Service abuse: QuickBooks notification with suspicious comments
This detection rule matches QuickBooks notifications that contain suspicious keywords within the comments section of the notification
Sublime rule (View on GitHub)
name: "Service abuse: QuickBooks notification with suspicious comments"
description: "This detection rule matches QuickBooks notifications that contain suspicious keywords within the comments section of the notification"
type: "rule"
severity: "medium"
source: |
  type.inbound

  // Legitimate Intuit sending infrastructure
  and sender.email.email == "quickbooks@notification.intuit.com"

  // remove payment confirmation messages
  and not strings.starts_with(subject.subject, 'Payment confirmation:')

  and body.html.raw is not null
  // Comments contain suspicious phrases
  and (
    // several different templates were commonly observed, run regex for each template
    any([
          html.xpath(body.html,
                     '//span[@id="condensedEmailMessageSectionContentWebPlayer"]'
          ).nodes,
          html.xpath(body.html, '//div[@id="emailContainer"]').nodes,
          html.xpath(body.html, '//table[@width="700"][1]//tr/td').nodes,
          html.xpath(body.html, '//tr[@class="email-header"]').nodes,
          html.xpath(body.html, '//tr[@class="email-center"]').nodes,
          html.xpath(body.html, '//div[@class="mlr22"]').nodes,
          html.xpath(body.html, '//td[@class="itemDesc"]//div').nodes,
          html.xpath(body.html, '//td[@class="shippingContent"]//div').nodes
        ],
        any(.,
            regex.icontains(.inner_text,
                            // subscription, renewals, verifications, etc
                            '(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|update your details|just update your|continue your subscription|prefer to use EFT|change payment method|verify your account|suspended due to issue|payment declined notice|account needs verification|confirm your billing|immediate action required|failed payment notification|billing information update|service interruption warning|unable to process payment|subscription payment failed|action needed now|update banking information|subscription expiration notice|payment method change)',
                            // callback wording
                            'recognize this seller?|For more info.{0,25}Call|To cancel.{0,25}Call|did not authorize',
            )
        )
    )
  )
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "Header analysis"
id: "a23d0950-9117-5199-bc74-7192217b80ff"
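The rule above chains three gates (legitimate Intuit sender, subject is not a payment confirmation, HTML body present) and then runs two case-insensitive regexes over the inner text of whichever template element holds the free-text comments. The following Python is an added example, not Sublime's MQL engine or any code from the rule's repository: it re-implements that logic with the standard library so the rule's behaviour can be exercised offline against constructed sample notifications. The XPath targets are translated into (tag, attribute, value, ancestor) selectors; the positional predicate `[1]` on the 700px table is not reproduced, sender comparison is case-folded, and the sample HTML, subjects and sender `billing@example.net` are all constructed for the example.

```python
"""Added example (not Sublime's MQL engine): the rule's logic re-implemented with the
Python standard library so it can be run offline against constructed samples."""
import re
from html.parser import HTMLParser

INTUIT_SENDER = "quickbooks@notification.intuit.com"

# Elements the rule's XPath branches select: (tag, attribute, exact value, required ancestor).
# Assumption: the positional predicate [1] on the 700px table is not reproduced.
COMMENT_CONTAINERS = [
    ("span", "id", "condensedEmailMessageSectionContentWebPlayer", None),
    ("div", "id", "emailContainer", None),
    ("td", None, None, ("table", "width", "700")),
    ("tr", "class", "email-header", None),
    ("tr", "class", "email-center", None),
    ("div", "class", "mlr22", None),
    ("div", None, None, ("td", "class", "itemDesc")),
    ("div", None, None, ("td", "class", "shippingContent")),
]

# The two patterns the rule hands to regex.icontains, compiled case-insensitively.
SUSPICIOUS_PHRASES = re.compile(
    r"(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|update your details"
    r"|just update your|continue your subscription|prefer to use EFT|change payment method|verify your account"
    r"|suspended due to issue|payment declined notice|account needs verification|confirm your billing"
    r"|immediate action required|failed payment notification|billing information update"
    r"|service interruption warning|unable to process payment|subscription payment failed|action needed now"
    r"|update banking information|subscription expiration notice|payment method change)", re.I)
CALLBACK_WORDING = re.compile(
    r"recognize this seller?|For more info.{0,25}Call|To cancel.{0,25}Call|did not authorize", re.I)


def _matches(tag, attrs, spec):
    t, attr, value = spec
    return tag == t and (attr is None or attrs.get(attr) == value)


class CommentSectionExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sections = []  # inner text of each selected element, in closing order
        self._stack = []    # (tag, attrs, selected) for each open element
        self._buffers = []  # one text buffer per open selected element (nesting allowed)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        selected = any(_matches(tag, attrs, (t, a, v))
                       and (anc is None or any(_matches(st, sa, anc) for st, sa, _ in self._stack))
                       for t, a, v, anc in COMMENT_CONTAINERS)
        self._stack.append((tag, attrs, selected))
        if selected:
            self._buffers.append([])

    def handle_endtag(self, tag):
        while self._stack:  # pop back to the matching open tag; tolerates unclosed <br>/<img>
            open_tag, _, selected = self._stack.pop()
            if selected:
                self.sections.append(" ".join(self._buffers.pop()))
            if open_tag == tag:
                break

    def handle_data(self, data):
        text = " ".join(data.split())  # collapse whitespace so phrases can span source lines
        if text:
            for buf in self._buffers:
                buf.append(text)


def evaluate_rule(sender_email, subject, body_html):
    """Return the comment sections that trip the rule; an empty list means no alert."""
    if sender_email.lower() != INTUIT_SENDER:        # legitimate Intuit infrastructure only
        return []
    if subject.startswith("Payment confirmation:"):  # payment confirmations are excluded
        return []
    if body_html is None:                             # body.html.raw is not null
        return []
    extractor = CommentSectionExtractor()
    extractor.feed(body_html)
    extractor.close()
    return [s for s in extractor.sections if SUSPICIOUS_PHRASES.search(s) or CALLBACK_WORDING.search(s)]


# Constructed sample notifications (not real messages).
CALLBACK_SAMPLE = """<html><body><div id="emailContainer">
<table width="700"><tr><td class="itemDesc"><div>Antivirus Premium - annual plan</div></td></tr></table>
<span id="condensedEmailMessageSectionContentWebPlayer">
  Your subscription renewal of $399.99 has been processed. If you did not
  authorize this charge, for more info please call 555-0100 within 24 hours.
</span></div></body></html>"""
BENIGN_SAMPLE = """<html><body><div id="emailContainer">
<span id="condensedEmailMessageSectionContentWebPlayer">
  Thanks for your business! Invoice 1042 is due on 03/15. Pay online anytime.
</span></div></body></html>"""


def run_samples():
    invoice = "Invoice 1042 from Contoso LLC"
    return {  # True where the rule would alert
        "callback_phish": bool(evaluate_rule(INTUIT_SENDER, invoice, CALLBACK_SAMPLE)),
        "benign_invoice": bool(evaluate_rule(INTUIT_SENDER, invoice, BENIGN_SAMPLE)),
        "payment_confirmation": bool(evaluate_rule(INTUIT_SENDER, "Payment confirmation: " + invoice, CALLBACK_SAMPLE)),
        "other_sender": bool(evaluate_rule("billing@example.net", invoice, CALLBACK_SAMPLE)),
    }
```

`evaluate_rule` returns the matching sections rather than a bare boolean so an analyst can see which template element and which text fired, which is what you want when tuning the phrase list against a corpus of benign QuickBooks invoices. Note that the `other_sender` sample is expected not to alert: the rule is scoped to abuse of Intuit's real sending infrastructure, and lookalike senders are left to other rules. The callback pattern is copied verbatim from the rule, so the unescaped `?` in `seller?` makes the trailing `r` optional, which is harmless here but worth knowing when editing the pattern.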