From f1513dc4fc6031f66ab6daf7f82436d85894f2cd Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 25 Oct 2024 09:49:24 -0500
Subject: [PATCH 1/2] Create abuse_quickbooks_suspicious_comments.yml

---
 .../abuse_quickbooks_suspicious_comments.yml  | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 detection-rules/abuse_quickbooks_suspicious_comments.yml

diff --git a/detection-rules/abuse_quickbooks_suspicious_comments.yml b/detection-rules/abuse_quickbooks_suspicious_comments.yml
new file mode 100644
index 00000000000..228858a15e9
--- /dev/null
+++ b/detection-rules/abuse_quickbooks_suspicious_comments.yml
@@ -0,0 +1,38 @@
+name: "Service Abuse: QuickBooks Notification with Suspicious Comments"
+description: "This detection rule matches QuickBooks notifications that contain suspicious keywords within the comments section of the notification"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  
+  // Legitimate Intuit sending infratructure
+  and sender.email.email == "quickbooks@notification.intuit.com"
+  and headers.auth_summary.spf.pass
+  and headers.auth_summary.dmarc.pass
+  and strings.ends_with(headers.auth_summary.spf.details.designator,
+                         '.intuit.com'
+  )
+  
+  // remove payment confirmation messages
+  and not strings.starts_with(subject.subject, 'Payment confirmation:')
+  
+  and body.html.raw is not null
+  // Comments contains suspicious phrases
+  and (
+    // three different templates where commonly observed, on regex for each template
+    // this could optionally be converted into a "2 of" logic against current_thread if FN are discovered
+    regex.icontains(body.html.raw, '<div class="condensed-email-message-section" style="font-size: 1em; line-height: 1.5em; text-align: center; margin: 2.25em 0;">\s*<span id="condensedEmailMessageSectionContentWebPlayer">.*\b(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|update your details|just update your|continue your subscription|prefer to use EFT|change payment method|verify your account|suspended due to issue|payment declined notice|account needs verification|confirm your billing|immediate action required|failed payment notification|billing information update|service interruption warning|unable to process payment|subscription payment failed|action needed now|update banking information|subscription expiration notice|payment method change)\b.*</span></div>')
+    or regex.icontains(body.html.raw, '<div id="emailContainer" class="emailContainer" style="font-size: 18px; line-height: 1.5; text-align: left; padding-left: 20px; margin-left: 20px;">.*\b(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|update your details|just update your|continue your subscription|prefer to use EFT|change payment method|verify your account|suspended due to issue|payment declined notice|account needs verification|confirm your billing|immediate action required|failed payment notification|billing information update|service interruption warning|unable to process payment|subscription payment failed|action needed now|update banking information|subscription expiration notice|payment method change)\b.*</div>')
+    or regex.icontains(body.html.raw, '<table width=\"700\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\" style=\"margin-bottom:10px; font-family:Arial, Helvetica, sans-serif; font-size:12px\">(?:\s*<tbody>)?\s*<tr>\s*<td>\s*.*\b(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|update your details|just update your|continue your subscription|prefer to use EFT|change payment method|verify your account|suspended due to issue|payment declined notice|account needs verification|confirm your billing|immediate action required|failed payment notification|billing information update|service interruption warning|unable to process payment|subscription payment failed|action needed now|update banking information|subscription expiration notice|payment method change)\b.*</td>')
+  )
+attack_types:
+  - "Callback Phishing"
+  - "Credential Phishing"
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Sender analysis"
+  - "Header analysis"

From d01be43085f50e65a9ae4934d779d38d223291c6 Mon Sep 17 00:00:00 2001
From: ID Generator <hello@sublimesecurity.com>
Date: Fri, 25 Oct 2024 14:51:00 +0000
Subject: [PATCH 2/2] Auto add rule ID

---
 detection-rules/abuse_quickbooks_suspicious_comments.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/abuse_quickbooks_suspicious_comments.yml b/detection-rules/abuse_quickbooks_suspicious_comments.yml
index 228858a15e9..ec436e55852 100644
--- a/detection-rules/abuse_quickbooks_suspicious_comments.yml
+++ b/detection-rules/abuse_quickbooks_suspicious_comments.yml
@@ -36,3 +36,4 @@ detection_methods:
   - "Content analysis"
   - "Sender analysis"
   - "Header analysis"
+id: "a23d0950-9117-5199-bc74-7192217b80ff"