Skip to content

Update impersonation_quickbooks.yml #3697

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
MSAdministrator wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update impersonation_quickbooks.yml #3697

MSAdministrator wants to merge 1 commit into from
+16 −9

Conversation

@MSAdministrator
Copy link
Member

@MSAdministrator MSAdministrator commented Dec 17, 2025

Description

Adding logic to detect if it comes from a sender and dmarc/spf/dkim fail then we need to know.

Associated samples

Associated hunts

@MSAdministrator MSAdministrator requested a review from a team as a code owner December 17, 2025 21:27
@github-actions github-actions bot added the in-test-rules PR is in our testing suite to collect telemetry label Dec 17, 2025
github-actions bot added a commit that referenced this pull request Dec 17, 2025
@github-actions
[PR #3697] added rule: Brand impersonation: Quickbooks
ddf1abf
@MSAdministrator MSAdministrator self-assigned this Dec 23, 2025
@MSAdministrator MSAdministrator added the review-needed Indicates that a PR is waiting for review label Dec 23, 2025
zoomequipd
zoomequipd requested changes Dec 24, 2025
View reviewed changes
detection-rules/impersonation_quickbooks.yml
Comment on lines +72 to 88
and (
sender.email.domain.root_domain not in~ (
'intuit.com',
'turbotax.com',
'intuit.ca',
'meliopayments.com',
'qemailserver.com',
'intuit.co.uk',
'quickbooksonline.com',
'tsheets.com'
)
or (
not headers.auth_summary.spf.pass
or not headers.auth_summary.dmarc.pass
or not 'fail' in~ distinct(map(headers.hops, .authentication_results.dkim))
)
)
Copy link
Member

@zoomequipd zoomequipd Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this might be better handled in a more standard way

and not (
  sender.email.domain.root_domain in~ (
    'intuit.com',
    'turbotax.com',
    'intuit.ca',
    'meliopayments.com',
    'qemailserver.com',
    'intuit.co.uk',
    'quickbooksonline.com',
    'tsheets.com'
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

@zoomequipd zoomequipd removed the review-needed Indicates that a PR is waiting for review label Dec 24, 2025
@zoomequipd
Copy link
Member

zoomequipd commented Dec 24, 2025

removing the review-neeeded label until feedback addressed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zoomequipd zoomequipd zoomequipd requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@MSAdministrator MSAdministrator

Labels

in-test-rules PR is in our testing suite to collect telemetry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MSAdministrator @zoomequipd