Service abuse: Recruiting with suspicious language patterns from legitimate platforms
Detects suspicious recruiting messages from legitimate services like Salesforce, LADesk, or AWS Apps with unusually long sender email addresses and recruiting-specific language patterns that may indicate abuse of trusted platforms for social engineering.
Sublime rule:

```yaml
name: "Service abuse: Recruiting with suspicious language patterns from legitimate platforms"
description: "Detects suspicious recruiting messages from legitimate services like Salesforce, LADesk, or AWS Apps with unusually long sender email addresses and recruiting-specific language patterns that may indicate abuse of trusted platforms for social engineering."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(sender.email.email) >= 50
  and sender.email.domain.root_domain in (
    "salesforce.com",
    "ladesk.com",
    "awsapps.com"
  )
  and (
    (
      any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in ("B2B Cold Outreach", "Professional and Career Development")
      )
      and not any(ml.nlu_classifier(body.current_thread.text).topics,
                  .name == "Reminders and Notifications" and .confidence == "high"
      )
    )
    or 2 of (
      strings.icontains(body.current_thread.text, "profile caught my attention"),
      strings.icontains(body.current_thread.text, "recruiting top talent"),
      strings.icontains(body.current_thread.text, "talent acquisition team"),
      strings.icontains(body.current_thread.text,
                        "experience seems highly relevant"
      ),
      strings.icontains(body.current_thread.text, "expling this opptunity"),
      strings.icontains(body.current_thread.text, "your professional profile"),
      strings.icontains(body.current_thread.text, "a pivotal hire"),
      strings.icontains(body.current_thread.text, "a key hire"),
      strings.icontains(body.current_thread.text, "schedule a time")
    )
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "29e12696-9fab-50a5-bcbc-03c8e382853d"
```
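To see how the rule's deterministic conditions combine, here is an added Python approximation of its phrase-match branch run over constructed sample messages; it is not Sublime's code. It assumes a simplified `root_domain` (last two host labels rather than the public suffix list) and omits the `ml.nlu_classifier` topic branch, which has no offline equivalent.

```python
# Values copied from the rule above.
TRUSTED_ROOT_DOMAINS = {"salesforce.com", "ladesk.com", "awsapps.com"}
MIN_SENDER_LENGTH = 50
RECRUITING_PHRASES = (
    "profile caught my attention",
    "recruiting top talent",
    "talent acquisition team",
    "experience seems highly relevant",
    "expling this opptunity",
    "your professional profile",
    "a pivotal hire",
    "a key hire",
    "schedule a time",
)


def root_domain(email: str) -> str:
    """Crude stand-in for sender.email.domain.root_domain: the last two host labels.
    Sublime uses the public suffix list; this suffices for the .com domains above."""
    host = email.rsplit("@", 1)[-1].lower()
    return ".".join(host.split(".")[-2:])


def matched_phrases(body_text: str) -> list[str]:
    """Case-insensitive substring matches, mirroring strings.icontains in the rule."""
    lowered = body_text.lower()
    return [p for p in RECRUITING_PHRASES if p in lowered]


def evaluate(sender_email: str, body_text: str, inbound: bool = True) -> bool:
    """Deterministic branch of the rule: inbound, a sender address of >= 50 characters
    on one of the trusted platform domains, and at least 2 of the recruiting phrases.
    The ml.nlu_classifier topic branch has no offline equivalent and is omitted."""
    if not inbound or len(sender_email) < MIN_SENDER_LENGTH:
        return False
    if root_domain(sender_email) not in TRUSTED_ROOT_DOMAINS:
        return False
    return len(matched_phrases(body_text)) >= 2


# Constructed samples (not real traffic): a long platform-generated sender address,
# a recruiting lure, and a routine notification from the same address.
LONG_SENDER = "noreply-7f3a9c2e4b8d1f6a5c0e9b3d7a2f8c1e@na44.salesforce.com"
LURE = "Your profile caught my attention. Can we schedule a time to talk this week?"
NOTICE = "Your case has been updated. Reply to this email to add a comment."
```

Note that a single phrase is not enough: the `2 of (...)` threshold in the rule is what keeps ordinary platform notifications that happen to say "schedule a time" from firing.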