Brand impersonation: TurboTax

name: "Brand impersonation: TurboTax"
description: |
  Impersonation of the TurboTax service from Intuit. Most commonly seen around US tax season (Q1).
references:
  - "https://turbotax.intuit.com/tax-tips/security/taxpayer-beware-email-phishing-scams/L6r4YHSuG"
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*turbotax*')
    or (
      strings.ilevenshtein(sender.display_name, 'turbotax') <= 1
      // negates FP for company called TurboTan
      and not (
        sender.display_name == "TurboTan"
        and sender.email.domain.root_domain == "brevosend.com"
        and headers.auth_summary.spf.pass
      )
    )
    or strings.ilike(sender.email.domain.domain, '*turbotax*')
  )
  and sender.email.domain.root_domain not in (
    'intuit.com',
    'turbotax.com',
    'intuit.ca',
    'truist.com' // Truist partners with Intuit to provide discounts
  )
  and sender.email.email not in $recipient_emails
  
  // negates survery service used by TurboTax
  and not (
    sender.email.domain.root_domain in ('qemailserver.com')
    and headers.auth_summary.spf.pass
    and any(body.links,
            .href_url.domain.root_domain in ("qualtrics.com", "intuit.com")
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "90084031-cd65-5184-a7d6-a1e61d32b82b"