← Back to Explore
sublimemediumRule
Brand impersonation: Quickbooks
Impersonation of the Quickbooks service from Intuit.
Detection Query
type.inbound
and (
(
strings.ilike(sender.display_name, 'quickbook*')
or strings.like(sender.display_name, "QB-*")
or strings.ilike(sender.display_name, 'intuit*')
or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
or strings.ilike(sender.email.domain.domain, '*quickbook*')
or (
length(filter(ml.nlu_classifier(body.current_thread.text).entities,
strings.icontains(.text, "quickbooks")
)
) > 2
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft"
)
)
)
or strings.ilike(body.current_thread.text, "*invoice*")
)
and (
any(ml.logo_detect(file.message_screenshot()).brands,
.name == "Quickbooks" and .confidence in ("medium", "high")
)
// contains the address and copyright
or (
strings.icontains(body.current_thread.text,
'2800 E. Commerce Center Place, Tucson, AZ 85706'
)
and regex.icontains(body.current_thread.text, '©\s*(?:\d+)\s*Intuit')
)
or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
or strings.icontains(body.current_thread.text,
'QuickBooks and Intuit are trademarks of Intuit Inc.'
)
or strings.icontains(body.current_thread.text, "QuickBooks Cloud Services")
// phone number and update language
or (
regex.icontains(body.current_thread.text,
'\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
'\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Software and App Updates", "Security and Authentication")
)
// we need to re-check for QB indicators, otherwise we can have "*invoice*"
// and this block, which is much more than just QB impersonation
and (
strings.ilike(sender.display_name, 'quickbook*')
or strings.like(sender.display_name, "QB-*")
or strings.ilike(sender.display_name, 'intuit*')
or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
or strings.ilike(sender.email.domain.domain, '*quickbook*')
or (
length(filter(ml.nlu_classifier(body.current_thread.text).entities,
strings.icontains(.text, "quickbooks")
)
) > 2
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft"
)
)
)
)
)
and not (
sender.email.domain.root_domain in~ (
'intuit.com',
'turbotax.com',
'intuit.ca',
'meliopayments.com',
'qemailserver.com',
'intuit.co.uk',
'quickbooksonline.com',
'tsheets.com'
)
and coalesce(headers.auth_summary.dmarc.pass, false)
)
and (
not profile.by_sender().any_messages_benign
and not profile.by_sender().solicited
)
// links in body are not known QB domains or the senders root website (both indicative of a legitimate QuickBooks invoice message)
and (
length(filter(body.links,
.href_url.domain.root_domain in~ (
'intuit.com',
'turbotax.com',
'intuit.ca',
'meliopayments.com',
'qemailserver.com',
'intuit.co.uk',
'quickbooksonline.com'
)
or (
.href_url.domain.root_domain == sender.email.domain.root_domain
and (.href_url.path is null or .href_url.path == "/")
)
// handle links to the root website when the sender uses a freemail address to send invoices
or (
.href_url.domain.sld == sender.email.local_part
and (.href_url.path is null or .href_url.path == "/")
and sender.email.domain.root_domain in $free_email_providers
)
)
) != length(body.links)
// or no valid links
or length(filter(body.links, .href_url.domain.domain is not null)) == 0
)
// the call to action link does not lead to inuit
and not (
// filter down to observed call to action display text
any(filter(body.links,
.display_text in~ (
"view and pay",
"review and pay",
"view details"
)
),
// benign/legit href_url details for those links
(
// sendgrid rewritten links
.href_url.domain.domain == "links.notification.intuit.com"
// CTA link
or (
.href_url.domain.domain == "connect.intuit.com"
and strings.icontains(.href_url.query_params, 'cta=viewinvoicenow')
)
// Mimecast links
or (
.href_url.domain.root_domain == "mimecastprotect.com"
and (
strings.icontains(.href_url.query_params,
'domain=links.notification.intuit.com'
)
or strings.icontains(.href_url.query_params,
'domain=connect.intuit.com'
)
)
)
)
)
)
// negate common sender of quickbooks reseller
and not strings.icontains(body.current_thread.text, 'Purchasing Reviews, Inc')
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Quickbooks"
description: "Impersonation of the Quickbooks service from Intuit."
