Job scam (unsolicited sender)

 1name: "Job scam (unsolicited sender)"
 2description: |
 3    Detects job scam attempts by analyzing the message body text from an unsolicited sender.
 4type: "rule"
 5severity: "low"
 6source: |
 7  type.inbound
 8  and (
 9    any(ml.nlu_classifier(body.current_thread.text).intents,
10        .name in ("job_scam") and .confidence == "high"
11    )
12  )
13  and (
14    any(ml.nlu_classifier(body.current_thread.text).entities,
15        .name == "financial"
16    )
17    or strings.icontains(body.current_thread.text, "salary package")
18    or strings.icontains(body.current_thread.text, "kindly")
19    or (
20      (
21        any(ml.nlu_classifier(body.current_thread.text).entities,
22            .name in ("greeting", "salutation")
23        )
24        or sender.email.domain.root_domain in $free_email_providers
25      )
26      and (
27        (
28          length(recipients.to) == 0
29          or length(recipients.bcc) > 0
30          or (
31            all(recipients.to, .email.domain.valid == false)
32            and all(recipients.cc, .email.domain.valid == false)
33          )
34        )
35      )
36    )
37  )
38  // negating income / job verification senders
39  and not (
40    sender.email.domain.root_domain in ('loandepot.com', 'sofi.com')
41    and headers.auth_summary.dmarc.pass
42  )
43  and (
44    not profile.by_sender().solicited
45    or profile.by_sender().any_messages_malicious_or_spam
46  )
47  and not profile.by_sender().any_messages_benign  
48attack_types:
49  - "BEC/Fraud"
50tactics_and_techniques:
51  - "Social engineering"
52detection_methods:
53  - "Content analysis"
54  - "Header analysis"
55  - "Natural Language Understanding"
56  - "Sender analysis"
57id: "a37dc32d-33a4-5097-a585-ff6c345d0ecc"