EXPLORE
Sign In
← Back to Explore
sublimelowRule

Job scam (unsolicited sender)

Detects job scam attempts by analyzing the message body text from an unsolicited sender.

MITRE ATT&CK

T1566.002T1534T1656T1566T1598
initial-access

Detection Query

type.inbound
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name in ("job_scam") and .confidence == "high"
  )
)
and (
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "financial"
  )
  or strings.icontains(body.current_thread.text, "salary package")
  or strings.icontains(body.current_thread.text, "kindly")
  or (
    (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name in ("greeting", "salutation")
      )
      or sender.email.domain.root_domain in $free_email_providers
    )
    and (
      (
        length(recipients.to) == 0
        or length(recipients.bcc) > 0
        or (
          all(recipients.to, .email.domain.valid == false)
          and all(recipients.cc, .email.domain.valid == false)
        )
      )
    )
  )
)
// negating income / job verification senders
and not (
  sender.email.domain.root_domain in ('loandepot.com', 'sofi.com')
  and headers.auth_summary.dmarc.pass
)
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Job scam (unsolicited sender)"
description: |
  Detects job scam attempts by analyzing the message body text from an unsolicited sender.
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("job_scam") and .confidence == "high"
    )
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "financial"
    )
    or strings.icontains(body.current_thread.text, "salary package")
    or strings.icontains(body.current_thread.text, "kindly")
    or (
      (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name in ("greeting", "salutation")
        )
        or sender.email.domain.root_domain in $free_email_providers
      )
      and (
        (
          length(recipients.to) == 0
          or length(recipients.bcc) > 0
          or (
            all(recipients.to, .email.domain.valid == false)
            and all(recipients.cc, .email.domain.valid == false)
          )
        )
      )
    )
  )
  // negating income / job verification senders
  and not (
    sender.email.domain.root_domain in ('loandepot.com', 'sofi.com')
    and headers.auth_summary.dmarc.pass
  )
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_messages_benign
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "a37dc32d-33a4-5097-a585-ff6c345d0ecc"