Brand impersonation: Quickbooks
Impersonation of the Quickbooks service from Intuit.
# Detection rule: inbound mail impersonating the QuickBooks (Intuit) brand.
# `source` is the MQL predicate; the trailing keys are rule metadata.
name: "Brand impersonation: Quickbooks"
description: "Impersonation of the Quickbooks service from Intuit."
type: "rule"
severity: "medium"
source: |
  // Brand indicators in the sender identity, or a generic "invoice" mention
  // (the latter is re-qualified by the logo/footer/phone checks below)
  type.inbound
  and (
    (
      strings.ilike(sender.display_name, '*quickbooks*')
      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
      or strings.ilike(sender.email.domain.domain, '*quickbooks*')
    )
    or strings.ilike(body.current_thread.text, "*invoice*")
  )
  and (
    // QuickBooks logo detected in a screenshot of the rendered message
    any(ml.logo_detect(beta.message_screenshot()).brands,
        .name == "Quickbooks" and .confidence in ("medium", "high")
    )
    // contains the address and copyright
    or (
      strings.icontains(body.current_thread.text,
                        '2800 E. Commerce Center Place, Tucson, AZ 85706'
      )
      and regex.icontains(body.current_thread.text, '©\s*(?:\d+)\s*Intuit')
    )
    // footer text lifted from genuine QuickBooks notifications
    or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
    or strings.icontains(body.current_thread.text,
                         'QuickBooks and Intuit are trademarks of Intuit Inc.'
    )
    // phone number and update language (callback-style lure)
    or (
      // loose phone-number pattern; presumably tuned for recall over precision
      regex.icontains(body.current_thread.text,
                      '\b\+?(\d{1}.)?\(?\d{3}?\)?.~?.?\d{3}.?~?.\d{4}\b'
      )
      and any(beta.ml_topic(body.current_thread.text).topics,
              .name == "Software and App Updates"
      )

      // we need to re-check for QB indicators, otherwise we can have "*invoice*"
      // and this block, which is much more than just QB impersonation
      and (
        strings.ilike(sender.display_name, '*quickbooks*')
        or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
        or strings.ilike(sender.email.domain.domain, '*quickbooks*')
      )
    )
  )
  // exclude mail from Intuit-owned sending domains
  // NOTE(review): unlike the $high_trust_sender_root_domains clause at the end,
  // this exclusion is not conditioned on headers.auth_summary.dmarc.pass, so a
  // message claiming one of these domains is excluded regardless of
  // authentication result — confirm that is intended
  and sender.email.domain.root_domain not in~ (
    'intuit.com',
    'turbotax.com',
    'intuit.ca',
    'meliopayments.com',
    'qemailserver.com',
    'intuit.co.uk',
    'quickbooksonline.com',
    'tsheets.com'
  )
  // sender has no false-positive history and is not a solicited contact
  and (
    not profile.by_sender().any_false_positives
    and not profile.by_sender().solicited
  )
  // links in body are not known QB domains or the senders root website (both indicative of a legitimate QuickBooks invoice message)
  and (
    // count of allowlisted links differs from total => at least one link is
    // outside the allowlist
    length(filter(body.links,
                  // NOTE(review): 'tsheets.com' is in the sender exclusion
                  // above but not in this link allowlist — confirm intended
                  .href_url.domain.root_domain in~ (
                    'intuit.com',
                    'turbotax.com',
                    'intuit.ca',
                    'meliopayments.com',
                    'qemailserver.com',
                    'intuit.co.uk',
                    'quickbooksonline.com'
                  )
                  // link to the root of the sender's own domain
                  or (
                    .href_url.domain.root_domain == sender.email.domain.root_domain
                    and (.href_url.path is null or .href_url.path == "/")
                  )
                  // handle links to the root website when the sender uses a freemail address to send invoices
                  or (
                    .href_url.domain.sld == sender.email.local_part
                    and (.href_url.path is null or .href_url.path == "/")
                    and sender.email.domain.root_domain in $free_email_providers
                  )
           )
    ) != length(body.links)
    // or no valid links
    or length(filter(body.links, .href_url.domain.domain is not null)) == 0
  )
  // the call to action link does not lead to intuit
  and not (
    // filter down to observed call to action display text
    any(filter(body.links,
               .display_text in~ (
                 "view and pay",
                 "review and pay",
                 "view details"
               )
        ),
        // benign/legit href_url details for those links
        (
          // sendgrid rewritten links
          .href_url.domain.domain == "links.notification.intuit.com"
          // CTA link
          or (
            .href_url.domain.domain == "connect.intuit.com"
            and strings.icontains(.href_url.query_params, 'cta=viewinvoicenow')
          )
          // Mimecast links (original destination carried in the query string)
          or (
            .href_url.domain.root_domain == "mimecastprotect.com"
            and (
              strings.icontains(.href_url.query_params,
                                'domain=links.notification.intuit.com'
              )
              or strings.icontains(.href_url.query_params,
                                   'domain=connect.intuit.com'
              )
            )
          )
        )
    )
  )
  // negate common sender of quickbooks reseller
  and not strings.icontains(body.current_thread.text, 'Purchasing Reviews, Inc')
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"