Brand impersonation: Quickbooks
Impersonation of the Quickbooks service from Intuit.
Sublime rule
name: "Brand impersonation: Quickbooks"
description: "Impersonation of the Quickbooks service from Intuit."
type: "rule"
severity: "medium"
# `source` is a literal block scalar holding the MQL query. The `//` lines inside
# it are MQL comments (part of the string value), not YAML comments.
source: |
  // Scope: inbound mail only.
  type.inbound
  // Lure: the sender presents as QuickBooks (wildcard match on the display name,
  // a display name one edit away from "quickbooks", or the word inside the
  // sender domain), or the current thread's body text mentions an invoice.
  and (
    (
      strings.ilike(sender.display_name, '*quickbooks*')
      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
      or strings.ilike(sender.email.domain.domain, '*quickbooks*')
    )
    or strings.ilike(body.current_thread.text, "*invoice*")
  )
  // Visual confirmation: a QuickBooks logo is detected in a screenshot of the
  // message at medium or high confidence.
  and any(ml.logo_detect(beta.message_screenshot()).brands,
          .name == "Quickbooks" and .confidence in ("medium", "high")
  )
  // Exclude root domains the rule treats as legitimate senders of QuickBooks
  // mail (case-insensitive match).
  and sender.email.domain.root_domain not in~ (
    'intuit.com',
    'turbotax.com',
    'intuit.ca',
    'meliopayments.com',
    'qemailserver.com',
    'intuit.co.uk',
    'quickbooksonline.com',
    'tsheets.com'
  )
  // Sender profile: no recorded false positives and the mail is unsolicited.
  and (
    not profile.by_sender().any_false_positives
    and not profile.by_sender().solicited
  )
  // links in body are not known QB domains or the sender's root website (both indicative of a legitimate QuickBooks invoice message)
  // The filter counts the links that are allowed (known QB root domain, or the
  // sender's own domain at its root path); a count different from the total
  // number of links means at least one link points elsewhere.
  // NOTE(review): this link allow-list omits 'tsheets.com', which the sender
  // exclusion above includes -- confirm whether the difference is intentional.
  and (
    length(filter(body.links,
                  .href_url.domain.root_domain in~ (
                    'intuit.com',
                    'turbotax.com',
                    'intuit.ca',
                    'meliopayments.com',
                    'qemailserver.com',
                    'intuit.co.uk',
                    'quickbooksonline.com'
                  )
                  or (
                    .href_url.domain.domain == sender.email.domain.domain
                    and (.href_url.path is null or .href_url.path == "/")
                  )
           )
    ) != length(body.links)
    // or no valid links (no link whose URL carries a domain)
    or length(filter(body.links, .href_url.domain.domain is not null)) == 0
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // A high-trust root domain only reaches the verdict when DMARC did not pass;
  // every other sender passes this check unconditionally.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
# Classification tags.
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
# Stable rule identifier.
id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"