detection.wiki

Detection rules › Sublime MQL

Brand impersonation: TurboTax

Severity
low
Type
rule
Source
github.com/sublime-security/sublime-rules

Impersonation of the TurboTax service from Intuit. Most commonly seen around US tax season (Q1).

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesCredential Phishing
Tactics and techniquesImpersonation: Brand, Lookalike domain, Social engineering

Event coverage

Message attribute
body
body.links (collection)
headers.auth_summary
sender
sender.email
type

Rule body MQL

type.inbound
and (
  strings.ilike(sender.display_name, '*turbotax*')
  or (
    strings.ilevenshtein(sender.display_name, 'turbotax') <= 1
    // negates FP for company called TurboTan
    and not (
      sender.display_name == "TurboTan"
      and sender.email.domain.root_domain == "brevosend.com"
      and headers.auth_summary.spf.pass
    )
  )
  or strings.ilike(sender.email.domain.domain, '*turbotax*')
)
and sender.email.domain.root_domain not in (
  'intuit.com',
  'turbotax.com',
  'intuit.ca',
  'truist.com' // Truist partners with Intuit to provide discounts
)
and sender.email.email not in $recipient_emails

// negates survery service used by TurboTax
and not (
  sender.email.domain.root_domain in ('qemailserver.com')
  and headers.auth_summary.spf.pass
  and any(body.links,
          .href_url.domain.root_domain in ("qualtrics.com", "intuit.com")
  )
)

Detection logic

Scope: inbound message.

Impersonation of the TurboTax service from Intuit. Most commonly seen around US tax season (Q1).

  1. inbound message
  2. any of:
    • sender.display_name matches '*turbotax*'
    • all of:
      • sender.display_name is similar to 'turbotax'
      • not:
        • all of:
          • sender.display_name is 'TurboTan'
          • sender.email.domain.root_domain is 'brevosend.com'
          • headers.auth_summary.spf.pass
    • sender.email.domain.domain matches '*turbotax*'
  3. sender.email.domain.root_domain not in ('intuit.com', 'turbotax.com', 'intuit.ca', 'truist.com')
  4. sender.email.email not in $recipient_emails
  5. not:
    • all of:
      • sender.email.domain.root_domain in ('qemailserver.com')
      • headers.auth_summary.spf.pass
      • any of body.links where:
        • .href_url.domain.root_domain in ('qualtrics.com', 'intuit.com')

Inspects: body.links, body.links[].href_url.domain.root_domain, headers.auth_summary.spf.pass, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, sender.email.email, type.inbound. Sensors: strings.ilevenshtein, strings.ilike. Reference lists: $recipient_emails.

Indicators matched (11)

FieldMatchValue
strings.ilikesubstring*turbotax*
strings.ilevenshteinfuzzyturbotax
sender.display_nameequalsTurboTan
sender.email.domain.root_domainequalsbrevosend.com
sender.email.domain.root_domainmemberintuit.com
sender.email.domain.root_domainmemberturbotax.com
sender.email.domain.root_domainmemberintuit.ca
sender.email.domain.root_domainmembertruist.com
sender.email.domain.root_domainmemberqemailserver.com
body.links[].href_url.domain.root_domainmemberqualtrics.com
body.links[].href_url.domain.root_domainmemberintuit.com