sublime-security · zoomequipd · Dec 16, 2024 · Oct 25, 2024 · Oct 25, 2024
@@ -0,0 +1,39 @@
+name: "Service Abuse: QuickBooks Notification with Suspicious Comments"
+description: "This detection rule matches QuickBooks notifications that contain suspicious keywords within the comments section of the notification"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+
+  // Legitimate Intuit sending infratructure
+  and sender.email.email == "[email protected]"
+  and headers.auth_summary.spf.pass
+  and headers.auth_summary.dmarc.pass
+  and strings.ends_with(headers.auth_summary.spf.details.designator,
+                         '.intuit.com'
+  )
+
+  // remove payment confirmation messages
+  and not strings.starts_with(subject.subject, 'Payment confirmation:')
+
+  and body.html.raw is not null
+  // Comments contains suspicious phrases
+  and (
+    // three different templates where commonly observed, on regex for each template
+    // this could optionally be converted into a "2 of" logic against current_thread if FN are discovered
+    regex.icontains(body.html.raw, '<div class="condensed-email-message-section" style="font-size: 1em; line-height: 1.5em; text-align: center; margin: 2.25em 0;">\s*<span id="condensedEmailMessageSectionContentWebPlayer">.*\b(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|update your details|just update your|continue your subscription|prefer to use EFT|change payment method|verify your account|suspended due to issue|payment declined notice|account needs verification|confirm your billing|immediate action required|failed payment notification|billing information update|service interruption warning|unable to process payment|subscription payment failed|action needed now|update banking information|subscription expiration notice|payment method change)\b.*</span></div>')
+    or regex.icontains(body.html.raw, '<div id="emailContainer" class="emailContainer" style="font-size: 18px; line-height: 1.5; text-align: left; padding-left: 20px; margin-left: 20px;">.*\b(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|update your details|just update your|continue your subscription|prefer to use EFT|change payment method|verify your account|suspended due to issue|payment declined notice|account needs verification|confirm your billing|immediate action required|failed payment notification|billing information update|service interruption warning|unable to process payment|subscription payment failed|action needed now|update banking information|subscription expiration notice|payment method change)\b.*</div>')
+    or regex.icontains(body.html.raw, '<table width=\"700\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\" style=\"margin-bottom:10px; font-family:Arial, Helvetica, sans-serif; font-size:12px\">(?:\s*<tbody>)?\s*<tr>\s*<td>\s*.*\b(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|update your details|just update your|continue your subscription|prefer to use EFT|change payment method|verify your account|suspended due to issue|payment declined notice|account needs verification|confirm your billing|immediate action required|failed payment notification|billing information update|service interruption warning|unable to process payment|subscription payment failed|action needed now|update banking information|subscription expiration notice|payment method change)\b.*</td>')
+  )
+attack_types:
+  - "Callback Phishing"
+  - "Credential Phishing"
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Sender analysis"
+  - "Header analysis"
+id: "a23d0950-9117-5199-bc74-7192217b80ff"