Service abuse: QuickBooks notification with suspicious comments

This detection rule matches QuickBooks notifications that contain suspicious keywords within the comments section of the notification

Sublime rule

# Sublime detection rule. It flags mail that really was sent through Intuit's
# QuickBooks notification service but whose free-text comment/message area
# carries phrasing typical of callback, credential-phishing or BEC lures.
# "Service abuse" means the sender is the genuine platform, so the sender check
# alone is not evidence of anything; the content check below is what decides.
name: "Service abuse: QuickBooks notification with suspicious comments"
description: "This detection rule matches QuickBooks notifications that contain suspicious keywords within the comments section of the notification"
type: "rule"
severity: "medium"
source: |
  type.inbound
  
  // Legitimate Intuit sending infrastructure: the rule targets abuse of the
  // real service, so the sender address is matched exactly rather than
  // looking for a look-alike of it
  and sender.email.email == "quickbooks@notification.intuit.com"
  
  // remove payment confirmation messages
  and not strings.starts_with(subject.subject, 'Payment confirmation:')
  and body.html.raw is not null
  // Comment section contains suspicious phrases
  and (
    // several different templates were commonly observed, run regex for each template
    // (each xpath selects the comment/message area of one template; the outer
    // any() walks the per-template node lists, the inner any() the nodes)
    any([
          html.xpath(body.html,
                     '//span[@id="condensedEmailMessageSectionContentWebPlayer"]'
          ).nodes,
          html.xpath(body.html, '//div[@id="emailContainer"]').nodes,
          html.xpath(body.html, '//table[@width="700"][1]//tr/td').nodes,
          html.xpath(body.html, '//tr[@class="email-header"]').nodes,
          html.xpath(body.html, '//tr[@class="email-center"]').nodes,
          html.xpath(body.html, '//div[@class="mlr22"]').nodes,
          html.xpath(body.html, '//td[@class="itemDesc"]//div').nodes,
          html.xpath(body.html, '//td[@class="shippingContent"]//div').nodes,
          html.xpath(body.html,
                     '//table[@class="shippingAndCustomLayout width100"]'
          ).nodes
        ],
        any(.,
            // case-insensitive; presumably a hit on either pattern is enough
            regex.icontains(.inner_text,
                            // subscription, renewals, verifications, etc
                            '(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|update your details|just update your|continue your subscription|prefer to use EFT|change payment method|verify your account|suspended due to issue|payment declined notice|account needs verification|confirm your billing|immediate action required|failed payment notification|billing information update|service interruption warning|unable to process payment|subscription payment failed|action needed now|update banking information|subscription expiration notice|payment method change|bill\s+to\s+subscriber)',
                            // callback wording
                            // NOTE(review): in 'seller?' the '?' quantifies the 'r'
                            // rather than matching a literal question mark; harmless
                            // here (the shorter prefix is contained in the full
                            // phrase), but escape it as 'seller\?' if a literal is meant
                            'recognize this seller?|For more info.{0,25}Call|To cancel.{0,25}Call|did not authorize',
            )
        )
    )
  )  
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "Header analysis"
id: "a23d0950-9117-5199-bc74-7192217b80ff"