Brand impersonation: QuickBooks dispute notification
Detects messages impersonating QuickBooks or Intuit that reference dispute notifications or resolutions, but originate from unauthorized domains that fail DMARC authentication.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | BEC/Fraud |
| Tactics and techniques | Impersonation: Brand |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| headers.auth_summary |
| sender |
| sender.email |
| subject |
| type |
Rule body MQL

```mql
type.inbound
and any([subject.base, sender.display_name],
        strings.icontains(., 'Quickbooks', 'Intuit')
)
and any([subject.base, sender.display_name, body.current_thread.text],
        regex.icontains(., 'Dispute\s+(?:Notification|Resolution)')
)
and not (
  sender.email.domain.root_domain in~ (
    'intuit.com',
    'turbotax.com',
    'intuit.ca',
    'meliopayments.com',
    'qemailserver.com',
    'intuit.co.uk',
    'quickbooksonline.com',
    'tsheets.com'
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
```
Detection logic
Scope: inbound message.
All of the following conditions must hold:
- the message is inbound (`type.inbound`)
- any of `subject.base` or `sender.display_name` contains either of 2 patterns (case-insensitive): `Quickbooks`, `Intuit`
- any of `subject.base`, `sender.display_name` or `body.current_thread.text` matches the regex `Dispute\s+(?:Notification|Resolution)` (case-insensitive)
- not all of:
  - `sender.email.domain.root_domain` in (`intuit.com`, `turbotax.com`, `intuit.ca`, `meliopayments.com`, `qemailserver.com`, `intuit.co.uk`, `quickbooksonline.com`, `tsheets.com`)
  - `coalesce(headers.auth_summary.dmarc.pass, false)`

Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.root_domain, subject.base, type.inbound. Sensors: regex.icontains, strings.icontains.
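To make the boundary cases of this logic concrete, the following Python re-implementation is an added example (not Sublime's code or the rule itself). It models each inspected attribute as a field on a constructed `Message`, uses a deliberately tiny stand-in for Sublime's `root_domain` (a real implementation consults the Public Suffix List), treats `subject` as already stripped of reply prefixes the way `subject.base` is, and runs six constructed messages through the rule. The sample names, domains and text are invented for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Allow-list copied from the rule body (legitimate Intuit/QuickBooks senders).
LEGIT_ROOT_DOMAINS = {
    "intuit.com", "turbotax.com", "intuit.ca", "meliopayments.com",
    "qemailserver.com", "intuit.co.uk", "quickbooksonline.com", "tsheets.com",
}
BRAND_TERMS = ("quickbooks", "intuit")          # strings.icontains targets
DISPUTE_RE = re.compile(r"Dispute\s+(?:Notification|Resolution)", re.IGNORECASE)

# Assumption: a minimal public-suffix table so that 'mail.intuit.co.uk'
# reduces to 'intuit.co.uk' the way Sublime's root_domain does.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}


def root_domain(domain: str) -> str:
    """Reduce a hostname to its registrable domain (toy version)."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass
class Message:
    inbound: bool                 # type.inbound
    subject: str                  # subject.base (prefixes already stripped)
    display_name: str             # sender.display_name
    sender_domain: str            # sender.email.domain
    body_text: str                # body.current_thread.text
    dmarc_pass: Optional[bool]    # headers.auth_summary.dmarc.pass; None = no result


def matches_rule(msg: Message) -> bool:
    """Return True when the message would trigger the rule."""
    if not msg.inbound:
        return False
    brand_hit = any(term in field.lower()
                    for field in (msg.subject, msg.display_name)
                    for term in BRAND_TERMS)
    if not brand_hit:
        return False
    dispute_hit = any(DISPUTE_RE.search(field)
                      for field in (msg.subject, msg.display_name, msg.body_text))
    if not dispute_hit:
        return False
    # coalesce(dmarc.pass, false): a missing DMARC result counts as a failure,
    # so even an allow-listed domain is flagged when authentication is absent.
    dmarc_ok = msg.dmarc_pass if msg.dmarc_pass is not None else False
    legitimate = root_domain(msg.sender_domain) in LEGIT_ROOT_DOMAINS and dmarc_ok
    return not legitimate


# Constructed sample messages covering the rule's edge cases.
SAMPLES: Dict[str, Message] = {
    "spoofed_intuit_dmarc_fail": Message(
        True, "Dispute Notification #4421", "Intuit QuickBooks",
        "intuit.com", "A customer has opened a dispute.", False),
    "legit_intuit_dmarc_pass": Message(
        True, "Dispute Notification #4421", "Intuit QuickBooks",
        "intuit.com", "A customer has opened a dispute.", True),
    "lookalike_domain_dmarc_pass": Message(
        True, "Your QuickBooks account", "Billing",
        "quickbooks-billing.example", "Dispute   resolution required today.", True),
    "legit_uk_subdomain_no_dmarc_result": Message(
        True, "Dispute Resolution update", "QuickBooks UK",
        "mail.intuit.co.uk", "Your dispute has been resolved.", None),
    "intuit_but_no_dispute_keyword": Message(
        True, "Your invoice is ready", "Intuit",
        "intuit.com", "Please review the attached invoice.", False),
    "outbound_message": Message(
        False, "Dispute Notification", "QuickBooks",
        "intuit.com", "Forwarding for review.", False),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run every constructed sample through the rule."""
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT ' if hit else 'clean '} {name}")
```

The fourth sample is the case worth noticing when tuning: a genuine `intuit.co.uk` sender whose message carries no DMARC result is still flagged, because `coalesce(dmarc.pass, false)` makes an absent result equivalent to a failure. That is the intended conservative behaviour of the rule, and it is where most benign hits will come from.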
Indicators matched (11)
| Field | Match | Value |
|---|---|---|
| strings.icontains | substring | Quickbooks |
| strings.icontains | substring | Intuit |
| regex.icontains | regex | Dispute\s+(?:Notification|Resolution) |
| sender.email.domain.root_domain | member | intuit.com |
| sender.email.domain.root_domain | member | turbotax.com |
| sender.email.domain.root_domain | member | intuit.ca |
| sender.email.domain.root_domain | member | meliopayments.com |
| sender.email.domain.root_domain | member | qemailserver.com |
| sender.email.domain.root_domain | member | intuit.co.uk |
| sender.email.domain.root_domain | member | quickbooksonline.com |
| sender.email.domain.root_domain | member | tsheets.com |