BEC/Fraud - Job Scam Fake thread or plaintext pivot to freemail

Sublime Rules

Summary
This detection rule identifies potential job-related scams in which an unsolicited sender attempts to pivot the conversation to a free email provider (e.g., Gmail, Yahoo). It checks whether the email exhibits characteristics typical of such scams: specific job-related keywords and phrasing in the body, the structure of a fabricated reply or forward thread, and tells associated with unsolicited communications. It also requires that attachments are either absent or consist primarily of images, and that any email address embedded in the body belongs to a free email provider and differs from the sender's domain. A key element of the rule is a natural language understanding (NLU) classifier that extracts entities from the text, which helps establish the presence of greetings or salutations common in marketing and phishing emails. The detection is further refined by excluding senders whose communication history marks them as a known false-positive source, so that the output is focused on genuinely malicious behavior.
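The following is an added illustration of the checks the summary describes, written in plain Python rather than Sublime's rule language; it is not the rule's own source. The freemail domain list, job phrases and fake-thread markers are constructed samples (the rule's actual lists are not shown on this page), the regex greeting check is a crude stand-in for the NLU salutation classifier, and the `sender_has_history` flag stands in for the sender-profile false-positive exclusion.

```python
import re
from dataclasses import dataclass

# Constructed sample lists; the real rule's freemail and phrase lists are not on the page.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
JOB_PHRASES = ("job offer", "job opportunity", "position", "work from home", "hiring", "interview")
THREAD_MARKERS = ("-----original message-----", "forwarded message", "\nfrom:", "\nsubject:")
# Crude stand-in for the NLU salutation check: a greeting at the start of a line.
GREETING_RE = re.compile(r"^\s*(hello|hi|dear|greetings)\b", re.IGNORECASE | re.MULTILINE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


@dataclass
class Message:
    sender: str                       # header From address
    body: str                         # plaintext body
    attachments: list                 # list of (filename, content_type) tuples
    sender_has_history: bool = False  # True when this sender has prior solicited mail with the org


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def freemail_pivot_addresses(msg: Message) -> list:
    """Addresses in the body hosted at a freemail provider whose domain differs from the sender's."""
    own = sender_domain(msg.sender)
    found = set()
    for m in EMAIL_RE.finditer(msg.body):
        domain = m.group(1).lower()
        if domain in FREEMAIL_DOMAINS and domain != own:
            found.add(m.group(0).lower())
    return sorted(found)


def attachments_absent_or_images(msg: Message) -> bool:
    """No attachments at all, or every attachment is an image."""
    return all(ctype.lower().startswith("image/") for _, ctype in msg.attachments)


def has_job_language(body: str) -> bool:
    text = body.lower()
    return any(phrase in text for phrase in JOB_PHRASES)


def looks_like_fake_thread(body: str) -> bool:
    """Reply/forward scaffolding pasted into the body to fake an existing thread."""
    text = "\n" + body.lower()
    return any(marker in text for marker in THREAD_MARKERS)


def evaluate(msg: Message) -> dict:
    """Return the individual signals plus an overall verdict that mirrors the summary's logic."""
    signals = {
        "unsolicited": not msg.sender_has_history,
        "job_language": has_job_language(msg.body),
        "fake_thread": looks_like_fake_thread(msg.body),
        "greeting": bool(GREETING_RE.search(msg.body)),
        "attachments_ok": attachments_absent_or_images(msg),
        "pivot_addresses": freemail_pivot_addresses(msg),
    }
    # Required: unsolicited sender, job wording, image-only/no attachments, and a freemail
    # address that is not the sender's own domain. Either a faked thread or a salutation tell
    # must also be present (assumed interpretation of "fake thread or plaintext").
    signals["match"] = (
        signals["unsolicited"]
        and signals["job_language"]
        and signals["attachments_ok"]
        and bool(signals["pivot_addresses"])
        and (signals["fake_thread"] or signals["greeting"])
    )
    return signals


if __name__ == "__main__":
    # Constructed sample message for a local dry run.
    sample = Message(
        sender="recruiter@acme-talent.example",
        body="Hello,\n\nWe have a remote job offer for you. Reply to our HR team at "
             "hr.acme.hiring@gmail.com to schedule your interview.\n",
        attachments=[],
    )
    print(evaluate(sample))
```

The same-domain comparison is what keeps a legitimate Gmail user mailing from Gmail out of the verdict; the attachment check mirrors the summary's requirement that only images (such as signature logos) are tolerated, so a message carrying a document attachment drops out even when every other signal fires.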
Categories
  • Web
  • Endpoint
  • Cloud
Data Sources
  • User Account
  • Application Log
Created: 2024-01-08