
Service abuse: QuickBooks notification with suspicious comments

This detection rule matches QuickBooks notifications sent from Intuit's legitimate notification address whose comments/message section contains phrases typical of callback, credential-phishing, or payment-fraud lures (the legitimate service is abused to deliver attacker-controlled text).

MITRE ATT&CK

defense-evasion, initial-access

Detection Query

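type.inbound

// Legitimate Intuit sending infrastructure.
// NOTE(review): this is a From-header match only and does not itself establish that
// the message was authenticated (SPF/DKIM/DMARC). A forged From would also satisfy
// it, so spoofs of this address are left to other rules unless an auth check is added.
and sender.email.email == "quickbooks@notification.intuit.com"

// Remove payment confirmation messages
and not strings.starts_with(subject.subject, 'Payment confirmation:')
and body.html.raw is not null

// Comments contain suspicious phrases
and (
  // Several different templates were commonly observed; extract the comment/body
  // region of each known template and run the phrase regexes over every node found.
  // A template that is not in this list is not inspected.
  any([
        html.xpath(body.html,
                   '//span[@id="condensedEmailMessageSectionContentWebPlayer"]'
        ).nodes,
        html.xpath(body.html, '//div[@id="emailContainer"]').nodes,
        html.xpath(body.html, '//table[@width="700"][1]//tr/td').nodes,
        html.xpath(body.html, '//tr[@class="email-header"]').nodes,
        html.xpath(body.html, '//tr[@class="email-center"]').nodes,
        html.xpath(body.html, '//div[@class="mlr22"]').nodes,
        html.xpath(body.html, '//td[@class="itemDesc"]//div').nodes,
        html.xpath(body.html, '//td[@class="shippingContent"]//div').nodes,
        html.xpath(body.html,
                   '//table[@class="shippingAndCustomLayout width100"]'
        ).nodes
      ],
      // Outer any(): each entry is the node list for one template.
      // Inner any(): the rule fires if any node's text matches either pattern.
      any(.,
          regex.icontains(.inner_text,
                          // subscription, renewals, verifications, etc.
                          '(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|update your details|just update your|continue your subscription|prefer to use EFT|change payment method|verify your account|suspended due to issue|payment declined notice|account needs verification|confirm your billing|immediate action required|failed payment notification|billing information update|service interruption warning|unable to process payment|subscription payment failed|action needed now|update banking information|subscription expiration notice|payment method change|bill\s+to\s+subscriber)',
                          // callback wording. The "?" after "seller" is escaped: unescaped it is a
                          // quantifier making the trailing "r" optional rather than matching the
                          // literal question mark in "recognize this seller?".
                          'recognize this seller\??|For more info.{0,25}Call|To cancel.{0,25}Call|did not authorize',
          )
      )
  )
)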

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
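name: "Service abuse: QuickBooks notification with suspicious comments"
description: "This detection rule matches QuickBooks notifications that contain suspicious keywords within the comments section of the notification"
type: "rule"
severity: "medium"
source: |
  type.inbound
  
  // Legitimate Intuit sending infrastructure.
  // NOTE(review): this is a From-header match only and does not itself establish that
  // the message was authenticated (SPF/DKIM/DMARC). A forged From would also satisfy
  // it, so spoofs of this address are left to other rules unless an auth check is added.
  and sender.email.email == "quickbooks@notification.intuit.com"
  
  // Remove payment confirmation messages
  and not strings.starts_with(subject.subject, 'Payment confirmation:')
  and body.html.raw is not null
  
  // Comments contain suspicious phrases
  and (
    // Several different templates were commonly observed; extract the comment/body
    // region of each known template and run the phrase regexes over every node found.
    // A template that is not in this list is not inspected.
    any([
          html.xpath(body.html,
                     '//span[@id="condensedEmailMessageSectionContentWebPlayer"]'
          ).nodes,
          html.xpath(body.html, '//div[@id="emailContainer"]').nodes,
          html.xpath(body.html, '//table[@width="700"][1]//tr/td').nodes,
          html.xpath(body.html, '//tr[@class="email-header"]').nodes,
          html.xpath(body.html, '//tr[@class="email-center"]').nodes,
          html.xpath(body.html, '//div[@class="mlr22"]').nodes,
          html.xpath(body.html, '//td[@class="itemDesc"]//div').nodes,
          html.xpath(body.html, '//td[@class="shippingContent"]//div').nodes,
          html.xpath(body.html,
                     '//table[@class="shippingAndCustomLayout width100"]'
          ).nodes
        ],
        // Outer any(): each entry is the node list for one template.
        // Inner any(): the rule fires if any node's text matches either pattern.
        any(.,
            regex.icontains(.inner_text,
                            // subscription, renewals, verifications, etc.
                            '(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|update your details|just update your|continue your subscription|prefer to use EFT|change payment method|verify your account|suspended due to issue|payment declined notice|account needs verification|confirm your billing|immediate action required|failed payment notification|billing information update|service interruption warning|unable to process payment|subscription payment failed|action needed now|update banking information|subscription expiration notice|payment method change|bill\s+to\s+subscriber)',
                            // callback wording. The "?" after "seller" is escaped: unescaped it is a
                            // quantifier making the trailing "r" optional rather than matching the
                            // literal question mark in "recognize this seller?".
                            'recognize this seller\??|For more info.{0,25}Call|To cancel.{0,25}Call|did not authorize',
            )
        )
    )
  )
# Lure categories this rule is intended to surface.
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
# Sender analysis here is the From-address equality check above; header analysis
# is limited to that header (no SPF/DKIM/DMARC result is consulted in the query).
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "Header analysis"
id: "a23d0950-9117-5199-bc74-7192217b80ff"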