Brand Impersonation: QuickBooks Notification From Intuit Themed Company Name

This detection rule matches on QuickBooks notifications that feature company names impersonating Intuit and QuickBooks.

Sublime rule (View on GitHub)

 1name: "Brand Impersonation: QuickBooks Notification From Intuit Themed Company Name"
 2description: "This detection rule matches on QuickBooks notifications that feature company names impersonating Intuit and QuickBooks."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // Legitimate Intuit sending infratructure
 9  and sender.email.email == "quickbooks@notification.intuit.com"
10  and headers.auth_summary.spf.pass
11  and headers.auth_summary.dmarc.pass
12  and strings.ends_with(headers.auth_summary.spf.details.designator,
13                        '.intuit.com'
14  )
15  and (
16    // subject also contains the company name
17    strings.icontains(subject.subject, "Quickbooks")
18    or strings.icontains(subject.subject, "Intuit")
19    // the reply-to contains Inuit Themes
20    or any(headers.reply_to,
21           (
22             strings.icontains(.email.email, 'intuit')
23             or strings.icontains(.email.domain.domain, 'quickbooks')
24           )
25           and not (.email.domain.root_domain in ('intuit.com', 'quickbooks.com'))
26    )
27    // the "company" part of the message
28    or regex.icontains(body.html.raw,
29                       '<p class="companyName info-line" style="margin: 0; line-height: 1.5em; font-weight: 600;">.*(?:Intuit|Quickbooks).*</p></div>'
30    )
31  )  
32attack_types:
33  - "Callback Phishing"
34  - "Credential Phishing"
35  - "BEC/Fraud"
36tactics_and_techniques:
37  - "Evasion"
38  - "Social engineering"
39detection_methods:
40  - "Content analysis"
41  - "Sender analysis"
42  - "Header analysis"
43id: "42058fc4-d700-5bc3-9ee9-91641d9343c2"