Recruitee Infrastructure Abuse

Identifies inbound messages from Recruitee domains containing recruitment-related topics and application links, where the sender has limited prior history. The URLs in these messages either point to recently registered domains or appear as standalone links with application-focused text.

Sublime rule (View on GitHub)

# Sublime detection rule. Every clause in `source` is AND-ed: inbound mail from the
# recruitee.com root domain, a recruiting/promotional ML topic, at least one
# "apply"/"submit"-style link that is either newly registered or the message's only
# link, and a sender address with little or no prior history and no recorded false
# positives.
name: "Recruitee Infrastructure Abuse"
description: "Identifies inbound messages from Recruitee domains containing recruitment-related topics and application links, where the sender has limited prior history. The URLs in these messages either point to recently registered domains or appear as standalone links with application-focused text."
type: "rule"
severity: "high"
source: |
  type.inbound
  // Match on the registrable domain so per-tenant subdomains (*.recruitee.com) are
  // covered. NOTE(review): no sender-authentication result is consulted here, so a
  // message that merely claims a recruitee.com From: domain satisfies this clause
  // as well as one genuinely sent through Recruitee — confirm whether auth failures
  // are already handled by a separate rule or should be folded in here.
  and sender.email.domain.root_domain == "recruitee.com"
  // Topic classification of the current thread text must contain one of the two
  // recruiting-adjacent topics at better-than-"low" confidence.
  and any(beta.ml_topic(body.current_thread.text).topics,
          .name in (
            "Advertising and Promotions",
            "Professional and Career Development"
          )
          and .confidence != "low"
  )
  // A link qualifies when its domain was registered fewer than 30 days ago OR it is
  // the only link in the body; in either case its visible text must contain
  // "apply" or "submit" (case-insensitive). NOTE(review): the single-link branch
  // never inspects the destination, so a lone "Apply" link to a long-lived domain
  // still passes — the sender-history clauses below are what keep that from firing
  // on routine Recruitee traffic.
  and any(body.links,
          (
            network.whois(.href_url.domain).days_old < 30
            or length(body.links) == 1
          )
          and regex.icontains(.display_text, "apply|submit")
  )
  // use sender email, not domain, to ensure new *.recruitee.com addresses are correctly identified
  // Sender address must be first-seen ("new") or rarely seen ("outlier"), and must
  // not have any prior message marked as a false positive.
  and profile.by_sender_email().prevalence in ("new", "outlier")
  and not profile.by_sender_email().any_false_positives  

# Classification metadata used for triage and reporting; it does not affect matching.
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
# Stable rule identifier.
id: "31cab83d-f279-5db4-a0e5-c81a6e6e3d68"