Brand impersonation: Zoom via lookalike domain
Message contains a single link which attempts to spoof a 'zoom' link, sent from a free email provider to a single recipient.
Sublime rule
# Sublime Security detection rule. Fires on inbound mail whose single link uses a
# "zoom"-themed domain (in the SLD or subdomain) that is not one of the listed
# legitimate Zoom root domains, when the sender is on a free email provider.
name: "Brand impersonation: Zoom via lookalike domain"
description: "Message contains a single link which attempts to spoof a 'zoom' link, sent from a free email provider to a single recipient."
type: "rule"
severity: "high"
source: |
  // Only inbound mail is evaluated.
  type.inbound
  // At least one link in the current-thread body must satisfy both sub-conditions below.
  and any(body.current_thread.links,
          // Exclusion: a link is skipped when EITHER its href URL or its display URL has one
          // of these known-legitimate root domains (the same list is repeated for both
          // fields; keep the two copies in sync).
          // NOTE(review): because the exclusion is an OR over href and display, a link whose
          // display URL root domain is a legitimate Zoom domain is excluded even if its href
          // root domain is not; href/display mismatch is presumably covered by a separate
          // rule — confirm.
          not (
            .href_url.domain.root_domain in (
              "zoom.us",
              "zoom.com",
              "zoominternet.net",
              "profitzoom.net",
              "zoomtown.com"
            )
            or .display_url.domain.root_domain in (
              "zoom.us",
              "zoom.com",
              "zoominternet.net",
              "profitzoom.net",
              "zoomtown.com"
            )
          )
          // zoom in the subdomain or sld
          // Lookalike test: substring "zoom" in the second-level domain or the subdomain of
          // either the href or the display URL (substring match via strings.contains).
          and (
            strings.contains(.href_url.domain.sld, "zoom")
            or strings.contains(.href_url.domain.subdomain, "zoom")
            or strings.contains(.display_url.domain.sld, "zoom")
            or strings.contains(.display_url.domain.subdomain, "zoom")
          )
  )
  // Narrowing conditions (likely intended to limit false positives): exactly one link in
  // the body, sender root domain on the free-email-provider list ($free_email_providers,
  // presumably platform-maintained — confirm), exactly one To: recipient, and the subject
  // is not flagged as a forward.
  and length(body.current_thread.links) == 1
  and sender.email.domain.root_domain in $free_email_providers
  and length(recipients.to) == 1
  and not subject.is_forward
# Classification metadata for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Sender analysis"
# Stable rule identifier (UUID format); leave unchanged when editing the rule body.
id: "b9d5e4b5-7137-5ac5-b5cc-0ec5323fd31c"