strings.ilike(.scan.ocr.raw, "*Btc Purchase*"),
                  strings.ilike(.scan.ocr.raw, "*suspicious activity*"),
                  strings.ilike(.scan.ocr.raw, "*get in touch with us straight once*"),
                  strings.ilike(.scan.ocr.raw, "*your phone number*"),
                  strings.ilike(.scan.ocr.raw, "*due deducted*"),
                  strings.ilike(.scan.ocr.raw, "*merchant security service center*"),
                )
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.