Brand impersonation: Quickbooks

Impersonation of the Quickbooks service from Intuit.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata plus an MQL query in `source`.
# Flags inbound mail that carries QuickBooks/Intuit branding but is not sent
# from, or linked to, the known Intuit sending infrastructure listed below.
name: "Brand impersonation: Quickbooks"
description: "Impersonation of the Quickbooks service from Intuit."
type: "rule"
severity: "medium"
source: |
  // Only inbound mail is evaluated.
  type.inbound
  // Stage 1 - lure indicators: a QuickBooks-like sender name or domain, or any
  // mention of "invoice" in the current thread. The "*invoice*" branch is broad;
  // the stage 2 checks below supply the actual brand evidence.
  and (
    (
      strings.ilike(sender.display_name, 'quickbook*')
      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
      or strings.ilike(sender.email.domain.domain, '*quickbook*')
    )
    or strings.ilike(body.current_thread.text, "*invoice*")
  )
  // Stage 2 - brand evidence in the content (any one branch is enough)
  and (
    // QuickBooks logo found by logo detection on a rendered screenshot of the message
    any(ml.logo_detect(beta.message_screenshot()).brands,
        .name == "Quickbooks" and .confidence in ("medium", "high")
    )
    // contains the Intuit postal address and the "(c) <year> Intuit" copyright line
    or (
      strings.icontains(body.current_thread.text,
                        '2800 E. Commerce Center Place, Tucson, AZ 85706'
      )
      and regex.icontains(body.current_thread.text, '©\s*(?:\d+)\s*Intuit')
    )
    // boilerplate footer strings lifted from genuine QuickBooks mail
    or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
    or strings.icontains(body.current_thread.text,
                         'QuickBooks and Intuit are trademarks of Intuit Inc.'
    )
    // phone number and update language (callback-phishing shape).
    // Either phone-number pattern may match. The [ilo0-9] classes accept the
    // letters i, l and o in digit positions, so look-alike substitutions still match.
    // NOTE(review): the second pattern uses \d{3} for the area code while every
    // other digit group uses [ilo0-9] - confirm that difference is intended.
    or (
      regex.icontains(body.current_thread.text,
                      '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                      '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
      )
      and any(beta.ml_topic(body.current_thread.text).topics,
              .name == "Software and App Updates"
      )

      // we need to re-check for QB indicators, otherwise we can have "*invoice*"
      // and this block, which is much more than just QB impersonation
      // NOTE(review): these patterns differ from the stage 1 sender checks
      // ('quickbook*' / '*quickbook*' there, '*quickbooks*' here) - confirm the
      // difference is intended rather than drift between the two lists.
      and (
        strings.ilike(sender.display_name, '*quickbooks*')
        or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
        or strings.ilike(sender.email.domain.domain, '*quickbooks*')
      )
    )
  )
  // Stage 3 - exclusions. Sender root domains that legitimately send
  // QuickBooks/Intuit mail never trigger the rule.
  and sender.email.domain.root_domain not in~ (
    'intuit.com',
    'turbotax.com',
    'intuit.ca',
    'meliopayments.com',
    'qemailserver.com',
    'intuit.co.uk',
    'quickbooksonline.com',
    'tsheets.com'
  )
  // the sender has no benign message history and the message was not solicited
  and (
    not profile.by_sender().any_messages_benign
    and not profile.by_sender().solicited
  )
  // links in body are not known QB domains or the senders root website (both indicative of a legitimate QuickBooks invoice message)
  // The filter counts the links that are considered acceptable; the rule continues
  // only if at least one link falls outside that set, or if no link has a domain.
  // NOTE(review): 'tsheets.com' is in the sender exclusion list above but not in
  // this link allowlist - confirm whether that is intentional.
  and (
    length(filter(body.links,
                  .href_url.domain.root_domain in~ (
                    'intuit.com',
                    'turbotax.com',
                    'intuit.ca',
                    'meliopayments.com',
                    'qemailserver.com',
                    'intuit.co.uk',
                    'quickbooksonline.com'
                  )
                  // link to the root of the sender's own domain (no path, or "/")
                  or (
                    .href_url.domain.root_domain == sender.email.domain.root_domain
                    and (.href_url.path is null or .href_url.path == "/")
                  )
                  // handle links to the root website when the sender uses a freemail address to send invoices
                  // (the link's second-level domain must equal the sender's local part)
                  or (
                    .href_url.domain.sld == sender.email.local_part
                    and (.href_url.path is null or .href_url.path == "/")
                    and sender.email.domain.root_domain in $free_email_providers
                  )
           )
    ) != length(body.links)
    // or no valid links
    // (presumably covers messages whose only links carry no host - verify against sample data)
    or length(filter(body.links, .href_url.domain.domain is not null)) == 0
  )
  // the call to action link does not lead to intuit:
  // none of the "view and pay"-style links resolves to an allowed Intuit
  // destination, either directly or through a link-rewriting service
  and not (
    // filter down to observed call to action display text
    any(filter(body.links,
               .display_text in~ (
                 "view and pay",
                 "review and pay",
                 "view details"
               )
        ),
        // benign/legit href_url details for those links
        (
          // sendgrid rewritten links
          .href_url.domain.domain == "links.notification.intuit.com"
          // CTA link
          or (
            .href_url.domain.domain == "connect.intuit.com"
            and strings.icontains(.href_url.query_params, 'cta=viewinvoicenow')
          )
          // Mimecast links: the real destination is carried in the domain= query parameter
          or (
            .href_url.domain.root_domain == "mimecastprotect.com"
            and (
              strings.icontains(.href_url.query_params,
                                'domain=links.notification.intuit.com'
              )
              or strings.icontains(.href_url.query_params,
                                   'domain=connect.intuit.com'
              )
            )
          )
        )
    )
  )
  // negate common sender of quickbooks reseller
  and not strings.icontains(body.current_thread.text, 'Purchasing Reviews, Inc')
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a high-trust root domain only stays in scope when DMARC did not pass)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
# Classification metadata: attack types, tactics/techniques and detection methods.
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
# Stable rule identifier (UUID).
id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"