Brand impersonation: Zoom

Detects messages impersonating Zoom through social footers, webinar links, and suspicious domain pattern matching. The rule looks for specific combinations of social media links, redirects, and content analysis to identify inauthentic Zoom-branded messages not originating from legitimate Zoom domains.

Sublime rule (View on GitHub)

# Sublime Platform detection rule. Everything outside `source` is rule metadata;
# the `source` block scalar is the MQL query evaluated against each message.
name: "Brand impersonation: Zoom"
description: "Detects messages impersonating Zoom through social footers, webinar links, and suspicious domain pattern matching. The rule looks for specific combinations of social media links, redirects, and content analysis to identify inauthentic Zoom-branded messages not originating from legitimate Zoom domains."
type: "rule"
severity: "medium"
# Structure of the query: one of four Zoom-branding signals (1a-1d) must fire,
# AND none of three benign-shape exclusions (2a-2c) may apply.
source: |
  type.inbound
  and (
    // (1a) Zoom marketing footer: at least 3 of these 6 indicators.
    //   The first three are case-insensitive substring matches on link hrefs,
    //   the last three are wildcard matches for pardot.com-hosted social icons
    //   in the raw HTML. Either trio on its own is enough to satisfy "3 of".
    //   Because icontains is a substring test, "twitter.com/zoom" also matches
    //   longer paths (e.g. ".../twitter.com/zoomsomething").
    3 of (
      any(body.links, strings.icontains(.href_url.url, "twitter.com/zoom")),
      any(body.links,
          strings.icontains(.href_url.url,
                            "linkedin.com/company/zoom-video-communications"
          )
      ),
      any(body.links, strings.icontains(.href_url.url, "blog.zoom.us")),
      strings.ilike(body.html.raw,
                    '*https://go.pardot.com/l/84442/*/*/84442/*/twitter.png*'
      ),
      strings.ilike(body.html.raw,
                    '*https://go.pardot.com/l/84442/*/*/84442/*/linkedin.png*'
      ),
      strings.ilike(body.html.raw,
                    '*https://go.pardot.com/l/84442/*/*/84442/*/zoomblog.png*'
      )
    )
    // (1b) Social icon image served from Zoom's own homepage asset path.
    or (
      strings.ilike(body.html.raw,
                    '*https://st1.zoom.us/homepage/publish/_nuxt/social_icons_footer*.png*'
      )
    )
    // (1c) ML path: exactly one detected topic, and it is events/webinars or
    //   software updates with confidence other than "low"; a high-confidence
    //   Zoom logo in the rendered message screenshot; and at least one link
    //   whose display text is classified as high-confidence credential theft.
    //   All three must hold, which keeps this branch narrow.
    or (
      length(beta.ml_topic(body.html.display_text).topics) == 1
      and all(beta.ml_topic(body.html.display_text).topics,
              .name in ("Events and Webinars", "Software and App Updates")
              and .confidence != "low"
      )
      and any(ml.logo_detect(file.message_screenshot()).brands,
              .name == "Zoom" and .confidence == "high"
      )
      and any(body.links,
              any(ml.nlu_classifier(.display_text).intents,
                  .name == "cred_theft" and .confidence == "high"
              )
      )
    )
    // (1d) Link mismatch: a link is presented as zoom.us/zoom.com (via its
    //   display URL or display text) but its href points elsewhere, and the
    //   destination is suspicious by TLD, by a "com.<cc>" second-level domain,
    //   or by what link analysis observes on a non-Zoom effective URL.
    //   NOTE(review): the href allow-list here is zoom.us/zoom.com only, while
    //   the sender allow-list below also trusts zoomgov.com — a link labelled
    //   "zoom.us" that resolves to zoomgov.com would be flagged; confirm intended.
    or (
      any(body.links,
          // link claims to go to a Zoom domain, but does not
          (
            .display_url.domain.root_domain in ("zoom.us", "zoom.com")
            or strings.icontains(.display_text, "zoom.us")
            or strings.icontains(.display_text, "zoom.com")
          )
          and .href_url.domain.root_domain not in ("zoom.us", "zoom.com")
          and (
            // $suspicious_tlds is a list maintained outside this rule
            .href_url.domain.tld in $suspicious_tlds
            // country code second-level domain (tld such as "com.xx")
            or strings.istarts_with(.href_url.domain.tld, "com.")
            or (
              (
                // visiting the link triggers a file download
                length(ml.link_analysis(.).files_downloaded) > 0
                // Zoom logo on page (credphish brand classifier)
                or ml.link_analysis(.).credphish.brand.name == "Zoom"
                // blocked by a Cloudflare CAPTCHA: the crawler could not see
                // the real page, which is treated as a suspicious signal here
                or strings.icontains(ml.link_analysis(.).final_dom.raw,
                                     'https://challenges.cloudflare.com/turnstile/',
                )
              )
              // ...and the post-redirect destination is still not a Zoom domain
              and ml.link_analysis(.).effective_url.domain.root_domain not in (
                "zoom.us",
                "zoom.com"
              )
            )
          )
      )
    )
  )
  // (2a) negate auto-generated meeting summaries: both phrases must appear
  //   in the current thread text
  and not (
    strings.icontains(body.current_thread.text, "meeting summary")
    and strings.icontains(body.current_thread.text,
                          "AI-generated content may be inaccurate or misleading."
    )
  )
  // (2b) Skip replies/forwards inside an existing thread: a reply/forward
  //   subject prefix (several localisations) AND a References/In-Reply-To
  //   header must both be present.
  //   NOTE(review): both signals are sender-controlled (a subject prefix and a
  //   threading header can be set freely), so this is a false-positive
  //   trade-off, not a trust decision.
  //   NOTE(review): the first regex.imatch pattern has no trailing `.*`
  //   whereas the EXT/EXTERNAL pattern does — confirm regex.imatch's
  //   anchoring semantics so both cover full subjects as intended.
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      or strings.istarts_with(subject.subject, "R:")
      or strings.istarts_with(subject.subject, "ODG:")
      or strings.istarts_with(subject.subject, "答复:")
      or strings.istarts_with(subject.subject, "AW:")
      or strings.istarts_with(subject.subject, "TR:")
      or strings.istarts_with(subject.subject, "FWD:")
      or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
      or regex.imatch(subject.subject,
                      '^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
      )
    )
    and (length(headers.references) > 0 or headers.in_reply_to is not null)
  )
  // (2c) Not from a legitimate Zoom domain. The exclusion requires BOTH a
  //   listed sender root domain AND a passing DMARC result, so a spoofed
  //   From: on one of these domains does not suppress the rule.
  //   NOTE(review): zuora.com and zoom-x.de are trusted as Zoom senders here;
  //   confirm these are intended (e.g. billing/partner mail) and still current.
  and not (
    sender.email.domain.root_domain in (
      "zoom.us",
      "zuora.com",
      "zoomgov.com",
      "zoom.com",
      "zoom-x.de"
    )
    and headers.auth_summary.dmarc.pass
  )  
# Classification metadata used by the platform; not part of the query.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "5abad540-8e6c-5c82-9f8e-a59009915b63"