High Severity

Recruitee Infrastructure Abuse

Labels

BEC/Fraud
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Natural Language Understanding
Sender analysis
URL analysis
Whois

Description

Identifies inbound messages from Recruitee domains that contain recruitment-related topics and application links, where the sender has limited prior history (the sender address is new or an outlier and has no messages previously marked benign). A link qualifies when its display text is application-focused ("apply" or "submit") and it either points to a domain registered less than 30 days ago or is the only link in the message.

References

No references.

Sublime Security
Created Mar 3rd, 2025 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and sender.email.domain.root_domain == "recruitee.com"
and any(beta.ml_topic(body.current_thread.text).topics,
        .name in (
          "Advertising and Promotions",
          "Professional and Career Development"
        )
        and .confidence != "low"
)
and any(body.links,
        (
          network.whois(.href_url.domain).days_old < 30
          or length(body.links) == 1
        )
        and regex.icontains(.display_text, "apply|submit")
)
// use sender email, not domain, to ensure new *.recruitee.com addresses are correctly identified
and profile.by_sender_email().prevalence in ("new", "outlier")
and not profile.by_sender_email().any_messages_benign
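
The rule's conditions re-expressed in Python, as an added example for walking through which messages match (not Sublime's code and not part of the rule itself). The topic labels, WHOIS age and sender-profile values are passed in as plain fields instead of being looked up, the sample messages are constructed, and two choices are assumptions of this sketch: a missing WHOIS age counts as "not recent", and the root domain is taken as the last two labels.

```python
import re
from dataclasses import dataclass
from typing import Optional

APPLY_RE = re.compile(r"apply|submit", re.IGNORECASE)
TOPICS = {"Advertising and Promotions", "Professional and Career Development"}

@dataclass
class Link:
    display_text: str
    domain_days_old: Optional[int]  # WHOIS age in days; None if lookup failed (assumption)

@dataclass
class Message:
    inbound: bool
    sender_email: str
    topics: list      # [(topic name, confidence)], stand-in for the ML topic output
    links: list
    prevalence: str   # stand-in for the sender-profile prevalence value
    any_benign: bool  # stand-in for "sender has messages marked benign"

def root_domain(email: str) -> str:
    # Simplification: last two labels. Production code should use the Public Suffix List.
    return ".".join(email.rsplit("@", 1)[-1].lower().split(".")[-2:])

def link_matches(link: Link, total_links: int) -> bool:
    recent = link.domain_days_old is not None and link.domain_days_old < 30
    # Display text must match in both branches: recent domain OR sole link.
    return (recent or total_links == 1) and bool(APPLY_RE.search(link.display_text or ""))

def rule_matches(m: Message) -> bool:
    return (
        m.inbound
        and root_domain(m.sender_email) == "recruitee.com"
        and any(name in TOPICS and conf != "low" for name, conf in m.topics)
        and any(link_matches(l, len(m.links)) for l in m.links)
        and m.prevalence in ("new", "outlier")
        and not m.any_benign
    )

# Constructed sample messages (not real traffic).
JOB = [("Professional and Career Development", "high")]
sole_link = Message(True, "hr@acme.recruitee.com", JOB, [Link("Apply now", 400)], "new", False)
known_sender = Message(True, "hr@acme.recruitee.com", JOB, [Link("Apply now", 400)], "common", True)
new_domain = Message(True, "x@corp.recruitee.com", JOB,
                     [Link("Submit application", 5), Link("Unsubscribe", 3000)], "outlier", False)
old_domains = Message(True, "x@corp.recruitee.com", JOB,
                      [Link("Submit application", 900), Link("Unsubscribe", 3000)], "outlier", False)
other_root = Message(True, "hr@recruitee.com.example.net", JOB, [Link("Apply", 2)], "new", False)
```

Here `sole_link` and `new_domain` match, while `known_sender`, `old_domains` and `other_root` do not, which shows that an established Recruitee sender or a multi-link message pointing only at old domains falls outside the rule.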