Brand impersonation: Zoom via HTML styling

Detects messages impersonating Zoom by identifying HTML table cells with specific blue styling (rgb(11,92,255)) containing Zoom branding in header elements.

Sublime rule (View on GitHub)

name: "Brand impersonation: Zoom via HTML styling"
description: "Detects messages impersonating Zoom by identifying HTML table cells with specific blue styling (rgb(11,92,255)) containing Zoom branding in header elements."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(html.xpath(body.html, '//tr/td[contains(@style, "rgb(11,92,255)")]/h1').nodes,
          strings.icontains(.display_text, "zoom")
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
id: "b717920d-5da0-581f-bd72-3d62c568e96f"
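As an added illustration (not part of the Sublime rule or its repository), the following Python reimplements the rule's XPath selection and icontains predicate with the standard library's html.parser, so the logic can be exercised on constructed HTML offline. The class and function names and the sample markup are assumptions made here.

```python
from html.parser import HTMLParser

ZOOM_BLUE = "rgb(11,92,255)"
_VOID = {"br", "img", "hr", "meta", "link", "input"}  # never closed; skip to keep the stack in sync


class _ZoomHeaderScanner(HTMLParser):
    # Collects text of every <h1> whose parent <td> carries the Zoom blue and whose
    # grandparent is a <tr>: the nodes that //tr/td[contains(@style,...)]/h1 selects.
    def __init__(self):
        super().__init__()
        self.stack, self.h1_texts, self._h1_depth, self._buf = [], [], None, []

    def _under_blue_td(self):
        if len(self.stack) < 3:
            return False
        (tr, _), (td, td_style) = self.stack[-3], self.stack[-2]
        # contains() is a plain substring test: "rgb(11,92,255)" must appear exactly.
        return tr == "tr" and td == "td" and ZOOM_BLUE in td_style

    def handle_starttag(self, tag, attrs):
        if tag in _VOID:
            return
        self.stack.append((tag, dict(attrs).get("style") or ""))  # open (tag, style)
        if tag == "h1" and self._h1_depth is None and self._under_blue_td():
            self._h1_depth, self._buf = len(self.stack), []

    def handle_data(self, data):
        if self._h1_depth is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag in _VOID:
            return
        while self.stack and self.stack.pop()[0] != tag:
            pass  # tolerate unclosed inner tags, as lenient HTML parsers do
        if self._h1_depth is not None and len(self.stack) < self._h1_depth:
            self.h1_texts.append(" ".join("".join(self._buf).split()))  # display_text
            self._h1_depth = None


def zoom_blue_headers(body_html):
    # Text of each <h1> the rule's XPath selects, in document order.
    scanner = _ZoomHeaderScanner()
    scanner.feed(body_html)
    scanner.close()
    return scanner.h1_texts


def matches_zoom_impersonation(body_html):
    # The rule's predicate: any selected header whose text icontains "zoom".
    return any("zoom" in text.lower() for text in zoom_blue_headers(body_html))


# Constructed samples, not real messages: the first fires, the second does not.
SAMPLE_HIT = '<tr><td style="background:rgb(11,92,255)"><h1>Your <b>Zoom</b> call</h1></td></tr>'
SAMPLE_MISS = '<tr><td style="background:rgb(11,92,255)"><h1>Weekly update</h1></td></tr>'
```

Because the XPath requires the h1 to be a direct child of the styled td and the colour to match as an exact substring, a header wrapped in a div or a colour written with spaces is not selected; worth remembering when tuning the rule.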