Brand impersonation: TurboTax

calendarMar 22, 2023 · Brand impersonation Suspicious sender  ·
Share on: linkedincopy

Impersonation of the TurboTax service from Intuit. Most commonly seen around US tax season (Q1).

Sublime rule (View on GitHub)

 1name: "Brand impersonation: TurboTax"
 2description: |
 3    Impersonation of the TurboTax service from Intuit. Most commonly seen around US tax season (Q1).
 4references:
 5  - "https://turbotax.intuit.com/tax-tips/security/taxpayer-beware-email-phishing-scams/L6r4YHSuG"
 6type: "rule"
 7severity: "low"
 8source: |
 9  type.inbound
10  and (
11      strings.ilike(sender.display_name, '*turbotax*')
12      or strings.ilevenshtein(sender.display_name, 'turbotax') <= 1
13      or strings.ilike(sender.email.domain.domain, '*turbotax*')
14  )
15  and sender.email.domain.root_domain not in~ ('intuit.com', 'turbotax.com', 'intuit.ca')
16  and sender.email.email not in $recipient_emails  
17tags:
18  - "Brand impersonation"
19  - "Suspicious sender"

Related rules

to-top