• Sublime Core Feed
Medium Severity

Service abuse: QuickBooks notification from new domain

Labels

Callback Phishing
Credential Phishing
BEC/Fraud
Evasion
Social engineering
Content analysis
Sender analysis
Header analysis

Description

This Attack Surface Reduction (ASR) rule matches on QuickBooks notifications with recently registered reply-to domains.

References

No references.

Sublime Security
Created Dec 16th, 2024 • Last updated Jan 12th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound

// Legitimate Intuit sending infratructure
and sender.email.email == "quickbooks@notification.intuit.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
and strings.ends_with(headers.auth_summary.spf.details.designator,
                      '.intuit.com'
)

// remove payment confirmation messages
and not strings.starts_with(subject.subject, 'Payment confirmation:')

// the message needs to have a reply-to address
and length(headers.reply_to) > 0

// 
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
// 

// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited

// do not match if the reply_to address has been observed as a reply_to address
// of a message that has been classified as benign
and not beta.profile.by_reply_to().any_messages_benign

// new reply-to
and any(headers.reply_to, network.whois(.email.domain).days_old < 30)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started