Link: Intuit link abuse with file share context

 1name: "Link: Intuit link abuse with file share context"
 2description: "Detects messages linking to Intuit notification domains from non-Intuit senders, combined with credential harvesting language and file sharing themes"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  //look for links to links.notification.intuit.com but the sender is not from quickbooks/intuit
 8  and any(body.links, .href_url.domain.domain == "links.notification.intuit.com")
 9  and sender.email.domain.root_domain not in ("quickbooks.com", "intuit.com")
10  //check to see if it is classified as cred_theft
11  and any(ml.nlu_classifier(body.current_thread.text).intents,
12          .name in ("cred_theft")
13          and .confidence != "low"
14  )
15  and length(body.current_thread.text) < 1750
16  //check to see if the topic is File Sharing & Cloud Services 
17  and any(beta.ml_topic(body.current_thread.text).topics,
18      .name == "File Sharing and Cloud Services"
19      and .confidence != "low"
20  )  
21attack_types:
22  - "Credential Phishing"
23tactics_and_techniques:
24  - "Impersonation: Brand"
25  - "Social engineering"
26detection_methods:
27  - "URL analysis"
28  - "Natural Language Understanding"
29  - "Content analysis"
30  - "Header analysis"
31id: "cd15cc34-76b3-5993-bade-053e05b2ad48"