detection.wiki

Detection rules › Sublime MQL

Job scam with specific salary pattern

Severity
low
Type
rule
Source
github.com/sublime-security/sublime-rules

Detects job scam content that includes specific weekly salary mentions (e.g., '$XXX weekly' patterns) in either the current email thread or previous thread conversations, while excluding legitimate income verification services.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesBEC/Fraud
Tactics and techniquesSocial engineering

Event coverage

Message attribute
body
body.current_thread
body.previous_threads (collection)
headers.auth_summary
sender.email
type

Rule body MQL

type.inbound
and (
  (
    // job scam in current thread
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("job_scam") and .confidence != "low"
    )
    // and salary mention in current thread
    and regex.icontains(body.current_thread.text,
                        '\$\d{3} weekly',
                        'weekly(?:\s+\w+){0,4}\s+\$\d{3}[^\d]'
    )
  )
  // job scam in previous thread
  or any(body.previous_threads,
         any(ml.nlu_classifier(.text).intents,
             .name in ("job_scam") and .confidence != "low"
         )
         // and salary mention in previous thread
         and regex.icontains(.text,
                             '\$\d{3} weekly',
                             'weekly(?:\s+\w+){0,4}\s+\$\d{3}[^\d]'
         )
  )
)
and length(body.current_thread.links) < 10

// negating income / job verification senders
and not (
  sender.email.domain.root_domain in (
    'loandepot.com',
    'sofi.com',
    'lensa.com',
    'indeed.com',
    'ziprecruiter.com',
    'glassdoor.com',
    'postjobfree.com',
    'jobplacements.com'
  )
  and headers.auth_summary.dmarc.pass
)

Detection logic

Scope: inbound message.

Detects job scam content that includes specific weekly salary mentions (e.g., '$XXX weekly' patterns) in either the current email thread or previous thread conversations, while excluding legitimate income verification services.

  1. inbound message
  2. any of:
    • all of:
      • any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
        • .name in ('job_scam')
        • .confidence is not 'low'
      • body.current_thread.text matches any of 2 patterns
        • \$\d{3} weekly
        • weekly(?:\s+\w+){0,4}\s+\$\d{3}[^\d]
    • any of body.previous_threads where all hold:
      • any of ml.nlu_classifier(.text).intents where all hold:
        • .name in ('job_scam')
        • .confidence is not 'low'
      • .text matches any of 2 patterns
        • \$\d{3} weekly
        • weekly(?:\s+\w+){0,4}\s+\$\d{3}[^\d]
  3. length(body.current_thread.links) < 10
  4. not:
    • all of:
      • sender.email.domain.root_domain in ('loandepot.com', 'sofi.com', 'lensa.com', 'indeed.com', 'ziprecruiter.com', 'glassdoor.com', 'postjobfree.com', 'jobplacements.com')
      • headers.auth_summary.dmarc.pass

Inspects: body.current_thread.links, body.current_thread.text, body.previous_threads, body.previous_threads[].text, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: ml.nlu_classifier, regex.icontains.

Indicators matched (12)

FieldMatchValue
ml.nlu_classifier(body.current_thread.text).intents[].namememberjob_scam
regex.icontainsregex\$\d{3} weekly
regex.icontainsregexweekly(?:\s+\w+){0,4}\s+\$\d{3}[^\d]
ml.nlu_classifier(body.previous_threads[].text).intents[].namememberjob_scam
sender.email.domain.root_domainmemberloandepot.com
sender.email.domain.root_domainmembersofi.com
sender.email.domain.root_domainmemberlensa.com
sender.email.domain.root_domainmemberindeed.com
sender.email.domain.root_domainmemberziprecruiter.com
sender.email.domain.root_domainmemberglassdoor.com
sender.email.domain.root_domainmemberpostjobfree.com
sender.email.domain.root_domainmemberjobplacements.com