Scam soliciting employer review/rating

Detects scam content that impersonates employer review/rating platforms (e.g., Glassdoor, Indeed, Comparably, Great Place to Work) and solicits the recipient to review or rate their employer, while excluding legitimate review/rating platform senders.

Sublime rule (View on GitHub)

# Sublime Security detection rule. The MQL in `source` is a single conjunction:
# every top-level `and` clause must hold for a message to match.
name: "Scam soliciting employer review/rating"
description: "Detects scam content that impersonates employer review/rating platforms (e.g., Glassdoor, Indeed, Comparably, Great Place to Work) and solicits the recipient to review or rate their employer, while excluding legitimate review/rating platform senders."
type: "rule"
severity: "low"
# Literal block scalar (`|`): backslashes in the patterns below reach the MQL
# engine untouched, so '\b' and '\s' are regex escapes, not YAML escapes.
source: |
    // inbound mail only
    type.inbound
    // credential theft or scam intent
    // (NLU intent must be medium or high confidence; "low" is excluded)
    and any(ml.nlu_classifier(body.current_thread.text).intents,
            .name in ("cred_theft", "job_scam") and .confidence != "low"
    )
    // employer/workplace review solicitation phrasing
    // NOTE(review): multi-pattern regex.icontains is read here as any-of
    // (one matching pattern suffices) — confirm against the MQL reference.
    and regex.icontains(body.current_thread.text,
                        '\brate\s+(?:your\s+)?(?:employer|workplace|job)\b',
                        '\breview\s+(?:your\s+)?(?:experience\s+(?:at|with)\s+(?:your|the)\s)',
                        '\b(?:employer|workplace|job)\s+(?:review|rating|feedback)\b',
                        '\bleave\s+(?:a\s+)?(?:review|rating).{0,40}(?:employer|workplace|job)',
                        '(?:glassdoor|comparably|great\s+place\s+to\s+work|kununu|jobcase).{0,40}(?:review|rate|rating|feedback)'
    )
    // the solicitation alone is not enough: require a credential ask OR a lure
    and (
      // credential harvesting
      regex.icontains(body.current_thread.text,
                      '(?:enter|provide|confirm|verify).{0,40}(?:password|credentials|login|email\s+and\s+password)',
                      'verify\s+your\s+(?:identity|eligibility|account|profile)',
                      '(?:password|credential|login).{0,30}(?:enter|provide|confirm|verify|required)'
      )
      // or monetary incentive
      or regex.icontains(body.current_thread.text,
                         'gift.?card',
                         '(?:receive|earn|get|claim).{0,30}[\$€£]\d+',
                         '[\$€£]\d+.{0,30}(?:gift|reward|credit|incentive|voucher|bonus|prize)',
                         'token\s+of\s+(?:our\s+)?(?:appreciation|thanks|gratitude)'
      )
    )
    // negating legitimate/trusted employer review/rating senders
    // Both conditions are required: the sender root domain is allow-listed (or
    // in the org's high-trust list) AND DMARC passed. coalesce(..., false)
    // treats a missing DMARC result as not passing, so an unauthenticated
    // From: on one of these domains does not exempt the message.
    // NOTE(review): glassdoor.com, indeed.com and linkedin.com are named in the
    // body/subject brand patterns but are absent from this list; presumably
    // they are covered by $high_trust_sender_root_domains — confirm, otherwise
    // authenticated mail from them remains eligible to match.
    and not (
      (
        sender.email.domain.root_domain in (
          'comparably.com',
          'greatplacetowork.com',
          'builtin.com',
          'lensa.com',
          'ziprecruiter.com',
          'kununu.com',
          'jobcase.com',
          'trustpilot.com'
        )
        or sender.email.domain.root_domain in $high_trust_sender_root_domains
      )
      and coalesce(headers.auth_summary.dmarc.pass, false)
    )
    // subject cites employer review / rating / feedback context
    // (broad single words such as 'company' or 'job' qualify on their own;
    // the body clauses above are what narrow the match)
    // NOTE(review): 'built\s?in' also matches the ordinary phrase "built in".
    and regex.icontains(subject.subject,
                        '\breview\b',
                        '\brating\b',
                        '\brate\b',
                        '\bfeedback\b',
                        '\btestimonial\b',
                        '\b(?:employer|workplace|company|employee|job)\b',
                        '\b(?:glassdoor|indeed|linkedin|comparably|great\s+place\s+to\s+work|built\s?in|lensa|ziprecruiter|kununu|jobcase|trustpilot)\b',
                        '\bexperience\b',
                        '\bsurvey\b',
                        '\bopinion\b'
    )    
# rule taxonomy metadata
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Impersonation: Brand"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Header analysis"
  - "Sender analysis"
# rule identifier
id: "ad3c63e8-02a8-5583-bb60-e5ebd76d0331"