Service abuse: Suspicious Zoom Docs link

Detects messages from Zoom Docs in which the document originates from a newly observed email address or contains suspicious indicators.

Sublime rule

# Sublime Security rule: YAML metadata plus an MQL expression in `source`.
name: "Service abuse: Suspicious Zoom Docs link"
description: "Detects messages from Zoom Docs in which the document originates from a newly observed email address or contains suspicious indicators."
type: "rule"
severity: "low"
source: |
  // Scope: inbound mail whose sender address is under zoom.us and whose
  // display name ends with "Zoom Docs".
  type.inbound
  and sender.email.domain.root_domain == "zoom.us"
  and strings.ends_with(sender.display_name, "Zoom Docs")
  // At least one <h2> in the HTML body must satisfy either branch below:
  // (a) the sharer's address parsed from the heading is not known to the org, or
  // (b) a docs.zoom.us link leads to a document whose outbound links look suspicious.
  // NOTE(review): branch (b) never references the current <h2> node (.), so
  // nesting it inside this any() only adds the requirement that some <h2>
  // exists -- confirm that is intended rather than a top-level "or".
  and any(html.xpath(body.html, '//h2').nodes,
          // extract the sender email out of the message body
          // expected heading shape: "<display name> (<email>)"
          any(regex.iextract(.display_text,
                             '^(?P<sender_display_name>[^\(]+)\((?P<sender_email>[^\)]+@(?P<sender_domain>[^\)]+))\)'
              ),
              // sharer's domain is not an org domain, and the address has not
              // previously been seen as a recipient or as a sender
              .named_groups["sender_domain"] not in $org_domains
              and .named_groups["sender_email"] not in $recipient_emails
              and .named_groups["sender_email"] not in $sender_emails
              // ...unless the domain is not a free-mail provider and has already
              // been seen as both a recipient domain and a sender domain
              and not (
                .named_groups["sender_domain"] not in $free_email_providers
                and .named_groups["sender_domain"] in $recipient_domains
                and .named_groups["sender_domain"] in $sender_domains
              )
          )
          // follow each docs.zoom.us link and inspect the links on the rendered
          // document that point outside zoom.us
          or any(body.links,
                 .href_url.domain.domain == "docs.zoom.us"
                 and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                                .href_url.domain.root_domain != 'zoom.us'
                                and .href_url.domain.domain != 'zoom.us'
                         ),
                         (
                           // any of those links domains are new (WHOIS days_old below 30)
                           network.whois(.href_url.domain).days_old < 30
                           // go to free file hosts
                           or .href_url.domain.root_domain in $free_file_hosts
                           or .href_url.domain.domain in $free_file_hosts

                           // go to free subdomain hosts
                           or (
                             .href_url.domain.root_domain in $free_subdomain_hosts
                             // where there is a subdomain
                             and .href_url.domain.subdomain is not null
                             and .href_url.domain.subdomain != "www"
                           )
                           // go to url shorteners
                           or .href_url.domain.root_domain in $url_shorteners
                           or .href_url.domain.domain in $url_shorteners
                           or (
                             // find any links that mention common "action" words
                             // (case-insensitive; "Va[il]idar" also covers "validar")
                             regex.icontains(.display_text,
                                             '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                             )
                           )
                         )
                 )
          )
  )
tags:
 - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Free file host"
  - "Evasion"
detection_methods:
  - "HTML analysis"
  - "Sender analysis"
  - "Header analysis"
id: "064b2594-d24d-5857-8571-43ff2e8267c9"

