Brand impersonation: Quickbooks
Impersonation of the Quickbooks service from Intuit.
Sublime rule (View on GitHub)
# Sublime Security detection rule. The MQL expression under `source` is evaluated
# per inbound message; every top-level `and` term below must hold for a match.
name: "Brand impersonation: Quickbooks"
description: "Impersonation of the Quickbooks service from Intuit."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Lure signal: the sender presents as Quickbooks (display-name wildcard,
  // one-edit typo of "quickbooks", or the domain contains it), OR the body
  // text of the current thread mentions an invoice. Either branch is enough
  // on its own; the logo check below is what ties it to the brand.
  and (
    (
      strings.ilike(sender.display_name, '*quickbooks*')
      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
      or strings.ilike(sender.email.domain.domain, '*quickbooks*')
    )
    or strings.ilike(body.current_thread.text, "*invoice*")
  )
  // Visual confirmation: a Quickbooks logo must be detected in the rendered
  // message screenshot at medium or high confidence (low-confidence hits are ignored).
  and any(ml.logo_detect(beta.message_screenshot()).brands,
          .name == "Quickbooks" and .confidence in ("medium", "high")
  )
  // Exempt the legitimate brand owner / partner root domains (case-insensitive `in~`).
  // NOTE(review): this exemption is not conditioned on DMARC; a From root domain
  // spoofed to one of these values is excluded here regardless of authentication.
  // Whether the high-trust block further down still covers them depends on these
  // domains being in $high_trust_sender_root_domains — confirm against that list.
  and sender.email.domain.root_domain not in~ ('intuit.com', 'turbotax.com', 'intuit.ca', 'meliopayments.com')
  // Sender-profile suppression: skip senders with a recorded false-positive
  // history or an established solicited relationship.
  and (
    not profile.by_sender().any_false_positives
    and not profile.by_sender().solicited
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. a root domain on the high-trust list only matches when at least one hop
  // that carries a DMARC result reports a failure (ilike "*fail"); any sender
  // whose root domain is not on that list passes this clause unconditionally.
  and
  (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
# Classification metadata: attack outcomes this rule is intended to surface.
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
# Adversary tradecraft the rule keys on.
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
# Signal families used by the `source` expression above (logo detection,
# body text, authentication headers, sender profile/domain).
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
# Stable identifier for this rule.
id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"