EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Link: QuickBooks image lure with suspicious link

This rule detects messages with image attachments containing QuickBooks logo containing exactly 1 link to a suspicious URL.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1598.003
initial-access

Detection Query

type.inbound
and length(attachments) < 3
and any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, .name == "Quickbooks")
)
and length(body.links) == 1
and (
  // body text is very short
  (
    0 <= (length(body.current_thread.text)) < 10
    or body.current_thread.text is null
  )
  or (
    length(body.current_thread.text) < 1500
    // or body is most likely all warning banner (text contains the sender and common warning banner language)
    and (
      regex.icontains(body.current_thread.text,
                      'caution|confidentiality notice|warning|disclaimer|permission'
      )
    )
  )
)

// suspicious link
and any(body.links,
        (
          .href_url.domain.root_domain not in $tranco_1m
          or .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
          or .href_url.domain.domain in $url_shorteners
          or .href_url.domain.domain in $social_landing_hosts
          or 

          // mass mailer link, masks the actual URL
          .href_url.domain.root_domain in (
            "hubspotlinks.com",
            "mandrillapp.com",
            "sendgrid.net",
            "naylorcampaigns.com",
            "rs6.net"
          )
        )

        // exclude sources of potential FPs
        and (
          .href_url.domain.root_domain not in (
            "svc.ms",
            "sharepoint.com",
            "1drv.ms",
            "microsoft.com",
            "aka.ms",
            "msftauthimages.net",
            "intuit.com",
            "turbotax.com",
            "intuit.ca"
          )
          or any(body.links, .href_url.domain.domain in $free_file_hosts)
        )
        and .href_url.domain.root_domain not in $org_domains
)
and sender.email.domain.root_domain not in~ (
  'intuit.com',
  'turbotax.com',
  'intuit.ca'
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Link: QuickBooks image lure with suspicious link"
description: "This rule detects messages with image attachments containing QuickBooks logo containing exactly 1 link to a suspicious URL. "
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) < 3
  and any(attachments,
          .file_type in $file_types_images
          and any(ml.logo_detect(.).brands, .name == "Quickbooks")
  )
  and length(body.links) == 1
  and (
    // body text is very short
    (
      0 <= (length(body.current_thread.text)) < 10
      or body.current_thread.text is null
    )
    or (
      length(body.current_thread.text) < 1500
      // or body is most likely all warning banner (text contains the sender and common warning banner language)
      and (
        regex.icontains(body.current_thread.text,
                        'caution|confidentiality notice|warning|disclaimer|permission'
        )
      )
    )
  )
  
  // suspicious link
  and any(body.links,
          (
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or .href_url.domain.domain in $social_landing_hosts
            or 
  
            // mass mailer link, masks the actual URL
            .href_url.domain.root_domain in (
              "hubspotlinks.com",
              "mandrillapp.com",
              "sendgrid.net",
              "naylorcampaigns.com",
              "rs6.net"
            )
          )
  
          // exclude sources of potential FPs
          and (
            .href_url.domain.root_domain not in (
              "svc.ms",
              "sharepoint.com",
              "1drv.ms",
              "microsoft.com",
              "aka.ms",
              "msftauthimages.net",
              "intuit.com",
              "turbotax.com",
              "intuit.ca"
            )
            or any(body.links, .href_url.domain.domain in $free_file_hosts)
          )
          and .href_url.domain.root_domain not in $org_domains
  )
  and sender.email.domain.root_domain not in~ (
    'intuit.com',
    'turbotax.com',
    'intuit.ca'
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "File analysis"
  - "Optical Character Recognition"
  - "URL analysis"
id: "3826a923-865e-5d87-82e4-0c1f8434efc0"