Brand impersonation: TurboTax

 1name: "Brand impersonation: TurboTax"
 2description: |
 3    Impersonation of the TurboTax service from Intuit. Most commonly seen around US tax season (Q1).
 4references:
 5  - "https://turbotax.intuit.com/tax-tips/security/taxpayer-beware-email-phishing-scams/L6r4YHSuG"
 6type: "rule"
 7severity: "low"
 8source: |
 9  type.inbound
10  and (
11    strings.ilike(sender.display_name, '*turbotax*')
12    or (
13      strings.ilevenshtein(sender.display_name, 'turbotax') <= 1
14      // negates FP for company called TurboTan
15      and not (
16        sender.display_name == "TurboTan"
17        and sender.email.domain.root_domain == "brevosend.com"
18        and headers.auth_summary.spf.pass
19      )
20    )
21    or strings.ilike(sender.email.domain.domain, '*turbotax*')
22  )
23  and sender.email.domain.root_domain not in (
24    'intuit.com',
25    'turbotax.com',
26    'intuit.ca',
27    'truist.com' // Truist partners with Intuit to provide discounts
28  )
29  and sender.email.email not in $recipient_emails
30  
31  // negates survery service used by TurboTax
32  and not (
33    sender.email.domain.root_domain in ('qemailserver.com')
34    and headers.auth_summary.spf.pass
35    and any(body.links,
36            .href_url.domain.root_domain in ("qualtrics.com", "intuit.com")
37    )
38  )  
39attack_types:
40  - "Credential Phishing"
41tactics_and_techniques:
42  - "Impersonation: Brand"
43  - "Lookalike domain"
44  - "Social engineering"
45detection_methods:
46  - "Sender analysis"
47id: "90084031-cd65-5184-a7d6-a1e61d32b82b"