Brand impersonation: TurboTax
Impersonation of the TurboTax service from Intuit. Most commonly seen around US tax season (Q1).
Sublime rule
name: "Brand impersonation: TurboTax"
description: |
  Impersonation of the TurboTax service from Intuit. Most commonly seen around US tax season (Q1).
references:
  - "https://turbotax.intuit.com/tax-tips/security/taxpayer-beware-email-phishing-scams/L6r4YHSuG"
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*turbotax*')
    or strings.ilevenshtein(sender.display_name, 'turbotax') <= 1
    or strings.ilike(sender.email.domain.domain, '*turbotax*')
  )
  and sender.email.domain.root_domain not in~ ('intuit.com', 'turbotax.com', 'intuit.ca')
  and sender.email.email not in $recipient_emails
tags:
  - "Brand impersonation"
  - "Suspicious sender"