Low Severity

Brand impersonation: TurboTax

Labels

Credential Phishing
Impersonation: Brand
Lookalike domain
Social engineering
Sender analysis

Description

Impersonation of Intuit's TurboTax service in the sender display name or sender domain. Most commonly seen around US tax season (Q1).

References

Sublime Security
Created Aug 17th, 2023 • Last updated Jun 12th, 2025
Feed Source
Sublime Core Feed
Source
GitHub

type.inbound
and (
  strings.ilike(sender.display_name, '*turbotax*')
  or (
    strings.ilevenshtein(sender.display_name, 'turbotax') <= 1
    // negates FP for company called TurboTan
    and not (
      sender.display_name == "TurboTan"
      and sender.email.domain.root_domain == "brevosend.com"
      and headers.auth_summary.spf.pass
    )
  )
  or strings.ilike(sender.email.domain.domain, '*turbotax*')
)
and sender.email.domain.root_domain not in (
  'intuit.com',
  'turbotax.com',
  'intuit.ca',
  'truist.com' // Truist partners with Intuit to provide discounts
)
and sender.email.email not in $recipient_emails

// negates the Qualtrics survey service used by TurboTax
and not (
  sender.email.domain.root_domain in ('qemailserver.com')
  and headers.auth_summary.spf.pass
  and any(body.links,
          .href_url.domain.root_domain in ("qualtrics.com", "intuit.com")
  )
)
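The rule above is written in Sublime's MQL and only runs inside that engine. The following Python is an added example, not Sublime's code, that re-implements the same predicate so the three carve-outs (the TurboTan display name, the allow-listed root domains and the authenticated Qualtrics survey sender) can be exercised against constructed messages. The `Message` fields, the simplified two-label root-domain extraction (MQL resolves `root_domain` against the public suffix list) and the sample messages are assumptions made for illustration; `$recipient_emails` is modelled as a per-message list of the organisation's own addresses.

```python
"""Added example: plain-Python port of the TurboTax brand impersonation rule.
Not Sublime's code. Message fields, root_domain() and SAMPLES are assumptions."""

from dataclasses import dataclass, field


@dataclass
class Message:
    # Hypothetical flattened view of the MQL fields the rule reads.
    display_name: str
    sender_email: str
    spf_pass: bool = False                       # headers.auth_summary.spf.pass
    link_domains: list = field(default_factory=list)      # body.links[].href_url.domain.root_domain
    recipient_emails: list = field(default_factory=list)  # $recipient_emails


def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance (insert/delete/substitute), like strings.ilevenshtein."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def root_domain(email: str) -> str:
    """Assumption: registrable domain approximated as the last two labels."""
    domain = email.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])


def ilike_contains(value: str, needle: str) -> bool:
    """Case-insensitive '*needle*' glob, the only strings.ilike pattern the rule uses."""
    return needle.lower() in value.lower()


# The rule's allow-list of senders that may legitimately carry the brand.
LEGIT_ROOT_DOMAINS = {"intuit.com", "turbotax.com", "intuit.ca", "truist.com"}


def is_turbotax_impersonation(msg: Message) -> bool:
    """True when the rule would fire on this (assumed inbound) message."""
    name = msg.display_name
    root = root_domain(msg.sender_email)
    sender_domain = msg.sender_email.rsplit("@", 1)[-1].lower()

    # TurboTan is one edit away from TurboTax; exempt it only when it mails
    # from its own provider with passing SPF, so a spoof of the name still fires.
    turbotan_fp = name == "TurboTan" and root == "brevosend.com" and msg.spf_pass

    brand_match = (
        ilike_contains(name, "turbotax")
        or (ilevenshtein(name, "turbotax") <= 1 and not turbotan_fp)
        or ilike_contains(sender_domain, "turbotax")
    )
    if not brand_match:
        return False
    if root in LEGIT_ROOT_DOMAINS:
        return False
    if msg.sender_email.lower() in (r.lower() for r in msg.recipient_emails):
        return False

    # Qualtrics survey mail sent on TurboTax's behalf: SPF-authenticated and
    # linking only to the expected survey/brand domains.
    survey_fp = (
        root == "qemailserver.com"
        and msg.spf_pass
        and any(d in ("qualtrics.com", "intuit.com") for d in msg.link_domains)
    )
    return not survey_fp


# Constructed sample messages (not real traffic) covering each branch.
SAMPLES = [
    Message("TurboTax Support", "refunds@turbotax-secure-login.example",
            link_domains=["turbotax-secure-login.example"]),       # lookalike domain
    Message("TurboTax", "noreply@intuit.com", spf_pass=True),       # real brand
    Message("Turb0Tax", "billing@mail.example"),                    # edit distance 1
    Message("TurboTan", "hello@brevosend.com", spf_pass=True),      # known FP
    Message("TurboTan", "hello@brevosend.com", spf_pass=False),     # FP carve-out needs SPF
    Message("TurboTax", "survey@qemailserver.com", spf_pass=True,
            link_domains=["qualtrics.com"]),                        # survey service
    Message("TurboTax", "survey@qemailserver.com", spf_pass=True,
            link_domains=["evil.example"]),                         # survey sender, wrong links
]


def run_samples() -> list:
    """Evaluate every sample; returns [(display_name, sender, fired), ...]."""
    return [(m.display_name, m.sender_email, is_turbotax_impersonation(m)) for m in SAMPLES]


if __name__ == "__main__":
    for name, sender, fired in run_samples():
        print(f"{'ALERT ' if fired else 'pass  '} {name!r:20} {sender}")
```

The two TurboTan samples show why the carve-out requires SPF to pass: without that condition an attacker could send "TurboTan" from any domain and slip under the edit-distance check, and the same reasoning applies to the `qemailserver.com` exemption, which is tied to both SPF and the link destinations.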