
Summary
Technical summary: This rule detects inbound messages that impersonate QuickBooks or Intuit and claim to be dispute notifications or dispute resolutions, but originate from unauthorized domains that fail DMARC authentication. It activates when the message shows QuickBooks/Intuit indicators in the subject or the sender display name and references “Dispute Notification” or “Dispute Resolution” in the subject or body. It excludes messages from a set of whitelisted domains (intuit.com, turbotax.com, intuit.ca, meliopayments.com, qemailserver.com, intuit.co.uk, quickbooksonline.com, tsheets.com) if DMARC authentication passes. A match signals a potential brand impersonation/BEC attempt and is rated high severity. The rule relies on content analysis (brand terms and dispute-phrase matching), sender/domain evaluation, and DMARC header verification to determine legitimacy.
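The logic described above, as an added Python sketch over constructed sample messages; it is not the rule's own source. The message field names, the subdomain matching, and the reliance on an Authentication-Results header written by the receiving gateway are assumptions.

```python
import re

# Trusted sender domains, copied from the rule summary above.
TRUSTED = {"intuit.com", "turbotax.com", "intuit.ca", "meliopayments.com",
           "qemailserver.com", "intuit.co.uk", "quickbooksonline.com", "tsheets.com"}
BRAND = re.compile(r"quickbooks|intuit", re.I)
DISPUTE = re.compile(r"dispute\s+(?:notification|resolution)", re.I)
DMARC = re.compile(r"\bdmarc=(\w+)", re.I)

def trusted_sender(msg):
    """True only when the From domain is on the list AND DMARC passed."""
    domain = msg["from_addr"].rsplit("@", 1)[-1].lower().rstrip(".")
    # Assumption: a subdomain of a listed domain counts as that domain.
    listed = any(domain == d or domain.endswith("." + d) for d in TRUSTED)
    # Assumption: auth_results was stamped by our own receiving gateway,
    # not copied from a header the sender supplied.
    m = DMARC.search(msg["auth_results"])
    return listed and m is not None and m.group(1).lower() == "pass"

def is_impersonation(msg):
    """Brand indicator + dispute phrase, from a sender that is not trusted."""
    brand = BRAND.search(msg["subject"]) or BRAND.search(msg["display_name"])
    dispute = DISPUTE.search(msg["subject"]) or DISPUTE.search(msg["body"])
    return bool(brand and dispute) and not trusted_sender(msg)

def make(display_name, from_addr, subject, body, auth_results):
    return dict(display_name=display_name, from_addr=from_addr,
                subject=subject, body=body, auth_results=auth_results)

# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit": make("QuickBooks", "quickbooks@notification.intuit.com",
                  "QuickBooks Dispute Notification", "A dispute was opened.",
                  "mx.example.net; dmarc=pass header.from=intuit.com"),
    "spoofed_from": make("Intuit QuickBooks", "no-reply@intuit.com",
                         "Dispute Notification for invoice 1042", "Review now.",
                         "mx.example.net; spf=fail; dmarc=fail header.from=intuit.com"),
    "lookalike": make("QuickBooks Support", "billing@intuit-disputes.example",
                      "Action required", "Your Dispute Resolution is pending.",
                      "mx.example.net; dmarc=pass header.from=intuit-disputes.example"),
    "no_dispute": make("QuickBooks", "news@vendor.example",
                       "Your monthly statement", "Thanks for your payment.",
                       "mx.example.net; dmarc=pass header.from=vendor.example"),
}

def verdicts():
    return {name: is_impersonation(m) for name, m in SAMPLES.items()}
```

The lookalike case shows why a DMARC pass alone does not clear a message: the domain must also be on the trusted list.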
Categories
- Endpoint
- Network
Data Sources
- Domain Name
- Process
Created: 2026-06-11