Brand impersonation: Zoom with deceptive link display

calendar Apr 1, 2026  ยท
Share on: linkedin copy

Detects messages mentioning Zoom in the subject or body that contain links appearing to go to zoom.us but actually redirect to different domains.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Zoom with deceptive link display"
 2description: "Detects messages mentioning Zoom in the subject or body that contain links appearing to go to zoom.us but actually redirect to different domains."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and sender.email.domain.root_domain in $free_email_providers
 8  and any([subject.base, body.current_thread.text], strings.icontains(., "zoom"))
 9  and any(filter(body.current_thread.links,
10                 strings.icontains(.href_url.url, "zoom.us")
11          ),
12          .href_url.domain.root_domain not in ("zoom.us", "zoom.com")
13          and .display_url.domain.root_domain not in ("zoom.us", "zoom.com")
14  )  
15attack_types:
16  - "Credential Phishing"
17  - "Malware/Ransomware"
18tactics_and_techniques:
19  - "Impersonation: Brand"
20detection_methods:
21  - "Content analysis"
22  - "URL analysis"
23id: "de5b26b7-24fa-531a-9906-b4391884d133"
to-top