
Link: QuickBooks image lure with suspicious link

Sublime Rules

Summary
This detection rule identifies email messages that potentially host phishing attempts using images associated with the QuickBooks brand. The detection focuses on email attachments that contain the QuickBooks logo and include a single link directing to an undesirable URL. Several conditions are applied to restrict false positives: the email must have fewer than three attachments, and its body text must not be lengthy (it is either very short or consists mainly of warning-banner language). The link must not point to a reputable domain and must pass specific checks against known free file hosts and URL shorteners. Additionally, the sender's email address is checked against trusted QuickBooks domains and high-trust domains: the message either fails DMARC authentication or does not originate from a trusted source. Overall, this rule aims to catch credential phishing attempts that rely on visually deceptive email tactics.
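The conditions above expressed as a Python predicate over a constructed message record, as an added illustration that is not the rule's own MQL source; the field names, the length threshold, the banner phrases and the domain lists are assumptions chosen for the demo.

```python
"""Added example: the rule's false-positive controls as one predicate."""
from dataclasses import dataclass, field

# Constructed stand-ins for the rule's reputation lists (assumed values).
TRUSTED_QUICKBOOKS_DOMAINS = {"intuit.com", "quickbooks.com"}
HIGH_TRUST_DOMAINS = {"microsoft.com", "google.com"}
REPUTABLE_LINK_DOMAINS = {"intuit.com", "quickbooks.com"}
FREE_FILE_HOSTS = {"drive.google.com", "dropbox.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com"}
WARNING_BANNER_PHRASES = ("external sender", "do not click links")

@dataclass
class Attachment:
    brands_detected: set   # stands in for logo-detection output
    link_domains: list     # root domains of links found in the attachment

@dataclass
class Email:
    sender_domain: str
    dmarc_pass: bool
    body_text: str
    attachments: list = field(default_factory=list)

def body_is_short_or_banner_only(text: str, max_len: int = 200) -> bool:
    """True when the body is short, or short once banner language is removed."""
    stripped = text.strip().lower()
    if len(stripped) < max_len:
        return True
    for phrase in WARNING_BANNER_PHRASES:
        stripped = stripped.replace(phrase, "")
    return len(stripped.strip()) < max_len

def link_is_suspicious(domain: str) -> bool:
    """Not reputable, and not a free file host or shortener (covered elsewhere)."""
    return domain not in REPUTABLE_LINK_DOMAINS | FREE_FILE_HOSTS | URL_SHORTENERS

def sender_untrusted(email: Email) -> bool:
    """Either not a trusted sending domain, or a trusted one that fails DMARC."""
    trusted = TRUSTED_QUICKBOOKS_DOMAINS | HIGH_TRUST_DOMAINS
    return email.sender_domain not in trusted or not email.dmarc_pass

def matches_quickbooks_lure(email: Email) -> bool:
    if len(email.attachments) >= 3:
        return False
    if not body_is_short_or_banner_only(email.body_text):
        return False
    if not sender_untrusted(email):
        return False
    # Exactly one link in a QuickBooks-branded attachment, pointing somewhere bad.
    return any(
        "quickbooks" in a.brands_detected and len(a.link_domains) == 1
        and link_is_suspicious(a.link_domains[0])
        for a in email.attachments
    )

# Constructed samples: an image lure and a legitimate branded notification.
LURE = Email("invoice-notify.example", False, "",
             [Attachment({"quickbooks"}, ["view-invoice.example"])])
LEGIT = Email("intuit.com", True, "Your invoice is attached. " * 20,
              [Attachment({"quickbooks"}, ["quickbooks.com"])])
```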
Categories
  • Web
  • Endpoint
  • Cloud
Data Sources
  • Image
  • Web Credential
  • Network Traffic
  • Application Log
Created: 2023-11-08