Brand impersonation: QuickBooks dispute notification

Detects messages impersonating QuickBooks or Intuit that reference dispute notifications or resolutions, but originate from unauthorized domains that fail DMARC authentication.

Sublime rule

name: "Brand impersonation: QuickBooks dispute notification"
description: "Detects messages impersonating QuickBooks or Intuit that reference dispute notifications or resolutions, but originate from unauthorized domains that fail DMARC authentication."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any([subject.base, sender.display_name],
          strings.icontains(., 'Quickbooks', 'Intuit')
  )
  and any([subject.base, sender.display_name, body.current_thread.text],
          regex.icontains(., 'Dispute\s+(?:Notification|Resolution)')
  )
  and not (
    sender.email.domain.root_domain in~ (
      'intuit.com',
      'turbotax.com',
      'intuit.ca',
      'meliopayments.com',
      'qemailserver.com',
      'intuit.co.uk',
      'quickbooksonline.com',
      'tsheets.com'
    )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "Header analysis"
id: "9416b5b7-3850-505c-a283-45a2bc483f81"
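To make the rule's three conditions concrete, the following is an added Python re-implementation of its logic (not Sublime's code): MQL helpers such as root_domain and subject.base are approximated, and the sample messages it is exercised on are constructed.

```python
import re

# Domains the rule treats as legitimate Intuit senders (taken from the rule above).
ALLOWED_ROOT_DOMAINS = {
    "intuit.com", "turbotax.com", "intuit.ca", "meliopayments.com",
    "qemailserver.com", "intuit.co.uk", "quickbooksonline.com", "tsheets.com",
}
BRAND_TERMS = ("quickbooks", "intuit")  # strings.icontains(., 'Quickbooks', 'Intuit')
DISPUTE_RE = re.compile(r"dispute\s+(?:notification|resolution)", re.IGNORECASE)


def root_domain(domain: str) -> str:
    """Simplified stand-in for MQL's root_domain (assumption: only the
    two-label suffixes that appear in the allowlist, e.g. 'co.uk', are
    handled; production code should consult the public suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "com", "org", "net"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def matches_rule(subject: str, display_name: str, sender_domain: str,
                 body_text: str, dmarc_pass):
    """Return True when a message would fire the rule.

    `subject` is assumed to already be the base subject (Re:/Fwd: stripped).
    `dmarc_pass` may be None when no auth summary header exists; the rule's
    coalesce(..., false) treats a missing result as a failed check, so a
    message from an allowlisted domain still fires when DMARC is absent.
    """
    brand_hit = any(term in field.lower()
                    for field in (subject, display_name) for term in BRAND_TERMS)
    dispute_hit = any(DISPUTE_RE.search(field)
                      for field in (subject, display_name, body_text))
    trusted = root_domain(sender_domain) in ALLOWED_ROOT_DOMAINS and bool(dmarc_pass)
    return brand_hit and dispute_hit and not trusted


if __name__ == "__main__":
    # Constructed sample: lookalike sender with a dispute-themed subject.
    print(matches_rule("Dispute Notification #4412", "QuickBooks Payments",
                       "mail.example-lookalike.net", "Review the attached.", True))
    # Constructed sample: genuine Intuit domain with a DMARC pass, so it is exempt.
    print(matches_rule("Dispute Resolution update", "Intuit QuickBooks",
                       "mail.intuit.com", "", True))
```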