Scam soliciting employer review/rating

Severity: low
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects scam content that impersonates employer review/rating platforms (e.g., Glassdoor, Indeed, Comparably, Great Place to Work) and solicits the recipient to review or rate their employer, while excluding legitimate review/rating platform senders.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category | Values
Attack types | BEC/Fraud, Credential Phishing
Tactics and techniques | Social engineering, Impersonation: Brand

Rule body MQL

type.inbound
// credential theft or scam intent
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("cred_theft", "job_scam") and .confidence != "low"
)
// employer/workplace review solicitation phrasing
and regex.icontains(body.current_thread.text,
                    '\brate\s+(?:your\s+)?(?:employer|workplace|job)\b',
                    '\breview\s+(?:your\s+)?(?:experience\s+(?:at|with)\s+(?:your|the)\s)',
                    '\b(?:employer|workplace|job)\s+(?:review|rating|feedback)\b',
                    '\bleave\s+(?:a\s+)?(?:review|rating).{0,40}(?:employer|workplace|job)',
                    '(?:glassdoor|comparably|great\s+place\s+to\s+work|kununu|jobcase).{0,40}(?:review|rate|rating|feedback)'
)
and (
  // credential harvesting
  regex.icontains(body.current_thread.text,
                  '(?:enter|provide|confirm|verify).{0,40}(?:password|credentials|login|email\s+and\s+password)',
                  'verify\s+your\s+(?:identity|eligibility|account|profile)',
                  '(?:password|credential|login).{0,30}(?:enter|provide|confirm|verify|required)'
  )
  // or monetary incentive
  or regex.icontains(body.current_thread.text,
                     'gift.?card',
                     '(?:receive|earn|get|claim).{0,30}[\$€£]\d+',
                     '[\$€£]\d+.{0,30}(?:gift|reward|credit|incentive|voucher|bonus|prize)',
                     'token\s+of\s+(?:our\s+)?(?:appreciation|thanks|gratitude)'
  )
)
// negating legitimate/trusted employer review/rating senders
and not (
  (
    sender.email.domain.root_domain in (
      'comparably.com',
      'greatplacetowork.com',
      'builtin.com',
      'lensa.com',
      'ziprecruiter.com',
      'kununu.com',
      'jobcase.com',
      'trustpilot.com'
    )
    or sender.email.domain.root_domain in $high_trust_sender_root_domains
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
// subject cites employer review / rating / feedback context
and regex.icontains(subject.subject,
                    '\breview\b',
                    '\brating\b',
                    '\brate\b',
                    '\bfeedback\b',
                    '\btestimonial\b',
                    '\b(?:employer|workplace|company|employee|job)\b',
                    '\b(?:glassdoor|indeed|linkedin|comparably|great\s+place\s+to\s+work|built\s?in|lensa|ziprecruiter|kununu|jobcase|trustpilot)\b',
                    '\bexperience\b',
                    '\bsurvey\b',
                    '\bopinion\b'
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
    • .name in ('cred_theft', 'job_scam')
    • .confidence is not 'low'
  3. body.current_thread.text matches any of 5 patterns
    • \brate\s+(?:your\s+)?(?:employer|workplace|job)\b
    • \breview\s+(?:your\s+)?(?:experience\s+(?:at|with)\s+(?:your|the)\s)
    • \b(?:employer|workplace|job)\s+(?:review|rating|feedback)\b
    • \bleave\s+(?:a\s+)?(?:review|rating).{0,40}(?:employer|workplace|job)
    • (?:glassdoor|comparably|great\s+place\s+to\s+work|kununu|jobcase).{0,40}(?:review|rate|rating|feedback)
  4. any of:
    • body.current_thread.text matches any of 3 patterns
      • (?:enter|provide|confirm|verify).{0,40}(?:password|credentials|login|email\s+and\s+password)
      • verify\s+your\s+(?:identity|eligibility|account|profile)
      • (?:password|credential|login).{0,30}(?:enter|provide|confirm|verify|required)
    • body.current_thread.text matches any of 4 patterns
      • gift.?card
      • (?:receive|earn|get|claim).{0,30}[\$€£]\d+
      • [\$€£]\d+.{0,30}(?:gift|reward|credit|incentive|voucher|bonus|prize)
      • token\s+of\s+(?:our\s+)?(?:appreciation|thanks|gratitude)
  5. not:
    • all of:
      • any of:
        • sender.email.domain.root_domain in ('comparably.com', 'greatplacetowork.com', 'builtin.com', 'lensa.com', 'ziprecruiter.com', 'kununu.com', 'jobcase.com', 'trustpilot.com')
        • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • coalesce(headers.auth_summary.dmarc.pass, false)
  6. subject.subject matches any of 10 patterns
    • \breview\b
    • \brating\b
    • \brate\b
    • \bfeedback\b
    • \btestimonial\b
    • \b(?:employer|workplace|company|employee|job)\b
    • \b(?:glassdoor|indeed|linkedin|comparably|great\s+place\s+to\s+work|built\s?in|lensa|ziprecruiter|kununu|jobcase|trustpilot)\b
    • \bexperience\b
    • \bsurvey\b
    • \bopinion\b

Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: ml.nlu_classifier, regex.icontains. Reference lists: $high_trust_sender_root_domains.

Indicators matched (32)

Field | Match | Value
ml.nlu_classifier(body.current_thread.text).intents[].name | member | cred_theft
ml.nlu_classifier(body.current_thread.text).intents[].name | member | job_scam
regex.icontains | regex | \brate\s+(?:your\s+)?(?:employer|workplace|job)\b
regex.icontains | regex | \breview\s+(?:your\s+)?(?:experience\s+(?:at|with)\s+(?:your|the)\s)
regex.icontains | regex | \b(?:employer|workplace|job)\s+(?:review|rating|feedback)\b
regex.icontains | regex | \bleave\s+(?:a\s+)?(?:review|rating).{0,40}(?:employer|workplace|job)
regex.icontains | regex | (?:glassdoor|comparably|great\s+place\s+to\s+work|kununu|jobcase).{0,40}(?:review|rate|rating|feedback)
regex.icontains | regex | (?:enter|provide|confirm|verify).{0,40}(?:password|credentials|login|email\s+and\s+password)
regex.icontains | regex | verify\s+your\s+(?:identity|eligibility|account|profile)
regex.icontains | regex | (?:password|credential|login).{0,30}(?:enter|provide|confirm|verify|required)
regex.icontains | regex | gift.?card
regex.icontains | regex | (?:receive|earn|get|claim).{0,30}[\$€£]\d+
regex.icontains | regex | [\$€£]\d+.{0,30}(?:gift|reward|credit|incentive|voucher|bonus|prize)
regex.icontains | regex | token\s+of\s+(?:our\s+)?(?:appreciation|thanks|gratitude)
sender.email.domain.root_domain | member | comparably.com
sender.email.domain.root_domain | member | greatplacetowork.com
sender.email.domain.root_domain | member | builtin.com
sender.email.domain.root_domain | member | lensa.com
sender.email.domain.root_domain | member | ziprecruiter.com
sender.email.domain.root_domain | member | kununu.com
sender.email.domain.root_domain | member | jobcase.com
sender.email.domain.root_domain | member | trustpilot.com
regex.icontains | regex | \breview\b
regex.icontains | regex | \brating\b
regex.icontains | regex | \brate\b
regex.icontains | regex | \bfeedback\b
regex.icontains | regex | \btestimonial\b
regex.icontains | regex | \b(?:employer|workplace|company|employee|job)\b
regex.icontains | regex | \b(?:glassdoor|indeed|linkedin|comparably|great\s+place\s+to\s+work|built\s?in|lensa|ziprecruiter|kununu|jobcase|trustpilot)\b
regex.icontains | regex | \bexperience\b
regex.icontains | regex | \bsurvey\b
regex.icontains | regex | \bopinion\b