Service Abuse: QuickBooks Notification with Suspicious Comments

This detection rule matches QuickBooks notifications that contain suspicious keywords within the comments section of the notification. It only fires on mail that genuinely comes from Intuit's sending infrastructure (exact sender address, SPF and DMARC pass, an Intuit SPF designator), so it targets abuse of the legitimate service — an attacker-controlled QuickBooks account delivering a lure in the free-text comment field — rather than a spoofed Intuit sender.

Sublime rule (YAML, with MQL in the `source` block):

 1name: "Service Abuse: QuickBooks Notification with Suspicious Comments"
 2description: "This detection rule matches QuickBooks notifications that contain suspicious keywords within the comments section of the notification"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // Legitimate Intuit sending infratructure
 9  and sender.email.email == "quickbooks@notification.intuit.com"
10  and headers.auth_summary.spf.pass
11  and headers.auth_summary.dmarc.pass
12  and strings.ends_with(headers.auth_summary.spf.details.designator,
13                         '.intuit.com'
14  )
15  
16  // remove payment confirmation messages
17  and not strings.starts_with(subject.subject, 'Payment confirmation:')
18  
19  and body.html.raw is not null
20  // Comments contains suspicious phrases
21  and (
22    // three different templates where commonly observed, on regex for each template
23    // this could optionally be converted into a "2 of" logic against current_thread if FN are discovered
24    regex.icontains(body.html.raw, '<div class="condensed-email-message-section" style="font-size: 1em; line-height: 1.5em; text-align: center; margin: 2.25em 0;">\s*<span id="condensedEmailMessageSectionContentWebPlayer">.*\b(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|update your details|just update your|continue your subscription|prefer to use EFT|change payment method|verify your account|suspended due to issue|payment declined notice|account needs verification|confirm your billing|immediate action required|failed payment notification|billing information update|service interruption warning|unable to process payment|subscription payment failed|action needed now|update banking information|subscription expiration notice|payment method change)\b.*</span></div>')
25    or regex.icontains(body.html.raw, '<div id="emailContainer" class="emailContainer" style="font-size: 18px; line-height: 1.5; text-align: left; padding-left: 20px; margin-left: 20px;">.*\b(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|update your details|just update your|continue your subscription|prefer to use EFT|change payment method|verify your account|suspended due to issue|payment declined notice|account needs verification|confirm your billing|immediate action required|failed payment notification|billing information update|service interruption warning|unable to process payment|subscription payment failed|action needed now|update banking information|subscription expiration notice|payment method change)\b.*</div>')
26    or regex.icontains(body.html.raw, '<table width=\"700\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\" style=\"margin-bottom:10px; font-family:Arial, Helvetica, sans-serif; font-size:12px\">(?:\s*<tbody>)?\s*<tr>\s*<td>\s*.*\b(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|update your details|just update your|continue your subscription|prefer to use EFT|change payment method|verify your account|suspended due to issue|payment declined notice|account needs verification|confirm your billing|immediate action required|failed payment notification|billing information update|service interruption warning|unable to process payment|subscription payment failed|action needed now|update banking information|subscription expiration notice|payment method change)\b.*</td>')
27  )  
28attack_types:
29  - "Callback Phishing"
30  - "Credential Phishing"
31  - "BEC/Fraud"
32tactics_and_techniques:
33  - "Evasion"
34  - "Social engineering"
35detection_methods:
36  - "Content analysis"
37  - "Sender analysis"
38  - "Header analysis"
39id: "a23d0950-9117-5199-bc74-7192217b80ff"