EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Service abuse: QuickBooks notification from new domain

This Attack Surface Reduction (ASR) rule matches on QuickBooks notifications with recently registered reply-to domains.

MITRE ATT&CK

T1566.003T1598T1566T1566.001T1566.002T1534T1656T1036T1027
defense-evasioninitial-access

Detection Query

type.inbound

// Legitimate Intuit sending infratructure
and sender.email.email == "quickbooks@notification.intuit.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
and strings.ends_with(headers.auth_summary.spf.details.designator,
                      '.intuit.com'
)

// remove payment confirmation messages
and not strings.starts_with(subject.subject, 'Payment confirmation:')

// the message needs to have a reply-to address
and length(headers.reply_to) > 0

// 
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
// 

// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited

// do not match if the reply_to address has been observed as a reply_to address
// of a message that has been classified as benign
and not beta.profile.by_reply_to().any_messages_benign

// new reply-to
and any(headers.reply_to, network.whois(.email.domain).days_old < 30)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "Service abuse: QuickBooks notification from new domain"
description: "This Attack Surface Reduction (ASR) rule matches on QuickBooks notifications with recently registered reply-to domains."
type: "rule"
severity: "medium"
source: |
  type.inbound
  
  // Legitimate Intuit sending infratructure
  and sender.email.email == "quickbooks@notification.intuit.com"
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
  and strings.ends_with(headers.auth_summary.spf.details.designator,
                        '.intuit.com'
  )
  
  // remove payment confirmation messages
  and not strings.starts_with(subject.subject, 'Payment confirmation:')
  
  // the message needs to have a reply-to address
  and length(headers.reply_to) > 0
  
  // 
  // This rule makes use of a beta feature and is subject to change without notice
  // using the beta feature in custom rules is not suggested until it has been formally released
  // 
  
  // reply-to email address has never been sent an email by the org
  and not beta.profile.by_reply_to().solicited
  
  // do not match if the reply_to address has been observed as a reply_to address
  // of a message that has been classified as benign
  and not beta.profile.by_reply_to().any_messages_benign
  
  // new reply-to
  and any(headers.reply_to, network.whois(.email.domain).days_old < 30)
tags:
 - "Attack surface reduction"
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "Header analysis"
id: "c4f46473-0f5a-56d6-bb7e-489460bdb20f"