Medium Severity
Link: QuickBooks image lure with suspicious link
Description
This rule detects messages with image attachments containing QuickBooks logo containing exactly 1 link to a suspicious URL.
References
No references.
Sublime Security
Created Nov 8th, 2023 • Last updated May 2nd, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and length(attachments) < 3
and any(attachments,
.file_type in $file_types_images
and any(ml.logo_detect(.).brands, .name == "Quickbooks")
)
and length(body.links) == 1
and (
// body text is very short
(
0 <= (length(body.current_thread.text)) < 10
or body.current_thread.text is null
)
or (
length(body.current_thread.text) < 1500
// or body is most likely all warning banner (text contains the sender and common warning banner language)
and (
regex.icontains(body.current_thread.text,
'caution|confidentiality notice|warning|disclaimer|permission'
)
)
)
)
// suspicious link
and any(body.links,
(
.href_url.domain.root_domain not in $tranco_1m
or .href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
or .href_url.domain.domain in $url_shorteners
or
// mass mailer link, masks the actual URL
.href_url.domain.root_domain in (
"hubspotlinks.com",
"mandrillapp.com",
"sendgrid.net",
"naylorcampaigns.com",
"rs6.net"
)
)
// exclude sources of potential FPs
and (
.href_url.domain.root_domain not in (
"svc.ms",
"sharepoint.com",
"1drv.ms",
"microsoft.com",
"aka.ms",
"msftauthimages.net",
"intuit.com",
"turbotax.com",
"intuit.ca"
)
or any(body.links, .href_url.domain.domain in $free_file_hosts)
)
and .href_url.domain.root_domain not in $org_domains
)
and sender.email.domain.root_domain not in~ (
'intuit.com',
'turbotax.com',
'intuit.ca'
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.