Brand impersonation: Google Careers
Detects messages impersonating Google Careers or job opportunities in multiple languages that contain links to domains other than Google's legitimate domains, from senders not authenticated as Google.
Detection Query
type.inbound
and (
  strings.icontains(body.current_thread.text, 'Google Careers')
  or strings.icontains(body.current_thread.text, 'GoogleCareers')
  // Spanish
  or strings.icontains(body.current_thread.text, 'Google Carreras')
  or strings.icontains(body.current_thread.text, 'GoogleCarreras')
  // German / Norwegian
  or strings.icontains(body.current_thread.text, 'Google Karriere')
  or strings.icontains(body.current_thread.text, 'GoogleKarriere')
  // Swedish
  or strings.icontains(body.current_thread.text, 'Google Karriär')
  or strings.icontains(body.current_thread.text, 'GoogleKarriär')
  // Dutch
  or strings.icontains(body.current_thread.text, 'Google Carrières')
  or strings.icontains(body.current_thread.text, 'GoogleCarrières')
  // Turkish
  or strings.icontains(body.current_thread.text, 'Google Kariyer')
  or strings.icontains(body.current_thread.text, 'GoogleKariyer')
  // The screenshot OCR captures "google careers" or the Google logo
  or (
    sender.email.domain.root_domain == "salesforce.com"
    and (
      regex.icontains(beta.ocr(file.message_screenshot()).text,
                      "google careers"
      )
      or any(ml.logo_detect(file.message_screenshot()).brands,
             strings.starts_with(.name, "Google")
      )
    )
  )
)
and not any(body.links, .href_url.domain.root_domain in ("google.com", "c.gle"))
and not (
  sender.email.domain.root_domain in ("google.com", "sublimesecurity.com")
  and headers.auth_summary.dmarc.pass
)
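The rule above combines three checks: a brand-keyword (or screenshot) hit, no link back to a legitimate Google domain, and no DMARC-authenticated Google sender. To make the logic concrete, here is an added Python re-implementation of that decision flow run over a handful of constructed sample messages. It is not Sublime's code and not part of the rule: the `Message` dataclass, the field names, and the sample messages are assumptions, the OCR and logo-detection results are supplied as plain inputs rather than computed, and `root_domain` uses a two-label simplification instead of the public suffix list.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Phrases copied from the rule above; matched case-insensitively like strings.icontains.
BRAND_PHRASES = [
    "Google Careers", "GoogleCareers",        # English
    "Google Carreras", "GoogleCarreras",      # Spanish
    "Google Karriere", "GoogleKarriere",      # German / Norwegian
    "Google Karriär", "GoogleKarriär",        # Swedish
    "Google Carrières", "GoogleCarrières",    # Dutch
    "Google Kariyer", "GoogleKariyer",        # Turkish
]
LEGIT_LINK_DOMAINS = {"google.com", "c.gle"}
TRUSTED_SENDER_DOMAINS = {"google.com", "sublimesecurity.com"}


@dataclass
class Message:
    """Hypothetical flattened view of the message fields the rule consults."""
    inbound: bool
    body_text: str            # body.current_thread.text
    sender_domain: str        # sender.email.domain
    link_domains: List[str]   # hostnames of body.links[*].href_url
    dmarc_pass: bool          # headers.auth_summary.dmarc.pass
    screenshot_text: str = ""               # stands in for beta.ocr(...).text
    logo_brands: List[str] = field(default_factory=list)  # stands in for ml.logo_detect(...).brands


def root_domain(host: str) -> str:
    # Simplification (assumption): last two labels. A real implementation
    # must consult the public suffix list (e.g. "example.co.uk").
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def mentions_google_careers(msg: Message) -> bool:
    text = msg.body_text.casefold()
    return any(p.casefold() in text for p in BRAND_PHRASES)


def screenshot_branch(msg: Message) -> bool:
    # Mirrors the salesforce.com sub-clause: OCR text or a detected Google logo.
    if root_domain(msg.sender_domain) != "salesforce.com":
        return False
    ocr_hit = re.search(r"google careers", msg.screenshot_text, re.IGNORECASE) is not None
    logo_hit = any(b.startswith("Google") for b in msg.logo_brands)
    return ocr_hit or logo_hit


def links_to_google(msg: Message) -> bool:
    # "not any(body.links, ...)": a single legitimate Google link suppresses the rule.
    return any(root_domain(d) in LEGIT_LINK_DOMAINS for d in msg.link_domains)


def authenticated_google_sender(msg: Message) -> bool:
    return root_domain(msg.sender_domain) in TRUSTED_SENDER_DOMAINS and msg.dmarc_pass


def rule_matches(msg: Message) -> bool:
    if not msg.inbound:
        return False
    if not (mentions_google_careers(msg) or screenshot_branch(msg)):
        return False
    if links_to_google(msg):
        return False
    if authenticated_google_sender(msg):
        return False
    return True


# Constructed sample messages (not real traffic).
SAMPLES: Dict[str, Message] = {
    "phish": Message(True, "Apply now via Google Careers before Friday!",
                     "hr-google-jobs.example", ["careers-google.example"], False),
    "legit_google": Message(True, "Thanks for applying to Google Careers.",
                            "google.com", ["careers.google.com"], True),
    "newsletter_links_google": Message(True, "Google Karriere is hiring.",
                                       "news.example.org", ["www.google.com", "tracker.example.org"], False),
    "salesforce_screenshot": Message(True, "Your application",
                                     "mail.salesforce.com", ["cdn.example.net"], True,
                                     screenshot_text="GOOGLE CAREERS"),
    "outbound": Message(False, "Google Careers", "corp.example", ["evil.example"], False),
}


def evaluate(samples: Dict[str, Message]) -> Dict[str, bool]:
    return {name: rule_matches(m) for name, m in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLES).items():
        print(f"{name:>24}: {'MATCH' if hit else 'no match'}")
```

Two things worth noticing in the samples: the newsletter is suppressed solely because one of its links resolves to google.com, so a lure that embeds a real Google link alongside its phishing link would also be suppressed, and the Salesforce-originated screenshot case matches even with DMARC passing, because salesforce.com is not in the trusted-sender set.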
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Google Careers"
description: "Detects messages impersonating Google Careers or job opportunities in multiple languages that contain links to domains other than Google's legitimate domains, from senders not authenticated as Google."
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    strings.icontains(body.current_thread.text, 'Google Careers')
    or strings.icontains(body.current_thread.text, 'GoogleCareers')
    // Spanish
    or strings.icontains(body.current_thread.text, 'Google Carreras')
    or strings.icontains(body.current_thread.text, 'GoogleCarreras')
    // German / Norwegian
    or strings.icontains(body.current_thread.text, 'Google Karriere')
    or strings.icontains(body.current_thread.text, 'GoogleKarriere')
    // Swedish
    or strings.icontains(body.current_thread.text, 'Google Karriär')
    or strings.icontains(body.current_thread.text, 'GoogleKarriär')
    // Dutch
    or strings.icontains(body.current_thread.text, 'Google Carrières')
    or strings.icontains(body.current_thread.text, 'GoogleCarrières')
    // Turkish
    or strings.icontains(body.current_thread.text, 'Google Kariyer')
    or strings.icontains(body.current_thread.text, 'GoogleKariyer')
    // The screenshot OCR captures "google careers" or the Google logo
    or (
      sender.email.domain.root_domain == "salesforce.com"
      and (
        regex.icontains(beta.ocr(file.message_screenshot()).text,
                        "google careers"
        )
        or any(ml.logo_detect(file.message_screenshot()).brands,
               strings.starts_with(.name, "Google")
        )
      )
    )
  )
  and not any(body.links, .href_url.domain.root_domain in ("google.com", "c.gle"))
  and not (
    sender.email.domain.root_domain in ("google.com", "sublimesecurity.com")
    and headers.auth_summary.dmarc.pass
  )
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Sender analysis"
- "URL analysis"
id: "cf2d97ad-1866-57a5-a098-fe875d59e46e"