Medium Severity

Link: QuickBooks image lure with suspicious link

Labels

Credential Phishing
Impersonation: Brand
Social engineering
Computer Vision
File analysis
Optical Character Recognition
URL analysis

Description

This rule detects inbound messages that carry an image attachment containing the QuickBooks logo and whose body contains exactly one link, pointing to a suspicious URL.

References

No references.

Sublime Security
Created Nov 8th, 2023 • Last updated May 2nd, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(attachments) < 3
and any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, .name == "Quickbooks")
)
and length(body.links) == 1
and (
  // body text is very short
  (
    0 <= (length(body.current_thread.text)) < 10
    or body.current_thread.text is null
  )
  or (
    length(body.current_thread.text) < 1500
    // or body is most likely all warning banner (text contains the sender and common warning banner language)
    and (
      regex.icontains(body.current_thread.text,
                      'caution|confidentiality notice|warning|disclaimer|permission'
      )
    )
  )
)

// suspicious link
and any(body.links,
        (
          .href_url.domain.root_domain not in $tranco_1m
          or .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
          or .href_url.domain.domain in $url_shorteners
          or
          // mass mailer link, masks the actual URL
          .href_url.domain.root_domain in (
            "hubspotlinks.com",
            "mandrillapp.com",
            "sendgrid.net",
            "naylorcampaigns.com",
            "rs6.net"
          )
        )

        // exclude sources of potential FPs
        and (
          .href_url.domain.root_domain not in (
            "svc.ms",
            "sharepoint.com",
            "1drv.ms",
            "microsoft.com",
            "aka.ms",
            "msftauthimages.net",
            "intuit.com",
            "turbotax.com",
            "intuit.ca"
          )
          or any(body.links, .href_url.domain.domain in $free_file_hosts)
        )
        and .href_url.domain.root_domain not in $org_domains
)
and sender.email.domain.root_domain not in~ (
  'intuit.com',
  'turbotax.com',
  'intuit.ca'
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)