Brand impersonation: Zoom

calendar Sep 22, 2025  ·
Share on: linkedin copy

Detects messages impersonating Zoom through social footers, webinar links, and suspicious domain pattern matching. The rule looks for specific combinations of social media links, redirects, and content analysis to identify inauthentic Zoom-branded messages not originating from legitimate Zoom domains.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: Zoom"
  2description: "Detects messages impersonating Zoom through social footers, webinar links, and suspicious domain pattern matching. The rule looks for specific combinations of social media links, redirects, and content analysis to identify inauthentic Zoom-branded messages not originating from legitimate Zoom domains."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and (
  8    // the social links in the footer
  9    3 of (
 10      any(body.links, strings.icontains(.href_url.url, "twitter.com/zoom")),
 11      any(body.links,
 12          strings.icontains(.href_url.url,
 13                            "linkedin.com/company/zoom-video-communications"
 14          )
 15      ),
 16      any(body.links, strings.icontains(.href_url.url, "blog.zoom.us")),
 17      strings.ilike(body.html.raw,
 18                    '*https://go.pardot.com/l/84442/*/*/84442/*/twitter.png*'
 19      ),
 20      strings.ilike(body.html.raw,
 21                    '*https://go.pardot.com/l/84442/*/*/84442/*/linkedin.png*'
 22      ),
 23      strings.ilike(body.html.raw,
 24                    '*https://go.pardot.com/l/84442/*/*/84442/*/zoomblog.png*'
 25      )
 26    )
 27    or (
 28      strings.ilike(body.html.raw,
 29                    '*https://st1.zoom.us/homepage/publish/_nuxt/social_icons_footer*.png*'
 30      )
 31    )
 32    or (
 33      length(beta.ml_topic(body.html.display_text).topics) == 1
 34      and all(beta.ml_topic(body.html.display_text).topics,
 35              .name in ("Events and Webinars", "Software and App Updates")
 36              and .confidence != "low"
 37      )
 38      and any(ml.logo_detect(file.message_screenshot()).brands,
 39              .name == "Zoom" and .confidence == "high"
 40      )
 41      and any(body.links,
 42              any(ml.nlu_classifier(.display_text).intents,
 43                  .name == "cred_theft" and .confidence == "high"
 44              )
 45      )
 46    )
 47    or (
 48      any(body.links,
 49          // link claims to go to a Zoom domain, but does not
 50          (
 51            .display_url.domain.root_domain in ("zoom.us", "zoom.com")
 52            or strings.icontains(.display_text, "zoom.us")
 53            or strings.icontains(.display_text, "zoom.com")
 54          )
 55          and .href_url.domain.root_domain not in ("zoom.us", "zoom.com")
 56          and (
 57            .href_url.domain.tld in $suspicious_tlds
 58            // country code second-level domain
 59            or strings.istarts_with(.href_url.domain.tld, "com.")
 60            or (
 61              (
 62                length(ml.link_analysis(.).files_downloaded) > 0
 63                // Zoom logo on page
 64                or ml.link_analysis(.).credphish.brand.name == "Zoom"
 65                // blocked by a Cloudflare CAPTCHA
 66                or strings.icontains(ml.link_analysis(.).final_dom.raw,
 67                                     'https://challenges.cloudflare.com/turnstile/',
 68                )
 69              )
 70              and ml.link_analysis(.).effective_url.domain.root_domain not in (
 71                "zoom.us",
 72                "zoom.com"
 73              )
 74            )
 75          )
 76      )
 77    )
 78  )
 79  // negate auto-generated meeting summaries 
 80  and not (
 81    strings.icontains(body.current_thread.text, "meeting summary")
 82    and strings.icontains(body.current_thread.text,
 83                          "AI-generated content may be inaccurate or misleading."
 84    )
 85  )
 86  and not (
 87    (
 88      strings.istarts_with(subject.subject, "RE:")
 89      or strings.istarts_with(subject.subject, "R:")
 90      or strings.istarts_with(subject.subject, "ODG:")
 91      or strings.istarts_with(subject.subject, "答复:")
 92      or strings.istarts_with(subject.subject, "AW:")
 93      or strings.istarts_with(subject.subject, "TR:")
 94      or strings.istarts_with(subject.subject, "FWD:")
 95      or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
 96      or regex.imatch(subject.subject,
 97                      '^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
 98      )
 99    )
100    and (
101      length(headers.references) > 0
102      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
103    )
104  )
105  // Not from a legitimate Zoom domain
106  and not (
107    sender.email.domain.root_domain in (
108      "zoom.us",
109      "zuora.com",
110      "zoomgov.com",
111      "zoom.com",
112      "zoom-x.de"
113    )
114    and headers.auth_summary.dmarc.pass
115  )  
116
117attack_types:
118  - "Credential Phishing"
119tactics_and_techniques:
120  - "Impersonation: Brand"
121  - "Social engineering"
122  - "Evasion"
123detection_methods:
124  - "Computer Vision"
125  - "Content analysis"
126  - "HTML analysis"
127  - "Natural Language Understanding"
128  - "URL analysis"
129id: "5abad540-8e6c-5c82-9f8e-a59009915b63"
to-top