Service Abuse: QuickBooks Notification From New Domain
This Attack Surface Reduction (ASR) rule matches on QuickBooks notifications with recently registered reply-to domains.
Sublime rule (View on GitHub)
1name: "Service Abuse: QuickBooks Notification From New Domain"
2description: "This Attack Surface Reduction (ASR) rule matches on QuickBooks notifications with recently registered reply-to domains."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7
8 // Legitimate Intuit sending infratructure
9 and sender.email.email == "quickbooks@notification.intuit.com"
10 and headers.auth_summary.spf.pass
11 and headers.auth_summary.dmarc.pass
12 and strings.ends_with(headers.auth_summary.spf.details.designator,
13 '.intuit.com'
14 )
15
16 // remove payment confirmation messages
17 and not strings.starts_with(subject.subject, 'Payment confirmation:')
18
19 // the message needs to have a reply-to address
20 and length(headers.reply_to) > 0
21
22 // reply-to email address has never received an email from your org
23 and not any(headers.reply_to, .email.email in $recipient_emails)
24
25 // new reply-to
26 and any(filter(headers.reply_to,
27 // negate .com.au which doesn't provide created date for domains
28 .email.domain.tld not in ('com.au')
29 ),
30 network.whois(.email.domain).days_old < 30
31 )
32tags:
33 - "Attack surface reduction"
34attack_types:
35 - "Callback Phishing"
36 - "Credential Phishing"
37 - "BEC/Fraud"
38tactics_and_techniques:
39 - "Evasion"
40 - "Social engineering"
41detection_methods:
42 - "Content analysis"
43 - "Sender analysis"
44 - "Header analysis"
45id: "c4f46473-0f5a-56d6-bb7e-489460bdb20f"