Brand impersonation: Quickbooks
Impersonation of the Quickbooks service from Intuit.
Sublime rule (View on GitHub)
name: "Brand impersonation: Quickbooks"
description: "Impersonation of the Quickbooks service from Intuit."
type: "rule"
severity: "medium"
source: |
  // Inbound mail carrying QuickBooks/Intuit branding in the sender name, body
  // text or message screenshot, that is not DMARC-authenticated Intuit mail and
  // whose links do not point back at known Intuit infrastructure.
  type.inbound
  // Stage 1: QB/Intuit indicators in the sender or body, OR any invoice-themed
  // message. "*invoice*" alone is broad; the phone-number branch in stage 2
  // re-checks the QB indicators so generic invoice mail does not fire there.
  and (
    (
      strings.ilike(sender.display_name, 'quickbook*')
      or strings.like(sender.display_name, "QB-*")
      or strings.ilike(sender.display_name, 'intuit*')
      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
      or strings.ilike(sender.email.domain.domain, '*quickbook*')
      or (
        length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                      strings.icontains(.text, "quickbooks")
               )
        ) > 2
        and any(ml.nlu_classifier(body.current_thread.text).intents,
                .name == "cred_theft"
        )
      )
    )
    or strings.ilike(body.current_thread.text, "*invoice*")
  )
  // Stage 2: brand evidence in the rendered message or the body text
  and (
    any(ml.logo_detect(file.message_screenshot()).brands,
        .name == "Quickbooks" and .confidence in ("medium", "high")
    )
    // contains the Intuit postal address and a copyright line
    or (
      strings.icontains(body.current_thread.text,
                        '2800 E. Commerce Center Place, Tucson, AZ 85706'
      )
      and regex.icontains(body.current_thread.text, '©\s*(?:\d+)\s*Intuit')
    )
    or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
    or strings.icontains(body.current_thread.text,
                         'QuickBooks and Intuit are trademarks of Intuit Inc.'
    )
    or strings.icontains(body.current_thread.text, "QuickBooks Cloud Services")
    // phone number plus update/security language (callback-phishing shape);
    // the character classes tolerate i/l/o substituted for digits
    or (
      regex.icontains(body.current_thread.text,
                      '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                      '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
      )
      and any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in ("Software and App Updates", "Security and Authentication")
      )

      // re-check the QB indicators here: without this, "*invoice*" from stage 1
      // plus this block would match far more than QuickBooks impersonation
      and (
        strings.ilike(sender.display_name, 'quickbook*')
        or strings.like(sender.display_name, "QB-*")
        or strings.ilike(sender.display_name, 'intuit*')
        or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
        or strings.ilike(sender.email.domain.domain, '*quickbook*')
        or (
          length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                        strings.icontains(.text, "quickbooks")
                 )
          ) > 2
          and any(ml.nlu_classifier(body.current_thread.text).intents,
                  .name == "cred_theft"
          )
        )
      )
    )
  )
  // Exclude genuine Intuit-family senders only when DMARC passes; a missing
  // DMARC result is coalesced to false so it cannot act as an exemption
  and not (
    sender.email.domain.root_domain in~ (
      'intuit.com',
      'turbotax.com',
      'intuit.ca',
      'meliopayments.com',
      'qemailserver.com',
      'intuit.co.uk',
      'quickbooksonline.com',
      'tsheets.com'
    )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // no benign or solicited history with this sender
  and (
    not profile.by_sender().any_messages_benign
    and not profile.by_sender().solicited
  )
  // links in body are not known QB domains or the sender's root website (both
  // indicative of a legitimate QuickBooks invoice message).
  // NOTE(review): this allow-list repeats the sender list above minus
  // 'tsheets.com' — confirm the omission is intended and keep the two in sync
  and (
    length(filter(body.links,
                  .href_url.domain.root_domain in~ (
                    'intuit.com',
                    'turbotax.com',
                    'intuit.ca',
                    'meliopayments.com',
                    'qemailserver.com',
                    'intuit.co.uk',
                    'quickbooksonline.com'
                  )
                  or (
                    .href_url.domain.root_domain == sender.email.domain.root_domain
                    and (.href_url.path is null or .href_url.path == "/")
                  )
                  // handle links to the root website when the sender uses a
                  // freemail address to send invoices
                  or (
                    .href_url.domain.sld == sender.email.local_part
                    and (.href_url.path is null or .href_url.path == "/")
                    and sender.email.domain.root_domain in $free_email_providers
                  )
           )
    ) != length(body.links)
    // or no valid links at all
    or length(filter(body.links, .href_url.domain.domain is not null)) == 0
  )
  // the call-to-action link does not lead to Intuit
  and not (
    // filter down to observed call-to-action display text
    any(filter(body.links,
               .display_text in~ (
                 "view and pay",
                 "review and pay",
                 "view details"
               )
        ),
        // benign/legit href_url details for those links
        (
          // SendGrid-rewritten links
          .href_url.domain.domain == "links.notification.intuit.com"
          // CTA link
          or (
            .href_url.domain.domain == "connect.intuit.com"
            and strings.icontains(.href_url.query_params, 'cta=viewinvoicenow')
          )
          // Mimecast-rewritten links pointing at the same Intuit hosts
          or (
            .href_url.domain.root_domain == "mimecastprotect.com"
            and (
              strings.icontains(.href_url.query_params,
                                'domain=links.notification.intuit.com'
              )
              or strings.icontains(.href_url.query_params,
                                   'domain=connect.intuit.com'
              )
            )
          )
        )
    )
  )
  // negate a common QuickBooks reseller sender
  and not strings.icontains(body.current_thread.text, 'Purchasing Reviews, Inc')
  // negate highly trusted sender domains unless they fail DMARC authentication.
  // NOTE(review): unlike the Intuit exclusion above, the DMARC value here is
  // not coalesced — confirm the null-result behaviour is the intended one
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"