Link: QuickBooks image lure with suspicious link

This rule detects messages that carry an image attachment containing a QuickBooks logo and exactly 1 link to a suspicious URL.

Sublime rule (View on GitHub)

# Sublime detection rule; `source` holds the MQL query evaluated against each message.
# Scope: inbound mail with a QuickBooks-branded image attachment, a single link that
# points somewhere off-brand, and little or no body text (the image is the lure).
name: "Link: QuickBooks image lure with suspicious link"
description: "This rule detects messages with image attachments containing QuickBooks logo containing exactly 1 link to a suspicious URL. "
type: "rule"
severity: "medium"
source: |
  // inbound messages only, carrying at most two attachments
  type.inbound
  and length(attachments) < 3
  // at least one image attachment where logo detection reports the QuickBooks brand
  and any(attachments,
          .file_type in $file_types_images
          and any(ml.logo_detect(.).brands, .name == "Quickbooks")
  )
  // exactly one link in the body; later per-link checks rely on this
  and length(body.links) == 1
  and (
    // body text is very short (under 10 characters) or absent entirely
    (
      0 <= (length(body.current_thread.text)) < 10
      or body.current_thread.text is null
    )
    or (
      length(body.current_thread.text) < 1500
      // or the body is under 1500 characters and matches common warning-banner /
      // disclaimer wording, i.e. it is most likely all banner and no real content
      and (
        regex.icontains(body.current_thread.text,
                        'caution|confidentiality notice|warning|disclaimer|permission'
        )
      )
    )
  )
  
  // suspicious link: the single link's domain is not in the Tranco top 1M, or it is
  // a free file host, free subdomain host, URL shortener, or a mass-mailer redirector
  and any(body.links,
          (
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or 
  
            // mass mailer link, masks the actual URL
            .href_url.domain.root_domain in (
              "hubspotlinks.com",
              "mandrillapp.com",
              "sendgrid.net",
              "naylorcampaigns.com",
              "rs6.net"
            )
          )
  
          // exclude sources of potential FPs: Microsoft sharing/auth domains and
          // Intuit's own domains, unless the link lands on a free file host
          and (
            .href_url.domain.root_domain not in (
              "svc.ms",
              "sharepoint.com",
              "1drv.ms",
              "microsoft.com",
              "aka.ms",
              "msftauthimages.net",
              "intuit.com",
              "turbotax.com",
              "intuit.ca"
            )
            // note: because exactly one body link is enforced above, this inner any()
            // reduces to a check on the current link's domain
            or any(body.links, .href_url.domain.domain in $free_file_hosts)
          )
          // never fire on links to the organisation's own domains
          and .href_url.domain.root_domain not in $org_domains
  )
  // sender is not Intuit/TurboTax itself (case-insensitive match)
  and sender.email.domain.root_domain not in~ (
    'intuit.com',
    'turbotax.com',
    'intuit.ca'
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

# classification metadata used for triage and reporting
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "File analysis"
  - "Optical Character Recognition"
  - "URL analysis"
# stable identifier for this rule
id: "3826a923-865e-5d87-82e4-0c1f8434efc0"