Commit

Sync from PR#862
New rule: impersonation_quickbooks.yml by @aidenmitchell
#862
Source SHA f65c491
Triggered by @morriscode
Sublime Rule Testing Bot committed Oct 18, 2023
1 parent 0d484a0 commit ec9bda5
Showing 1 changed file with 19 additions and 0 deletions.
19 changes: 19 additions & 0 deletions detection-rules/impersonation_quickbooks.yml
@@ -0,0 +1,19 @@
name: "Brand impersonation: Quickbooks"
description: "Impersonation of the Quickbooks service from Intuit."
type: "rule"
severity: "medium"
source: "type.inbound\nand (\n (\n strings.ilike(sender.display_name, '*quickbooks*')\n or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1\n or strings.ilike(sender.email.domain.domain, '*quickbooks*')\n )\n or strings.ilike(body.current_thread.text, \"*invoice*\")\n)\nand any(ml.logo_detect(beta.message_screenshot()).brands,\n .name == \"Quickbooks\" and .confidence in (\"medium\", \"high\")\n)\nand sender.email.domain.root_domain not in~ ('intuit.com', 'turbotax.com', 'intuit.ca')\nand (\n not profile.by_sender().any_false_positives \n and not profile.by_sender().solicited\n)\n"
attack_types:
- "Callback Phishing"
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "Content analysis"
- "Header analysis"
- "Sender analysis"
id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"
testing_pr: 862
testing_sha: f65c491ca98c94aa26441668eba757a9e474cebb
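Review bot: the exclusion `sender.email.domain.root_domain not in~ ('intuit.com', 'turbotax.com', 'intuit.ca')` in `source` drops every message whose From domain has one of those roots, so a message that merely spoofs intuit.com in the From header is skipped together with genuine Intuit mail; consider making the exclusion conditional on the sender domain actually authenticating (for example, only exclude when DMARC passes) so that a spoofed Intuit domain still reaches the logo and sender-profile checks. Two style points on the same hunk: the `source` value is written as one JSON-escaped string with embedded `\n`, which is hard to read and to diff compared with a YAML block scalar (`source: |`) and which has a trailing space after `any_false_positives `, and it mixes `'...'` and `\"...\"` quoting for string literals (`'*quickbooks*'` versus `\"*invoice*\"` and `\"Quickbooks\"`); picking one style would make future edits to the rule cleaner.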
