Brand impersonation: Quickbooks

Impersonation of the Quickbooks service from Intuit.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: Quickbooks"
  2description: "Impersonation of the Quickbooks service from Intuit."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and (
  8    (
  9      strings.ilike(sender.display_name, '*quickbooks*')
 10      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
 11      or strings.ilike(sender.email.domain.domain, '*quickbooks*')
 12    )
 13    or strings.ilike(body.current_thread.text, "*invoice*")
 14  )
 15  and (
 16    any(ml.logo_detect(beta.message_screenshot()).brands,
 17        .name == "Quickbooks" and .confidence in ("medium", "high")
 18    )
 19    // contains the address and copyright 
 20    or (
 21      strings.icontains(body.current_thread.text,
 22                        '2800 E. Commerce Center Place, Tucson, AZ 85706'
 23      )
 24      and regex.icontains(body.current_thread.text, '©\s*(?:\d+)\s*Intuit')
 25    )
 26    or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
 27    or strings.icontains(body.current_thread.text,
 28                         'QuickBooks and Intuit are trademarks of Intuit Inc.'
 29    )
 30    // phone number and update language
 31    or (
 32      regex.icontains(body.current_thread.text,
 33                      '\b\+?(\d{1}.)?\(?\d{3}?\)?.~?.?\d{3}.?~?.\d{4}\b'
 34      )
 35      and any(beta.ml_topic(body.current_thread.text).topics,
 36              .name == "Software and App Updates"
 37      )
 38
 39      // we need to re-check for QB indicators, otherwise we can have "*invoice*"
 40      // and this block, which is much more than just QB impersonation
 41      and (
 42        strings.ilike(sender.display_name, '*quickbooks*')
 43        or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
 44        or strings.ilike(sender.email.domain.domain, '*quickbooks*')
 45      )
 46    )
 47  )
 48  and sender.email.domain.root_domain not in~ (
 49    'intuit.com',
 50    'turbotax.com',
 51    'intuit.ca',
 52    'meliopayments.com',
 53    'qemailserver.com',
 54    'intuit.co.uk',
 55    'quickbooksonline.com',
 56    'tsheets.com'
 57  )
 58  and (
 59    not profile.by_sender().any_false_positives
 60    and not profile.by_sender().solicited
 61  )
 62  // links in body are not known QB domains or the senders root website (both indicative of a legitimate QuickBooks invoice message)
 63  and (
 64    length(filter(body.links,
 65                  .href_url.domain.root_domain in~ (
 66                    'intuit.com',
 67                    'turbotax.com',
 68                    'intuit.ca',
 69                    'meliopayments.com',
 70                    'qemailserver.com',
 71                    'intuit.co.uk',
 72                    'quickbooksonline.com'
 73                  )
 74                  or (
 75                    .href_url.domain.root_domain == sender.email.domain.root_domain
 76                    and (.href_url.path is null or .href_url.path == "/")
 77                  )
 78                  // handle links to the root website when the sender uses a freemail address to send invoices
 79                  or (
 80                    .href_url.domain.sld == sender.email.local_part
 81                    and (.href_url.path is null or .href_url.path == "/")
 82                    and sender.email.domain.root_domain in $free_email_providers
 83                  )
 84           )
 85    ) != length(body.links)
 86    // or no valid links
 87    or length(filter(body.links, .href_url.domain.domain is not null)) == 0
 88  )
 89  // the call to action link does not lead to inuit
 90  and not (
 91    // filter down to observed call to action display text
 92    any(filter(body.links,
 93               .display_text in~ (
 94                 "view and pay",
 95                 "review and pay",
 96                 "view details"
 97               )
 98        ),
 99        // benign/legit href_url details for those links
100        (
101          // sendgrid rewritten links
102          .href_url.domain.domain == "links.notification.intuit.com"
103          // CTA link
104          or (
105            .href_url.domain.domain == "connect.intuit.com"
106            and strings.icontains(.href_url.query_params, 'cta=viewinvoicenow')
107          )
108          // Mimecast links 
109          or (
110            .href_url.domain.root_domain == "mimecastprotect.com"
111            and (
112              strings.icontains(.href_url.query_params,
113                                'domain=links.notification.intuit.com'
114              )
115              or strings.icontains(.href_url.query_params,
116                                   'domain=connect.intuit.com'
117              )
118            )
119          )
120        )
121    )
122  )
123  // negate common sender of quickbooks reseller
124  and not strings.icontains(body.current_thread.text, 'Purchasing Reviews, Inc')
125  // negate highly trusted sender domains unless they fail DMARC authentication
126  and (
127    (
128      sender.email.domain.root_domain in $high_trust_sender_root_domains
129      and not headers.auth_summary.dmarc.pass
130    )
131    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
132  )  
133attack_types:
134  - "Callback Phishing"
135  - "Credential Phishing"
136tactics_and_techniques:
137  - "Impersonation: Brand"
138  - "Social engineering"
139detection_methods:
140  - "Computer Vision"
141  - "Content analysis"
142  - "Header analysis"
143  - "Sender analysis"
144id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"