Brand impersonation: TurboTax
Impersonation of the TurboTax service from Intuit. Most commonly seen around US tax season (Q1).
Sublime rule (View on GitHub)
name: "Brand impersonation: TurboTax"
description: |
  Impersonation of the TurboTax service from Intuit. Most commonly seen around US tax season (Q1).
references:
  - "https://turbotax.intuit.com/tax-tips/security/taxpayer-beware-email-phishing-scams/L6r4YHSuG"
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*turbotax*')
    or strings.ilevenshtein(sender.display_name, 'turbotax') <= 1
    or strings.ilike(sender.email.domain.domain, '*turbotax*')
  )
  and sender.email.domain.root_domain not in~ ('intuit.com', 'turbotax.com', 'intuit.ca')
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "90084031-cd65-5184-a7d6-a1e61d32b82b"
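
The sender conditions of the rule above, re-expressed in Python and run over constructed sender headers, to show which condition fires and which exclusion suppresses a match. This is an added example, not Sublime's code or engine: the helper names, the sample messages, the contents of the recipient list and the two-label root_domain shortcut are assumptions, and Sublime's own evaluation of MQL may differ.

```python
from fnmatch import fnmatchcase

ALLOWED_ROOTS = {"intuit.com", "turbotax.com", "intuit.ca"}
# Constructed stand-in for the $recipient_emails list referenced by the rule.
KNOWN_RECIPIENTS = {"advisor@partner.example"}

def levenshtein(a, b):
    """Edit distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def root_domain(domain):
    # Assumption: the last two labels. A real implementation needs the public suffix list.
    return ".".join(domain.lower().split(".")[-2:])

def matches(msg, recipient_emails=KNOWN_RECIPIENTS):
    """Approximate the rule's source expression for one message."""
    name = msg["display_name"].lower()      # ilike / ilevenshtein ignore case
    address = msg["email"].lower()
    domain = address.rsplit("@", 1)[1]
    brand_signal = (
        fnmatchcase(name, "*turbotax*")           # brand name inside the display name
        or levenshtein(name, "turbotax") <= 1     # one edit away from the brand name
        or fnmatchcase(domain, "*turbotax*")      # brand name inside the sender domain
    )
    return (
        msg["inbound"]
        and brand_signal
        and root_domain(domain) not in ALLOWED_ROOTS   # legitimate Intuit senders
        and address not in recipient_emails            # already-known correspondents
    )

# Constructed sample senders, not taken from real mail.
SAMPLES = [
    {"inbound": True, "display_name": "TurboTax Support", "email": "notice@mailer.example.net"},
    {"inbound": True, "display_name": "TurboTex", "email": "refund@example.org"},
    {"inbound": True, "display_name": "Tax Team", "email": "info@turbotax-refunds.example"},
    {"inbound": True, "display_name": "TurboTax", "email": "no-reply@em1.turbotax.intuit.com"},
    {"inbound": True, "display_name": "TurboTax Advisor", "email": "advisor@partner.example"},
    {"inbound": True, "display_name": "Tax Office", "email": "hello@example.com"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f'{matches(m)!s:5}  {m["display_name"]} <{m["email"]}>')
```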