Update impersonation_quickbooks.yml (#2117)

sublime-security · Nov 13, 2024 · 611f985 · 611f985
1 parent e89856e
commit 611f985
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/detection-rules/impersonation_quickbooks.yml b/detection-rules/impersonation_quickbooks.yml
@@ -12,8 +12,11 @@ source: |
     )
     or strings.ilike(body.current_thread.text, "*invoice*")
   )
-  and any(ml.logo_detect(beta.message_screenshot()).brands,
-          .name == "Quickbooks" and .confidence in ("medium", "high")
+  and (
+    any(ml.logo_detect(beta.message_screenshot()).brands,
+        .name == "Quickbooks" and .confidence in ("medium", "high")
+    )
+    or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
   )
   and sender.email.domain.root_domain not in~ (
     'intuit.com',