Brand impersonation: Quickbooks
Impersonation of the Quickbooks service from Intuit.
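name: "Brand impersonation: Quickbooks"
description: "Impersonation of the Quickbooks service from Intuit."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // brand lure: a QuickBooks-like sender display name or domain, or invoice
  // language anywhere in the current thread text
  and (
    (
      strings.ilike(sender.display_name, 'quickbook*')
      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
      or strings.ilike(sender.email.domain.domain, '*quickbook*')
    )
    or strings.ilike(body.current_thread.text, "*invoice*")
  )
  // brand artifacts: logo in the rendered message, or Intuit boilerplate /
  // phone-number-plus-update language in the text
  and (
    any(ml.logo_detect(beta.message_screenshot()).brands,
        .name == "Quickbooks" and .confidence in ("medium", "high")
    )
    // contains the address and copyright
    or (
      strings.icontains(body.current_thread.text,
                        '2800 E. Commerce Center Place, Tucson, AZ 85706'
      )
      and regex.icontains(body.current_thread.text, '©\s*(?:\d+)\s*Intuit')
    )
    or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
    or strings.icontains(body.current_thread.text,
                         'QuickBooks and Intuit are trademarks of Intuit Inc.'
    )
    // phone number and update language
    or (
      regex.icontains(body.current_thread.text,
                      '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                      '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
      )
      and any(beta.ml_topic(body.current_thread.text).topics,
              .name == "Software and App Updates"
      )

      // we need to re-check for QB indicators, otherwise we can have "*invoice*"
      // and this block, which is much more than just QB impersonation
      // NOTE(review): these patterns ('*quickbooks*') are narrower than the
      // first block's 'quickbook*' / '*quickbook*' -- confirm the difference
      // is intended rather than drift between the two blocks
      and (
        strings.ilike(sender.display_name, '*quickbooks*')
        or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
        or strings.ilike(sender.email.domain.domain, '*quickbooks*')
      )
    )
  )
  // negate legitimate Intuit sending domains, but only when the message passes
  // DMARC: the From domain alone is attacker-controlled, so an unconditional
  // exemption would let a spoofed intuit.com sender that fails authentication
  // skip the rule entirely. This mirrors the high-trust domain exemption below.
  and not (
    sender.email.domain.root_domain in~ (
      'intuit.com',
      'turbotax.com',
      'intuit.ca',
      'meliopayments.com',
      'qemailserver.com',
      'intuit.co.uk',
      'quickbooksonline.com',
      'tsheets.com'
    )
    and headers.auth_summary.dmarc.pass
  )
  // sender has no benign or solicited history
  and (
    not profile.by_sender().any_messages_benign
    and not profile.by_sender().solicited
  )
  // links in body are not known QB domains or the sender's root website (both indicative of a legitimate QuickBooks invoice message)
  // NOTE(review): 'tsheets.com' is an exempt sender root domain above but is
  // not in this link allowlist -- confirm that asymmetry is intended
  and (
    length(filter(body.links,
                  .href_url.domain.root_domain in~ (
                    'intuit.com',
                    'turbotax.com',
                    'intuit.ca',
                    'meliopayments.com',
                    'qemailserver.com',
                    'intuit.co.uk',
                    'quickbooksonline.com'
                  )
                  or (
                    .href_url.domain.root_domain == sender.email.domain.root_domain
                    and (.href_url.path is null or .href_url.path == "/")
                  )
                  // handle links to the root website when the sender uses a freemail address to send invoices
                  or (
                    .href_url.domain.sld == sender.email.local_part
                    and (.href_url.path is null or .href_url.path == "/")
                    and sender.email.domain.root_domain in $free_email_providers
                  )
           )
    ) != length(body.links)
    // or no valid links
    or length(filter(body.links, .href_url.domain.domain is not null)) == 0
  )
  // the call to action link does not lead to intuit
  and not (
    // filter down to observed call to action display text
    any(filter(body.links,
               .display_text in~ (
                 "view and pay",
                 "review and pay",
                 "view details"
               )
        ),
        // benign/legit href_url details for those links
        (
          // sendgrid rewritten links
          .href_url.domain.domain == "links.notification.intuit.com"
          // CTA link
          or (
            .href_url.domain.domain == "connect.intuit.com"
            and strings.icontains(.href_url.query_params, 'cta=viewinvoicenow')
          )
          // Mimecast links
          // NOTE(review): icontains is a substring match over the whole query
          // string; an exact comparison of the 'domain' parameter value would
          // make this exemption stricter -- consider if the parser exposes it
          or (
            .href_url.domain.root_domain == "mimecastprotect.com"
            and (
              strings.icontains(.href_url.query_params,
                                'domain=links.notification.intuit.com'
              )
              or strings.icontains(.href_url.query_params,
                                   'domain=connect.intuit.com'
              )
            )
          )
        )
    )
  )
  // negate common sender of quickbooks reseller
  and not strings.icontains(body.current_thread.text, 'Purchasing Reviews, Inc')
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"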