Link: Intuit link abuse with file share context

calendar Jan 12, 2026  ยท
Share on: linkedin copy

Detects messages linking to Intuit notification domains from non-Intuit senders, combined with credential harvesting language and file sharing themes

Sublime rule (View on GitHub)

 1name: "Link: Intuit link abuse with file share context"
 2description: "Detects messages linking to Intuit notification domains from non-Intuit senders, combined with credential harvesting language and file sharing themes"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // look for links to links.notification.intuit.com but the sender is not from quickbooks/intuit
 8  and any(body.links, .href_url.domain.domain == "links.notification.intuit.com")
 9  and sender.email.domain.root_domain not in ("quickbooks.com", "intuit.com")
10  // check to see if it is classified as cred_theft
11  and any(ml.nlu_classifier(body.current_thread.text).intents,
12          .name in ("cred_theft") and .confidence != "low"
13  )
14  and length(body.current_thread.text) < 1750
15  // check to see if the topic is File Sharing & Cloud Services
16  and any(beta.ml_topic(body.current_thread.text).topics,
17          .name == "File Sharing and Cloud Services" and .confidence != "low"
18  )  
19attack_types:
20  - "Credential Phishing"
21tactics_and_techniques:
22  - "Impersonation: Brand"
23  - "Social engineering"
24detection_methods:
25  - "URL analysis"
26  - "Natural Language Understanding"
27  - "Content analysis"
28  - "Header analysis"
29id: "cd15cc34-76b3-5993-bade-053e05b2ad48"
to-top