Link: Job recruitment lure from unsolicited sender with suspicious hosting
Message from an unsolicited sender contains job-recruitment language and links to suspicious hosting services (free file hosts, subdomain hosts, or URL shorteners).
1name: "Link: Job recruitment lure from unsolicited sender with suspicious hosting"
2description: "Message contains job recruitment language with links to suspicious hosting services including free file hosts, subdomain hosts, or URL shorteners from an unsolicited sender."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 // commonly observed abused senders
8 and sender.email.domain.root_domain in (
9 'hireology.com',
10 'appsheet.com',
11 'welcomekit.co',
12 'xero.com',
13 'workforce.com',
14 'eventbrite.com',
15 'tiscali.it',
16 'on24event.com',
17 'talexio.com',
18 'easy.jobs',
19 'suitzzedash.com',
20 'awsapps.com',
21 'beehiiv.com'
22 )
23 and regex.icontains(sender.display_name, 'careers|jobs')
24 and (
25 any(body.links,
26 (
27 // domain contains brand, but root domain is not legit brand domain
28 regex.icontains(.href_url.domain.domain,
29 '(?:ferrari|tesla|vuitton|red[ -]?bull|nike|robert[ -]?half|adidas|coca[ -]?cola|instagram|spotify|reebok|marriott|starbucks|whatsapp|ledger|uber|ikea|canva|bbdo|mango)'
30 )
31 and not regex.icontains(.href_url.domain.root_domain,
32 '(?:spotify|instagram|ferarri|tesla|nike|adidas|louisvuitton|redbull|roberthalf|coca-cola|reebok|marriott|starbucks|whatsapp|ledger|uber|ikea|canva|bbdo|mango)\.com'
33 )
34 )
35 and not regex.icontains(.display_text, 'unsubscribe')
36 )
37 or (
38 regex.icontains(subject.base,
39 '(?:ferrari|tesla|vuitton|red.?bull|nike|robert[ _-]?half|adidas|coca[ _-]?cola|instagram|spotify|reebok|marriott|starbucks|whatsapp|ray[ _-]ban|meta talent|executive talent|talent acquisition|ledger|\buber\b|\bikea\b|canva|bbdo|mango)'
40 )
41 or regex.icontains(sender.display_name,
42 '(?:ferrari|tesla|vuitton|red.?bull|nike|robert[ _-]?half|adidas|coca[ _-]?cola|instagram|spotify|reebok|marriott|starbucks|whatsapp|ray[ _-]ban|meta talent|executive talent|talent acquisition|ledger|\buber\b|\bikea\b|canva|bbdo|mango)'
43 )
44 or regex.icontains(body.current_thread.text,
45 '\b(?:ferrari|tesla|vuitton|red.?bull|nike|robert[ _-]?half|adidas|coca[ _-]?cola|spotify|reebok|marriott|starbucks|whatsapp|ray[ _-]ban|meta talent|executive talent|talent acquisition|ledger|uber|ikea|canva|bbdo|mango)\b'
46 )
47 or regex.icontains(sender.display_name,
48 '^[a-z-]+\s*\|\s*(?:Careers|Recruitment|hiring talent|talent connect|talents recruitment$)'
49 )
50 or regex.icontains(sender.display_name, '\bIG\b.*(?:Recruitment|Strategy)')
51 )
52 )
53 and not regex.icontains(body.current_thread.text,
54 '\b(?:facebook|copyright|llp|legal|vip|representative|case details|summit|training|conference|apartments|live\s*stream|masterclass|tickets|b2b networking|RSVP|discover more events|Marketing e Eventos|workshop|register here|vip|delivery date)\b'
55 )
56
57attack_types:
58 - "Credential Phishing"
59tactics_and_techniques:
60 - "Social engineering"
61detection_methods:
62 - "Content analysis"
63 - "Sender analysis"
64 - "URL analysis"
65id: "0d9ea49e-6393-51ee-97e8-e8efb8cebda0"