• Sublime Core Feed
Medium Severity

Link: Intuit link abuse with file share context

Labels

Credential Phishing
Impersonation: Brand
Social engineering
URL analysis
Natural Language Understanding
Content analysis
Header analysis

Description

Detects messages linking to Intuit notification domains from non-Intuit senders, combined with credential harvesting language and file sharing themes

References

No references.

Sublime Security
Created Jun 27th, 2025 • Last updated Jan 12th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// look for links to links.notification.intuit.com but the sender is not from quickbooks/intuit
and any(body.links, .href_url.domain.domain == "links.notification.intuit.com")
and sender.email.domain.root_domain not in ("quickbooks.com", "intuit.com")
// check to see if it is classified as cred_theft
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("cred_theft") and .confidence != "low"
)
and length(body.current_thread.text) < 1750
// check to see if the topic is File Sharing & Cloud Services
and any(beta.ml_topic(body.current_thread.text).topics,
        .name == "File Sharing and Cloud Services" and .confidence != "low"
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started