sublime | low | Rule
Spam: New job cold outreach from unsolicited sender
Detects unsolicited messages congratulating recipients on new jobs or roles that contain unsubscribe links, calendar booking links, or exhibit B2B cold outreach characteristics from senders who have not been previously contacted.
MITRE ATT&CK
Detection Query
type.inbound
// direct outreach to sender
and length(recipients.to) == 1
// talking about new job
and any([body.current_thread.text, subject.subject],
        regex.icontains(., 'congrat(?:ulation)?s on the new (?:job|gig|role)')
)
// body link to unsubscribe or to book time, otherwise use NLU on the body current thread
and (
  any(body.links,
      strings.icontains(.href_url.url, "unsubscribe")
      or strings.icontains(.href_url.url, "opt-out")
      or strings.icontains(.href_url.url, "preferences")
      or strings.icontains(.href_url.url, "calendar")
  )
  or any(ml.nlu_classifier(body.current_thread.text).topics,
         .name == "B2B Cold Outreach" and .confidence != "low"
  )
)
// not someone they have reached out to before
and not profile.by_sender().solicited
Data Sources
Email Messages
Email Headers
Email Attachments
Platforms
email
Raw Content
name: "Spam: New job cold outreach from unsolicited sender"
description: "Detects unsolicited messages congratulating recipients on new jobs or roles that contain unsubscribe links, calendar booking links, or exhibit B2B cold outreach characteristics from senders who have not been previously contacted."
type: "rule"
severity: "low"
source: |
  type.inbound
  // direct outreach to sender
  and length(recipients.to) == 1
  // talking about new job
  and any([body.current_thread.text, subject.subject],
          regex.icontains(., 'congrat(?:ulation)?s on the new (?:job|gig|role)')
  )
  // body link to unsubscribe or to book time, otherwise use NLU on the body current thread
  and (
    any(body.links,
        strings.icontains(.href_url.url, "unsubscribe")
        or strings.icontains(.href_url.url, "opt-out")
        or strings.icontains(.href_url.url, "preferences")
        or strings.icontains(.href_url.url, "calendar")
    )
    or any(ml.nlu_classifier(body.current_thread.text).topics,
           .name == "B2B Cold Outreach" and .confidence != "low"
    )
  )
  // not someone they have reached out to before
  and not profile.by_sender().solicited
attack_types:
  - "Spam"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "ec39b789-d0bc-5ccf-9e5b-1d2276fa7797"
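
An added example (not part of the Sublime rule or its tooling): a Python restatement of the rule's deterministic conditions, run over constructed messages, showing which cases the regex and link checks decide on their own and which are left to the NLU classifier branch. The `Message` class, the `evaluate` function and all sample messages are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Same pattern as the rule; regex.icontains is a case-insensitive search.
NEW_JOB = re.compile(r"congrat(?:ulation)?s on the new (?:job|gig|role)", re.IGNORECASE)
# Substrings the rule looks for in each link URL (strings.icontains).
LINK_KEYWORDS = ("unsubscribe", "opt-out", "preferences", "calendar")


@dataclass
class Message:  # hypothetical stand-in for the message fields the rule reads
    subject: str
    body: str
    to: list
    links: list = field(default_factory=list)
    inbound: bool = True
    solicited: bool = False  # stands in for profile.by_sender().solicited


def evaluate(msg: Message) -> str:
    """Return 'match', 'no_match', or 'needs_nlu' when only the NLU branch can decide."""
    if not msg.inbound or len(msg.to) != 1:
        return "no_match"
    if not any(NEW_JOB.search(text) for text in (msg.body, msg.subject)):
        return "no_match"
    if msg.solicited:
        return "no_match"
    if any(k in url.lower() for url in msg.links for k in LINK_KEYWORDS):
        return "match"
    return "needs_nlu"  # rule fires only if the "B2B Cold Outreach" topic is not low confidence


# Constructed sample messages (not real mail).
SAMPLES = {
    "unsubscribe_link": Message("Quick intro", "Congrats on the new role! We help teams like yours.",
                                ["a@corp.example"], ["https://mail.vendor.example/Unsubscribe?u=1"]),
    "calendar_subject_only": Message("Congratulations on the new job", "Grab 15 minutes with me.",
                                     ["a@corp.example"], ["https://booking.vendor.example/calendar/jane"]),
    "no_links": Message("Hello", "Congrats on the new gig, are you evaluating vendors?",
                        ["a@corp.example"]),
    "known_contact": Message("Hi", "Congrats on the new role!", ["a@corp.example"],
                             ["https://news.partner.example/preferences"], solicited=True),
    "two_recipients": Message("Hi", "Congrats on the new role!", ["a@corp.example", "b@corp.example"],
                              ["https://mail.vendor.example/opt-out"]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: {evaluate(msg)}")
```
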