type.inbound
and (
  (
    strings.ilike(sender.display_name, 'quickbook*')
    or strings.like(sender.display_name, "QB-*")
    or strings.ilike(sender.display_name, 'intuit*')
    or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
    or strings.ilike(sender.email.domain.domain, '*quickbook*')
    or (
      length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                    strings.icontains(.text, "quickbooks")
             )
      ) > 2
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "cred_theft"
      )
    )
  )
  or strings.ilike(body.current_thread.text, "*invoice*")
)
and (
  any(ml.logo_detect(file.message_screenshot()).brands,
      .name == "Quickbooks" and .confidence in ("medium", "high")
  )
  // contains the address and copyright 
  or (
    strings.icontains(body.current_thread.text,
                      '2800 E. Commerce Center Place, Tucson, AZ 85706'
    )
    and regex.icontains(body.current_thread.text, '©\s*(?:\d+)\s*Intuit')
  )
  or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
  or strings.icontains(body.current_thread.text,
                       'QuickBooks and Intuit are trademarks of Intuit Inc.'
  )
  or strings.icontains(body.current_thread.text, "QuickBooks Cloud Services")
  // phone number and update language
  or (
    regex.icontains(body.current_thread.text,
                    '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                    '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
    )
    and any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in ("Software and App Updates", "Security and Authentication")
    )

    // we need to re-check for QB indicators, otherwise we can have "*invoice*"
    // and this block, which is much more than just QB impersonation
    and (
      strings.ilike(sender.display_name, 'quickbook*')
      or strings.like(sender.display_name, "QB-*")
      or strings.ilike(sender.display_name, 'intuit*')
      or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
      or strings.ilike(sender.email.domain.domain, '*quickbook*')
      or (
        length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                      strings.icontains(.text, "quickbooks")
               )
        ) > 2
        and any(ml.nlu_classifier(body.current_thread.text).intents,
                .name == "cred_theft"
        )
      )
    )
  )
)
and sender.email.domain.root_domain not in~ (
  'intuit.com',
  'turbotax.com',
  'intuit.ca',
  'meliopayments.com',
  'qemailserver.com',
  'intuit.co.uk',
  'quickbooksonline.com',
  'tsheets.com'
)
and (
  not profile.by_sender().any_messages_benign
  and not profile.by_sender().solicited
)
// links in body are not known QB domains or the senders root website (both indicative of a legitimate QuickBooks invoice message)
and (
  length(filter(body.links,
                .href_url.domain.root_domain in~ (
                  'intuit.com',
                  'turbotax.com',
                  'intuit.ca',
                  'meliopayments.com',
                  'qemailserver.com',
                  'intuit.co.uk',
                  'quickbooksonline.com'
                )
                or (
                  .href_url.domain.root_domain == sender.email.domain.root_domain
                  and (.href_url.path is null or .href_url.path == "/")
                )
                // handle links to the root website when the sender uses a freemail address to send invoices
                or (
                  .href_url.domain.sld == sender.email.local_part
                  and (.href_url.path is null or .href_url.path == "/")
                  and sender.email.domain.root_domain in $free_email_providers
                )
         )
  ) != length(body.links)
  // or no valid links
  or length(filter(body.links, .href_url.domain.domain is not null)) == 0
)
// the call to action link does not lead to inuit
and not (
  // filter down to observed call to action display text
  any(filter(body.links,
             .display_text in~ (
               "view and pay",
               "review and pay",
               "view details"
             )
      ),
      // benign/legit href_url details for those links
      (
        // sendgrid rewritten links
        .href_url.domain.domain == "links.notification.intuit.com"
        // CTA link
        or (
          .href_url.domain.domain == "connect.intuit.com"
          and strings.icontains(.href_url.query_params, 'cta=viewinvoicenow')
        )
        // Mimecast links 
        or (
          .href_url.domain.root_domain == "mimecastprotect.com"
          and (
            strings.icontains(.href_url.query_params,
                              'domain=links.notification.intuit.com'
            )
            or strings.icontains(.href_url.query_params,
                                 'domain=connect.intuit.com'
            )
          )
        )
      )
  )
)
// negate common sender of quickbooks reseller
and not strings.icontains(body.current_thread.text, 'Purchasing Reviews, Inc')
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started

Brand impersonation: Quickbooks

Labels

Description

References

Playground

Share

Get Started. Today.