From ec9bda518483ec84fff62c9138cdf212f08a4563 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Wed, 18 Oct 2023 15:39:05 +0000
Subject: [PATCH] Sync from PR#862 New rule: impersonation_quickbooks.yml by @aidenmitchell https://github.com/sublime-security/sublime-rules/pull/862 Source SHA f65c491ca98c94aa26441668eba757a9e474cebb Triggered by @morriscode
---
detection-rules/impersonation_quickbooks.yml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 detection-rules/impersonation_quickbooks.yml
diff --git a/detection-rules/impersonation_quickbooks.yml b/detection-rules/impersonation_quickbooks.yml
new file mode 100644
index 00000000000..35c86fd32b5
--- /dev/null
+++ b/detection-rules/impersonation_quickbooks.yml
@@ -0,0 +1,19 @@
+name: "Brand impersonation: Quickbooks"
+description: "Impersonation of the Quickbooks service from Intuit."
+type: "rule"
+severity: "medium"
+source: "type.inbound\nand (\n (\n strings.ilike(sender.display_name, '*quickbooks*')\n or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1\n or strings.ilike(sender.email.domain.domain, '*quickbooks*')\n )\n or strings.ilike(body.current_thread.text, \"*invoice*\")\n)\nand any(ml.logo_detect(beta.message_screenshot()).brands,\n .name == \"Quickbooks\" and .confidence in (\"medium\", \"high\")\n)\nand sender.email.domain.root_domain not in~ ('intuit.com', 'turbotax.com', 'intuit.ca')\nand (\n not profile.by_sender().any_false_positives \n and not profile.by_sender().solicited\n)\n"
+attack_types:
+ - "Callback Phishing"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
+id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"
+testing_pr: 862
+testing_sha: f65c491ca98c94aa26441668eba757a9e474cebb
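Review bot: The exemption `and sender.email.domain.root_domain not in~ ('intuit.com', 'turbotax.com', 'intuit.ca')` in the `source` expression trusts the From domain alone, so a message whose sender domain is spoofed to intuit.com bypasses the rule entirely even when the QuickBooks logo and "invoice" signals matched; the allowlist should only apply to an authenticated sender, e.g. `and not (sender.email.domain.root_domain in~ ('intuit.com', 'turbotax.com', 'intuit.ca') and headers.auth_summary.dmarc.pass)` (confirm the exact MQL path for the DMARC result against the repo's other brand-impersonation rules). Separately, the `or strings.ilike(body.current_thread.text, "*invoice*")` branch sits at the same level as the display-name and domain checks, so any inbound message mentioning "invoice" with a medium-confidence logo match from an unsolicited sender fires regardless of who it claims to be; if that breadth is intended, the `description` should say that the logo match is the primary signal so tuners do not assume a sender-impersonation precondition. The trailing space after `profile.by_sender().any_false_positives` is harmless but worth trimming.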