• Sublime Core Feed
Low Severity

Job scam (unsolicited sender)

Labels

BEC/Fraud
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis

Description

Detects job scam attempts by analyzing the message body text from an unsolicited sender.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Nov 3rd, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name in ("job_scam") and .confidence == "high"
  )
)
and (
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "financial"
  )
  or strings.icontains(body.current_thread.text, "salary package")
  or strings.icontains(body.current_thread.text, "kindly")
  or (
    (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name in ("greeting", "salutation")
      )
      or sender.email.domain.root_domain in $free_email_providers
    )
    and (
      (
        length(recipients.to) == 0
        or length(recipients.bcc) > 0
        or (
          all(recipients.to, .email.domain.valid == false)
          and all(recipients.cc, .email.domain.valid == false)
        )
      )
    )
  )
)
// negating income / job verification senders
and not (
  sender.email.domain.root_domain in ('loandepot.com', 'sofi.com')
  and headers.auth_summary.dmarc.pass
)
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started