Brand Impersonation: Zoom

Detects messages impersonating Zoom through social footers, webinar links, and suspicious domain pattern matching. The rule looks for specific combinations of social media links, redirects, and content analysis to identify inauthentic Zoom-branded messages not originating from legitimate Zoom domains.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata plus an MQL expression in `source`.
# The expression is structured as: one of four Zoom-branding signals
# (footer links / hosted icon images / content+logo+intent / a link claiming a
# Zoom domain), minus two exclusions (threaded replies/forwards, and
# allow-listed sender domains that pass DMARC).
name: "Brand Impersonation: Zoom"
description: "Detects messages impersonating Zoom through social footers, webinar links, and suspicious domain pattern matching. The rule looks for specific combinations of social media links, redirects, and content analysis to identify inauthentic Zoom-branded messages not originating from legitimate Zoom domains."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // Signal 1 -- Zoom social footer: at least three of the six artefacts
    // below (three footer link hrefs, three pardot-hosted icon images).
    // the social links in the footer
    3 of (
      any(body.links, strings.icontains(.href_url.url, "twitter.com/zoom")),
      any(body.links,
          strings.icontains(.href_url.url,
                            "linkedin.com/company/zoom-video-communications"
          )
      ),
      any(body.links, strings.icontains(.href_url.url, "blog.zoom.us")),
      strings.ilike(body.html.raw,
                    '*https://go.pardot.com/l/84442/*/*/84442/*/twitter.png*'
      ),
      strings.ilike(body.html.raw,
                    '*https://go.pardot.com/l/84442/*/*/84442/*/linkedin.png*'
      ),
      strings.ilike(body.html.raw,
                    '*https://go.pardot.com/l/84442/*/*/84442/*/zoomblog.png*'
      )
    )
    // Signal 2 -- the social-icon footer image hosted on st1.zoom.us appears
    // in the raw HTML.
    or (
      strings.ilike(body.html.raw,
                    '*https://st1.zoom.us/homepage/publish/_nuxt/social_icons_footer*.png*'
      )
    )
    // Signal 3 -- content analysis: exactly one ML topic, which must be an
    // events/webinar or software-update topic with non-low confidence; a
    // high-confidence Zoom logo in the rendered message screenshot; and at
    // least one link whose display text carries high-confidence
    // credential-theft intent.
    or (
      length(beta.ml_topic(body.html.display_text).topics) == 1
      and all(beta.ml_topic(body.html.display_text).topics,
              .name in ("Events and Webinars", "Software and App Updates")
              and .confidence != "low"
      )
      and any(ml.logo_detect(beta.message_screenshot()).brands,
              .name == "Zoom" and .confidence == "high"
      )
      and any(body.links,
              any(ml.nlu_classifier(.display_text).intents,
                  .name == "cred_theft" and .confidence == "high"
              )
      )
    )
    // Signal 4 -- link spoofing: the visible URL or link text names a Zoom
    // domain while the actual href root domain is neither zoom.us nor
    // zoom.com, and the real destination is also suspicious (see below).
    or (
      any(body.links,
          // link claims to go to a Zoom domain, but does not
          (
            .display_url.domain.root_domain in ("zoom.us", "zoom.com")
            or strings.icontains(.display_text, "zoom.us")
            or strings.icontains(.display_text, "zoom.com")
          )
          and .href_url.domain.root_domain not in ("zoom.us", "zoom.com")
          // Destination must additionally show one of: a TLD from the
          // $suspicious_tlds list, a "com.<cc>" style TLD, or link-analysis
          // evidence (file download, Zoom credphish brand match, or a
          // Cloudflare Turnstile challenge) with an effective URL that still
          // resolves outside zoom.us / zoom.com.
          and (
            .href_url.domain.tld in $suspicious_tlds
            // country code second-level domain
            or strings.istarts_with(.href_url.domain.tld, "com.")
            or (
              (
                length(ml.link_analysis(.).files_downloaded) > 0
                // Zoom logo on page
                or ml.link_analysis(.).credphish.brand.name == "Zoom"
                // blocked by a Cloudflare CAPTCHA
                or strings.icontains(ml.link_analysis(.).final_dom.raw,
                                     'https://challenges.cloudflare.com/turnstile/',
                )
              )
              and ml.link_analysis(.).effective_url.domain.root_domain not in (
                "zoom.us",
                "zoom.com"
              )
            )
          )
      )
    )
  )

  // Exclusion 1 -- threaded replies/forwards: a reply/forward subject prefix
  // (several locales, optionally behind [tag] or EXT/EXTERNAL markers) AND
  // threading evidence (a References header, or an In-Reply-To field in any
  // hop). Both halves are required, so a bare "RE:" subject without threading
  // headers is not excluded.
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      or strings.istarts_with(subject.subject, "R:")
      or strings.istarts_with(subject.subject, "ODG:")
      or strings.istarts_with(subject.subject, "答复:")
      or strings.istarts_with(subject.subject, "AW:")
      or strings.istarts_with(subject.subject, "TR:")
      or strings.istarts_with(subject.subject, "FWD:")
      or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
      or regex.imatch(subject.subject,
                      '^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
      )
    )
    and (
      length(headers.references) > 0
      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )

  // Exclusion 2 -- Not from a legitimate Zoom domain
  // Both conditions are required: an allow-listed sender root domain that
  // also passes DMARC. A spoofed allow-listed sender that fails DMARC
  // therefore stays in scope.
  // NOTE(review): zuora.com is not a Zoom-owned domain; presumably a
  // third-party sender used on Zoom's behalf -- confirm before keeping.
  and not (
    sender.email.domain.root_domain in (
      "zoom.us",
      "zuora.com",
      "zoomgov.com",
      "zoom.com"
    )
    and headers.auth_summary.dmarc.pass
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "5abad540-8e6c-5c82-9f8e-a59009915b63"