Brand Impersonation: QuickBooks Notification From Intuit Themed Company Name

This rule matches QuickBooks notification emails that Intuit's own infrastructure genuinely sent — the sender is quickbooks@notification.intuit.com, SPF and DMARC both pass, and the SPF designator is an intuit.com host — but whose tenant-controlled company name in the message body, or whose Reply-To address, is themed after Intuit or QuickBooks. Because the impersonation rides on a legitimate, authenticated platform rather than a spoofed sender, sender-authentication checks alone will not catch it; the rule therefore inspects the customer-editable content instead.


 1name: "Brand Impersonation: QuickBooks Notification From Intuit Themed Company Name"
 2description: "This detection rule matches on QuickBooks notifications that feature company names impersonating Intuit and QuickBooks."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // Legitimate Intuit sending infratructure
 9  and sender.email.email == "quickbooks@notification.intuit.com"
10  and headers.auth_summary.spf.pass
11  and headers.auth_summary.dmarc.pass
12  and strings.ends_with(headers.auth_summary.spf.details.designator,
13                        '.intuit.com'
14  )
15  and (
16    // the reply-to contains Inuit Themes
17    any(headers.reply_to,
18           (
19             strings.icontains(.email.email, 'intuit')
20             or strings.icontains(.email.domain.domain, 'quickbooks')
21           )
22           and not (.email.domain.root_domain in ('intuit.com', 'quickbooks.com'))
23    )
24    // the "company" part of the message
25    or regex.icontains(body.html.raw,
26                       '<(?:div|p) class="company(?:Name|Details)[^\"]*\"[^\>]*\>[^\<]*(?:Intuit|Quickbooks).*</(?:p|div)>'
27    )
28  )  
29attack_types:
30  - "Callback Phishing"
31  - "Credential Phishing"
32  - "BEC/Fraud"
33tactics_and_techniques:
34  - "Evasion"
35  - "Social engineering"
36detection_methods:
37  - "Content analysis"
38  - "Sender analysis"
39  - "Header analysis"
40id: "42058fc4-d700-5bc3-9ee9-91641d9343c2"