diff --git a/detection-rules/link_quickbooks_image_lure_suspicious_link.yml b/detection-rules/link_quickbooks_image_lure_suspicious_link.yml
new file mode 100644
index 00000000000..26254fee409
--- /dev/null
+++ b/detection-rules/link_quickbooks_image_lure_suspicious_link.yml
@@ -0,0 +1,94 @@
+name: "Link: QuickBooks image lure with suspicious link"
+description: "This rule detects messages with image attachments containing QuickBooks logo containing exactly 1 link to a suspicious URL. "
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(attachments) < 3
+  and any(attachments,
+          .file_type in $file_types_images
+          and any(ml.logo_detect(.).brands, .name == "Quickbooks")
+  )
+  and length(body.links) == 1
+  and (
+    // body text is very short
+    (
+      0 <= (length(body.current_thread.text)) < 10
+      or body.current_thread.text is null
+    )
+    or (
+      length(body.current_thread.text) < 900
+      // or body is most likely all warning banner (text contains the sender and common warning banner language)
+      and (
+        regex.icontains(body.current_thread.text,
+                        'caution|confidentiality notice|warning'
+        )
+      )
+    )
+  )
+  
+  // suspicious link
+  and any(body.links,
+          (
+            .href_url.domain.root_domain not in $tranco_1m
+            or .href_url.domain.domain in $free_file_hosts
+            or .href_url.domain.root_domain in $free_subdomain_hosts
+            or .href_url.domain.domain in $url_shorteners
+            or 
+  
+            // mass mailer link, masks the actual URL
+            .href_url.domain.root_domain in (
+              "hubspotlinks.com",
+              "mandrillapp.com",
+              "sendgrid.net",
+              "rs6.net"
+            )
+          )
+  
+          // exclude sources of potential FPs
+          and (
+            .href_url.domain.root_domain not in (
+              "svc.ms",
+              "sharepoint.com",
+              "1drv.ms",
+              "microsoft.com",
+              "aka.ms",
+              "msftauthimages.net",
+              "intuit.com",
+              "turbotax.com",
+              "intuit.ca"
+            )
+            or any(body.links, .href_url.domain.domain in $free_file_hosts)
+          )
+          and .href_url.domain.root_domain not in $org_domains
+  )
+  and sender.email.domain.root_domain not in~ (
+    'intuit.com',
+    'turbotax.com',
+    'intuit.ca'
+  )
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+            strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Computer Vision"
+  - "File analysis"
+  - "Optical Character Recognition"
+  - "URL analysis"
+id: "3826a923-865e-5d87-82e4-0c1f8434efc0"