Brand impersonation: Quickbooks
Impersonation of Intuit's QuickBooks service: a QuickBooks-lookalike sender name or domain (or a generic invoice lure) combined with QuickBooks brand artifacts in the message — the logo, the Intuit footer/copyright text, or a callback phone number paired with software-update language — sent from outside Intuit's own domains, by a sender with no benign history, with call-to-action links that do not resolve to Intuit.
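name: "Brand impersonation: Quickbooks"
description: "Impersonation of the Quickbooks service from Intuit."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Entry condition: QuickBooks indicators on the sender, or a generic invoice
  // lure in the body. The "*invoice*" path is broad on its own, so the
  // phone-number/update-language branch below re-checks the sender indicators.
  and (
    (
      strings.ilike(sender.display_name, 'quickbook*')
      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
      or strings.ilike(sender.email.domain.domain, '*quickbook*')
    )
    or strings.ilike(body.current_thread.text, "*invoice*")
  )
  // At least one QuickBooks brand artifact in the rendered message or its text.
  and (
    // QuickBooks logo detected in a screenshot of the rendered message
    any(ml.logo_detect(file.message_screenshot()).brands,
        .name == "Quickbooks" and .confidence in ("medium", "high")
    )
    // Intuit's mailing address together with the copyright line
    or (
      strings.icontains(body.current_thread.text,
                        '2800 E. Commerce Center Place, Tucson, AZ 85706'
      )
      and regex.icontains(body.current_thread.text, '©\s*(?:\d+)\s*Intuit')
    )
    // footer strings lifted from legitimate QuickBooks notifications
    or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
    or strings.icontains(body.current_thread.text,
                         'QuickBooks and Intuit are trademarks of Intuit Inc.'
    )
    or strings.icontains(body.current_thread.text, "QuickBooks Cloud Services")
    // callback-phishing shape: a phone number (digits may be obfuscated with
    // i/l/o look-alikes) plus "update your software" language
    or (
      regex.icontains(body.current_thread.text,
                      '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                      '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
      )
      and any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Software and App Updates"
      )
      // Re-check the sender for QuickBooks indicators using the SAME patterns as
      // the entry condition (previously the two drifted: 'quickbook*' vs
      // '*quickbooks*'). Without this, "*invoice*" + a phone number + update
      // language would match far more than QuickBooks impersonation.
      and (
        strings.ilike(sender.display_name, 'quickbook*')
        or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
        or strings.ilike(sender.email.domain.domain, '*quickbook*')
      )
    )
  )
  // Negate Intuit-owned sender domains, but only when the message actually
  // authenticates as them. An unconditional exemption would let a spoofed
  // From: at one of these domains that fails DMARC bypass the rule entirely;
  // this mirrors the DMARC-gated exemption for $high_trust_sender_root_domains.
  and not (
    sender.email.domain.root_domain in~ (
      'intuit.com',
      'turbotax.com',
      'intuit.ca',
      'meliopayments.com',
      'qemailserver.com',
      'intuit.co.uk',
      'quickbooksonline.com',
      'tsheets.com'
    )
    and headers.auth_summary.dmarc.pass
  )
  // sender has no benign history with the recipient and was not solicited
  and (
    not profile.by_sender().any_messages_benign
    and not profile.by_sender().solicited
  )
  // Links in body are not all known QB domains or the sender's root website
  // (both indicative of a legitimate QuickBooks invoice message).
  and (
    length(filter(body.links,
      .href_url.domain.root_domain in~ (
        'intuit.com',
        'turbotax.com',
        'intuit.ca',
        'meliopayments.com',
        'qemailserver.com',
        'intuit.co.uk',
        'quickbooksonline.com'
      )
      // bare link to the sender's own root website
      or (
        .href_url.domain.root_domain == sender.email.domain.root_domain
        and (.href_url.path is null or .href_url.path == "/")
      )
      // handle links to the root website when the sender uses a freemail
      // address to send invoices (link SLD matches the mailbox local part)
      or (
        .href_url.domain.sld == sender.email.local_part
        and (.href_url.path is null or .href_url.path == "/")
        and sender.email.domain.root_domain in $free_email_providers
      )
    )
    ) != length(body.links)
    // or no valid links at all
    or length(filter(body.links, .href_url.domain.domain is not null)) == 0
  )
  // The call-to-action link does not lead to Intuit.
  and not (
    // filter down to observed call-to-action display text
    any(filter(body.links,
      .display_text in~ (
        "view and pay",
        "review and pay",
        "view details"
      )
    ),
    // benign/legit href_url details for those links
    (
      // sendgrid rewritten links
      .href_url.domain.domain == "links.notification.intuit.com"
      // CTA link
      or (
        .href_url.domain.domain == "connect.intuit.com"
        and strings.icontains(.href_url.query_params, 'cta=viewinvoicenow')
      )
      // Mimecast-rewritten links that still point at the Intuit hosts above
      or (
        .href_url.domain.root_domain == "mimecastprotect.com"
        and (
          strings.icontains(.href_url.query_params,
                            'domain=links.notification.intuit.com'
          )
          or strings.icontains(.href_url.query_params,
                               'domain=connect.intuit.com'
          )
        )
      )
    )
    )
  )
  // negate a common QuickBooks reseller sender
  and not strings.icontains(body.current_thread.text, 'Purchasing Reviews, Inc')
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"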