Service abuse: Recruiting with suspicious language patterns from legitimate platforms
Detects suspicious recruiting messages from legitimate services like Salesforce, LADesk, or AWS Apps with unusually long sender email addresses and recruiting-specific language patterns that may indicate abuse of trusted platforms for social engineering.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | BEC/Fraud |
| Tactics and techniques | Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| sender.email |
| type |
Rule body MQL
```
type.inbound
and length(sender.email.email) >= 50
and sender.email.domain.root_domain in (
  "salesforce.com",
  "ladesk.com",
  "awsapps.com"
)
and (
  (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("B2B Cold Outreach", "Professional and Career Development")
    )
    and not any(ml.nlu_classifier(body.current_thread.text).topics,
                .name == "Reminders and Notifications" and .confidence == "high"
    )
  )
  or 2 of (
    strings.icontains(body.current_thread.text, "profile caught my attention"),
    strings.icontains(body.current_thread.text, "recruiting top talent"),
    strings.icontains(body.current_thread.text, "talent acquisition team"),
    strings.icontains(body.current_thread.text,
                      "experience seems highly relevant"
    ),
    strings.icontains(body.current_thread.text, "expling this opptunity"),
    strings.icontains(body.current_thread.text, "your professional profile"),
    strings.icontains(body.current_thread.text, "a pivotal hire"),
    strings.icontains(body.current_thread.text, "a key hire"),
    strings.icontains(body.current_thread.text, "schedule a time")
  )
)
```
Detection logic
Scope: inbound message.
All of the following must hold:
- inbound message
- length(sender.email.email) ≥ 50
- sender.email.domain.root_domain in ('salesforce.com', 'ladesk.com', 'awsapps.com')
- any of:
  - all of:
    - any of ml.nlu_classifier(body.current_thread.text).topics where .name in ('B2B Cold Outreach', 'Professional and Career Development')
    - not: any of ml.nlu_classifier(body.current_thread.text).topics where all hold: .name is 'Reminders and Notifications' and .confidence is 'high'
  - at least 2 of 9: body.current_thread.text contains (case-insensitive) any of:
    - profile caught my attention
    - recruiting top talent
    - talent acquisition team
    - experience seems highly relevant
    - expling this opptunity (literal, as written in the rule body)
    - your professional profile
    - a pivotal hire
    - a key hire
    - schedule a time

Two points worth noting when tuning. The root-domain check covers every subdomain of the three listed platforms, and the length threshold is the rule's proxy for the long machine-generated sender addresses those platforms issue: a short, human-readable address at the same domain does not match. The suppression for high-confidence 'Reminders and Notifications' applies only to the NLU branch; a message with two or more of the listed substrings fires regardless of how the classifier labels it.

Inspects: body.current_thread.text, sender.email.domain.root_domain, sender.email.email, type.inbound. Sensors: ml.nlu_classifier, strings.icontains.
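The predicate above, re-implemented in plain Python so the branch structure can be exercised against constructed messages. This is an added example for this page, not Sublime's code or its MQL engine. It assumes two things the page does not provide: ml.nlu_classifier is not reproduced, so its output is modelled as a list of (topic name, confidence) pairs attached to each message, and root_domain is approximated as the last two DNS labels, which is exact for the three .com domains the rule lists. The sample sender addresses and bodies are synthetic.

```python
"""Plain-Python re-implementation of the rule's boolean logic.

Added example, not Sublime's code. ml.nlu_classifier output is modelled as
(topic_name, confidence) pairs on the message; root_domain is approximated
as the last two DNS labels (exact for the .com domains the rule lists).
"""
from dataclasses import dataclass, field

MIN_SENDER_LENGTH = 50
ABUSED_ROOT_DOMAINS = frozenset({"salesforce.com", "ladesk.com", "awsapps.com"})
RECRUITING_TOPICS = frozenset({"B2B Cold Outreach", "Professional and Career Development"})
# The nine substrings from the rule body, matched case-insensitively.
RECRUITING_PHRASES = (
    "profile caught my attention",
    "recruiting top talent",
    "talent acquisition team",
    "experience seems highly relevant",
    "expling this opptunity",  # kept verbatim from the rule body
    "your professional profile",
    "a pivotal hire",
    "a key hire",
    "schedule a time",
)


@dataclass
class Message:
    inbound: bool
    sender_email: str   # sender.email.email
    body_text: str      # body.current_thread.text
    # Stand-in for ml.nlu_classifier(...).topics: (name, confidence) pairs.
    topics: list[tuple[str, str]] = field(default_factory=list)


def root_domain(email: str) -> str:
    """Approximate sender.email.domain.root_domain as the last two labels."""
    domain = email.rpartition("@")[2].lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def phrase_hits(text: str) -> int:
    """Number of RECRUITING_PHRASES present; mirrors `2 of (strings.icontains ...)`."""
    lowered = text.lower()
    return sum(1 for phrase in RECRUITING_PHRASES if phrase in lowered)


def nlu_branch(topics: list[tuple[str, str]]) -> bool:
    """Recruiting topic present AND no high-confidence notification topic."""
    has_recruiting = any(name in RECRUITING_TOPICS for name, _ in topics)
    is_notification = any(
        name == "Reminders and Notifications" and confidence == "high"
        for name, confidence in topics
    )
    return has_recruiting and not is_notification


def matches(msg: Message) -> bool:
    """True when the message satisfies the rule's full predicate."""
    if not msg.inbound:
        return False
    if len(msg.sender_email) < MIN_SENDER_LENGTH:
        return False
    if root_domain(msg.sender_email) not in ABUSED_ROOT_DOMAINS:
        return False
    # The Reminders suppression guards only the NLU branch; two substring
    # hits fire regardless of what the classifier says.
    return nlu_branch(msg.topics) or phrase_hits(msg.body_text) >= 2


# Constructed sample messages (synthetic, not real traffic).
LONG_SENDER = "noreply-a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8@mail.na123.salesforce.com"

SAMPLES = {
    "two_phrases": Message(True, LONG_SENDER,
        "Your profile caught my attention. Can we schedule a time this week?"),
    "nlu_medium_notification": Message(True, LONG_SENDER,
        "We are expanding our engineering team and would like to talk.",
        [("Professional and Career Development", "medium"),
         ("Reminders and Notifications", "medium")]),
    "genuine_notification": Message(True, LONG_SENDER,
        "Your case 00123 has been updated. Please schedule a time to review.",
        [("Reminders and Notifications", "high"),
         ("Professional and Career Development", "low")]),
    "short_sender": Message(True, "recruiting@salesforce.com",
        "Your profile caught my attention; we are recruiting top talent."),
    "other_domain": Message(True, "a" * 60 + "@example.com",
        "Your profile caught my attention; we are recruiting top talent."),
}


def evaluate_samples() -> dict[str, bool]:
    """Run every constructed sample through the rule."""
    return {name: matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:26s} {'MATCH' if hit else 'no match'}")
```

The `genuine_notification` sample is the instructive one: it carries one of the nine phrases ("schedule a time") and a low-confidence recruiting topic, but a high-confidence 'Reminders and Notifications' label suppresses the NLU branch and a single substring is below the `2 of` threshold, so it does not fire. The `nlu_medium_notification` sample shows the other side of that check: a notification label below high confidence does not suppress anything.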
Indicators matched (16)
| Field | Match | Value |
|---|---|---|
| sender.email.domain.root_domain | member | salesforce.com |
| sender.email.domain.root_domain | member | ladesk.com |
| sender.email.domain.root_domain | member | awsapps.com |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | B2B Cold Outreach |
| ml.nlu_classifier(body.current_thread.text).topics[].name | member | Professional and Career Development |
| ml.nlu_classifier(body.current_thread.text).topics[].name | equals | Reminders and Notifications |
| ml.nlu_classifier(body.current_thread.text).topics[].confidence | equals | high |
| strings.icontains | substring | profile caught my attention |
| strings.icontains | substring | recruiting top talent |
| strings.icontains | substring | talent acquisition team |
| strings.icontains | substring | experience seems highly relevant |
| strings.icontains | substring | expling this opptunity |
| strings.icontains | substring | your professional profile |
| strings.icontains | substring | a pivotal hire |
| strings.icontains | substring | a key hire |
| strings.icontains | substring | schedule a time |