Brand impersonation: Quickbooks

 1name: "Brand impersonation: Quickbooks"
 2description: "Impersonation of the Quickbooks service from Intuit."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    (
 9      strings.ilike(sender.display_name, '*quickbooks*')
10      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
11      or strings.ilike(sender.email.domain.domain, '*quickbooks*')
12    )
13    or strings.ilike(body.current_thread.text, "*invoice*")
14  )
15  and any(ml.logo_detect(beta.message_screenshot()).brands,
16          .name == "Quickbooks" and .confidence in ("medium", "high")
17  )
18  and sender.email.domain.root_domain not in~ ('intuit.com', 'turbotax.com', 'intuit.ca', 'meliopayments.com')
19  and (
20      not profile.by_sender().any_false_positives 
21      and not profile.by_sender().solicited
22  )
23
24  // negate highly trusted sender domains unless they fail DMARC authentication
25  and
26  (
27    (
28      sender.email.domain.root_domain in $high_trust_sender_root_domains
29      and (
30        any(distinct(headers.hops, .authentication_results.dmarc is not null),
31            strings.ilike(.authentication_results.dmarc, "*fail")
32        )
33      )
34    )
35    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
36  )  
37attack_types:
38  - "Callback Phishing"
39  - "Credential Phishing"
40tactics_and_techniques:
41  - "Impersonation: Brand"
42  - "Social engineering"
43detection_methods:
44  - "Computer Vision"
45  - "Content analysis"
46  - "Header analysis"
47  - "Sender analysis"
48id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"