Credential phishing: Tax form impersonation with payment request

Detects messages impersonating tax-related communications that contain payment requests and PDF links, excluding legitimate tax service providers. The rule identifies tax terminology combined with payment solicitation language and PDF link references, which is a common pattern in tax season scams.

Sublime rule (View on GitHub)

 1name: "Credential phishing: Tax form impersonation with payment request"
 2description: "Detects messages impersonating tax-related communications that contain payment requests and PDF links, excluding legitimate tax service providers. The rule identifies tax terminology combined with payment solicitation language and PDF link references, which is a common pattern in tax season scams."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any([body.current_thread.text, subject.subject],
 8          regex.icontains(.,
 9                          'schedule.c\b',
10                          'tax.form',
11                          '1099\b',
12                          '\bw-?2\b',
13                          'tax.return',
14                          'tax.preparation'
15          )
16          and (
17            regex.icontains(body.current_thread.text,
18                            "reply.with.your.payment",
19                            "payment.details",
20                            "send.payment.information",
21                            "provide.payment",
22                            "payment.method",
23                            "billing.information",
24                            "processing.fee",
25                            "completion.fee"
26            )
27          )
28          and any(body.links, strings.icontains(.display_text, "PDF"))
29  )
30  and not any(ml.nlu_classifier(body.current_thread.text).topics,
31              .name in ("Events and Webinars", "Newsletters and Digests")
32  )
33  and not sender.email.domain.root_domain in (
34    "intuit.com",
35    "hrblock.com",
36    "turbotax.com",
37    "taxact.com",
38    "freetaxusa.com",
39    "geico.com",
40    "eventshq.com",
41    "square.com"
42  )
43  // negate highly trusted sender domains unless they fail DMARC authentication
44  and (
45    (
46      sender.email.domain.root_domain in $high_trust_sender_root_domains
47      and not headers.auth_summary.dmarc.pass
48    )
49    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
50  )  
51
52attack_types:
53  - "BEC/Fraud"
54  - "Credential Phishing"
55tactics_and_techniques:
56  - "Impersonation: Brand"
57  - "Social engineering"
58  - "PDF"
59detection_methods:
60  - "Content analysis"
61  - "Header analysis"
62  - "Sender analysis"
63  - "URL analysis"
64id: "717695cf-caf0-5673-a8a8-223bb56ec8e1"