Brand impersonation: Google Careers

Detects messages impersonating Google Careers or job opportunities in multiple languages that contain links to domains other than Google's legitimate domains, from senders not authenticated as Google.

Sublime rule

name: "Brand impersonation: Google Careers"
description: "Detects messages impersonating Google Careers or job opportunities in multiple languages that contain links to domains other than Google's legitimate domains, from senders not authenticated as Google."
type: "rule"
severity: "high"
# Detection logic is MQL; comments inside the block scalar use MQL's `//` syntax.
source: |
  // Scope: inbound mail only. The brand-name match below is the primary
  // signal; the two trailing `and not` clauses are the exclusions.
  type.inbound
  and (
    // English
    strings.icontains(body.current_thread.text, 'Google Careers')
    or strings.icontains(body.current_thread.text, 'GoogleCareers')
    // Spanish
    or strings.icontains(body.current_thread.text, 'Google Carreras')
    or strings.icontains(body.current_thread.text, 'GoogleCarreras')
    // German Norwegian
    or strings.icontains(body.current_thread.text, 'Google Karriere')
    or strings.icontains(body.current_thread.text, 'GoogleKarriere')
    // Swedish
    or strings.icontains(body.current_thread.text, 'Google Karriär')
    or strings.icontains(body.current_thread.text, 'GoogleKarriär')
    // Dutch
    or strings.icontains(body.current_thread.text, 'Google Carrières')
    or strings.icontains(body.current_thread.text, 'GoogleCarrières')
    // Turkish
    or strings.icontains(body.current_thread.text, 'Google Kariyer')
    or strings.icontains(body.current_thread.text, 'GoogleKariyer')
    // The screenshot OCR captures google careers or the google logo
    // NOTE(review): this branch is gated on the sender root domain being
    // salesforce.com, so OCR/logo detection never runs for other senders.
    // Presumably this reflects an observed campaign source — confirm the
    // intent before widening or narrowing it.
    or (
      sender.email.domain.root_domain == "salesforce.com"
      and (
        regex.icontains(beta.ocr(file.message_screenshot()).text,
                        "google careers"
        )
        or any(ml.logo_detect(file.message_screenshot()).brands,
               strings.starts_with(.name, "Google")
        )
      )
    )
  )
  // Exclusion 1: suppress when ANY link resolves to google.com or c.gle.
  // NOTE(review): this is broader than the description states. A message
  // with no links at all satisfies this clause (`any` over an empty list is
  // false), and a message that mixes one google.com link with an off-brand
  // link is suppressed entirely. If the intent is "has a link to a
  // non-Google domain", an `any(... not in ...)` form would match the
  // description more closely — confirm which behaviour is desired.
  and not any(body.links, .href_url.domain.root_domain in ("google.com", "c.gle"))
  // Exclusion 2: legitimate Google mail must both originate from the
  // google.com root domain AND pass DMARC; either condition alone does not
  // suppress the rule.
  // NOTE(review): `in ("google.com")` is a single-element tuple — verify the
  // parser accepts it as a list rather than a bare string comparison.
  and not (
    sender.email.domain.root_domain in ("google.com")
    and headers.auth_summary.dmarc.pass
  )  
# Classification metadata used by the rule feed; not evaluated at match time.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "cf2d97ad-1866-57a5-a098-fe875d59e46e"