Brand impersonation: Quickbooks

 1name: "Brand impersonation: Quickbooks"
 2description: "Impersonation of the Quickbooks service from Intuit."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    (
 9      strings.ilike(sender.display_name, '*quickbooks*')
10      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
11      or strings.ilike(sender.email.domain.domain, '*quickbooks*')
12    )
13    or strings.ilike(body.current_thread.text, "*invoice*")
14  )
15  and (
16    any(ml.logo_detect(beta.message_screenshot()).brands,
17        .name == "Quickbooks" and .confidence in ("medium", "high")
18    )
19    // contains the address and copyright 
20    or 
21    (
22      strings.icontains(body.current_thread.text,
23                        '2800 E. Commerce Center Place, Tucson, AZ 85706'
24      )
25      and regex.icontains(body.current_thread.text, '©\s*(?:\d+)\s*Intuit')
26    )
27    or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
28  )
29  and sender.email.domain.root_domain not in~ (
30    'intuit.com',
31    'turbotax.com',
32    'intuit.ca',
33    'meliopayments.com',
34    'qemailserver.com',
35    'intuit.co.uk',
36    'quickbooksonline.com',
37    'tsheets.com'
38  )
39  and (
40    not profile.by_sender().any_false_positives
41    and not profile.by_sender().solicited
42  )
43  // links in body are not known QB domains or the senders root website (both indicative of a legitimate QuickBooks invoice message)
44  and (
45    length(filter(body.links,
46                  .href_url.domain.root_domain in~ (
47                    'intuit.com',
48                    'turbotax.com',
49                    'intuit.ca',
50                    'meliopayments.com',
51                    'qemailserver.com',
52                    'intuit.co.uk',
53                    'quickbooksonline.com'
54                  )
55                  or (
56                    .href_url.domain.domain == sender.email.domain.domain
57                    and (.href_url.path is null or .href_url.path == "/")
58                  )
59                  // handle links to the root website when the sender uses a freemail address to send invoices
60                  or (
61                    .href_url.domain.sld == sender.email.local_part
62                    and (.href_url.path is null or .href_url.path == "/")
63                    and sender.email.domain.root_domain in $free_email_providers
64                  )
65           )
66    ) != length(body.links)
67    // or no valid links
68    or length(filter(body.links, .href_url.domain.domain is not null)) == 0
69  )
70  // negate common sender of quickbooks reseller
71  and not strings.icontains(body.current_thread.text, 'Purchasing Reviews, Inc')
72  // negate highly trusted sender domains unless they fail DMARC authentication
73  and (
74    (
75      sender.email.domain.root_domain in $high_trust_sender_root_domains
76      and not headers.auth_summary.dmarc.pass
77    )
78    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
79  )  
80attack_types:
81  - "Callback Phishing"
82  - "Credential Phishing"
83tactics_and_techniques:
84  - "Impersonation: Brand"
85  - "Social engineering"
86detection_methods:
87  - "Computer Vision"
88  - "Content analysis"
89  - "Header analysis"
90  - "Sender analysis"
91id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"