EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Brand impersonation: QuickBooks notification from Intuit themed company name

This detection rule matches on QuickBooks notifications that feature company names impersonating Intuit and QuickBooks.

MITRE ATT&CK

T1566.003T1598T1566T1566.001T1566.002T1534T1656T1036T1027
defense-evasioninitial-access

Detection Query

type.inbound

// Legitimate Intuit sending infratructure
and sender.email.email == "quickbooks@notification.intuit.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
and strings.ends_with(headers.auth_summary.spf.details.designator,
                      '.intuit.com'
)
and (
  // the reply-to contains Inuit Themes
  any(headers.reply_to,
      (
        strings.icontains(.email.email, 'intuit')
        or strings.icontains(.email.domain.domain, 'quickbooks')
      )
      and not (.email.domain.root_domain in ('intuit.com', 'quickbooks.com'))
  )
  // the "company" part of the message
  or regex.icontains(body.html.raw,
                     '<(?:div|p) class="company(?:Name|Details)[^\"]*\"[^\>]*\>[^\<]*(?:Intuit|Quickbooks).*</(?:p|div)>'
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand impersonation: QuickBooks notification from Intuit themed company name"
description: "This detection rule matches on QuickBooks notifications that feature company names impersonating Intuit and QuickBooks."
type: "rule"
severity: "medium"
source: |
  type.inbound
  
  // Legitimate Intuit sending infratructure
  and sender.email.email == "quickbooks@notification.intuit.com"
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
  and strings.ends_with(headers.auth_summary.spf.details.designator,
                        '.intuit.com'
  )
  and (
    // the reply-to contains Inuit Themes
    any(headers.reply_to,
        (
          strings.icontains(.email.email, 'intuit')
          or strings.icontains(.email.domain.domain, 'quickbooks')
        )
        and not (.email.domain.root_domain in ('intuit.com', 'quickbooks.com'))
    )
    // the "company" part of the message
    or regex.icontains(body.html.raw,
                       '<(?:div|p) class="company(?:Name|Details)[^\"]*\"[^\>]*\>[^\<]*(?:Intuit|Quickbooks).*</(?:p|div)>'
    )
  )
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "Header analysis"
id: "42058fc4-d700-5bc3-9ee9-91641d9343c2"