Brand impersonation: Quickbooks

Detects inbound messages that impersonate the QuickBooks service from Intuit — QuickBooks/Intuit branding or invoice language from a sender that is not an Intuit-owned or partner domain and whose links do not lead back to Intuit.


# Sublime Security detection rule; the `source` block scalar holds the MQL query.
# Flags inbound mail that presents as QuickBooks/Intuit but is neither sent from,
# nor links back to, Intuit-owned infrastructure.
name: "Brand impersonation: Quickbooks"
description: "Impersonation of the Quickbooks service from Intuit."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail only.
  type.inbound
  // Gate 1 (broad): the sender presents as QuickBooks/Intuit, OR the current
  // thread mentions an invoice. The "*invoice*" branch alone matches a great
  // deal of legitimate mail; the content checks in Gate 2 are what narrow it.
  and (
    (
      strings.ilike(sender.display_name, 'quickbook*')
      or strings.ilike(sender.display_name, 'intuit*')
      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
      or strings.ilike(sender.email.domain.domain, '*quickbook*')
    )
    or strings.ilike(body.current_thread.text, "*invoice*")
  )
  // Gate 2: QuickBooks-specific content — a detected QuickBooks logo, Intuit
  // footer boilerplate, or (callback-phishing shape) a phone number together
  // with software-update language.
  and (
    any(ml.logo_detect(file.message_screenshot()).brands,
        .name == "Quickbooks" and .confidence in ("medium", "high")
    )
    // contains the address and copyright 
    or (
      strings.icontains(body.current_thread.text,
                        '2800 E. Commerce Center Place, Tucson, AZ 85706'
      )
      and regex.icontains(body.current_thread.text, '©\s*(?:\d+)\s*Intuit')
    )
    or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
    or strings.icontains(body.current_thread.text,
                         'QuickBooks and Intuit are trademarks of Intuit Inc.'
    )
    or strings.icontains(body.current_thread.text, "QuickBooks Cloud Services")
    // phone number and update language
    or (
      // Two phone-number patterns. The class [ilo0-9] admits the letters i/l/o
      // alongside digits — presumably to catch i/l/o written in place of 1/1/0
      // to defeat naive number matching.
      regex.icontains(body.current_thread.text,
                      '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                      '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
      )
      and any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Software and App Updates"
      )
  
      // we need to re-check for QB indicators, otherwise we can have "*invoice*"
      // and this block, which is much more than just QB impersonation
      // NOTE(review): this re-check is narrower than Gate 1 — it requires the
      // substring "quickbooks" and has no "intuit*" branch — so a display name
      // such as "Intuit Billing" carrying only the phone/update signals does not
      // satisfy this branch. Confirm that narrowing is intended.
      and (
        strings.ilike(sender.display_name, '*quickbooks*')
        or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
        or strings.ilike(sender.email.domain.domain, '*quickbooks*')
      )
    )
  )
  // Exclude mail whose From: root domain is Intuit-owned or a known partner.
  // NOTE(review): this exclusion is unconditional — it does not require DMARC to
  // pass, unlike the $high_trust_sender_root_domains clause at the end of the
  // rule. Because the clauses are ANDed, that clause's DMARC-fail exception can
  // never re-include a spoofed From: at one of these domains. Consider gating
  // this list on headers.auth_summary.dmarc.pass as well.
  and sender.email.domain.root_domain not in~ (
    'intuit.com',
    'turbotax.com',
    'intuit.ca',
    'meliopayments.com',
    'qemailserver.com',
    'intuit.co.uk',
    'quickbooksonline.com',
    'tsheets.com'
  )
  // Sender reputation: skip senders with prior benign messages or whose
  // profile is marked solicited.
  and (
    not profile.by_sender().any_messages_benign
    and not profile.by_sender().solicited
  )
  // links in body are not known QB domains or the senders root website (both indicative of a legitimate QuickBooks invoice message)
  // NOTE(review): tsheets.com is in the sender exclusion above but not in this
  // link allowlist; confirm whether the omission is deliberate.
  and (
    length(filter(body.links,
                  .href_url.domain.root_domain in~ (
                    'intuit.com',
                    'turbotax.com',
                    'intuit.ca',
                    'meliopayments.com',
                    'qemailserver.com',
                    'intuit.co.uk',
                    'quickbooksonline.com'
                  )
                  // Link back to the sender's own root page.
                  // NOTE(review): the sender domain (and, below, the freemail
                  // local part) is attacker-chosen and is not authenticated
                  // here, so a lookalike sender whose links all point at its
                  // own "/" would have every link counted as known-good and
                  // suppress the rule. The path restriction limits this;
                  // confirm it is an acceptable trade-off.
                  or (
                    .href_url.domain.root_domain == sender.email.domain.root_domain
                    and (.href_url.path is null or .href_url.path == "/")
                  )
                  // handle links to the root website when the sender uses a freemail address to send invoices
                  or (
                    .href_url.domain.sld == sender.email.local_part
                    and (.href_url.path is null or .href_url.path == "/")
                    and sender.email.domain.root_domain in $free_email_providers
                  )
           )
    // Match when at least one link falls outside the allowlist above ...
    ) != length(body.links)
    // or no valid links
    // ... or the message has no resolvable links at all. This is also the case
    // for a phone-only callback-phishing message, where body.links is empty.
    or length(filter(body.links, .href_url.domain.domain is not null)) == 0
  )
  // the call to action link does not lead to Intuit
  // Suppress when any observed call-to-action link resolves to Intuit, directly
  // or via a Mimecast rewrite. any() over an empty list is false, so mail with
  // no such CTA link is not suppressed by this clause.
  and not (
    // filter down to observed call to action display text
    any(filter(body.links,
               .display_text in~ (
                 "view and pay",
                 "review and pay",
                 "view details"
               )
        ),
        // benign/legit href_url details for those links
        (
          // sendgrid rewritten links
          .href_url.domain.domain == "links.notification.intuit.com"
          // CTA link
          or (
            .href_url.domain.domain == "connect.intuit.com"
            and strings.icontains(.href_url.query_params, 'cta=viewinvoicenow')
          )
          // Mimecast links 
          // NOTE(review): these are substring matches on the query string, so
          // 'domain=links.notification.intuit.com.example' would also match.
          // Whether the Mimecast domain= parameter can be attacker-influenced
          // is not shown here; if it can, prefer an exact comparison.
          or (
            .href_url.domain.root_domain == "mimecastprotect.com"
            and (
              strings.icontains(.href_url.query_params,
                                'domain=links.notification.intuit.com'
              )
              or strings.icontains(.href_url.query_params,
                                   'domain=connect.intuit.com'
              )
            )
          )
        )
    )
  )
  // negate common sender of quickbooks reseller
  // Known reseller boilerplate that otherwise trips the invoice/footer checks.
  and not strings.icontains(body.current_thread.text, 'Purchasing Reviews, Inc')
  // negate highly trusted sender domains unless they fail DMARC authentication
  // High-trust domains stay in scope only when DMARC fails, i.e. when the
  // From: domain is likely being spoofed.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

# Taxonomy labels used for triage and reporting.
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
# Stable rule identifier; keep unchanged across edits so tuning history follows the rule.
id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"