Service Abuse: QuickBooks Notification From New Domain

 1name: "Service Abuse: QuickBooks Notification From New Domain"
 2description: "This Attack Surface Reduction (ASR) rule matches on QuickBooks notifications with recently registered reply-to domains."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // Legitimate Intuit sending infratructure
 9  and sender.email.email == "quickbooks@notification.intuit.com"
10  and headers.auth_summary.spf.pass
11  and headers.auth_summary.dmarc.pass
12  and strings.ends_with(headers.auth_summary.spf.details.designator,
13                        '.intuit.com'
14  )
15  
16  // remove payment confirmation messages
17  and not strings.starts_with(subject.subject, 'Payment confirmation:')
18  
19  // the message needs to have a reply-to address
20  and length(headers.reply_to) > 0
21  
22  // 
23  // This rule makes use of a beta feature and is subject to change without notice
24  // using the beta feature in custom rules is not suggested until it has been formally released
25  // 
26  
27  // reply-to email address has never been sent an email by the org
28  and not beta.profile.by_reply_to().solicited
29  
30  // do not match if the reply_to address has been observed as a reply_to address
31  // of a message that has been classified as benign
32  and not beta.profile.by_reply_to().any_messages_benign
33  
34  // new reply-to
35  and any(headers.reply_to,
36          network.whois(.email.domain).days_old < 30
37  )  
38tags:
39 - "Attack surface reduction"
40attack_types:
41  - "Callback Phishing"
42  - "Credential Phishing"
43  - "BEC/Fraud"
44tactics_and_techniques:
45  - "Evasion"
46  - "Social engineering"
47detection_methods:
48  - "Content analysis"
49  - "Sender analysis"
50  - "Header analysis"
51id: "c4f46473-0f5a-56d6-bb7e-489460bdb20f"