Spam: New job cold outreach from unsolicited sender

Detects unsolicited messages congratulating recipients on new jobs or roles that contain unsubscribe links, calendar booking links, or exhibit B2B cold outreach characteristics from senders who have not been previously contacted.

Sublime rule (View on GitHub)

 1name: "Spam: New job cold outreach from unsolicited sender"
 2description: "Detects unsolicited messages congratulating recipients on new jobs or roles that contain unsubscribe links, calendar booking links, or exhibit B2B cold outreach characteristics from senders who have not been previously contacted."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  // direct outreach to sender
 8  and length(recipients.to) == 1
 9  // talking about new job
10  and any([body.current_thread.text, subject.subject],
11          regex.icontains(., 'congrat(?:ulation)?s on the new (?:job|gig|role)')
12  )
13  // body link to unsubscribe or to book time, otherwise use NLU on the body current thread
14  and (
15    any(body.links,
16        strings.icontains(.href_url.url, "unsubscribe")
17        or strings.icontains(.href_url.url, "opt-out")
18        or strings.icontains(.href_url.url, "preferences")
19        or strings.icontains(.href_url.url, "calendar")
20    )
21    or any(ml.nlu_classifier(body.current_thread.text).topics,
22           .name == "B2B Cold Outreach" and .confidence != "low"
23    )
24  )
25  // not someone they have reached out to before
26  and not profile.by_sender().solicited
27    
28
29attack_types:
30  - "Spam"
31detection_methods:
32  - "Content analysis"
33  - "Natural Language Understanding"
34  - "Sender analysis"
35  - "URL analysis"
36id: "ec39b789-d0bc-5ccf-9e5b-1d2276fa7797"