
Summary
This detection rule identifies brand impersonation attacks that target the TurboTax service from Intuit, which are especially prevalent during tax season in the first quarter of the year. The rule inspects inbound email and flags a message as a TurboTax impersonation when the sender's display name contains the term 'turbotax', is within a small Levenshtein (edit) distance of 'turbotax', or when the sender's email domain resembles 'turbotax'. To avoid flagging authentic mail, the rule also requires that the sender's domain is not one of the legitimate domains associated with TurboTax or Intuit. The goal is to catch credential phishing that relies on convincing recipients they are corresponding with the trusted TurboTax brand.
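The sender checks described above, as an added Python example that is not the detection rule's own implementation. The allow-list of legitimate domains, the edit-distance threshold of 2, the tokenisation of the display name and domain label, and the sample From headers are all assumptions constructed for illustration; the page does not reproduce the rule's real allow-list or threshold.

```python
import re
from email.utils import parseaddr

# Added example, not the detection rule's own code. The allow-list, the
# edit-distance threshold and the sample headers below are assumptions.
BRAND = "turbotax"
LEGITIMATE_DOMAINS = ("intuit.com", "turbotax.com")  # assumed allow-list
MAX_DISTANCE = 2  # assumed similarity threshold, in single-character edits


def levenshtein(a: str, b: str) -> int:
    """Edit distance with single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def is_legitimate_domain(domain: str) -> bool:
    """True for an allow-listed domain or any subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == legit or d.endswith("." + legit) for legit in LEGITIMATE_DOMAINS)


def display_name_reason(display_name: str):
    """Brand string (whitespace/punctuation collapsed) or a near-miss token."""
    lowered = display_name.lower()
    if BRAND in re.sub(r"[^a-z0-9]", "", lowered):      # "Turbo Tax" -> "turbotax"
        return "display name contains brand"
    for token in re.findall(r"[a-z0-9]+", lowered):
        if levenshtein(token, BRAND) <= MAX_DISTANCE:
            return f"display name token {token!r} within {MAX_DISTANCE} edits of brand"
    return None


def domain_reason(domain: str):
    """Same checks on the registrable label of the sender domain.

    Takes the second-to-last label as the registrable part; a real deployment
    should consult a public-suffix list so that 'example.co.uk' is handled."""
    labels = domain.lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if BRAND in sld.replace("-", ""):
        return "sender domain contains brand"
    for token in sld.split("-"):
        if levenshtein(token, BRAND) <= MAX_DISTANCE:
            return f"sender domain label {token!r} within {MAX_DISTANCE} edits of brand"
    return None


def classify(from_header: str):
    """Return (flagged, reason) for one RFC 5322 From header value."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return (False, "no sender domain")
    domain = address.rsplit("@", 1)[1].lower()
    if is_legitimate_domain(domain):          # authentic senders are excluded
        return (False, "legitimate domain")
    reason = display_name_reason(display_name) or domain_reason(domain)
    return (reason is not None, reason)


# Constructed sample From headers for illustration; none are real messages.
SAMPLE_FROM_HEADERS = [
    "TurboTax <noreply@intuit.com>",                          # allow-listed
    "Intuit Alerts <no-reply@mail.intuit.com>",               # allow-listed subdomain
    "TurboTax Refund Team <billing@turb0tax-refunds.com>",    # brand in display name
    "Turbo Tax Support <support@example.net>",                # brand split by a space
    "TurboTex Billing <alerts@example.net>",                  # one edit from brand
    "Account Services <alerts@tubrotax.com>",                 # transposed domain label
    "Jane Doe <jane@example.org>",                            # unrelated sender
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        flagged, reason = classify(header)
        print(f"{'FLAG' if flagged else 'pass'}  {header:<55} {reason}")
```

Two caveats a practitioner would want before deploying logic like this. First, the allow-list exclusion only means something if the sender domain has been authenticated (SPF/DKIM with a DMARC pass): an attacker who can forge `From: TurboTax <noreply@intuit.com>` against a domain without enforced authentication is excluded by this check, not caught by it. Second, the string comparison above runs on ASCII labels, so an internationalised look-alike domain (encoded as an `xn--` label on the wire) would not match and needs a separate homoglyph check.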
Categories
- Identity Management
- Web
- Cloud
- Endpoint
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2021-02-19