• Sublime Core Feed
Medium Severity

Brand impersonation: QuickBooks notification from Intuit themed company name

Description

This detection rule matches on QuickBooks notifications that feature company names impersonating Intuit and QuickBooks.

References

No references.

Sublime Security
Created Dec 16th, 2024 • Last updated Aug 5th, 2025
Source
type.inbound

// Legitimate Intuit sending infrastructure
and sender.email.email == "quickbooks@notification.intuit.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
and strings.ends_with(headers.auth_summary.spf.details.designator,
                      '.intuit.com'
)
and (
  // the Reply-To is Intuit-themed but not rooted at Intuit
  any(headers.reply_to,
      (
        strings.icontains(.email.email, 'intuit')
        or strings.icontains(.email.domain.domain, 'quickbooks')
      )
      and not (.email.domain.root_domain in ('intuit.com', 'quickbooks.com'))
  )
  // the "company" part of the message
  or regex.icontains(body.html.raw,
                     '<(?:div|p) class="company(?:Name|Details)[^\"]*\"[^\>]*\>[^\<]*(?:Intuit|Quickbooks).*</(?:p|div)>'
  )
)
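The same logic as a standalone Python check over a raw message, added here as an illustration and not part of Sublime's rule or MQL: the MQL fields (auth_summary, root_domain, body.html.raw) are approximated with stdlib header parsing, and the sample message, the domain intuit-support-desk.example and the Authentication-Results line are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample, not a real notification: authenticated as Intuit infrastructure,
# Intuit-themed Reply-To on an unrelated domain, Intuit-themed company block in the body.
SAMPLE_EML = """\
From: QuickBooks <quickbooks@notification.intuit.com>
Reply-To: Intuit Billing <billing@intuit-support-desk.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=notification.intuit.com; dmarc=pass header.from=intuit.com
Subject: Invoice 1042 from Intuit Quickbooks
Content-Type: text/html

<html><body><div class="companyName">Intuit Quickbooks Support</div><p>See attached.</p></body></html>
"""

LEGIT_ROOTS = ("intuit.com", "quickbooks.com")
# The rule's regex.icontains pattern, in Python re syntax.
COMPANY_RE = re.compile(
    r'<(?:div|p) class="company(?:Name|Details)[^"]*"[^>]*>[^<]*(?:Intuit|Quickbooks).*</(?:p|div)>',
    re.IGNORECASE,
)

def root_domain(domain):
    # Naive stand-in for MQL's PSL-aware .root_domain: keep the last two labels.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def authenticated_intuit(msg):
    # Sender is the QuickBooks notification address, SPF and DMARC pass, and the
    # SPF designator (read here from Authentication-Results) ends with .intuit.com.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    spf = re.search(r"spf=pass[^;]*smtp\.mailfrom=([^\s;]+)", auth)
    return (sender == "quickbooks@notification.intuit.com"
            and spf is not None and spf.group(1).endswith(".intuit.com")
            and "dmarc=pass" in auth)

def reply_to_is_themed(msg):
    # Any Reply-To mentioning intuit/quickbooks whose root domain is not Intuit's.
    for _, addr in getaddresses(msg.get_all("Reply-To", [])):
        domain = addr.lower().rpartition("@")[2]
        themed = "intuit" in addr.lower() or "quickbooks" in domain
        if domain and themed and root_domain(domain) not in LEGIT_ROOTS:
            return True
    return False

def matches_rule(raw_eml):
    msg = message_from_string(raw_eml)
    if not authenticated_intuit(msg):
        return False
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    return reply_to_is_themed(msg) or COMPANY_RE.search(body) is not None
```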