BEC/Fraud: Job scam fake thread or plaintext pivot to freemail
Detects potential job scams using plaintext or fake threads attempting to pivot to a freemail address from an unsolicited sender.
# Sublime Security detection rule: YAML metadata plus an MQL expression in `source`.
name: "BEC/Fraud: Job scam fake thread or plaintext pivot to freemail"
description: "Detects potential job scams using plaintext or fake threads attempting to pivot to a freemail address from an unsolicited sender."
type: "rule"
severity: "medium"
source: |
  // Inbound message whose current-thread text carries a greeting/salutation
  // entity according to the NLU classifier (the lure is addressed to the reader).
  type.inbound
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name in ("greeting", "salutation")
  )

  // most likely to occur in plain text
  and (
    body.html.raw is null
    or

    // HTML is not null but fake thread: the subject is marked as a reply/forward
    // while the message shows no evidence of a real prior message (no References,
    // no In-Reply-To header, and no In-Reply-To field on any hop).
    // NOTE(review): this branch relies on `and` binding tighter than `or`; explicit
    // parentheses around the two `and`ed terms would make the grouping unambiguous.
    (subject.is_reply or subject.is_forward)
    and (
      (length(headers.references) == 0 and headers.in_reply_to is null)
      or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // Job-offer content: either at least three of the lexical indicators below,
  // or a single high-confidence career topic sent to undisclosed recipients.
  and (
    3 of (
      any([subject.subject, body.current_thread.text],
          regex.icontains(., '(full|part).time')
      ),
      strings.ilike(body.current_thread.text, '*job*'),
      regex.icontains(body.current_thread.text, '\bHR\b'),
      strings.ilike(body.current_thread.text, '*manager*'),
      strings.ilike(body.current_thread.text, '*commission*'),
      strings.ilike(body.current_thread.text, '*hourly*'),
      strings.ilike(body.current_thread.text, '*per hour*'),
      strings.ilike(body.current_thread.text, '*prior experience*'),
      strings.ilike(body.current_thread.text, '*company rep*'),
      strings.ilike(body.current_thread.text, "100% legal")
    )
    or (
      // exactly one NLU topic, and it is career-related at high confidence
      length(ml.nlu_classifier(body.current_thread.text).topics) == 1
      and any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Professional and Career Development"
              and .confidence == "high"
      )
      // no To: recipients, or all of them are an "Undisclosed recipients" placeholder
      // (`?` is a single-character wildcard, so a space or hyphen separator both match)
      and (
        length(recipients.to) == 0
        or all(recipients.to, strings.ilike(.display_name, "Undisclosed?recipients"))
      )
    )
  )

  // all attachments are images or there's no attachments
  and (
    (
      length(attachments) > 0
      and all(attachments, .file_type in $file_types_images)
    )
    or length(attachments) == 0
  )

  // there's an email in the body and it's a freemail
  // (candidate addresses are pulled out of the thread text by regex; the lure
  // asks the reader to continue out of band at a freemail address)
  and any(regex.extract(body.current_thread.text,
                        "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
          ),
          strings.parse_email(.full_match).domain.domain in $free_email_providers
          or strings.parse_email(.full_match).domain.root_domain in $free_email_providers
  )

  // and that email doesn't match the sender domain
  // NOTE(review): the check below does not look at the extracted address at all.
  // It compares the root domain of every body link against the sender's full
  // domain (root_domain vs domain, not like-for-like), and on a message with no
  // links all() is presumably vacuously true, so plaintext lures satisfy this
  // clause by default. Confirm whether the intent was to compare the extracted
  // address's domain against the sender's root domain.
  and (
    all(body.links, .href_url.domain.root_domain != sender.email.domain.domain)
    or sender.email.domain.root_domain in $free_email_providers
  )
  // Sender reputation: unsolicited with no benign history, or previously
  // flagged as malicious/spam.
  and (
    (
      not profile.by_sender().solicited
      and not profile.by_sender().any_messages_benign
    )
    or profile.by_sender().any_messages_malicious_or_spam
  )
  // NOTE(review): redundant for the first branch above (which already requires
  // it) but not a no-op overall: it narrows the malicious/spam branch to senders
  // with no benign history as well.
  and not profile.by_sender().any_messages_benign

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Out of band pivot"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Natural Language Understanding"
id: "ce21c151-90c2-5573-b19e-3dcbcfc0a195"