Service abuse: Recruiting with suspicious language patterns from legitimate platforms

Detects suspicious recruiting messages from legitimate services like Salesforce, LADesk, or AWS Apps with unusually long sender email addresses and recruiting-specific language patterns that may indicate abuse of trusted platforms for social engineering.

Sublime rule

name: "Service abuse: Recruiting with suspicious language patterns from legitimate platforms"
description: "Detects suspicious recruiting messages from legitimate services like Salesforce, LADesk, or AWS Apps with unusually long sender email addresses and recruiting-specific language patterns that may indicate abuse of trusted platforms for social engineering."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(sender.email.email) >= 50
  and sender.email.domain.root_domain in (
    "salesforce.com",
    "ladesk.com",
    "awsapps.com"
  )
  and (
    (
      any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in ("B2B Cold Outreach", "Professional and Career Development")
      )
      and not any(ml.nlu_classifier(body.current_thread.text).topics,
                  .name == "Reminders and Notifications" and .confidence == "high"
      )
    )
    or 2 of (
      strings.icontains(body.current_thread.text, "profile caught my attention"),
      strings.icontains(body.current_thread.text, "recruiting top talent"),
      strings.icontains(body.current_thread.text, "talent acquisition team"),
      strings.icontains(body.current_thread.text,
                        "experience seems highly relevant"
      ),
      strings.icontains(body.current_thread.text, "expling this opptunity"),
      strings.icontains(body.current_thread.text, "your professional profile"),
      strings.icontains(body.current_thread.text, "a pivotal hire"),
      strings.icontains(body.current_thread.text, "a key hire"),
      strings.icontains(body.current_thread.text, "schedule a time")
    )
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "29e12696-9fab-50a5-bcbc-03c8e382853d"
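The following is an added, stand-alone Python re-implementation of the rule's logic for readers who want to see how its three conditions combine over concrete messages; it is not Sublime's code and does not run inside Sublime. It covers the sender-length check, the root-domain allowlist, and the "2 of" literal-phrase branch. The `ml.nlu_classifier` topic branch is left out because it needs Sublime's classifier, and `root_domain` below is a naive last-two-labels stand-in for Sublime's public-suffix-aware attribute (an assumption, not how Sublime computes it). The sample messages are constructed for illustration.

```python
from dataclasses import dataclass

# Thresholds and lists copied from the rule above.
MIN_SENDER_EMAIL_LENGTH = 50
TRUSTED_ROOT_DOMAINS = {"salesforce.com", "ladesk.com", "awsapps.com"}
PHRASE_THRESHOLD = 2  # the rule's "2 of (...)"
RECRUITING_PHRASES = [
    "profile caught my attention",
    "recruiting top talent",
    "talent acquisition team",
    "experience seems highly relevant",
    "expling this opptunity",  # kept verbatim from the rule, misspelling included
    "your professional profile",
    "a pivotal hire",
    "a key hire",
    "schedule a time",
]


@dataclass
class Message:
    """Minimal stand-in for the Sublime message object (assumption)."""
    sender_email: str   # sender.email.email
    body_text: str      # body.current_thread.text


def root_domain(email: str) -> str:
    """Naive root-domain extraction: last two DNS labels of the address domain.

    Sublime's sender.email.domain.root_domain uses a public suffix list, so
    this stand-in mis-handles suffixes like co.uk; it is enough for the demo.
    """
    domain = email.rsplit("@", 1)[-1].lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def matched_phrases(text: str) -> list[str]:
    """Case-insensitive substring match, mirroring strings.icontains()."""
    lowered = text.lower()
    return [phrase for phrase in RECRUITING_PHRASES if phrase in lowered]


def evaluate(msg: Message) -> dict:
    """Apply the rule's non-NLU conditions and explain the verdict.

    Returns a dict with the boolean verdict plus the intermediate facts an
    analyst would want when triaging the alert.
    """
    domain = root_domain(msg.sender_email)
    phrases = matched_phrases(msg.body_text)
    result = {
        "alert": False,
        "sender_length": len(msg.sender_email),
        "root_domain": domain,
        "phrases": phrases,
    }
    # All three conditions are AND-ed, exactly as in the rule's source block.
    if result["sender_length"] < MIN_SENDER_EMAIL_LENGTH:
        return result
    if domain not in TRUSTED_ROOT_DOMAINS:
        return result
    if len(phrases) < PHRASE_THRESHOLD:
        return result
    result["alert"] = True
    return result


# Constructed sample messages (not real traffic).
SAMPLES = {
    # long, token-laden sender on a trusted platform + three recruiting phrases
    "abuse": Message(
        "bounce+very-long-tracking-token-0123456789abcdef0123456789@ladesk.com",
        "Hi, your profile caught my attention. Our talent acquisition team "
        "would love to schedule a time to talk this week.",
    ),
    # same body, but a short sender address: length check fails
    "short_sender": Message(
        "hr@salesforce.com",
        "Your profile caught my attention. Our talent acquisition team is hiring.",
    ),
    # long sender, recruiting language, but not one of the listed platforms
    "other_domain": Message(
        "bounce+very-long-tracking-token-0123456789abcdef0123456789@example.com",
        "Your profile caught my attention. Our talent acquisition team is hiring.",
    ),
    # trusted platform, long sender, but only one phrase: below the threshold
    "one_phrase": Message(
        "notify+very-long-tracking-token-0123456789abcdef0123456789@awsapps.com",
        "Your support ticket was updated. Please schedule a time if you need help.",
    ),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, evaluate(msg))
```

Because the NLU branch is OR-ed with the phrase branch in the real rule, a message on a trusted platform with a long sender address can also fire on topic classification alone; this script will stay silent on such messages, so treat its negatives as "phrase branch did not fire" rather than "rule did not fire".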