Brand impersonation: Quickbooks

Impersonation of the Quickbooks service from Intuit.

Sublime rule

name: "Brand impersonation: Quickbooks"
description: "Impersonation of the Quickbooks service from Intuit."
type: "rule"
severity: "medium"
source: |
  // Inbound mail only. The rule matches when all of the following hold:
  //   1. a QuickBooks/Intuit lure indicator (sender name or domain, repeated
  //      "quickbooks" entity mentions with a cred_theft intent, or the
  //      generic word "invoice" in the body),
  //   2. brand evidence in the message (logo, footer address/copyright or
  //      trademark text, or a phone number with update/security language
  //      re-checked against the QB indicators),
  //   3. the sender root domain is not on the known-legitimate list and the
  //      sender has neither benign nor solicited history,
  //   4. at least one body link is neither a known QB domain nor the sender's
  //      own root website (or the message has no resolvable links),
  //   5. no call-to-action link resolves to the benign Intuit destinations,
  //   6. the reseller and high-trust-sender exclusions do not apply.
  type.inbound
  and (
    (
      // sender display name or sending domain references the brand;
      // ilevenshtein <= 1 also catches one-character lookalikes of "quickbooks"
      strings.ilike(sender.display_name, 'quickbook*')
      or strings.like(sender.display_name, "QB-*")
      or strings.ilike(sender.display_name, 'intuit*')
      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
      or strings.ilike(sender.email.domain.domain, '*quickbook*')
      // more than two "quickbooks" entity mentions together with a
      // credential-theft intent from the NLU classifier
      or (
        length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                      strings.icontains(.text, "quickbooks")
               )
        ) > 2
        and any(ml.nlu_classifier(body.current_thread.text).intents,
                .name == "cred_theft"
        )
      )
    )
    // very broad on its own; the brand-evidence block that follows is what
    // keeps generic invoice mail from matching
    or strings.ilike(body.current_thread.text, "*invoice*")
  )
  and (
    // QuickBooks logo detected in the rendered message screenshot
    any(ml.logo_detect(file.message_screenshot()).brands,
        .name == "Quickbooks" and .confidence in ("medium", "high")
    )
    // contains the Intuit postal address and a "© <year> Intuit" copyright line
    or (
      strings.icontains(body.current_thread.text,
                        '2800 E. Commerce Center Place, Tucson, AZ 85706'
      )
      and regex.icontains(body.current_thread.text, '©\s*(?:\d+)\s*Intuit')
    )
    // footer phrases seen in QuickBooks notification templates
    or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
    or strings.icontains(body.current_thread.text,
                         'QuickBooks and Intuit are trademarks of Intuit Inc.'
    )
    or strings.icontains(body.current_thread.text, "QuickBooks Cloud Services")
    // phone number and update language (callback-phishing shape)
    or (
      // either phone-number pattern may match; the [ilo0-9] classes accept
      // i, l and o where a digit is expected, presumably to tolerate
      // letter-for-digit substitutions — confirm against the MQL regex docs
      regex.icontains(body.current_thread.text,
                      '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                      '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
      )
      and any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in ("Software and App Updates", "Security and Authentication")
      )
  
      // we need to re-check for QB indicators, otherwise we can have "*invoice*"
      // and this block, which is much more than just QB impersonation.
      // This duplicates the sender/entity checks at the top of the rule;
      // keep the two lists in sync when editing either one.
      and (
        strings.ilike(sender.display_name, 'quickbook*')
        or strings.like(sender.display_name, "QB-*")
        or strings.ilike(sender.display_name, 'intuit*')
        or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
        or strings.ilike(sender.email.domain.domain, '*quickbook*')
        or (
          length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                        strings.icontains(.text, "quickbooks")
                 )
          ) > 2
          and any(ml.nlu_classifier(body.current_thread.text).intents,
                  .name == "cred_theft"
          )
        )
      )
    )
  )
  // exclude senders whose root domain is on the known-legitimate list
  // (case-insensitive match)
  and sender.email.domain.root_domain not in~ (
    'intuit.com',
    'turbotax.com',
    'intuit.ca',
    'meliopayments.com',
    'qemailserver.com',
    'intuit.co.uk',
    'quickbooksonline.com',
    'tsheets.com'
  )
  // sender has no benign message history and is not a solicited sender
  and (
    not profile.by_sender().any_messages_benign
    and not profile.by_sender().solicited
  )
  // at least one link in the body is neither a known QB domain nor the sender's
  // root website (either of which would indicate a legitimate QuickBooks invoice)
  // NOTE(review): the link allowlist below omits 'tsheets.com', which the sender
  // allowlist above includes — confirm whether that difference is intentional
  and (
    length(filter(body.links,
                  .href_url.domain.root_domain in~ (
                    'intuit.com',
                    'turbotax.com',
                    'intuit.ca',
                    'meliopayments.com',
                    'qemailserver.com',
                    'intuit.co.uk',
                    'quickbooksonline.com'
                  )
                  // link to the sender's own root website (no path or "/")
                  or (
                    .href_url.domain.root_domain == sender.email.domain.root_domain
                    and (.href_url.path is null or .href_url.path == "/")
                  )
                  // handle links to the root website when the sender uses a freemail address to send invoices:
                  // the link's second-level domain must equal the sender's mailbox name
                  or (
                    .href_url.domain.sld == sender.email.local_part
                    and (.href_url.path is null or .href_url.path == "/")
                    and sender.email.domain.root_domain in $free_email_providers
                  )
           )
    ) != length(body.links)
    // or no valid links
    or length(filter(body.links, .href_url.domain.domain is not null)) == 0
  )
  // the call to action link does not lead to Intuit
  // (a single CTA link matching the benign set below suppresses the rule)
  and not (
    // filter down to observed call to action display text (case-insensitive)
    any(filter(body.links,
               .display_text in~ (
                 "view and pay",
                 "review and pay",
                 "view details"
               )
        ),
        // benign/legit href_url details for those links
        (
          // sendgrid rewritten links
          .href_url.domain.domain == "links.notification.intuit.com"
          // CTA link
          or (
            .href_url.domain.domain == "connect.intuit.com"
            and strings.icontains(.href_url.query_params, 'cta=viewinvoicenow')
          )
          // Mimecast rewritten links; the wrapped destination is read from the query string
          // NOTE(review): icontains is a substring test — if query_params is a plain
          // string, an exact comparison of the domain parameter would be stricter; confirm
          or (
            .href_url.domain.root_domain == "mimecastprotect.com"
            and (
              strings.icontains(.href_url.query_params,
                                'domain=links.notification.intuit.com'
              )
              or strings.icontains(.href_url.query_params,
                                   'domain=connect.intuit.com'
              )
            )
          )
        )
    )
  )
  // negate common sender of quickbooks reseller
  and not strings.icontains(body.current_thread.text, 'Purchasing Reviews, Inc')
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a high-trust root domain is only considered when its DMARC check did not pass)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"