Service abuse: QuickBooks notification with suspicious comments

This detection rule matches QuickBooks notifications that contain suspicious keywords within the comments section of the notification

Sublime rule (View on GitHub)

name: "Service abuse: QuickBooks notification with suspicious comments"
description: "This detection rule matches QuickBooks notifications that contain suspicious keywords within the comments section of the notification"
type: "rule"
severity: "medium"
# Detection logic (MQL): inbound mail from the genuine QuickBooks notification
# sender whose free-text comment/message region contains phrasing typical of
# subscription-renewal, payment-problem or "call us" lures.
source: |
  type.inbound

  // Legitimate Intuit sending infrastructure.
  // NOTE(review): this is an exact match on the header From address only; no
  // authentication result (DMARC/SPF) is evaluated here, so a message that merely
  // forges this address will match too. That is acceptable for this rule's purpose
  // (abuse of the real service), but it is worth keeping in mind when triaging hits.
  and sender.email.email == "quickbooks@notification.intuit.com"

  // remove payment confirmation messages (matched on the subject prefix only)
  and not strings.starts_with(subject.subject, 'Payment confirmation:')

  and body.html.raw is not null
  // Comments contain suspicious phrases
  and (
    // several different templates were commonly observed; each xpath below selects
    // the free-text comment/message region of one known template. The outer any()
    // iterates over the per-template node lists, the inner any() over the nodes in
    // each list, and the regex is evaluated against every node's inner text
    any([
          html.xpath(body.html,
                     '//span[@id="condensedEmailMessageSectionContentWebPlayer"]'
          ).nodes,
          html.xpath(body.html, '//div[@id="emailContainer"]').nodes,
          html.xpath(body.html, '//table[@width="700"][1]//tr/td').nodes,
          html.xpath(body.html, '//tr[@class="email-header"]').nodes,
          html.xpath(body.html, '//tr[@class="email-center"]').nodes,
          html.xpath(body.html, '//div[@class="mlr22"]').nodes,
          html.xpath(body.html, '//td[@class="itemDesc"]//div').nodes,
          html.xpath(body.html, '//td[@class="shippingContent"]//div').nodes
        ],
        any(.,
            // case-insensitive; the two patterns are passed as separate arguments
            // and regex.icontains matches when any of them hits
            regex.icontains(.inner_text,
                            // subscription, renewals, verifications, etc.
                            // ('couldn.?t' tolerates straight/curly/missing apostrophes)
                            '(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|update your details|just update your|continue your subscription|prefer to use EFT|change payment method|verify your account|suspended due to issue|payment declined notice|account needs verification|confirm your billing|immediate action required|failed payment notification|billing information update|service interruption warning|unable to process payment|subscription payment failed|action needed now|update banking information|subscription expiration notice|payment method change)', 
                            // callback wording: a "call this number" instruction within
                            // 25 characters of the cue phrase.
                            // NOTE(review): in 'recognize this seller?' the '?' is a regex
                            // quantifier on the final 'r', not a literal question mark;
                            // "recognize this seller" still matches, so no false negative
                            'recognize this seller?|For more info.{0,25}Call|To cancel.{0,25}Call|did not authorize',
            )
        )
    )
  )   
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "Header analysis"
id: "a23d0950-9117-5199-bc74-7192217b80ff"