Service abuse: Suspicious Zoom Docs link

Detects messages from Zoom Docs in which the document originates from a newly observed email address or contains suspicious indicators.

Sublime rule

 1name: "Service abuse: Suspicious Zoom Docs link"
 2description: "Detects messages from Zoom Docs in which the document originates from a newly observed email address or contains suspicious indicators."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  and sender.email.domain.root_domain == "zoom.us"
 8  and strings.ends_with(sender.display_name, "Zoom Docs")
 9  and (
10    any(html.xpath(body.html, '//h2').nodes,
11        // extract the sender email out of the message body
12        any(regex.iextract(.display_text,
13                           '^(?P<sender_display_name>[^\(]+)\((?P<sender_email>[^\)]+@(?P<sender_domain>[^\)]+))\)'
14            ),
15            .named_groups["sender_domain"] not in $org_domains
16            and .named_groups["sender_email"] not in $recipient_emails
17            and .named_groups["sender_email"] not in $sender_emails
18            and not (
19              .named_groups["sender_domain"] not in $free_email_providers
20              and .named_groups["sender_domain"] in $recipient_domains
21              and .named_groups["sender_domain"] in $sender_domains
22            )
23        )
24    )
25    or any(body.links,
26           .href_url.domain.domain == "docs.zoom.us"
27           and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
28                          .href_url.domain.root_domain != 'zoom.us'
29                          and .href_url.domain.domain != 'zoom.us'
30                   ),
31                   (
32                     // any of those links domains are new
33                     network.whois(.href_url.domain).days_old < 30
34                     // go to free file hosts
35                     or .href_url.domain.root_domain in $free_file_hosts
36                     or .href_url.domain.domain in $free_file_hosts
37  
38                     // go to free subdomains hosts
39                     or (
40                       .href_url.domain.root_domain in $free_subdomain_hosts
41                       // where there is a subdomain
42                       and .href_url.domain.subdomain is not null
43                       and .href_url.domain.subdomain != "www"
44                     )
45                     // go to url shortners
46                     or .href_url.domain.root_domain in $url_shorteners
47                     or .href_url.domain.domain in $url_shorteners
48                     or (
49                       // find any links that mention common "action" words
50                       regex.icontains(.display_text,
51                                       '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
52                       )
53                     )
54                   )
55           )
56    )
57  )  
58tags:
59 - "Attack surface reduction"
60attack_types:
61  - "Credential Phishing"
62tactics_and_techniques:
63  - "Social engineering"
64  - "Free file host"
65  - "Evasion"
66detection_methods:
67  - "HTML analysis"
68  - "Sender analysis"
69  - "Header analysis"
70id: "064b2594-d24d-5857-8571-43ff2e8267c9"
