Link: QuickBooks image lure with suspicious link
This rule detects messages with an image attachment containing the QuickBooks logo and exactly one link in the body that points to a suspicious URL.
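# Sublime detection rule: an inbound message whose only real content is a
# QuickBooks-branded image plus a single link to an untrusted destination.
name: "Link: QuickBooks image lure with suspicious link"
description: "This rule detects messages with image attachments containing QuickBooks logo containing exactly 1 link to a suspicious URL. "
type: "rule"
severity: "medium"
source: |
  type.inbound
  // the lure is the image itself, not a document bundle
  and length(attachments) < 3
  and any(attachments,
          .file_type in $file_types_images
          and any(ml.logo_detect(.).brands, .name == "Quickbooks")
  )
  // exactly one call-to-action link in the body
  and length(body.links) == 1
  and (
    // body text is very short
    (
      0 <= (length(body.current_thread.text)) < 10
      or body.current_thread.text is null
    )
    or (
      length(body.current_thread.text) < 1500
      // or body is most likely all warning banner (text contains the sender and common warning banner language)
      and (
        regex.icontains(body.current_thread.text,
                        'caution|confidentiality notice|warning|disclaimer|permission'
        )
      )
    )
  )

  // suspicious link
  and any(body.links,
          (
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or .href_url.domain.domain in $social_landing_hosts
            or

            // mass mailer link, masks the actual URL
            .href_url.domain.root_domain in (
              "hubspotlinks.com",
              "mandrillapp.com",
              "sendgrid.net",
              "naylorcampaigns.com",
              "rs6.net"
            )
          )

          // exclude sources of potential FPs
          and (
            .href_url.domain.root_domain not in (
              "svc.ms",
              "sharepoint.com",
              "1drv.ms",
              "microsoft.com",
              "aka.ms",
              "msftauthimages.net",
              "intuit.com",
              "turbotax.com",
              "intuit.ca"
            )
            // body has exactly one link, so this evaluates the same link;
            // a free-file-host destination is never excused by the list above
            or any(body.links, .href_url.domain.domain in $free_file_hosts)
          )
          and .href_url.domain.root_domain not in $org_domains
  )

  // negate legitimate Intuit senders only when the sender domain is DMARC-authenticated;
  // a spoofed intuit.com / turbotax.com / intuit.ca sender must not excuse the message
  // (same treatment as the high-trust sender block below)
  and not (
    sender.email.domain.root_domain in~ (
      'intuit.com',
      'turbotax.com',
      'intuit.ca'
    )
    and headers.auth_summary.dmarc.pass
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "File analysis"
  - "Optical Character Recognition"
  - "URL analysis"
id: "3826a923-865e-5d87-82e4-0c1f8434efc0"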