Brand impersonation: Quickbooks

Detects inbound mail that impersonates Intuit's QuickBooks service (fake invoices, "update" notices, and similar callback or credential-phishing lures) when the message is not sent from, and does not link back to, known Intuit infrastructure.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: Quickbooks"
  2description: "Impersonation of the Quickbooks service from Intuit."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and (
  8    (
  9      strings.ilike(sender.display_name, 'quickbook*')
 10      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
 11      or strings.ilike(sender.email.domain.domain, '*quickbook*')
 12    )
 13    or strings.ilike(body.current_thread.text, "*invoice*")
 14  )
 15  and (
 16    any(ml.logo_detect(file.message_screenshot()).brands,
 17        .name == "Quickbooks" and .confidence in ("medium", "high")
 18    )
 19    // contains the address and copyright 
 20    or (
 21      strings.icontains(body.current_thread.text,
 22                        '2800 E. Commerce Center Place, Tucson, AZ 85706'
 23      )
 24      and regex.icontains(body.current_thread.text, '©\s*(?:\d+)\s*Intuit')
 25    )
 26    or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
 27    or strings.icontains(body.current_thread.text,
 28                         'QuickBooks and Intuit are trademarks of Intuit Inc.'
 29    )
 30    or strings.icontains(body.current_thread.text, "QuickBooks Cloud Services")
 31    // phone number and update language
 32    or (
 33      regex.icontains(body.current_thread.text,
 34                      '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
 35                      '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
 36      )
 37      and any(ml.nlu_classifier(body.current_thread.text).topics,
 38              .name == "Software and App Updates"
 39      )
 40  
 41      // we need to re-check for QB indicators, otherwise we can have "*invoice*"
 42      // and this block, which is much more than just QB impersonation
 43      and (
 44        strings.ilike(sender.display_name, '*quickbooks*')
 45        or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
 46        or strings.ilike(sender.email.domain.domain, '*quickbooks*')
 47      )
 48    )
 49  )
 50  and sender.email.domain.root_domain not in~ (
 51    'intuit.com',
 52    'turbotax.com',
 53    'intuit.ca',
 54    'meliopayments.com',
 55    'qemailserver.com',
 56    'intuit.co.uk',
 57    'quickbooksonline.com',
 58    'tsheets.com'
 59  )
 60  and (
 61    not profile.by_sender().any_messages_benign
 62    and not profile.by_sender().solicited
 63  )
 64  // links in body are not known QB domains or the senders root website (both indicative of a legitimate QuickBooks invoice message)
 65  and (
 66    length(filter(body.links,
 67                  .href_url.domain.root_domain in~ (
 68                    'intuit.com',
 69                    'turbotax.com',
 70                    'intuit.ca',
 71                    'meliopayments.com',
 72                    'qemailserver.com',
 73                    'intuit.co.uk',
 74                    'quickbooksonline.com'
 75                  )
 76                  or (
 77                    .href_url.domain.root_domain == sender.email.domain.root_domain
 78                    and (.href_url.path is null or .href_url.path == "/")
 79                  )
 80                  // handle links to the root website when the sender uses a freemail address to send invoices
 81                  or (
 82                    .href_url.domain.sld == sender.email.local_part
 83                    and (.href_url.path is null or .href_url.path == "/")
 84                    and sender.email.domain.root_domain in $free_email_providers
 85                  )
 86           )
 87    ) != length(body.links)
 88    // or no valid links
 89    or length(filter(body.links, .href_url.domain.domain is not null)) == 0
 90  )
 91  // the call to action link does not lead to inuit
 92  and not (
 93    // filter down to observed call to action display text
 94    any(filter(body.links,
 95               .display_text in~ (
 96                 "view and pay",
 97                 "review and pay",
 98                 "view details"
 99               )
100        ),
101        // benign/legit href_url details for those links
102        (
103          // sendgrid rewritten links
104          .href_url.domain.domain == "links.notification.intuit.com"
105          // CTA link
106          or (
107            .href_url.domain.domain == "connect.intuit.com"
108            and strings.icontains(.href_url.query_params, 'cta=viewinvoicenow')
109          )
110          // Mimecast links 
111          or (
112            .href_url.domain.root_domain == "mimecastprotect.com"
113            and (
114              strings.icontains(.href_url.query_params,
115                                'domain=links.notification.intuit.com'
116              )
117              or strings.icontains(.href_url.query_params,
118                                   'domain=connect.intuit.com'
119              )
120            )
121          )
122        )
123    )
124  )
125  // negate common sender of quickbooks reseller
126  and not strings.icontains(body.current_thread.text, 'Purchasing Reviews, Inc')
127  // negate highly trusted sender domains unless they fail DMARC authentication
128  and (
129    (
130      sender.email.domain.root_domain in $high_trust_sender_root_domains
131      and not headers.auth_summary.dmarc.pass
132    )
133    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
134  )  
135
136attack_types:
137  - "Callback Phishing"
138  - "Credential Phishing"
139tactics_and_techniques:
140  - "Impersonation: Brand"
141  - "Social engineering"
142detection_methods:
143  - "Computer Vision"
144  - "Content analysis"
145  - "Header analysis"
146  - "Sender analysis"
147id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"