Credential phishing: Tax form impersonation with payment request

Detects messages impersonating tax-related communications that contain payment requests and PDF links, excluding a fixed list of known tax service providers matched by sender domain. The rule identifies tax terminology combined with payment solicitation language and PDF link references, which is a common pattern in tax season scams. Note that the sender-domain exclusion is only as strong as the authentication check behind it: a From domain on its own can be spoofed, so exclusions should be conditioned on DMARC passing.


 1name: "Credential phishing: Tax form impersonation with payment request"
 2description: "Detects messages impersonating tax-related communications that contain payment requests and PDF links, excluding legitimate tax service providers. The rule identifies tax terminology combined with payment solicitation language and PDF link references, which is a common pattern in tax season scams."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any([body.current_thread.text, subject.subject],
 8          regex.icontains(.,
 9                          'schedule.c\b',
10                          'tax.form',
11                          '1099\b',
12                          '\bw-?2\b',
13                          'tax.return',
14                          'tax.preparation'
15          )
16          and (
17            regex.icontains(body.current_thread.text,
18                            "reply.with.your.payment",
19                            "payment.details",
20                            "send.payment.information",
21                            "provide.payment",
22                            "payment.method",
23                            "billing.information",
24                            "processing.fee",
25                            "completion.fee"
26            )
27          )
28          and any(body.links, strings.icontains(.display_text, "PDF"))
29  )
30  and not any(ml.nlu_classifier(body.current_thread.text).topics,
31              .name in ("Events and Webinars", "Newsletters and Digests")
32  )
33  and not sender.email.domain.root_domain in (
34    "intuit.com",
35    "hrblock.com",
36    "turbotax.com",
37    "taxact.com",
38    "freetaxusa.com",
39    "geico.com",
40    "email1.geico.com",
41    "exs.eventshq.com",
42    "square.com"
43  )
44  // negate highly trusted sender domains unless they fail DMARC authentication
45  and (
46    (
47      sender.email.domain.root_domain in $high_trust_sender_root_domains
48      and not headers.auth_summary.dmarc.pass
49    )
50    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
51  )  
52
53attack_types:
54  - "BEC/Fraud"
55  - "Credential Phishing"
56tactics_and_techniques:
57  - "Impersonation: Brand"
58  - "Social engineering"
59  - "PDF"
60detection_methods:
61  - "Content analysis"
62  - "Header analysis"
63  - "Sender analysis"
64  - "URL analysis"
65id: "717695cf-caf0-5673-a8a8-223bb56ec8e1"