Link: Intuit link abuse with file share context
Detects messages linking to Intuit notification domains from non-Intuit senders, combined with credential harvesting language and file sharing themes
Sublime rule (View on GitHub)
1name: "Link: Intuit link abuse with file share context"
2description: "Detects messages linking to Intuit notification domains from non-Intuit senders, combined with credential harvesting language and file sharing themes"
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 //look for links to links.notification.intuit.com but the sender is not from quickbooks/intuit
8 and any(body.links, .href_url.domain.domain == "links.notification.intuit.com")
9 and sender.email.domain.root_domain not in ("quickbooks.com", "intuit.com")
10 //check to see if it is classified as cred_theft
11 and any(ml.nlu_classifier(body.current_thread.text).intents,
12 .name in ("cred_theft")
13 and .confidence != "low"
14 )
15 and length(body.current_thread.text) < 1750
16 //check to see if the topic is File Sharing & Cloud Services
17 and any(beta.ml_topic(body.current_thread.text).topics,
18 .name == "File Sharing and Cloud Services"
19 and .confidence != "low"
20 )
21attack_types:
22 - "Credential Phishing"
23tactics_and_techniques:
24 - "Impersonation: Brand"
25 - "Social engineering"
26detection_methods:
27 - "URL analysis"
28 - "Natural Language Understanding"
29 - "Content analysis"
30 - "Header analysis"
31id: "cd15cc34-76b3-5993-bade-053e05b2ad48"