Brand impersonation: Zoom via lookalike domain
Message contains a single link which attempts to spoof a 'zoom' link, sent from a free email provider to a single recipient.
Sublime rule (View on GitHub)
# Sublime detection rule: inbound mail from a free-mail sender, to one recipient,
# carrying exactly one link whose domain mentions "zoom" but whose root domain is
# not on the allowlist of legitimate Zoom-related domains below.
name: "Brand impersonation: Zoom via lookalike domain"
description: "Message contains a single link which attempts to spoof a 'zoom' link, sent from a free email provider to a single recipient."
type: "rule"
severity: "high"
source: |
  type.inbound
  // at least one link in the current thread body whose href or display domain
  // contains "zoom" while its root domain is not an allowlisted Zoom domain
  and any(body.current_thread.links,
          not (
            // allowlist applied to the href's root domain
            .href_url.domain.root_domain in (
              "zoom.us",
              "zoom.com",
              "zoominternet.net",
              "profitzoom.net",
              "zoomtown.com"
            )
            or (
              // same allowlist applied to the visible link text's root domain,
              // guarded so a null display domain does not enter the membership test.
              // NOTE(review): a link whose display text resolves to an allowlisted
              // root domain is excluded here even when its href points elsewhere —
              // confirm this exclusion is intended rather than a gap
              .display_url.domain.root_domain is not null
              and .display_url.domain.root_domain in (
                "zoom.us",
                "zoom.com",
                "zoominternet.net",
                "profitzoom.net",
                "zoomtown.com"
              )
            )
          )

          // zoom in the subdomain or sld (either the href or the display URL)
          and (
            strings.contains(.href_url.domain.sld, "zoom")
            or strings.contains(.href_url.domain.subdomain, "zoom")
            or strings.contains(.display_url.domain.sld, "zoom")
            or strings.contains(.display_url.domain.subdomain, "zoom")
          )
  )
  // exactly one distinct href across the thread body
  and length(distinct(body.current_thread.links, .href_url.url)) == 1
  // sender's root domain is on the shared free-email-provider list
  and sender.email.domain.root_domain in $free_email_providers
  // single addressee, and not a forwarded subject
  and length(recipients.to) == 1
  and not subject.is_forward
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Sender analysis"
id: "b9d5e4b5-7137-5ac5-b5cc-0ec5323fd31c"