Brand impersonation: Quickbooks
Impersonation of the Quickbooks service from Intuit.
# Sublime detection rule; the `source` block scalar holds the MQL query that
# decides whether an inbound message matches.
name: "Brand impersonation: Quickbooks"
description: "Impersonation of the Quickbooks service from Intuit."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // QuickBooks cue in the sender identity, or a generic invoice lure in the body
  and (
    (
      strings.ilike(sender.display_name, '*quickbooks*')
      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
      or strings.ilike(sender.email.domain.domain, '*quickbooks*')
    )
    // the invoice lure alone is weak; brand evidence is still required below
    or strings.ilike(body.current_thread.text, "*invoice*")
  )
  // brand evidence: detected logo, Intuit address + copyright, or QuickBooks footer text
  and (
    any(ml.logo_detect(beta.message_screenshot()).brands,
        .name == "Quickbooks" and .confidence in ("medium", "high")
    )
    // contains the address and copyright
    or
    (
      strings.icontains(body.current_thread.text,
                        '2800 E. Commerce Center Place, Tucson, AZ 85706'
      )
      and regex.icontains(body.current_thread.text, '©\s*(?:\d+)\s*Intuit')
    )
    or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
    or strings.icontains(body.current_thread.text, 'QuickBooks and Intuit are trademarks of Intuit Inc.')
  )
  // legitimate Intuit sending domains
  and sender.email.domain.root_domain not in~ (
    'intuit.com',
    'turbotax.com',
    'intuit.ca',
    'meliopayments.com',
    'qemailserver.com',
    'intuit.co.uk',
    'quickbooksonline.com',
    'tsheets.com'
  )
  // skip senders with prior false positives or solicited history
  and (
    not profile.by_sender().any_false_positives
    and not profile.by_sender().solicited
  )
  // links in body are not known QB domains or the sender's root website (both indicative of a legitimate QuickBooks invoice message)
  and (
    length(filter(body.links,
                  // NOTE(review): 'tsheets.com' is excluded as a sender above but not
                  // listed here — confirm whether the omission is intentional
                  .href_url.domain.root_domain in~ (
                    'intuit.com',
                    'turbotax.com',
                    'intuit.ca',
                    'meliopayments.com',
                    'qemailserver.com',
                    'intuit.co.uk',
                    'quickbooksonline.com'
                  )
                  // link to the sender's own root website
                  or (
                    .href_url.domain.root_domain == sender.email.domain.root_domain
                    and (.href_url.path is null or .href_url.path == "/")
                  )
                  // handle links to the root website when the sender uses a freemail address to send invoices
                  or (
                    .href_url.domain.sld == sender.email.local_part
                    and (.href_url.path is null or .href_url.path == "/")
                    and sender.email.domain.root_domain in $free_email_providers
                  )
    // at least one link falls outside the allow list above
    )) != length(body.links)
    // or no valid links
    or length(filter(body.links, .href_url.domain.domain is not null)) == 0
  )
  // the call to action link does not lead to Intuit
  and not (
    // filter down to observed call to action display text
    any(filter(body.links,
               .display_text in~ (
                 "view and pay",
                 "review and pay",
                 "view details"
               )
        ),
        // benign/legit href_url details for those links
        (
          // sendgrid rewritten links
          .href_url.domain.domain == "links.notification.intuit.com"
          // CTA link
          or (
            .href_url.domain.domain == "connect.intuit.com"
            and strings.icontains(.href_url.query_params,
                                  'cta=viewinvoicenow'
            )
          )
          // Mimecast links
          or (
            .href_url.domain.root_domain == "mimecastprotect.com"
            and (
              strings.icontains(.href_url.query_params,
                                'domain=links.notification.intuit.com'
              )
              or strings.icontains(.href_url.query_params,
                                   'domain=connect.intuit.com'
              )
            )
          )
        )
    )
  )
  // negate common sender of quickbooks reseller
  and not strings.icontains(body.current_thread.text, 'Purchasing Reviews, Inc')
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"