Link: QuickBooks image lure with suspicious link

This rule detects messages whose image attachments contain a QuickBooks logo and whose body holds exactly one link to a suspicious URL.

Sublime rule (View on GitHub)

# Sublime Security detection rule. The MQL under `source` fires on an inbound
# message that pairs a QuickBooks-branded image attachment with a single,
# suspicious body link; the metadata below files it under brand impersonation
# and credential phishing.
name: "Link: QuickBooks image lure with suspicious link"
description: "This rule detects messages with image attachments containing QuickBooks logo containing exactly 1 link to a suspicious URL. "
type: "rule"
severity: "medium"
source: |
  type.inbound
  // one or two attachments only (the lure image, possibly plus one more)
  and length(attachments) < 3
  // at least one image attachment in which logo detection reports the QuickBooks brand
  // NOTE(review): the brand string must match the value ml.logo_detect emits
  // ("Quickbooks" here, not "QuickBooks") — confirm against the detector's brand list
  and any(attachments,
          .file_type in $file_types_images
          and any(ml.logo_detect(.).brands, .name == "Quickbooks")
  )
  // exactly one link, so every any(body.links, ...) below evaluates that single link
  and length(body.links) == 1
  and (
    // body text is very short
    (
      0 <= (length(body.current_thread.text)) < 10
      or body.current_thread.text is null
    )
    or (
      // both conditions are required here: a body under 1500 characters
      // whose text also matches common warning-banner wording
      length(body.current_thread.text) < 1500
      // or body is most likely all warning banner (text contains the sender and common warning banner language)
      and (
        regex.icontains(body.current_thread.text,
                        'caution|confidentiality notice|warning|disclaimer|permission'
        )
      )
    )
  )
  
  // suspicious link
  // the link is suspicious when its root domain is outside the Tranco top 1M,
  // or when it sits on one of the free-hosting / shortener / social-landing host lists,
  // or when it is wrapped by a mass-mailer redirect domain
  // NOTE(review): a link on a Tranco-listed domain that is on none of the other
  // lists does not satisfy this branch — a known gap to keep in mind when tuning
  and any(body.links,
          (
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or .href_url.domain.domain in $social_landing_hosts
            or 
  
            // mass mailer link, masks the actual URL
            .href_url.domain.root_domain in (
              "hubspotlinks.com",
              "mandrillapp.com",
              "sendgrid.net",
              "naylorcampaigns.com",
              "rs6.net"
            )
          )
  
          // exclude sources of potential FPs
          // Microsoft and Intuit/TurboTax link targets are allowed through unless the
          // link host is on a free file host, in which case the exclusion does not apply;
          // with exactly one link the nested any(body.links, ...) is that same link
          and (
            .href_url.domain.root_domain not in (
              "svc.ms",
              "sharepoint.com",
              "1drv.ms",
              "microsoft.com",
              "aka.ms",
              "msftauthimages.net",
              "intuit.com",
              "turbotax.com",
              "intuit.ca"
            )
            or any(body.links, .href_url.domain.domain in $free_file_hosts)
          )
          // links back to the recipient organization's own domains never count
          and .href_url.domain.root_domain not in $org_domains
  )
  // genuine Intuit/TurboTax senders are excluded (in~ is a case-insensitive match)
  and sender.email.domain.root_domain not in~ (
    'intuit.com',
    'turbotax.com',
    'intuit.ca'
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // a high-trust root domain stays eligible only when DMARC did not pass,
  // since a DMARC failure means the trusted domain may be spoofed
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "File analysis"
  # NOTE(review): the source above calls only ml.logo_detect and has no explicit
  # OCR call — confirm whether this method applies, or whether logo detection
  # relies on OCR internally
  - "Optical Character Recognition"
  - "URL analysis"
id: "3826a923-865e-5d87-82e4-0c1f8434efc0"