Medium Severity
Brand impersonation: Quickbooks
Description
Impersonation of the Quickbooks service from Intuit.
References
No references.
Sublime Security
Created Nov 4th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and (
(
strings.ilike(sender.display_name, 'quickbook*')
or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
or strings.ilike(sender.email.domain.domain, '*quickbooks*')
)
or strings.ilike(body.current_thread.text, "*invoice*")
)
and (
any(ml.logo_detect(beta.message_screenshot()).brands,
.name == "Quickbooks" and .confidence in ("medium", "high")
)
// contains the address and copyright
or (
strings.icontains(body.current_thread.text,
'2800 E. Commerce Center Place, Tucson, AZ 85706'
)
and regex.icontains(body.current_thread.text, '©\s*(?:\d+)\s*Intuit')
)
or strings.icontains(body.current_thread.text, 'Powered by QuickBooks')
or strings.icontains(body.current_thread.text,
'QuickBooks and Intuit are trademarks of Intuit Inc.'
)
// phone number and update language
or (
regex.icontains(body.current_thread.text,
'\b\+?(\d{1}.)?\(?\d{3}?\)?.~?.?\d{3}.?~?.\d{4}\b'
)
and any(beta.ml_topic(body.current_thread.text).topics,
.name == "Software and App Updates"
)
// we need to re-check for QB indicators, otherwise we can have "*invoice*"
// and this block, which is much more than just QB impersonation
and (
strings.ilike(sender.display_name, '*quickbooks*')
or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
or strings.ilike(sender.email.domain.domain, '*quickbooks*')
)
)
)
and sender.email.domain.root_domain not in~ (
'intuit.com',
'turbotax.com',
'intuit.ca',
'meliopayments.com',
'qemailserver.com',
'intuit.co.uk',
'quickbooksonline.com',
'tsheets.com'
)
and (
not profile.by_sender().any_messages_benign
and not profile.by_sender().solicited
)
// links in body are not known QB domains or the senders root website (both indicative of a legitimate QuickBooks invoice message)
and (
length(filter(body.links,
.href_url.domain.root_domain in~ (
'intuit.com',
'turbotax.com',
'intuit.ca',
'meliopayments.com',
'qemailserver.com',
'intuit.co.uk',
'quickbooksonline.com'
)
or (
.href_url.domain.root_domain == sender.email.domain.root_domain
and (.href_url.path is null or .href_url.path == "/")
)
// handle links to the root website when the sender uses a freemail address to send invoices
or (
.href_url.domain.sld == sender.email.local_part
and (.href_url.path is null or .href_url.path == "/")
and sender.email.domain.root_domain in $free_email_providers
)
)
) != length(body.links)
// or no valid links
or length(filter(body.links, .href_url.domain.domain is not null)) == 0
)
// the call to action link does not lead to inuit
and not (
// filter down to observed call to action display text
any(filter(body.links,
.display_text in~ (
"view and pay",
"review and pay",
"view details"
)
),
// benign/legit href_url details for those links
(
// sendgrid rewritten links
.href_url.domain.domain == "links.notification.intuit.com"
// CTA link
or (
.href_url.domain.domain == "connect.intuit.com"
and strings.icontains(.href_url.query_params, 'cta=viewinvoicenow')
)
// Mimecast links
or (
.href_url.domain.root_domain == "mimecastprotect.com"
and (
strings.icontains(.href_url.query_params,
'domain=links.notification.intuit.com'
)
or strings.icontains(.href_url.query_params,
'domain=connect.intuit.com'
)
)
)
)
)
)
// negate common sender of quickbooks reseller
and not strings.icontains(body.current_thread.text, 'Purchasing Reviews, Inc')
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.