Service abuse: Suspicious Zoom Docs link

calendar Aug 5, 2025 · Attack surface reduction  ·
Share on: linkedin copy

Detects messages from Zoom Docs in which the document originates from a newly observed email address or contains suspicious indicators.

Sublime rule (View on GitHub)

 1name: "Service abuse: Suspicious Zoom Docs link"
 2description: "Detects messages from Zoom Docs in which the document originates from a newly observed email address or contains suspicious indicators."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  and sender.email.domain.root_domain == "zoom.us"
 8  and strings.ends_with(sender.display_name, "Zoom Docs")
 9  and any(html.xpath(body.html, '//h2').nodes,
10          // extract the sender email out of the message body
11          any(regex.iextract(.display_text,
12                             '^(?P<sender_display_name>[^\(]+)\((?P<sender_email>[^\)]+@(?P<sender_domain>[^\)]+))\)'
13              ),
14              .named_groups["sender_domain"] not in $org_domains
15              and .named_groups["sender_email"] not in $recipient_emails
16              and .named_groups["sender_email"] not in $sender_emails
17              and not (
18                .named_groups["sender_domain"] not in $free_email_providers
19                and .named_groups["sender_domain"] in $recipient_domains
20                and .named_groups["sender_domain"] in $sender_domains
21              )
22          )
23          or any(body.links,
24                 .href_url.domain.domain == "docs.zoom.us"
25                 and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
26                                .href_url.domain.root_domain != 'zoom.us'
27                                and .href_url.domain.domain != 'zoom.us'
28                         ),
29                         (
30                           // any of those links domains are new
31                           network.whois(.href_url.domain).days_old < 30
32                           // go to free file hosts
33                           or .href_url.domain.root_domain in $free_file_hosts
34                           or .href_url.domain.domain in $free_file_hosts
35  
36                           // go to free subdomains hosts
37                           or (
38                             .href_url.domain.root_domain in $free_subdomain_hosts
39                             // where there is a subdomain
40                             and .href_url.domain.subdomain is not null
41                             and .href_url.domain.subdomain != "www"
42                           )
43                           // go to url shortners
44                           or .href_url.domain.root_domain in $url_shorteners
45                           or .href_url.domain.domain in $url_shorteners
46                           or (
47                             // find any links that mention common "action" words
48                             regex.icontains(.display_text,
49                                             '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
50                             )
51                           )
52                         )
53                 )
54          )
55  )  
56tags:
57 - "Attack surface reduction"
58attack_types:
59  - "Credential Phishing"
60tactics_and_techniques:
61  - "Social engineering"
62  - "Free file host"
63  - "Evasion"
64detection_methods:
65  - "HTML analysis"
66  - "Sender analysis"
67  - "Header analysis"
68id: "064b2594-d24d-5857-8571-43ff2e8267c9"

Related rules

to-top