Attachment: Fake Zoom installer
An HTML attachment that renders a Zoom logo, contains "download" request language, and links to an .exe hosted on a domain outside the organization's own domains. Observed in the wild.
Sublime rule source (also published on GitHub):
# Sublime Security detection rule (MQL). Flags an inbound message whose HTML
# attachment renders a Zoom logo, contains "download" request language, and
# links to an .exe hosted outside the organization's own domains.
name: "Attachment: Fake Zoom installer"
description: |
  HTML attachment contains a Zoom logo, request language, and a link to an executable. Observed in the wild.
type: "rule"
# "high": the attachment is a brand-impersonation lure for an executable
# download, i.e. probable malware delivery rather than credential phishing.
severity: "high"
# All conditions below must hold for ONE attachment (they are ANDed inside a
# single any() over attachments):
#   1. The attachment is HTML, judged by file extension (`in~` is the
#      case-insensitive form of `in`), detected file type, or declared
#      content type — any one of the three suffices.
#   2. A screenshot of the rendered HTML is classified as showing a Zoom logo
#      at "medium" or "high" confidence ("low" is deliberately excluded).
#   3. The NLU classifier finds a "request" entity whose text matches
#      "download". NOTE(review): `=~` is case-insensitive *equality* in MQL,
#      so this requires the entity text to be exactly "download"; a longer
#      phrase such as "download now" would not match. If broader matching is
#      intended, strings.icontains(.text, "download") would be needed —
#      confirm against actual NLU entity output before changing.
#   4. Exploding the attachment (which also surfaces content the HTML
#      decodes or assembles at render time, hence the "HTML smuggling"
#      technique tag) yields a URL whose path ends in ".exe"
#      (case-insensitive) and whose root domain is not in $org_domains.
#      The $org_domains exemption means an .exe hosted on an org-owned but
#      compromised host is NOT flagged by this rule.
# Scope: only ".exe" paths are matched. Other installer/executable types
# (.msi, .scr, archives) and URLs that hide the extension behind a redirect
# or query string are out of scope for this rule.
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or .file_type == "html"
            or .content_type == "text/html"
          )
          and any(ml.logo_detect(file.html_screenshot(.)).brands,
                  .name == "Zoom" and .confidence in ("medium", "high")
          )
          and any(ml.nlu_classifier(file.parse_html(.).display_text).entities,
                  .name == "request" and .text =~ "download"
          )
          and any(file.explode(.),
                  any(.scan.url.urls,
                      strings.iends_with(.path, ".exe")
                      and .domain.root_domain not in $org_domains
                  )
          )
  )
# Taxonomy tags used for reporting/triage; they do not affect matching.
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Impersonation: Brand"
  - "Scripting"
  - "Social engineering"
# Analysis capabilities the source above relies on (screenshot + logo
# detection = Computer Vision; parse_html + nlu_classifier = NLU; explode +
# URL scan = Archive/File/URL analysis).
detection_methods:
  - "Archive analysis"
  - "Computer Vision"
  - "File analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "URL analysis"
# Stable rule identifier (UUID); keep it unchanged when editing the rule so
# existing alerts and tuning remain linked to it.
id: "840a12a6-a796-5e73-b975-1d1b5f745aea"