Brand impersonation: Quickbooks

Impersonation of the Quickbooks service from Intuit.

Sublime rule (View on GitHub)

# Sublime Security detection rule; the MQL query lives in `source`. It flags
# inbound mail carrying QuickBooks/Intuit branding when the sender is not one
# of the listed Intuit-affiliated domains and the links do not resolve back to
# Intuit or to the sender's own site.
name: "Brand impersonation: Quickbooks"
description: "Impersonation of the Quickbooks service from Intuit."
type: "rule"
severity: "medium"
source: |
  // Only inbound messages are evaluated.
  type.inbound
  // Lexical hook: the display name or sender domain references QuickBooks
  // (case-insensitive; the display name is allowed one edit of distance),
  // OR the current thread text mentions an invoice. Because the invoice
  // branch is an OR, this group alone is not a brand signal; the logo
  // detection below is what ties the message to the QuickBooks brand.
  and (
    (
      strings.ilike(sender.display_name, '*quickbooks*')
      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
      or strings.ilike(sender.email.domain.domain, '*quickbooks*')
    )
    or strings.ilike(body.current_thread.text, "*invoice*")
  )
  // Visual hook: logo detection on a rendered screenshot of the message must
  // report the Quickbooks brand at medium or high confidence.
  and any(ml.logo_detect(beta.message_screenshot()).brands,
          .name == "Quickbooks" and .confidence in ("medium", "high")
  )
  // Exclude senders whose From: root domain is an Intuit property or a known
  // Intuit service provider (in~ is the case-insensitive membership test).
  // NOTE(review): this exclusion is keyed on the From: root domain only and
  // does not consult authentication results, so a message that merely claims
  // one of these domains is negated here regardless of DMARC; the DMARC
  // condition further down applies only to $high_trust_sender_root_domains.
  // Confirm that is the intended coverage split.
  and sender.email.domain.root_domain not in~ (
    'intuit.com',
    'turbotax.com',
    'intuit.ca',
    'meliopayments.com',
    'qemailserver.com',
    'intuit.co.uk',
    'quickbooksonline.com',
    'tsheets.com'
  )
  // Sender-profile context: suppress when this sender has prior false
  // positives or the recipient previously solicited mail from them.
  and (
    not profile.by_sender().any_false_positives
    and not profile.by_sender().solicited
  )
  // links in body are not known QB domains or the senders root website (both indicative of a legitimate QuickBooks invoice message)
  // Matches when at least one body link points outside the Intuit domain
  // list AND is not the sender's own site root (same domain, path null or "/").
  // NOTE(review): 'tsheets.com' is in the sender exclusion above but absent
  // from this link list, so a link to it counts as an unknown domain here --
  // confirm whether that asymmetry is intentional.
  and (
    length(filter(body.links,
                  .href_url.domain.root_domain in~ (
                    'intuit.com',
                    'turbotax.com',
                    'intuit.ca',
                    'meliopayments.com',
                    'qemailserver.com',
                    'intuit.co.uk',
                    'quickbooksonline.com'
                  )
                  or (
                    .href_url.domain.domain == sender.email.domain.domain
                    and (.href_url.path is null or .href_url.path == "/")
                  )
           )
    ) != length(body.links)
    // or no valid links
    // A message with no link that has a parsable domain still qualifies,
    // which keeps link-free lures (cf. the "Callback Phishing" attack type
    // below) in scope.
    or length(filter(body.links, .href_url.domain.domain is not null)) == 0
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // High-trust root domains are negated only when DMARC passes; a high-trust
  // domain that fails DMARC stays in scope, since that is the spoofing case
  // this rule is meant to catch.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
# Classification metadata used for triage and reporting.
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
# Signals the query relies on: logo detection, body text, auth headers and
# sender-profile history.
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"