Brand impersonation: Zoom
Detects messages impersonating Zoom through social footers, webinar links, and suspicious domain pattern matching. The rule looks for specific combinations of social media links, redirects, and content analysis to identify inauthentic Zoom-branded messages not originating from legitimate Zoom domains.
Sublime rule
name: "Brand impersonation: Zoom"
description: "Detects messages impersonating Zoom through social footers, webinar links, and suspicious domain pattern matching. The rule looks for specific combinations of social media links, redirects, and content analysis to identify inauthentic Zoom-branded messages not originating from legitimate Zoom domains."
type: "rule"
severity: "medium"
# Detection logic (Sublime MQL). Shape: type.inbound AND (one of four
# Zoom-branding branches) AND NOT (three exclusions: auto-generated meeting
# summaries, replies/forwards that carry thread headers, and DMARC-passing
# mail from the listed Zoom-related domains).
source: |
  type.inbound
  and (
    // the social links in the footer
    // Branch 1: any three of the six footer artefacts -- anchor hrefs to Zoom's
    // Twitter/LinkedIn/blog pages, or the Pardot-hosted social icon images.
    3 of (
      any(body.links, strings.icontains(.href_url.url, "twitter.com/zoom")),
      any(body.links,
          strings.icontains(.href_url.url,
                            "linkedin.com/company/zoom-video-communications"
          )
      ),
      any(body.links, strings.icontains(.href_url.url, "blog.zoom.us")),
      strings.ilike(body.html.raw,
                    '*https://go.pardot.com/l/84442/*/*/84442/*/twitter.png*'
      ),
      strings.ilike(body.html.raw,
                    '*https://go.pardot.com/l/84442/*/*/84442/*/linkedin.png*'
      ),
      strings.ilike(body.html.raw,
                    '*https://go.pardot.com/l/84442/*/*/84442/*/zoomblog.png*'
      )
    )
    // Branch 2: the zoom.us-hosted social-icons footer image is referenced
    // anywhere in the raw HTML.
    or (
      strings.ilike(body.html.raw,
                    '*https://st1.zoom.us/homepage/publish/_nuxt/social_icons_footer*.png*'
      )
    )
    // Branch 3: ML signals only -- exactly one topic, it is "Events and Webinars"
    // or "Software and App Updates" at non-low confidence; a high-confidence Zoom
    // logo in the rendered screenshot; and at least one link whose display text
    // classifies as high-confidence cred_theft. This branch has no link-domain
    // check of its own; the sender-domain exclusion at the bottom supplies the
    // "not from Zoom" half.
    or (
      length(beta.ml_topic(body.html.display_text).topics) == 1
      and all(beta.ml_topic(body.html.display_text).topics,
              .name in ("Events and Webinars", "Software and App Updates")
              and .confidence != "low"
      )
      and any(ml.logo_detect(beta.message_screenshot()).brands,
              .name == "Zoom" and .confidence == "high"
      )
      and any(body.links,
              any(ml.nlu_classifier(.display_text).intents,
                  .name == "cred_theft" and .confidence == "high"
              )
      )
    )
    // Branch 4: a mismatched link -- displayed as zoom.us/zoom.com while the href
    // root domain is neither. The href must additionally use a suspicious TLD, a
    // "com."-prefixed country-code second-level domain, or link analysis must
    // observe a download, a Zoom credphish brand, or a Cloudflare Turnstile page
    // while the crawl ends on a non-Zoom domain.
    or (
      any(body.links,
          // link claims to go to a Zoom domain, but does not
          (
            .display_url.domain.root_domain in ("zoom.us", "zoom.com")
            or strings.icontains(.display_text, "zoom.us")
            or strings.icontains(.display_text, "zoom.com")
          )
          and .href_url.domain.root_domain not in ("zoom.us", "zoom.com")
          and (
            .href_url.domain.tld in $suspicious_tlds
            // country code second-level domain
            or strings.istarts_with(.href_url.domain.tld, "com.")
            or (
              (
                length(ml.link_analysis(.).files_downloaded) > 0
                // Zoom logo on page
                or ml.link_analysis(.).credphish.brand.name == "Zoom"
                // blocked by a Cloudflare CAPTCHA
                or strings.icontains(ml.link_analysis(.).final_dom.raw,
                                     'https://challenges.cloudflare.com/turnstile/',
                )
              )
              // the crawl must also finish somewhere other than a Zoom domain
              and ml.link_analysis(.).effective_url.domain.root_domain not in (
                "zoom.us",
                "zoom.com"
              )
            )
          )
      )
    )
  )
  // negate auto-generated meeting summaries
  // (both the phrase and the AI disclaimer must appear in the current thread text)
  and not (
    strings.icontains(body.current_thread.text, "meeting summary")
    and strings.icontains(body.current_thread.text,
                          "AI-generated content may be inaccurate or misleading."
    )
  )
  // negate replies/forwards: a reply-style subject prefix AND evidence of a real
  // thread (a References header, or an In-Reply-To field on any hop). Both are
  // required -- presumably so a bare "RE:" prefix alone cannot suppress the rule.
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      or strings.istarts_with(subject.subject, "R:")
      or strings.istarts_with(subject.subject, "ODG:")
      or strings.istarts_with(subject.subject, "答复:")
      or strings.istarts_with(subject.subject, "AW:")
      or strings.istarts_with(subject.subject, "TR:")
      or strings.istarts_with(subject.subject, "FWD:")
      or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
      or regex.imatch(subject.subject,
                      '^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
      )
    )
    and (
      length(headers.references) > 0
      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // Not from a legitimate Zoom domain
  // The exclusion only applies when DMARC passes, so a spoofed sender using one
  // of these domains is still evaluated by the branches above.
  // NOTE(review): zuora.com and zoom-x.de are not obviously Zoom-owned -- confirm
  // they are intended (e.g. billing or regional mail) before relying on them.
  and not (
    sender.email.domain.root_domain in (
      "zoom.us",
      "zuora.com",
      "zoomgov.com",
      "zoom.com",
      "zoom-x.de"
    )
    and headers.auth_summary.dmarc.pass
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "5abad540-8e6c-5c82-9f8e-a59009915b63"