Brand impersonation: Google Careers
Detects messages impersonating Google Careers or job opportunities in multiple languages that contain links to domains other than Google's legitimate domains, from senders not authenticated as Google.
Sublime rule
name: "Brand impersonation: Google Careers"
description: "Detects messages impersonating Google Careers or job opportunities in multiple languages that contain links to domains other than Google's legitimate domains, from senders not authenticated as Google."
type: "rule"
severity: "high"
source: |
  type.inbound
  // Body mentions Google Careers in English or a localized spelling (icontains is case-insensitive)
  and (
    strings.icontains(body.current_thread.text, 'Google Careers')
    or strings.icontains(body.current_thread.text, 'GoogleCareers')
    // Spanish
    or strings.icontains(body.current_thread.text, 'Google Carreras')
    or strings.icontains(body.current_thread.text, 'GoogleCarreras')
    // German, Norwegian
    or strings.icontains(body.current_thread.text, 'Google Karriere')
    or strings.icontains(body.current_thread.text, 'GoogleKarriere')
    // Swedish
    or strings.icontains(body.current_thread.text, 'Google Karriär')
    or strings.icontains(body.current_thread.text, 'GoogleKarriär')
    // Dutch
    or strings.icontains(body.current_thread.text, 'Google Carrières')
    or strings.icontains(body.current_thread.text, 'GoogleCarrières')
    // Turkish
    or strings.icontains(body.current_thread.text, 'Google Kariyer')
    or strings.icontains(body.current_thread.text, 'GoogleKariyer')
  )
  // No link in the message resolves to a Google root domain
  and not any(body.links, .href_url.domain.root_domain in ("google.com", "c.gle"))
  // Exclude genuine Google mail: sender at google.com with a DMARC pass
  and not (
    sender.email.domain.root_domain in ("google.com")
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "cf2d97ad-1866-57a5-a098-fe875d59e46e"
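
The rule's conditions re-expressed in Python and run against constructed messages, as an added example for tuning and triage; it is not Sublime's code or part of the rule. Assumptions: `root_domain` approximates the registrable domain with the last two labels, `casefold()` stands in for `strings.icontains`, and the message dicts and `.example` domains are hypothetical.

```python
from urllib.parse import urlsplit

# Keywords copied from the rule; matching is case-insensitive like icontains.
KEYWORDS = [
    "Google Careers", "GoogleCareers", "Google Carreras", "GoogleCarreras",
    "Google Karriere", "GoogleKarriere", "Google Karriär", "GoogleKarriär",
    "Google Carrières", "GoogleCarrières", "Google Kariyer", "GoogleKariyer",
]
GOOGLE_LINK_ROOTS = {"google.com", "c.gle"}

def root_domain(host):
    # Assumption: last two labels approximate the registrable domain.
    # A production implementation would consult the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def matches_rule(msg):
    """msg is a constructed dict: inbound, body, links, sender, dmarc_pass."""
    body = msg["body"].casefold()
    mentions_brand = any(k.casefold() in body for k in KEYWORDS)
    links_to_google = any(
        root_domain(urlsplit(u).hostname or "") in GOOGLE_LINK_ROOTS
        for u in msg["links"]
    )
    sender_root = root_domain(msg["sender"].rsplit("@", 1)[-1])
    authenticated_google = sender_root == "google.com" and msg["dmarc_pass"]
    return (msg["inbound"] and mentions_brand
            and not links_to_google and not authenticated_google)

# Constructed sample messages (not real mail).
SAMPLES = {
    "lookalike_link": dict(
        inbound=True, body="Apply via GOOGLE CAREERS today",
        links=["https://google-careers.example/apply"],
        sender="recruiter@hiring.example", dmarc_pass=True),
    "spoofed_sender_dmarc_fail": dict(
        inbound=True, body="Google Karriär: ny roll",
        links=["https://jobs.example/g"],
        sender="careers@google.com", dmarc_pass=False),
    "genuine_google": dict(
        inbound=True, body="Your Google Careers application",
        links=["https://careers.google.com/jobs"],
        sender="noreply@google.com", dmarc_pass=True),
    "no_links": dict(
        inbound=True, body="GoogleKariyer fırsatı", links=[],
        sender="hr@hiring.example", dmarc_pass=True),
}

def evaluate_samples():
    return {name: matches_rule(m) for name, m in SAMPLES.items()}
```

The `no_links` case matches because the link condition is a negated `any`, which is also true when the message carries no links at all.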