
Link: Job recruitment lure from unsolicited sender with suspicious hosting

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Message contains job recruitment language with links to suspicious hosting services including free file hosts, subdomain hosts, or URL shorteners from an unsolicited sender.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Attack types: Credential Phishing
Tactics and techniques: Social engineering

Event coverage

Rule body MQL

type.inbound
// commonly observed abused senders
and sender.email.domain.root_domain in (
  'hireology.com',
  'appsheet.com',
  'welcomekit.co',
  'xero.com',
  'workforce.com',
  'eventbrite.com',
  'tiscali.it',
  'on24event.com',
  'talexio.com',
  'easy.jobs',
  'suitzzedash.com',
  'awsapps.com',
  'beehiiv.com'
)
and regex.icontains(sender.display_name, 'careers|jobs')
and (
  any(body.links,
      (
        // domain contains brand, but root domain is not legit brand domain
        regex.icontains(.href_url.domain.domain,
                        '(?:ferrari|tesla|vuitton|red[ -]?bull|nike|robert[ -]?half|adidas|coca[ -]?cola|instagram|spotify|reebok|marriott|starbucks|whatsapp|ledger|uber|ikea|canva|bbdo|mango)'
        )
        and not regex.icontains(.href_url.domain.root_domain,
                                '(?:spotify|instagram|ferarri|tesla|nike|adidas|louisvuitton|redbull|roberthalf|coca-cola|reebok|marriott|starbucks|whatsapp|ledger|uber|ikea|canva|bbdo|mango)\.com'
        )
      )
      and not regex.icontains(.display_text, 'unsubscribe')
  )
  or (
    regex.icontains(subject.base,
                    '(?:ferrari|tesla|vuitton|red.?bull|nike|robert[ _-]?half|adidas|coca[ _-]?cola|instagram|spotify|reebok|marriott|starbucks|whatsapp|ray[ _-]ban|meta talent|executive talent|talent acquisition|ledger|\buber\b|\bikea\b|canva|bbdo|mango)'
    )
    or regex.icontains(sender.display_name,
                       '(?:ferrari|tesla|vuitton|red.?bull|nike|robert[ _-]?half|adidas|coca[ _-]?cola|instagram|spotify|reebok|marriott|starbucks|whatsapp|ray[ _-]ban|meta talent|executive talent|talent acquisition|ledger|\buber\b|\bikea\b|canva|bbdo|mango)'
    )
    or regex.icontains(body.current_thread.text,
                       '\b(?:ferrari|tesla|vuitton|red.?bull|nike|robert[ _-]?half|adidas|coca[ _-]?cola|spotify|reebok|marriott|starbucks|whatsapp|ray[ _-]ban|meta talent|executive talent|talent acquisition|ledger|uber|ikea|canva|bbdo|mango)\b'
    )
    or regex.icontains(sender.display_name,
                       '^[a-z-]+\s*\|\s*(?:Careers|Recruitment|hiring talent|talent connect|talents recruitment$)'
    )
    or regex.icontains(sender.display_name, '\bIG\b.*(?:Recruitment|Strategy)')
  )
)
and not regex.icontains(body.current_thread.text,
                        '\b(?:facebook|copyright|llp|legal|vip|representative|case details|summit|training|conference|apartments|live\s*stream|masterclass|tickets|b2b networking|RSVP|discover more events|Marketing e Eventos|workshop|register here|vip|delivery date)\b'
)

Detection logic

Scope: inbound message.


  1. inbound message
  2. sender.email.domain.root_domain in ('hireology.com', 'appsheet.com', 'welcomekit.co', 'xero.com', 'workforce.com', 'eventbrite.com', 'tiscali.it', 'on24event.com', 'talexio.com', 'easy.jobs', 'suitzzedash.com', 'awsapps.com', 'beehiiv.com')
  3. sender.display_name matches 'careers|jobs'
  4. any of:
    • any of body.links where all hold:
      • all of:
        • .href_url.domain.domain matches '(?:ferrari|tesla|vuitton|red[ -]?bull|nike|robert[ -]?half|adidas|coca[ -]?cola|instagram|spotify|reebok|marriott|starbucks|whatsapp|ledger|uber|ikea|canva|bbdo|mango)'
        • not:
          • .href_url.domain.root_domain matches '(?:spotify|instagram|ferarri|tesla|nike|adidas|louisvuitton|redbull|roberthalf|coca-cola|reebok|marriott|starbucks|whatsapp|ledger|uber|ikea|canva|bbdo|mango)\.com'
      • not:
        • .display_text matches 'unsubscribe'
    • any of:
      • subject.base matches '(?:ferrari|tesla|vuitton|red.?bull|nike|robert[ _-]?half|adidas|coca[ _-]?cola|instagram|spotify|reebok|marriott|starbucks|whatsapp|ray[ _-]ban|meta talent|executive talent|talent acquisition|ledger|\buber\b|\bikea\b|canva|bbdo|mango)'
      • sender.display_name matches '(?:ferrari|tesla|vuitton|red.?bull|nike|robert[ _-]?half|adidas|coca[ _-]?cola|instagram|spotify|reebok|marriott|starbucks|whatsapp|ray[ _-]ban|meta talent|executive talent|talent acquisition|ledger|\buber\b|\bikea\b|canva|bbdo|mango)'
      • body.current_thread.text matches '\b(?:ferrari|tesla|vuitton|red.?bull|nike|robert[ _-]?half|adidas|coca[ _-]?cola|spotify|reebok|marriott|starbucks|whatsapp|ray[ _-]ban|meta talent|executive talent|talent acquisition|ledger|uber|ikea|canva|bbdo|mango)\b'
      • sender.display_name matches '^[a-z-]+\s*\|\s*(?:Careers|Recruitment|hiring talent|talent connect|talents recruitment$)'
      • sender.display_name matches '\bIG\b.*(?:Recruitment|Strategy)'
  5. not:
    • body.current_thread.text matches '\b(?:facebook|copyright|llp|legal|vip|representative|case details|summit|training|conference|apartments|live\s*stream|masterclass|tickets|b2b networking|RSVP|discover more events|Marketing e Eventos|workshop|register here|vip|delivery date)\b'

Inspects: body.current_thread.text, body.links, body.links[].display_text, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, sender.display_name, sender.email.domain.root_domain, subject.base, type.inbound. Sensors: regex.icontains.
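The link branch of the logic above (brand name in the link host, registrable domain not the brand's own .com, no "unsubscribe" anchor text), combined with the sender gate and the benign-context filter, as an added Python approximation. This is not Sublime's evaluation engine: the patterns are copied from the rule body as written, the root-domain split is a naive two-label cut rather than a public-suffix lookup, type.inbound is assumed true, and the subject/display-name branch is not modelled. The 'ferarri' spelling is kept from the rule so the example shows its effect on ferrari.com links.

```python
import re

# Added example, not code from the sublime-rules project. Patterns copied from the rule body.
ABUSED_SENDER_ROOTS = {
    'hireology.com', 'appsheet.com', 'welcomekit.co', 'xero.com', 'workforce.com',
    'eventbrite.com', 'tiscali.it', 'on24event.com', 'talexio.com', 'easy.jobs',
    'suitzzedash.com', 'awsapps.com', 'beehiiv.com',
}
CAREERS_SENDER = re.compile(r'careers|jobs', re.I)
BRAND_IN_DOMAIN = re.compile(r'(?:ferrari|tesla|vuitton|red[ -]?bull|nike|robert[ -]?half|adidas|coca[ -]?cola|instagram|spotify|reebok|marriott|starbucks|whatsapp|ledger|uber|ikea|canva|bbdo|mango)', re.I)
# 'ferarri' is copied as-is from the rule: ferrari.com is therefore never recognised as the legitimate root.
LEGIT_BRAND_ROOT = re.compile(r'(?:spotify|instagram|ferarri|tesla|nike|adidas|louisvuitton|redbull|roberthalf|coca-cola|reebok|marriott|starbucks|whatsapp|ledger|uber|ikea|canva|bbdo|mango)\.com', re.I)
UNSUBSCRIBE = re.compile(r'unsubscribe', re.I)
BENIGN_CONTEXT = re.compile(r'\b(?:facebook|copyright|llp|legal|vip|representative|case details|summit|training|conference|apartments|live\s*stream|masterclass|tickets|b2b networking|RSVP|discover more events|Marketing e Eventos|workshop|register here|vip|delivery date)\b', re.I)


def root_domain(host: str) -> str:
    """Naive stand-in for .root_domain: last two labels (assumption; the real engine uses a suffix list)."""
    return '.'.join(host.lower().split('.')[-2:])


def suspicious_link(href_host: str, display_text: str) -> bool:
    """Brand name appears in the host, but the registrable domain is not the brand's own .com."""
    return (bool(BRAND_IN_DOMAIN.search(href_host))
            and not LEGIT_BRAND_ROOT.search(root_domain(href_host))
            and not UNSUBSCRIBE.search(display_text))


def rule_matches(sender_domain: str, display_name: str, links, body_text: str) -> bool:
    """Sender gate + careers/jobs display name + any suspicious link + benign-context exclusion."""
    return (root_domain(sender_domain) in ABUSED_SENDER_ROOTS
            and bool(CAREERS_SENDER.search(display_name))
            and any(suspicious_link(host, text) for host, text in links)
            and not BENIGN_CONTEXT.search(body_text))


if __name__ == '__main__':
    # Constructed sample links: (href host, anchor text)
    for host, text in [('tesla.com', 'Apply'), ('tesla-careers.weebly.com', 'Apply now'),
                       ('careers.spotify.com', 'Apply'), ('ferrari.com', 'Open roles')]:
        print(f'{host:28} suspicious={suspicious_link(host, text)}')
    print('rule:', rule_matches('mail.hireology.com', 'Tesla Careers',
                                [('tesla-careers.weebly.com', 'Apply now')], 'Join our team'))
```

The ferrari.com line in the sample output is the caveat to check when tuning: a link to the genuine brand root is still flagged because the exclusion pattern spells the brand differently from the inclusion pattern.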

Indicators matched (22)

Field | Match | Value
sender.email.domain.root_domain | member | hireology.com
sender.email.domain.root_domain | member | appsheet.com
sender.email.domain.root_domain | member | welcomekit.co
sender.email.domain.root_domain | member | xero.com
sender.email.domain.root_domain | member | workforce.com
sender.email.domain.root_domain | member | eventbrite.com
sender.email.domain.root_domain | member | tiscali.it
sender.email.domain.root_domain | member | on24event.com
sender.email.domain.root_domain | member | talexio.com
sender.email.domain.root_domain | member | easy.jobs
sender.email.domain.root_domain | member | suitzzedash.com
sender.email.domain.root_domain | member | awsapps.com
sender.email.domain.root_domain | member | beehiiv.com
regex.icontains | regex | careers|jobs
regex.icontains | regex | (?:ferrari|tesla|vuitton|red[ -]?bull|nike|robert[ -]?half|adidas|coca[ -]?cola|instagram|spotify|reebok|marriott|starbucks|whatsapp|ledger|uber|ikea|canva|bbdo|mango)
regex.icontains | regex | (?:spotify|instagram|ferarri|tesla|nike|adidas|louisvuitton|redbull|roberthalf|coca-cola|reebok|marriott|starbucks|whatsapp|ledger|uber|ikea|canva|bbdo|mango)\.com
regex.icontains | regex | unsubscribe
regex.icontains | regex | (?:ferrari|tesla|vuitton|red.?bull|nike|robert[ _-]?half|adidas|coca[ _-]?cola|instagram|spotify|reebok|marriott|starbucks|whatsapp|ray[ _-]ban|meta talent|executive talent|talent acquisition|ledger|\buber\b|\bikea\b|canva|bbdo|mango)
regex.icontains | regex | \b(?:ferrari|tesla|vuitton|red.?bull|nike|robert[ _-]?half|adidas|coca[ _-]?cola|spotify|reebok|marriott|starbucks|whatsapp|ray[ _-]ban|meta talent|executive talent|talent acquisition|ledger|uber|ikea|canva|bbdo|mango)\b
regex.icontains | regex | ^[a-z-]+\s*\|\s*(?:Careers|Recruitment|hiring talent|talent connect|talents recruitment$)
regex.icontains | regex | \bIG\b.*(?:Recruitment|Strategy)
regex.icontains | regex | \b(?:facebook|copyright|llp|legal|vip|representative|case details|summit|training|conference|apartments|live\s*stream|masterclass|tickets|b2b networking|RSVP|discover more events|Marketing e Eventos|workshop|register here|vip|delivery date)\b