Link: Intuit link abuse with file share context

name: "Link: Intuit link abuse with file share context"
description: "Detects messages linking to Intuit notification domains from non-Intuit senders, combined with credential harvesting language and file sharing themes"
type: "rule"
severity: "medium"
source: |
  type.inbound
  // look for links to links.notification.intuit.com but the sender is not from quickbooks/intuit
  and any(body.links, .href_url.domain.domain == "links.notification.intuit.com")
  and sender.email.domain.root_domain not in ("quickbooks.com", "intuit.com")
  // check to see if it is classified as cred_theft
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("cred_theft") and .confidence != "low"
  )
  and length(body.current_thread.text) < 1750
  // check to see if the topic is File Sharing & Cloud Services
  and any(beta.ml_topic(body.current_thread.text).topics,
          .name == "File Sharing and Cloud Services" and .confidence != "low"
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Natural Language Understanding"
  - "Content analysis"
  - "Header analysis"
id: "cd15cc34-76b3-5993-bade-053e05b2ad48"