Medium Severity

Xero invoice abuse

Labels

BEC/Fraud

Credential Phishing

Impersonation: Brand

Impersonation: Employee

Social engineering

Natural Language Understanding

Content analysis

Sender analysis

Description

Detects suspicious Xero invoice communications containing urgent payment requests where the sender's display name contains either confusable characters or impersonates internal services like HR or IT support.

References

No references.

Sublime Security

Created Jul 24th, 2025 • Last updated Dec 17th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and sender.email.domain.root_domain == "xero.com"
and (
  // contains legitimate xero invoice links
  any(body.links,
      .href_url.domain.domain == "in.xero.com"
      or (
        .href_url.domain.root_domain == "mimecastprotect.com"
        and .href_url.query_params == "domain=in.xero.com"
      )
  )
  // or financial communications with invoice content and urgency
  and (
    any(beta.ml_topic(body.current_thread.text).topics,
        .name == "Financial Communications" and .confidence != "low"
    )
    and any(ml.nlu_classifier(body.current_thread.text).tags,
            .name == "invoice" and .confidence in ("medium", "high")
    )
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "urgency"
    )
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "request"
    )
  )
)
and (
  // display name contains confusables (brand impersonation)
  sender.display_name != strings.replace_confusables(sender.display_name)
  // or HR/recruitment/employment/internal service impersonation
  or regex.icontains(sender.display_name,
                     '\bhr\b|human resources|staffing|recruiting|recruitment|employment|payroll|it support|help ?desk|admin|administrator'
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.