Added new rule for detecting rating solicitation scams#4492

Open
jacob-mazurkiewicz wants to merge 2 commits into sublime-security:main from jacob-mazurkiewicz:Feauture/Scam-Employer-Review-Solicitation

Conversation

@jacob-mazurkiewicz jacob-mazurkiewicz commented May 15, 2026

Description

This new rule targets attempts for solicitation of ratings/reviews of employers. These false solicitations can contain malicious links or be attempts at phishing information or credentials from the receiver.

Associated samples

Example one:

Date: Thu, 15 May 2026 14:02:33 -0400
Subject: You've Been Selected - Rate Your Employer & Earn $500!
From: John Glennson <John@gl4ssdoor-reviews.com>
To: Jacob.Mazurkiewicz2@dcsg.com

Dear Valued Professional,

Congratulations! You have been specially selected to particpiate in our Annual Employer Review Program.

We are partnering with top companies to collect honest workplace feedback. As a token of our appreciation, you will receive a $500 gift card simply for completing a short review of your employer.

To claim your reward, please review your experience at your current workplace by clicking the link below:

https://gl4ssdoor-reviews.com/rate-employer?ref=29571

All you need to do is:
1. Rate your employer on a scale of 1-5
2. Share your review of your workplace experience
3. Verify your identity by entering your company email and password

Your feedback helps other job seekers make informed decisions. Leave a review today and your $500 gift card will be sent within 24 hours.

This offer expires in 48 hours so act now! Write a review before time runs out.

Important: To verify your eligibility and process your reward, we will need you to confirm your login credentials on the next page.

Thank you for helping us improve workplace transparency!

Best regards,
John Glennson
Glassdoor Ratings Department

Screenshot (insights)

Rule flagged example one (screenshot)

Rule flagged example two (screenshot)

@github-actions github-actions Bot added the review-needed Indicates that a PR is waiting for review label May 15, 2026
@jacob-mazurkiewicz jacob-mazurkiewicz marked this pull request as ready for review May 15, 2026 11:46
@jacob-mazurkiewicz jacob-mazurkiewicz requested a review from a team May 15, 2026 11:46
@jacob-mazurkiewicz jacob-mazurkiewicz requested a review from a team as a code owner May 15, 2026 11:46
@github-actions (Contributor) commented:

Test Rules Sync - Action Required

This PR was not automatically synced to test-rules because the author is not a member of the sublime-security organization.

To enable syncing, an organization member can comment /update-test-rules on this PR.

Once triggered, the rules will be synced on the next scheduled run (every 10 minutes).


@IndiaAce IndiaAce left a comment

Hey Jacob thanks for your contribution!

I think this is a clever idea to provide coverage for these scams. Early telemetry looks okay, however I have a few suggestions (left below). Also, I'm curious to hear your thoughts on reinforcing the "scam" nature of these two examples you provided. I see some arrant false positives on some document sharing messages that are requests to view documents/proposals and leave feedback. They are no doubt malicious, but outside of the scope of this rule. I'm curious to see what the nlu classifier gives as a .topic for both of your samples? Perhaps the "giveaway" angle is something worth pursuing?

Keeping your .intent use for both current and previous threads, but adding another "and" stanza with something like
and any(ml.nlu_classifier(body.current_thread.text).topics, .name == "Advertising and Promotions" )

I also see some patterns (with some samples I found as well) where each of these seem to provide "instructions" to the user, notice your two samples contain that set of 4 instructions. That might be an angle worth pursuing.

Let me know your thoughts!
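The two angles raised in this comment, the "Advertising and Promotions" topic and the numbered "instructions" pattern, combined with the intent check the PR already uses and the null-safe sender exemption proposed in review, as an added illustration written for this thread and not code from the PR or the sublime-rules project. It assumes `regex.icontains(text, pattern)` and an engine that honours the `(?ms)` flags; `type.inbound` is the standard inbound scoping field; `"callback_scam"` is included per the reviewer's suggestion; the domain list is the one from the suggested change:

```mql
type.inbound
and (
  // current thread: intent names taken from this thread; confidence guard kept
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name in ("job_scam", "cred_theft", "callback_scam")
      and .confidence != "low"
  )
  // previous threads: same guard applied so the two stanzas stay symmetric
  or any(body.previous_threads,
         any(ml.nlu_classifier(.text).intents,
             .name in ("job_scam", "cred_theft", "callback_scam")
             and .confidence != "low"
         )
  )
)
// "giveaway" angle: the reward lure is classified as promotional, which
// keeps plain document-sharing / feedback requests out of scope
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "Advertising and Promotions"
)
// "instructions" angle: body carries a numbered step list ("1. ..." then "2. ...")
// assumption: regex.icontains(text, pattern); (?ms) = multiline + dotall, lazy .*?
and regex.icontains(body.current_thread.text,
                    '(?ms)^\s*1[.)]\s.*?^\s*2[.)]\s')
// exemption for legitimate review platforms, null-safe on the DMARC result:
// a spoofed platform domain that fails or lacks DMARC still fires
and not (
  (
    sender.email.domain.root_domain in (
      'comparably.com', 'greatplacetowork.com', 'builtin.com', 'lensa.com',
      'ziprecruiter.com', 'kununu.com', 'jobcase.com', 'trustpilot.com'
    )
    or sender.email.domain.root_domain in $high_trust_sender_root_domains
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
```

The step-list regex only requires steps 1 and 2 to appear in order at line starts, so it matches the four-step samples in this PR without being tied to a fixed count; if telemetry shows legitimate numbered lists slipping through, the topic and intent stanzas still have to agree before the rule fires.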

(
// scam in current thread
any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("scam", "job_scam", "cred_theft") and .confidence != "low"
Inline review comment (Member):

Suggested change
.name in ("scam", "job_scam", "cred_theft") and .confidence != "low"
.name in ("job_scam", "cred_theft") and .confidence != "low"
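Review bot: the same `"scam"` value also sits in the previous-thread stanza lower in the rule, so both `.name in (...)` lists need to change together; fixing only the current-thread line leaves the invalid enumerator in place for quoted earlier messages.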

"scam" is an invalid enumerator for our nlu_classifier, cred_theft and job_scam should grant us all the coverage you need here... you might consider "callback_scam" as well if you've seen samples!

Comment on lines +44 to +60
// negating legitimate employer review/rating senders
and not (
sender.email.domain.root_domain in (
'glassdoor.com',
'indeed.com',
'comparably.com',
'greatplacetowork.com',
'builtin.com',
'linkedin.com',
'lensa.com',
'ziprecruiter.com',
'kununu.com',
'jobcase.com',
'trustpilot.com'
)
and headers.auth_summary.dmarc.pass
)
Inline review comment (Member):

Suggested change
// negating legitimate employer review/rating senders
and not (
sender.email.domain.root_domain in (
'glassdoor.com',
'indeed.com',
'comparably.com',
'greatplacetowork.com',
'builtin.com',
'linkedin.com',
'lensa.com',
'ziprecruiter.com',
'kununu.com',
'jobcase.com',
'trustpilot.com'
)
and headers.auth_summary.dmarc.pass
)
// negating legitimate employer review/rating senders
and not (
(
sender.email.domain.root_domain in (
'comparably.com',
'greatplacetowork.com',
'builtin.com',
'lensa.com',
'ziprecruiter.com',
'kununu.com',
'jobcase.com',
'trustpilot.com'
)
or sender.email.domain.root_domain in $high_trust_sender_root_domains
)
and coalesce(headers.auth_summary.dmarc.pass, false)
)
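Review bot: the rewritten exemption drops glassdoor.com, indeed.com and linkedin.com from the explicit list on the assumption that `$high_trust_sender_root_domains` already contains them; confirm all three are in that list, otherwise a DMARC-passing message from one of them silently loses its exemption and the rule's false-positive profile changes. The `coalesce(headers.auth_summary.dmarc.pass, false)` change is the safe direction: when the DMARC result is null the exemption does not apply, so a spoofed review-platform domain without a DMARC pass still fires the rule.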

A few of these domains are found in our high trust sender root domains, so I removed those and added a general check for those. Consider also strengthening the auth check to consider "null" values.

// scam in previous thread
or any(body.previous_threads,
any(ml.nlu_classifier(.text).intents,
.name in ("scam", "job_scam", "cred_theft")
Inline review comment (Member):

Suggested change
.name in ("scam", "job_scam", "cred_theft")
.name in ("job_scam", "cred_theft")
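Review bot: in the lines shown, the previous-thread stanza checks only intent names and carries no `.confidence != "low"` guard, while the current-thread stanza does; if that asymmetry is not intentional, add the same guard here so a low-confidence job_scam or cred_theft hit on a quoted earlier message cannot trigger the rule on its own.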