type: "rule"
severity: "medium"
source: |
type.inbound
and (
(
strings.ilike(sender.display_name, 'quickbook*')
or strings.like(sender.display_name, "QB-*")
or strings.ilike(sender.display_name, 'intuit*')
or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
or strings.ilike(sender.email.domain.domain, '*quickbook*')
or (
length(filter(ml.nlu_classifier(body.current_thread.text).entities,
strings.icontains(.text, "quickbooks")
)
) > 2
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft"
)
)
)
or strings.ilike(body.current_thread.text, "*invoice*")
)
and (
any(ml.logo_detect(file.message_screenshot()).brands,
.name == "Quickbooks" and .confidence in ("medium", "high")
)
// contains the address and copyright
or (
strings.icontains(body.current_thread.text,
'2800 E. Commerce Center Place, Tucson, AZ 85706'
)
and regex.icontains(body.current_thread.text, '©\s*(?:\d+)\s*Intuit')
)
or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
or strings.icontains(body.current_thread.text,
'QuickBooks and Intuit are trademarks of Intuit Inc.'
)
or strings.icontains(body.current_thread.text, "QuickBooks Cloud Services")
// phone number and update language
or (
regex.icontains(body.current_thread.text,
'\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
'\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Software and App Updates", "Security and Authentication")
)
// we need to re-check for QB indicators, otherwise we can have "*invoice*"
// and this block, which is much more than just QB impersonation
and (
strings.ilike(sender.display_name, 'quickbook*')
or strings.like(sender.display_name, "QB-*")
or strings.ilike(sender.display_name, 'intuit*')
or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
or strings.ilike(sender.email.domain.domain, '*quickbook*')
or (
length(filter(ml.nlu_classifier(body.current_thread.text).entities,
strings.icontains(.text, "quickbooks")
)
) > 2
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft"
)
)
)
)
)
and not (
sender.email.domain.root_domain in~ (
'intuit.com',
'turbotax.com',
'intuit.ca',
'meliopayments.com',
'qemailserver.com',
'intuit.co.uk',
'quickbooksonline.com',
'tsheets.com'
)
and coalesce(headers.auth_summary.dmarc.pass, false)
)
and (
not profile.by_sender().any_messages_benign
and not profile.by_sender().solicited
)
// links in body are not known QB domains or the senders root website (both indicative of a legitimate QuickBooks invoice message)
and (
length(filter(body.links,
.href_url.domain.root_domain in~ (
'intuit.com',
'turbotax.com',
'intuit.ca',
'meliopayments.com',
'qemailserver.com',
'intuit.co.uk',
'quickbooksonline.com'
)
or (
.href_url.domain.root_domain == sender.email.domain.root_domain
and (.href_url.path is null or .href_url.path == "/")
)
// handle links to the root website when the sender uses a freemail address to send invoices
or (
.href_url.domain.sld == sender.email.local_part
and (.href_url.path is null or .href_url.path == "/")
and sender.email.domain.root_domain in $free_email_providers
)
)
) != length(body.links)
// or no valid links
or length(filter(body.links, .href_url.domain.domain is not null)) == 0
)
// the call to action link does not lead to inuit
and not (
// filter down to observed call to action display text
any(filter(body.links,
.display_text in~ (
"view and pay",
"review and pay",
"view details"
)
),
// benign/legit href_url details for those links
(
// sendgrid rewritten links
.href_url.domain.domain == "links.notification.intuit.com"
// CTA link
or (
.href_url.domain.domain == "connect.intuit.com"
and strings.icontains(.href_url.query_params, 'cta=viewinvoicenow')
)
// Mimecast links
or (
.href_url.domain.root_domain == "mimecastprotect.com"
and (
strings.icontains(.href_url.query_params,
'domain=links.notification.intuit.com'
)
or strings.icontains(.href_url.query_params,
'domain=connect.intuit.com'
)
)
)
)
)
)
// negate common sender of quickbooks reseller
and not strings.icontains(body.current_thread.text, 'Purchasing Reviews, Inc')
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Callback Phishing"
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "Content analysis"
- "Header analysis"
- "Sender analysis"
id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"