Service Abuse: Zoom Docs From an Unsolicited Sender Address

Detects messages from Zoom Docs in which the document originates from a newly observed email address. Because the message itself is sent from Zoom's own domain (zoom.us), the originating address is extracted from the message body rather than from the headers.

Sublime rule

name: "Service Abuse: Zoom Docs From an Unsolicited Sender Address"
description: "Detects messages from Zoom Docs in which the document originates from a newly observed email address.  The email address is extracted from the body message."
type: "rule"
severity: "low"
source: |
  type.inbound
  and sender.email.domain.root_domain == "zoom.us"
  and sender.display_name == "Zoom Docs"
  and any(html.xpath(body.html, '//h2').nodes,
          // extract the sender email out of the message body
          any(regex.iextract(.display_text,
                             '^(?P<sender_display_name>[^\(]+)\((?P<sender_email>[^\)]+@(?P<sender_domain>[^\)]+))\)'
              ),
              .named_groups["sender_domain"] not in $org_domains
              and .named_groups["sender_email"] not in $recipient_emails
              and .named_groups["sender_email"] not in $sender_emails
              and not (
                .named_groups["sender_domain"] not in $free_email_providers
                and .named_groups["sender_domain"] in $recipient_domains
                and .named_groups["sender_domain"] in $sender_domains
              )
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Free file host"
  - "Evasion"
detection_methods:
  - "HTML analysis"
  - "Sender analysis"
  - "Header analysis"
id: "064b2594-d24d-5857-8571-43ff2e8267c9"
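To make the rule's logic concrete, the following is an added Python re-implementation of the same checks (not Sublime's own code and not part of the rule): it pulls the text of every h2 element out of a constructed Zoom Docs notification body, applies the rule's regex to recover the display name, email and domain, and then evaluates the same list conditions. The org/recipient/sender/free-provider lists, the sample messages and the domains in them are all constructed here; the helper names (h2_texts, is_unsolicited, rule_matches, make_msg) are this example's own. Comparisons are lowercased, which is an assumption about how the rule's list lookups behave.

```python
import re
from html.parser import HTMLParser

# Same pattern the rule passes to regex.iextract: "Display Name (user@domain)"
SENDER_RE = re.compile(
    r'^(?P<sender_display_name>[^\(]+)\((?P<sender_email>[^\)]+@(?P<sender_domain>[^\)]+))\)',
    re.IGNORECASE,
)


class H2Extractor(HTMLParser):
    """Collect the visible text of each <h2>, standing in for html.xpath(body.html, '//h2')."""

    def __init__(self):
        super().__init__()
        self._depth = 0
        self._buf = []
        self.headings = []

    def handle_starttag(self, tag, attrs):
        if tag == "h2":
            self._depth += 1
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "h2" and self._depth:
            self._depth -= 1
            self.headings.append("".join(self._buf).strip())

    def handle_data(self, data):
        if self._depth:
            self._buf.append(data)


def h2_texts(html):
    parser = H2Extractor()
    parser.feed(html)
    return parser.headings


def is_unsolicited(named, lists):
    """Mirror the rule's boolean expression for one regex match (lowercasing is an assumption)."""
    domain = named["sender_domain"].lower()
    email = named["sender_email"].lower()
    return (
        domain not in lists["org_domains"]
        and email not in lists["recipient_emails"]
        and email not in lists["sender_emails"]
        # exception: an established non-free domain we already exchange mail with
        and not (
            domain not in lists["free_email_providers"]
            and domain in lists["recipient_domains"]
            and domain in lists["sender_domains"]
        )
    )


def rule_matches(msg, lists):
    """Apply the whole rule to a constructed message dict."""
    if not msg["inbound"]:
        return False
    if msg["sender_root_domain"] != "zoom.us" or msg["sender_display_name"] != "Zoom Docs":
        return False
    for text in h2_texts(msg["body_html"]):
        match = SENDER_RE.search(text)
        if match and is_unsolicited(match.groupdict(), lists):
            return True
    return False


# Constructed stand-ins for the $org_domains, $recipient_emails, ... lists
LISTS = {
    "org_domains": {"example-corp.test"},
    "recipient_emails": {"bob@example-corp.test"},
    "sender_emails": {"alice@example-corp.test", "partner@example-partner.test"},
    "free_email_providers": {"gmail.com"},
    "recipient_domains": {"example-corp.test", "example-partner.test", "gmail.com"},
    "sender_domains": {"example-corp.test", "example-partner.test", "gmail.com"},
}


def make_msg(h2_text, display_name="Zoom Docs", root_domain="zoom.us", inbound=True):
    """Build a constructed message resembling a Zoom Docs share notification."""
    body = f"<html><body><h2>{h2_text}</h2><p>Open the document.</p></body></html>"
    return {"inbound": inbound, "sender_root_domain": root_domain,
            "sender_display_name": display_name, "body_html": body}


MSG_UNKNOWN = make_msg("Mallory Unknown (mallory@lure-domain.test) shared a document with you")
MSG_PARTNER = make_msg("Pat Partner (newperson@example-partner.test) shared a document with you")
MSG_FREEMAIL = make_msg("Sam Someone (sam@gmail.com) shared a document with you")
MSG_NOT_ZOOM_DOCS = make_msg("Mallory Unknown (mallory@lure-domain.test) shared a document with you",
                             display_name="Zoom")

if __name__ == "__main__":
    for name, msg in [("unknown", MSG_UNKNOWN), ("partner", MSG_PARTNER),
                      ("freemail", MSG_FREEMAIL), ("not zoom docs", MSG_NOT_ZOOM_DOCS)]:
        print(f"{name}: {rule_matches(msg, LISTS)}")
```

The partner case shows the rule's carve-out: a never-before-seen address at a non-free domain that already appears in both the recipient and sender domain lists is treated as established and does not fire, whereas the same situation at a free mail provider still does, since a shared free-provider domain says nothing about the individual sender.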
