Job scam with specific salary pattern
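Detects job scam content that includes specific weekly salary mentions (e.g., '$XXX weekly' patterns) in either the current email thread or previous thread conversations, while excluding legitimate income verification services. The exclusion applies only when the sender's root domain is on the rule's allowlist and the message passes DMARC, so mail that merely spoofs an allowlisted domain is still evaluated.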
Sublime rule (View on GitHub)
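# Sublime Security detection rule: YAML metadata plus an MQL expression in `source`.
# Flags inbound mail that the NLU classifier labels as a job scam and that also
# quotes a three-digit weekly dollar amount, in the current thread or in a single
# previous thread. Allowlisted job / income-verification senders are excluded only
# when DMARC passes.
name: "Job scam with specific salary pattern"
description: "Detects job scam content that includes specific weekly salary mentions (e.g., '$XXX weekly' patterns) in either the current email thread or previous thread conversations, while excluding legitimate income verification services."
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    (
      // job scam in current thread: any "job_scam" intent whose confidence is not "low"
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("job_scam") and .confidence != "low"
      )
      // and salary mention in current thread
      // pattern 1: "$" + three digits + " weekly"
      // pattern 2: "weekly", up to four intervening words, then "$" + three digits
      //            followed by a non-digit OR the end of the text. The end-of-text
      //            alternative is needed because a body that stops right after the
      //            amount has no trailing character for [^\d] to consume.
      // NOTE(review): a comma counts as a non-digit, so "$500,000" still satisfies
      //               pattern 2 - confirm whether that is intended.
      and regex.icontains(body.current_thread.text,
                          '\$\d{3} weekly',
                          'weekly(?:\s+\w+){0,4}\s+\$\d{3}(?:[^\d]|$)'
      )
    )
    // job scam in previous thread: the classifier hit and the salary mention must
    // both occur in the same previous-thread entry
    or any(body.previous_threads,
           any(ml.nlu_classifier(.text).intents,
               .name in ("job_scam") and .confidence != "low"
           )
           // and salary mention in previous thread (same two patterns as above)
           and regex.icontains(.text,
                               '\$\d{3} weekly',
                               'weekly(?:\s+\w+){0,4}\s+\$\d{3}(?:[^\d]|$)'
           )
    )
  )
  // only messages with fewer than ten links in the current thread
  // NOTE(review): presumably this screens out link-heavy digests - confirm
  and length(body.current_thread.links) < 10

  // negating income / job verification senders
  // The domain match alone is not trusted: DMARC must also pass, so a message that
  // only spoofs one of these domains does not earn the exclusion.
  and not (
    sender.email.domain.root_domain in (
      'loandepot.com',
      'sofi.com',
      'lensa.com',
      'indeed.com',
      'ziprecruiter.com',
      'glassdoor.com',
      'postjobfree.com',
      'jobplacements.com'
    )
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Header analysis"
  - "Sender analysis"
id: "af7f9e21-54a1-5bba-a70d-e4d52a13eae3"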