Brand impersonation: TurboTax

Impersonation of the TurboTax service from Intuit. Most commonly seen around US tax season (Q1).

Sublime rule

name: "Brand impersonation: TurboTax"
description: |
    Impersonation of the TurboTax service from Intuit. Most commonly seen around US tax season (Q1).
references:
  - "https://turbotax.intuit.com/tax-tips/security/taxpayer-beware-email-phishing-scams/L6r4YHSuG"
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*turbotax*')
    or strings.ilevenshtein(sender.display_name, 'turbotax') <= 1
    or strings.ilike(sender.email.domain.domain, '*turbotax*')
  )
  and sender.email.domain.root_domain not in~ ('intuit.com', 'turbotax.com', 'intuit.ca')
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "90084031-cd65-5184-a7d6-a1e61d32b82b"
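As an added example (not part of the Sublime rule above or of Sublime's own code), the following Python re-implements the rule's `source` logic and runs it over constructed sample senders. It assumes `type.inbound` is already true, treats the last two labels of a domain as the root domain (no public-suffix list), and gives `ilike` glob semantics where `*` matches any run of characters.

```python
import fnmatch
from dataclasses import dataclass


@dataclass
class Sender:
    display_name: str
    email: str  # full address, e.g. "alerts@mailer.example" (constructed)


# Root domains the rule allow-lists (copied from the rule's source block).
ALLOWED_ROOTS = {"intuit.com", "turbotax.com", "intuit.ca"}


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive wildcard match, modelling strings.ilike ('*' = any run)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive Levenshtein edit distance (standard DP), modelling strings.ilevenshtein."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def root_domain(domain: str) -> str:
    """Assumption: registrable domain is the last two labels (real engines use a suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def matches_rule(sender: Sender, recipient_emails: set[str]) -> bool:
    """Port of the rule's source block; True means the message would be flagged."""
    domain = sender.email.split("@")[-1]
    brand_hit = (
        ilike(sender.display_name, "*turbotax*")
        or ilevenshtein(sender.display_name, "turbotax") <= 1  # catches one-char swaps like "Turb0tax"
        or ilike(domain, "*turbotax*")
    )
    recipients = {r.lower() for r in recipient_emails}
    return (
        brand_hit
        and root_domain(domain) not in ALLOWED_ROOTS  # legitimate Intuit mail is excluded
        and sender.email.lower() not in recipients    # self-addressed mail is excluded
    )
```

Constructed inputs to try: a legitimate `noreply@turbotax.intuit.com` is not flagged because its root domain is allow-listed, while a display name of `Turb0tax` from an unrelated domain is flagged through the edit-distance branch.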