Brand impersonation: Google Careers

Detects messages impersonating Google Careers or job opportunities in multiple languages that contain links to domains other than Google's legitimate domains, from senders not authenticated as Google.

Sublime rule (View on GitHub)

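 # Sublime detection rule (YAML metadata with an MQL expression under `source`).
 # The listing is reproduced without the page's fused gutter line numbers so that
 # it parses as YAML; the detection logic itself is unchanged.
 name: "Brand impersonation: Google Careers"
 description: "Detects messages impersonating Google Careers or job opportunities in multiple languages that contain links to domains other than Google's legitimate domains, from senders not authenticated as Google."
 type: "rule"
 severity: "high"
 source: |
   type.inbound
   // Brand phrase in the current thread text, matched case-insensitively,
   // in both spaced and unspaced spellings for each language.
   and (
     strings.icontains(body.current_thread.text, 'Google Careers')
     or strings.icontains(body.current_thread.text, 'GoogleCareers')
     // Spanish
     or strings.icontains(body.current_thread.text, 'Google Carreras')
     or strings.icontains(body.current_thread.text, 'GoogleCarreras')
     // German / Norwegian
     or strings.icontains(body.current_thread.text, 'Google Karriere')
     or strings.icontains(body.current_thread.text, 'GoogleKarriere')
     // Swedish
     or strings.icontains(body.current_thread.text, 'Google Karriär')
     or strings.icontains(body.current_thread.text, 'GoogleKarriär')
     // French / Dutch
     or strings.icontains(body.current_thread.text, 'Google Carrières')
     or strings.icontains(body.current_thread.text, 'GoogleCarrières')
     // Turkish
     or strings.icontains(body.current_thread.text, 'Google Kariyer')
     or strings.icontains(body.current_thread.text, 'GoogleKariyer')
   )
   // NOTE(review): this clause is true only when NO link in the body has an
   // allowlisted root domain. A message that mixes a single allowlisted link
   // with links to other domains is therefore not matched, and a message with
   // no links at all is matched. Neither agrees with the description ("contain
   // links to domains other than Google's legitimate domains"). Evaluate the
   // following form against historical mail for false positives before
   // switching to it:
   //   and any(body.links, .href_url.domain.root_domain not in ("google.com", "c.gle"))
   and not any(body.links, .href_url.domain.root_domain in ("google.com", "c.gle"))
   // Exclude genuine Google mail. The sender's root domain is only trusted when
   // DMARC also passes, because the From domain on its own can be forged.
   and not (
     sender.email.domain.root_domain in ("google.com")
     and headers.auth_summary.dmarc.pass
   )
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques:
   - "Impersonation: Brand"
   - "Social engineering"
 detection_methods:
   - "Content analysis"
   - "Header analysis"
   - "Sender analysis"
   - "URL analysis"
 id: "cf2d97ad-1866-57a5-a098-fe875d59e46e"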