Brand impersonation: Quickbooks
Impersonation of the Quickbooks service from Intuit.
# Sublime Security detection rule; `source` holds the MQL query, `//` is the
# comment syntax inside it.
name: "Brand impersonation: Quickbooks"
description: "Impersonation of the Quickbooks service from Intuit."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // 1. brand signals: QuickBooks/Intuit in the sender display name or domain,
  //    repeated QuickBooks entities paired with a cred_theft intent, or an
  //    invoice lure anywhere in the body
  and (
    (
      // NOTE(review): the re-check further down uses 'quickbook*' rather than
      // 'quickboo*'; the two patterns differ — confirm which is intended
      strings.ilike(sender.display_name, 'quickboo*')
      or strings.like(sender.display_name, "QB-*")
      or strings.ilike(sender.display_name, 'intuit*')
      // one edit away from the brand name catches near-miss spellings
      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
      or strings.ilike(sender.email.domain.domain, '*quickbook*')
      or (
        length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                      strings.icontains(.text, "quickbooks")
               )
        ) > 2
        and any(ml.nlu_classifier(body.current_thread.text).intents,
                .name == "cred_theft"
        )
      )
    )
    or strings.ilike(body.current_thread.text, "*invoice*")
  )
  // 2. corroborating QuickBooks content: logo, footer boilerplate, a phone
  //    number with update/security language, or a mismatched brand link
  and (
    any(ml.logo_detect(file.message_screenshot()).brands,
        .name == "Quickbooks" and .confidence in ("medium", "high")
    )
    // contains the address and copyright
    or (
      (
        strings.icontains(body.current_thread.text,
                          '2800 E. Commerce Center Place, Tucson, AZ 85706'
        )
        or strings.icontains(body.current_thread.text,
                             '2700 Coast Ave, Mountain View, CA 94043'
        )
      )
      and regex.icontains(body.current_thread.text, '©\s*(?:\d+)\s*Intuit')
    )
    or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
    or strings.icontains(body.current_thread.text,
                         'QuickBooks and Intuit are trademarks of Intuit Inc.'
    )
    or strings.icontains(body.current_thread.text, "QuickBooks Cloud Services")
    or strings.icontains(body.current_thread.text,
                         "Secured by QuickBooks Payments"
    )
    or strings.icontains(body.current_thread.text, "QuickBooks Support Center")
    // phone number and update language
    or (
      // the [ilo0-9] class accepts the letters i, l and o in digit positions,
      // so phone numbers written with letter look-alikes still match
      regex.icontains(body.current_thread.text,
                      '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                      '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
      )
      and any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in ("Software and App Updates", "Security and Authentication")
      )

      // we need to re-check for QB indicators, otherwise we can have "*invoice*"
      // and this block, which is much more than just QB impersonation
      and (
        strings.ilike(sender.display_name, 'quickbook*')
        or strings.like(sender.display_name, "QB-*")
        or strings.ilike(sender.display_name, 'intuit*')
        or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
        or strings.ilike(sender.email.domain.domain, '*quickbook*')
        or (
          length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                        strings.icontains(.text, "quickbooks")
                 )
          ) > 2
          and any(ml.nlu_classifier(body.current_thread.text).intents,
                  .name == "cred_theft"
          )
        )
      )
    )
    // a link whose displayed URL names the brand but is flagged as mismatched
    // (presumably display URL and href disagree); Mimecast rewrites are excluded
    // because the rewritten href would always look mismatched
    or any(body.links,
           regex.icontains(.display_url.url, '(?:quickbooks|intuit)')
           and .mismatched
           and not .href_url.domain.root_domain in (
             "mimecast.com",
             "mimecastprotect.com"
           )
    )
  )
  // 3. exempt genuine Intuit sender domains only when DMARC passed;
  //    coalesce(..., false) treats a missing DMARC result as a fail, so a
  //    spoofed Intuit domain without authentication is not exempted
  and not (
    sender.email.domain.root_domain in~ (
      'intuit.com',
      'turbotax.com',
      'intuit.ca',
      'meliopayments.com',
      'qemailserver.com',
      'intuit.co.uk',
      'quickbooksonline.com',
      'tsheets.com'
    )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // 4. sender has no benign message history and is not a solicited sender
  and (
    not profile.by_sender().any_messages_benign
    and not profile.by_sender().solicited
  )
  // links in body are not known QB domains or the senders root website (both indicative of a legitimate QuickBooks invoice message)
  // the filter counts allowlisted links; a count below the total means at
  // least one link points somewhere else
  and (
    length(filter(body.links,
                  // NOTE(review): 'tsheets.com' is in the sender allowlist
                  // above but not in this link allowlist — confirm intended
                  .href_url.domain.root_domain in~ (
                    'intuit.com',
                    'turbotax.com',
                    'intuit.ca',
                    'meliopayments.com',
                    'qemailserver.com',
                    'intuit.co.uk',
                    'quickbooksonline.com'
                  )
                  or (
                    .href_url.domain.root_domain == sender.email.domain.root_domain
                    and (.href_url.path is null or .href_url.path == "/")
                  )
                  // handle links to the root website when the sender uses a freemail address to send invoices
                  or (
                    .href_url.domain.sld == sender.email.local_part
                    and (.href_url.path is null or .href_url.path == "/")
                    and sender.email.domain.root_domain in $free_email_providers
                  )
           )
    ) != length(body.links)
    // or no valid links (link-less messages, such as phone-number lures,
    // still pass this gate)
    or length(filter(body.links, .href_url.domain.domain is not null)) == 0
  )
  // the call to action link does not lead to Intuit
  and not (
    // filter down to observed call to action display text
    any(filter(body.links,
               .display_text in~ (
                 "view and pay",
                 "review and pay",
                 "view details"
               )
        ),
        // benign/legit href_url details for those links
        (
          // sendgrid rewritten links
          .href_url.domain.domain == "links.notification.intuit.com"
          // CTA link
          or (
            .href_url.domain.domain == "connect.intuit.com"
            and strings.icontains(.href_url.query_params, 'cta=viewinvoicenow')
          )
          // Mimecast links
          or (
            .href_url.domain.root_domain == "mimecastprotect.com"
            and (
              strings.icontains(.href_url.query_params,
                                'domain=links.notification.intuit.com'
              )
              or strings.icontains(.href_url.query_params,
                                   'domain=connect.intuit.com'
              )
            )
          )
        )
    )
  )
  // negate common sender of quickbooks reseller
  and not strings.icontains(body.current_thread.text, 'Purchasing Reviews, Inc')
  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"