Sublime · medium severity · Rule
Credential phishing: Tax form impersonation with payment request
Detects messages impersonating tax-related communications that contain payment requests and PDF links, excluding legitimate tax service providers. The rule identifies tax terminology combined with payment solicitation language and PDF link references, which is a common pattern in tax season scams.
Detection Query
type.inbound
and any([body.current_thread.text, subject.subject],
        regex.icontains(.,
                        'schedule.c\b',
                        'tax.form',
                        '1099\b',
                        '\bw-?2\b',
                        'tax.return',
                        'tax.preparation'
        )
        and (
          regex.icontains(body.current_thread.text,
                          "reply.with.your.payment",
                          "payment.details",
                          "send.payment.information",
                          "provide.payment",
                          "payment.method",
                          "billing.information",
                          "processing.fee",
                          "completion.fee"
          )
        )
        and any(body.links, strings.icontains(.display_text, "PDF"))
)
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in ("Events and Webinars", "Newsletters and Digests")
)
and not sender.email.domain.root_domain in (
  "intuit.com",
  "hrblock.com",
  "turbotax.com",
  "taxact.com",
  "freetaxusa.com",
  "geico.com",
  "eventshq.com",
  "square.com"
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Credential phishing: Tax form impersonation with payment request"
description: "Detects messages impersonating tax-related communications that contain payment requests and PDF links, excluding legitimate tax service providers. The rule identifies tax terminology combined with payment solicitation language and PDF link references, which is a common pattern in tax season scams."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any([body.current_thread.text, subject.subject],
          regex.icontains(.,
                          'schedule.c\b',
                          'tax.form',
                          '1099\b',
                          '\bw-?2\b',
                          'tax.return',
                          'tax.preparation'
          )
          and (
            regex.icontains(body.current_thread.text,
                            "reply.with.your.payment",
                            "payment.details",
                            "send.payment.information",
                            "provide.payment",
                            "payment.method",
                            "billing.information",
                            "processing.fee",
                            "completion.fee"
            )
          )
          and any(body.links, strings.icontains(.display_text, "PDF"))
  )
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in ("Events and Webinars", "Newsletters and Digests")
  )
  and not sender.email.domain.root_domain in (
    "intuit.com",
    "hrblock.com",
    "turbotax.com",
    "taxact.com",
    "freetaxusa.com",
    "geico.com",
    "eventshq.com",
    "square.com"
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
- "PDF"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Sender analysis"
- "URL analysis"
id: "717695cf-caf0-5673-a8a8-223bb56ec8e1"