Brand impersonation: TurboTax
Impersonation of the TurboTax service from Intuit. Most commonly seen around US tax season (Q1).
Sublime rule
name: "Brand impersonation: TurboTax"
description: |
  Impersonation of the TurboTax service from Intuit. Most commonly seen around US tax season (Q1).
references:
  - "https://turbotax.intuit.com/tax-tips/security/taxpayer-beware-email-phishing-scams/L6r4YHSuG"
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*turbotax*')
    or (
      strings.ilevenshtein(sender.display_name, 'turbotax') <= 1
      // negates FP for company called TurboTan
      and not (
        sender.display_name == "TurboTan"
        and sender.email.domain.root_domain == "brevosend.com"
        and headers.auth_summary.spf.pass
      )
    )
    or strings.ilike(sender.email.domain.domain, '*turbotax*')
  )
  and sender.email.domain.root_domain not in (
    'intuit.com',
    'turbotax.com',
    'intuit.ca',
    'truist.com' // Truist partners with Intuit to provide discounts
  )
  and sender.email.email not in $recipient_emails

  // negates survey service used by TurboTax
  and not (
    sender.email.domain.root_domain in ('qemailserver.com')
    and headers.auth_summary.spf.pass
    and any(body.links,
            .href_url.domain.root_domain in ("qualtrics.com", "intuit.com")
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "90084031-cd65-5184-a7d6-a1e61d32b82b"
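To show how the rule's branches interact (display-name match, edit-distance match with the TurboTan exception, first-party domain exclusion, and the survey-service exclusion), here is the same logic reimplemented in plain Python and run over constructed messages. This is an added illustration, not Sublime's code or MQL engine; the message fields (sender_name, sender_email, spf_pass, link_domains, recipient_emails), the root_domain helper and the sample addresses are assumptions made for the example.

```python
# Added illustration, not Sublime's code: the TurboTax rule reimplemented in plain
# Python. Assumed message shape: sender_name, sender_email, spf_pass, link_domains,
# recipient_emails (standing in for the MQL fields the rule reads).
from fnmatch import fnmatchcase

LEGIT_ROOT_DOMAINS = {"intuit.com", "turbotax.com", "intuit.ca", "truist.com"}

def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance (standard dynamic-programming version)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive glob match, like strings.ilike in the rule."""
    return fnmatchcase(value.lower(), pattern.lower())

def root_domain(email: str) -> str:
    # Crude registered-domain guess (last two labels); adequate for the samples here.
    return ".".join(email.rsplit("@", 1)[-1].split(".")[-2:])

def turbotax_impersonation(msg: dict) -> bool:
    name, email = msg["sender_name"], msg["sender_email"]
    root = root_domain(email)
    # TurboTan mail via brevosend.com with SPF pass is the documented false positive.
    turbotan_fp = name == "TurboTan" and root == "brevosend.com" and msg["spf_pass"]
    name_hit = ilike(name, "*turbotax*") or (ilevenshtein(name, "turbotax") <= 1 and not turbotan_fp)
    domain_hit = ilike(email.split("@")[-1], "*turbotax*")
    if not (name_hit or domain_hit):
        return False
    if root in LEGIT_ROOT_DOMAINS or email in msg["recipient_emails"]:
        return False
    # Qualtrics survey mail sent on TurboTax's behalf is excluded as well.
    survey = (root == "qemailserver.com" and msg["spf_pass"]
              and any(d in {"qualtrics.com", "intuit.com"} for d in msg["link_domains"]))
    return not survey

# Constructed samples: a lookalike sender (should match) and the survey exception (should not).
SAMPLES = {
    "lookalike": {"sender_name": "TurboTax Support", "sender_email": "alerts@turbotax-refund.example",
                  "spf_pass": False, "link_domains": [], "recipient_emails": []},
    "survey": {"sender_name": "TurboTax", "sender_email": "noreply@qemailserver.com",
               "spf_pass": True, "link_domains": ["qualtrics.com"], "recipient_emails": []},
}
```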